Collateral Privacy Effects of the ACA:
Privacy, by its nature, involves the "lack of" something -- access by or disclosure to others. As is the case with a lot of negative concepts, it's not always easy to spot all of the possible situations where privacy may be affected. The unintended consequence of a lot of well-intentioned acts is the loss of privacy.
One good example of this effect (in a backward sort of way) is the "hide" rule in the HITECH Act. Under the "hide" rule, if a patient pays in full "out of pocket" for a medical service and requests that the provider not disclose information about the service to the patient's insurer, the provider must abide by that wish. In other words, the patient can "hide" the service from his or her insurer. The problem comes when the service provided leads to the need for other services, which the patient wants to have the insurer pay for. For example, the patient pays for the procedure and it goes fine, but the patient develops a complication that requires an expensive follow-up procedure, or an infection that requires expensive antibiotics. The insurer isn't going to pay for the follow-up procedure or antibiotics unless it's medically necessary, and the insurer can't determine if it's medically necessary if it doesn't know that the initial procedure was done. In that case, the attempt to grant a negative privacy right in a particular area has the unintended consequence of interrupting the healthcare system in a different area.
ACA (the Affordable Care Act, or Obamacare) also has a good example of a grant of rights in one area adversely affecting privacy elsewhere. The ACA effectively re-defines "child" to mean anyone under the age of 26, at least for purposes of a parent keeping his/her children on his/her health insurance. Children (under 18) are usually covered as dependents on a parent's insurance, which usually makes sense. But children (under 18) don't have much privacy, at least as far as their parents are concerned. In fact, depending on state law, HIPAA will usually treat the parent as the "personal representative" of his/her child, which allows the parent to obtain access to the child's entire medical record. Even if the child has some privacy rights (over the age of 14 or 16, for example, some states give children some specific privacy rights), if the care is paid for by insurance, the parent will usually see an "EOB" from the insurance company, explaining what was paid for.
When the age of "childhood" is extended beyond 18 for purposes of insurance coverage, it has an impact on the privacy rights of those in that cohort. The Washington Post has an example of that problem. As illustrated, it's not a new problem: before ACA, many "children" over the age of 18 stayed on their parents' insurance if they were in college, for example. While those children had full privacy rights against their parents and their parents could not simply ask for the medical records of their adult children, if the kids received healthcare under the parents' insurance, it was likely that the parents would find out about it when the insurer sent the EOB or asked the parents to pay their deductible.
The ACA expands the issue, though, because it expands the pool of "children" covered on their parents' insurance. "Kids" in college mostly expect that their parents will be involved in their lives, and don't expect perfect privacy, while "kids" who are 25 years old, living and working on their own (but taking advantage of the ACA to stay on their parents' insurance) probably expect a little more privacy from their parents.
Then again, in this economy, are there really that many 25-year-olds living and working on their own?