[ Monday, April 05, 2004 ]
A Decision in the Philadelphia HIPAA case:
I mentioned below that a new lawsuit had been filed a few months ago in Federal court in Philadelphia, challenging the revisions to HIPAA that removed the consent requirement. As originally drafted, providers had to obtain written patient consent before using PHI for even routine uses, and had to obtain an authorization for non-routine uses. That requirement was revised (rightly, I think) in amendments to the HIPAA Privacy Rule which stated that as long as your Notice of Privacy Protections described the routine uses you would be implementing, you did not need explicit authorization. This also freed up second-tier providers (such as specialists) to use the information prior to first seeing the patient. Under the original rule, if a primary care physician wanted to refer a patient to a specialist and sent over the chart, the specialist could not even review the chart until the patient showed up and signed a consent. Likewise, the PCP couldn't phone in a prescription to a pharmacy, unless the patient had already used the pharmacy and signed a consent.
The revised rules do allow the patient to request that the provider not use information in any particular way, such as not disclosing to other providers without the patient's specific authorization. Providers don't have to agree with the request, but if they do agree, they have to comply with it. However, in practice, providers simply refuse to agree with any such restrictions.
The challenge in Philly
was made by some consumer groups and one particular plaintiff, who had been turned down by three providers when she requested restrictions on the use of her PHI. The judge ruled that she had standing, but ruled in favor of the government on all factual matters. The court basically stated that the rule itself did not exceed the agency's mandate (which I feel, if anything, is the strongest argument against HIPAA's enforceability), the amendment removing the consent requirement was properly promulgated and approved, and the provisions don't violate the 1st and 5th amendment rights of individuals because nobody is compelled to disclose information under HIPAA.
In fact, under the original provisions of HIPAA, a provider needed a patient's consent to use or disclose his or her PHI for treatment, payment, or healthcare operations. A provider could refuse to provide care to a patient if the patient refused to sign the consent. Under the revised rule, the provider can go forward with treatment, payment, and operations (routine uses) without consent, as long as the provider has put the patient on notice (through the NoPP) that the provider will use the PHI in that way. The patient can ask for restrictions, but the provider can refuse.
I do not see how the situation for the plaintiff in the Philly case would have changed based on the amendment to the Privacy Rule. Under the old method, the provider would have asked the patient to sign a consent allowing the provider to use and disclose PHI for routine uses (basically, what the provider can do now). The patient would have refused, just as she refused to allow the provider what it could do under the revised rule. The provider would then have refused to treat the patient.
I agree with the court's decision. I haven't read it all yet, but I think that the basic balancing act between an individual's right to protection and a provider's need to use the information is fairly well struck in HIPAA. If you don't want a provider disclosing your PHI, ask them to restrict their uses and disclosures. Most won't agree, since they don't want to set themselves up to be sued by you if they inadvertently disclose the information or otherwise have to treat your file differently than they treat everyone else's file. It's just too inefficient for them to do that. But that just means that you'll have to shop around for someone who is willing to inefficiently and expensively change their system for you. You will have to look long and hard to find that person, and you'll probably have to pay more, but if that means a more streamlined, cheaper system for the rest of us, that's the price you'll have to pay for your paranoia. Sorry.
Jeff [9:08 AM]
Blogger: HIPAA Blog - Edit your Template