THE NEWS early last week that the administration was poised to issue rules on medical privacy -- rules that appeared Friday -- touched off a furious burst of doomsaying by affected groups. Insurers, drug companies and HMOs that had successfully blocked Congress from enacting a medical privacy law declared that the regulations would add $43 billion to health care costs over five years. The BlueCross BlueShield Association distributed a scary diagram showing the need for repeated notice to patients as their records were transferred from a physician to a hospital to a lab and back.
Now the regulations are out, and they require nothing of the sort. Patients must be notified if their electronic records are shared for reasons other than medical treatment or payment -- for instance, marketing -- and they must be allowed to see their medical records and correct errors. These are basic privileges whose enshrinement in law was long overdue.
Congress in 1996 gave the Department of Health and Human Services authority to regulate if Congress itself failed to pass a medical privacy law by August 1999. The same law required hospitals, doctors and insurers to share medical data more efficiently online; lawmakers feared, sensibly, that this would mean an explosion in the misuse of such data unless strong privacy protections were already in place. The ease of sharing data on patients has quickened worrisome trends toward large-scale brokering of sensitive information possessed by hospitals, insurers, pharmacists, HMOs and other entities -- information that can be enormously profitable as it is sold and resold, but enormously damaging to individuals if it reaches the wrong eyes.
Some exchange among caregivers is obviously necessary and valuable -- that's the point of the 1996 law. Privacy rules must also make exceptions for investigators pursuing fraud, law enforcement authorities armed with court orders and some public health and research needs. But those exceptions need to be narrow and, whenever possible, confined to information stripped of identifying marks. An early draft of the HHS rule drew criticism for making the loopholes too wide -- for instance, allowing police to see records without a court order. Those requirements are now tighter.
Much of the opposition that kept privacy bills gridlocked in Congress comes from those unwilling to give up the chance to make bales of money on information about people's ailments, habits and medications. So intense is this opposition that conferees on the appropriation bill for Labor and Health and Human Services, urged by both House and Senate leadership, last week slipped language into the final report that would have extended the missed deadline two years and headed off the new regulations. Immediate outcry reversed that effort, but those unhappy with the regulations may try again. The broad and urgent public interest in keeping medical data private should trump any such efforts.