@Info. Policy: Bush team stumbles on health privacy

Robert Gellman

In March, the Bush administration proposed some modifications to the health privacy rule that Bill Clinton promulgated on his way out the door. The rule was issued under the Health Insurance Portability and Accountability Act, fondly referred to as HIPAA.

The press generally trashed the Bush changes as antiprivacy. They weren't so terrible, and the real story is how the Bush people mishandled the release of the proposal.

The subject is complex, so I want to concentrate on two issues. First, the Clinton rule had an awful provision that allowed patient records to be used and disclosed for marketing without patient consent.

Health records could end up in the possession of junk mailers and telemarketers, and you could stop the marketing only after someone tried to sell you something. The policy was the most antiprivacy proposal I have ever seen.

A second provision of the Clinton rule required patients to sign consent forms before their records could be used for treatment, payment or health care operations. If you didn't consent, you could be denied treatment or payment, so you didn't really have a choice after all.

Mandatory consent is not true consent, but the symbolic signature made some privacy groups happy.

Bush changed the marketing provision so that health records can't be used without prior consent.

Assuming the details are done right, that will be a major improvement, and one that Bush should get lots of credit for making.

Bush also changed the consent rule. In place of Clinton's oxymoronic mandatory consent, Bush would make consent optional. In exchange, he proposed strengthening the patient privacy notice process, although the strengthening is minor.

The change in consent sounds terrible, but at a practical level, there is absolutely no difference in what happens to health records with or without the signed consent. The reality of our ornately complex health care system is that patients have virtually no say in how their records are used and disclosed. That is true under the Clinton rule and under the Bush revisions. Real consent would require big changes at health care institutions.

So how did the Bush folks present these changes? Like rank amateurs.

They led with the symbolic and largely meaningless consent change and buried the substantive, pro-patient, pro-privacy marketing change.

Privacy advocates, politicians and the news media fell all over themselves to scream about the consent provision.

The whole thing looked even worse when the big, bad health care industry gave a round of applause for the consent change.

I have rarely seen public relations so badly mishandled. It makes me wonder if anyone at the White House or the Health and Human Services Department understood the privacy issue at all.

The HIPAA privacy rule won't take effect for another year, and the proposed rule changes may not be final until the fall. We have plenty of time for more privacy follies.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at rgellman@cais.com.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above