I was visiting my personal physician a few days ago. While sitting in his waiting room, I learned quite a bit of information about several of the doctor’s patients by merely overhearing some telephone conversations in the front office.
One employee phoned in an antidepressant prescription for Mary Jones. Another was discussing with John Smith the specifics of his psoriasis treatment. Then, I overheard the doctor himself asking for Sally Brown, and then giving her the results of her pap smear. (She’s going to need to be referred for some cryosurgery, and she now knows that the problem is possibly a result of an earlier sexually transmitted disease.) And now I, someone who may or may not know these patients myself, am privy to their ailments.
As a physician-turned-lawyer whose practice includes advising healthcare clients on patient privacy issues, I felt obligated to give my doctor, who happens to also be a friend, a bit of free legal advice. He admitted that he and his office staff should be more careful about divulging patient confidences.
I explained to my friend that, in our computer- and Internet-driven world, the public is becoming ever more concerned about the privacy of personal information. The governor of California just signed into law a bill that will require all businesses and state agencies to inform state residents about any unauthorized access to the resident’s computerized personal information. Those businesses include hospitals, medical groups, physician practices, and the like. Most states have also enacted statutes that specifically limit disclosures of individually identifiable patient information.
And of course, there is HIPAA, the Health Insurance Portability and Accountability Act, a federal statute that significantly impacts the way patient information may be handled and disclosed. Physicians will have to comply with HIPAA’s requirements by next spring.
My friend acknowledged that he had a basic awareness of some of these laws. He expressed anger and disappointment that such breaches could now actually get him into legal trouble, or possibly even criminal legal trouble. He wistfully reminisced about the “old days” when such indiscretions were merely ethical violations that might have resulted in a slap on the wrist from the county medical society, or at worst, from the state medical board.
Enforced Ethics
Ethics is the set of rules or standards governing the conduct of the members of a profession. At first glance, it appears that one of the most fundamental ethical principles in medicine — maintaining the privacy of the doctor-patient relationship, and protecting the information obtained as a result of that relationship — is becoming the law. For many years, the physicians and the members of all other professions enforced their ethics through licensing boards, peer review bodies, and professional societies. The legislators stayed out of the way. Is it an insult to the medical profession that the legislators are now interfering in medical ethics? Has the public, through its legislators, decided that physicians are unable to police themselves?
To conclude that the legislators are attempting to regulate medical ethics through consumer and patient privacy legislation would be a narrow view of the purpose of these laws. With healthcare comprising an ever-increasing percentage of our nation’s gross national product, the public is justified in being concerned about more than whether individual physicians are violating patient confidences by inappropriately discussing Mrs. Jones’ hysterectomy at a cocktail party.
These laws target healthcare as a multibillion-dollar industry, and, whether we like it or not, physicians are now simply a small part of that industry. Though physicians are still appropriately the key players in medical staff governance, the business of healthcare is now shared with many non-physician business executives. The day-to-day business of healthcare necessarily requires that all sorts of people — from receptionists to phlebotomists to chief financial officers — have access to and control over patient medical information.
Further, our private healthcare data is now transmitted over the information superhighway to insurers, managed care organizations, independent practice organizations, medical record keeping services, and scores of other entities. The public’s concerns over patient privacy today arise not so much because of the lack of professionalism of an individual physician (or his or her overworked office staff), but rather because of the huge extent to which the information has become accessible to countless numbers of people and because of the potential vulnerabilities of the information databases.
Restoring Trust
To better ensure that our private health information remains private, state and federal legislation is no doubt necessary. It only follows that physicians, as one small part of the healthcare system, must be included among those mandated to ensure patient privacy. Indeed, that legislation, though perhaps burdensome from an administrative perspective, ultimately allows physicians, medical groups, and the like to ensure that their patients can again trust this important profession with some of the most private information there is: information concerning our health.
R. Gregory Cochran, MD, JD, is an associate in Foley & Lardner’s San Francisco office.
Reprinted with permission from the Group Practice Journal. Copyright ©2002, American Medical Group Association, November/December 2002.
Additional Resources
Important Dates for HIPAA Implementation

| Date | Event |
| --- | --- |
| Aug. 21, 1996 | The Health Information Portability and Accountability Act becomes law. |
| Dec. 28, 2000 | Final rule “Standards for Privacy of Individually Identifiable Health Information” (Privacy Rule) is published in the Federal Register. |
| April 14, 2001 | Effective date for the Privacy Rule. |
| Dec. 27, 2001 | The Administrative Simplification Compliance Act becomes law, providing a means by which the administrative simplification provisions of HIPAA may be extended by one year. |
| March 27, 2002 | Health and Human Services proposes changes to the Privacy Rule: https://www.hhs.gov/ocr/hipaa/propmods.txt. |
| March 29, 2002 | CMS issues a model compliance plan for filing a one-year extension to comply with the rule governing electronic healthcare transactions: https://www.cms.hhs.gov/hipaa/hipaa2/ASCAForm.asp. |
| July 6, 2002 | The HHS Office for Civil Rights publishes “Guidance for the Privacy Rule”: https://www.hhs.gov/ocr/hipaa. |
| Aug. 14, 2002 | Final Rule “Standards for Privacy of Individually Identifiable Health Information” (Privacy Rule) is published in the Federal Register. |
| Oct. 15, 2002 | Date by which a compliance plan for an Electronic Health Transactions and Code Sets one-year extension needed to be postmarked or filed electronically. |
| Oct. 16, 2002 | Original compliance date for Electronic Health Transactions and Code Sets. |
| Feb. 20, 2003 | Final Rule for Electronic Health Transactions and Code Sets is published in the Federal Register. |
| April 14, 2003 | Compliance date for the Privacy Rule. |
| Oct. 16, 2003 | Compliance date for Electronic Health Transactions and Code Sets for those with a compliance plan filed by Oct. 15, 2002. |