HMO’s Invade Patient Privacy


to the Bush administration, a new federal rule took effect on April
14 that authorizes HMOs to take medical records from clinics, hospitals,
and pharmacies without patient consent. The new rule drew enormous
media attention when it took effect, but the media’s description
of the rule was grossly misleading. Most news outlets not only failed
to report the new privileges extended to HMOs, they also described
the rule as if it enhanced medical privacy. 

these headlines: “A tougher medical privacy law” (



), “Patients gain greater privacy”

San Jose Mercury News

), “More privacy, fewer flowers
for patients” (

St. Paul Pioneer Press

), “Patients’
rights include healthy dose of privacy” (

Cleveland Plain

), and “New legislation will benefit patients”

Richmond Times-Dispatch

). Consider these lead-off sentences:
“File cabinets with medical records are being locked”

Associated Press

); “New federally mandated rules…allow
patients to keep their names and conditions private, even from loved
ones and relatives” (“ABC News”); and “When
Dr. Stephen C. Albrecht of Olympia, Washington, called a hospital
in Tacoma recently to inquire about one of his patients,…he had
trouble getting information” (

New York Times


media justified its description of the new rule as pro-patient by
ignoring the damage HMOs may now legally wreak on patient privacy
and by focusing on three relatively minor changes: (1) providers
must take steps to reduce accidental revelations of patient information
(such as placing hoods on computer screens); (2) patients now have
a federally mandated right to see their own medical records (a right
that was already guaranteed by state laws in about half the states);
and (3) providers and HMOs have to make an effort to give patients
copies of their so-called privacy policies.  

are some examples of the changes the media talked about. “In
hospitals, patient charts should be turned to face the wall so people
walking by cannot read them” (AP). “Dr. Matthew J. Messina,
a dentist in…Ohio…said he had changed the schedule posted
each day in his treatment room, so patients would be identified
only by their first names” (

New York Times

). According


maga- zine, patients picking up their Viagra prescription
will no longer have to hear pharmacists call out, “Yoohoo.
Your Viagra prescription is ready.” 

these protections afforded by the new rule, known as the Health
Insurance Portability and Accountability Act (HIPAA) Privacy Rule,
are minor compared to the loss of protection HMO patients will suffer.
One can appreciate, for example, the rule’s effort to minimize
the possibility that strangers might see patient names on a file,
a scheduling board, or a computer screen. But the possibility that
providers might inadvertently reveal patients’ names or even
data about their health to a few strangers passing by poses a tiny
threat to patient privacy compared to the certainty that HMOs have
been routinely examining, and now, with the blessing of the federal
government, will continue to examine routinely, patient medical
records without patient consent. Moreover, the Privacy Rule permits
HMOs to share those medical records with hundreds of thousands of
firms the HIPAA rule calls “business associates.” 

for the new federal right of patients to see their own medical records
and to receive notices of provider and insurer privacy policies.
But like the right not to have doctors talk about patients in the
elevator with people standing around, these rights offer only minor
protection at best. When people worry about damage to their medical
privacy, they’re not thinking the damage will occur because
the information in their medical record is false; they’re thinking
damage will be done because third parties who didn’t have their
consent will paw through their records. The right to see statements
of providers is less significant than the right to see one’s
own records. These “notices of privacy practices” list
dozens of vaguely defined reasons patient privacy can be invaded
and dozens of vaguely defined individuals who can look at patient
records without patient consent. 

that the media failed to comprehend the importance of reporting
the damage HIPAA will do to privacy via the exception made for HMOs,
it is no surprise that the media also failed to explain the role
that the health insurance industry played in persuading the Bush
administration to let HMOs invade patient privacy. Other industries,
most notably the hospital and drug industries, complained about
the consent requirement, but it was the HMO industry that complained
the loudest. Thanks in part to the media’s lackadaisical attention
to the HMO industry’s lobbying, the industry ultimately got
what it wanted. Before April 14, HMOs routinely commandeered medical
records in a legal twilight zone. After April 14, HMOs will routinely
commandeer medical records with the assurance that their actions
are legal. 

the end of 2000, the HMO industry was not happy with the proposed
HIPAA rule, then nearing what was expected to be its final form.
When the Clinton administration published its recommended version
of the rule in December, President Clinton made a point of highlighting
the fact that patient consent was now in the rule. But the next
month, the health insurance and hospital industries began to lobby
Tommy Thompson, Bush’s new Secretary of the Department of Health
and Human Services (HHS), to reverse the consent rule. It is no
accident that Thompson made his announcement that he would “review”
the HIPAA rule at a meeting of the American Association of Health
Plans, the national trade group for the HMO industry. 

a draft version of the HIPAA rule was announced by HHS on March
21, 2002, the removal of the patient consent requirement was denounced
by Democrats, doctors, and privacy advocates. Senator Ted Kennedy
(D-MA) said the new rule was “a surrender to major corporate
interests.” Al Gore asked, “What kind of values lead this
Administration to dismantle the medical privacy of Americans and
allow insurance companies greater access to your private files?”
None of it mattered. The final version of the rule— posted
in August 2002 and effective last April 14—left out the consent

battle is by no means over. In early April, a coalition of privacy
advocates, including physicians, filed a suit against Secretary
Thompson in the U.S. District Court of Philadelphia. According to
the coalition, Thompson exceeded his authority when he “eliminate[d]
the right to privacy of individuals for their personal medical records…” 

is, of course, Congress. When Congress enacted HIPAA in 1996, it
gave away its authority to the executive branch to draft the privacy
rule, but it did not give away that authority forever. Congress
can always take it back. At least two bills have been introduced
to do that. Representatives Edward Markey (D-MA) and Dana Rohrabacher
(R-CA) have introduced the Stop Taking Our Health Privacy Act, which
would repeal. Representative Ron Paul (R-TX) has introduced a bill
to repeal the entire rule. 

Sullivan, a Minneapolis resident, writes frequently on health policy.