The HIPAA Privacy Rule must die. Since its inception in 2003, the HIPAA Privacy Rule has been invoked by health care providers not to protect us patients as Congress originally intended, but rather as a crutch for health care providers to fall back on when they have an interest, be it laziness, financial, incompetence or whatever, in making it more difficult for patients to gain control over our own health care decisions.
A Personal Anecdote
The absolute absurdity of this law was brought home to me recently when visiting a friend in the hospital who had suffered from a debilitating stroke. My friend Laura was uninsured at the time of the stroke and wanted my help when the public hospital she was at abruptly decided to discharge her without any notice or treatment plan. The hospital administrator in charge of Laura's case refused to speak to me, citing HIPAA. This despite the fact that my friend Laura was literally seated in her wheelchair beside me as I broached the topic of Laura's health. Fortunately, I am an Ivy-League educated attorney who happens to know a thing or two about HIPAA. "Laura," I then asked, "do you make me your agent to discuss every aspect of your health, without limitation, with any and all agents or representatives of this hospital?" She responded that she did. The hospital administrator was then trapped, and reluctantly began to talk to me.
The Legislation Itself
But should we really need a lawyer beside us to access our own health records? The drafters of HIPAA certainly didn't think so. Which is why if you check the applicable law, 45 CFR 164.502, one of the very first things is makes crystal clear is that although this is a privacy law, it is of course not to be used against the very individual whose privacy it is meant to protect:
Sec. 164.502 Uses and disclosures of protected health information: general rules.
(a) Standard. A covered entity may not use or disclose protected
health information, except as permitted or required by this subpart or
by subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to
use or disclose protected health information as follows:
(i) To the individual;
Purpose of the HIPAA Privacy Rule
The HIPAA Privacy Rule is there to protect us patients from others who would do evil, nefarious things with our health care information. As the U.S. Department of Health and Human Services states on its website: "without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions."
Ask yourself this: what are you more worried about: being denied for a mortgage on account of health information leaking out somehow to the bank underwriting your mortgage, or spending hours and days on the phone with your doctors' receptionists and administrators trying to figure out what is going on with your health so that you can make an informed decision about the next step? I know where I stand on the answer to that question. And that's why I repeat: the HIPAA Privacy Rule must die.