Bush team fumbles on health privacy rule
In December, the Health and Human Services Department under President Clinton issued a final privacy rule on use of health records. The rule, authorized by the Health Insurance Portability and Accountability Act, had a long and tortured history and, I confidently predict, will have a long and tortured future as well.
Somewhat unexpectedly, the Bush administration decided to take a fresh round of comments on the rule. It seems that the Clinton folks screwed up notifying Congress, and the 60-day period for congressional review had to be extended.
The new HHS secretary, Tommy G. Thompson, opened the rule for more comment during the extended period. What happens next? It is hard to predict. I was going to write about how the rule will affect federal agencies, and affect them it will, but now I have to wait until a new final rule.
The decision to reopen the rule for comment is a bit bizarre politically. Instead of being able to blame Clinton for the rule, the Bush folks, by intervening before the rule became final, have accepted complete responsibility. Whatever happens from this point forward will be all their fault.
It would have made more political sense to let the rule become final and to fix it later. The real effective date is two years away, so there would have been plenty of time.
The Clinton rule is a mixed bag from any perspective. It offers patients a few limited rights, but some are illusory. It protects the ability of every user of health records to continue to have access to records without patient consent. Law enforcement agencies, for example, need only wave a badge to be able to see anyone's health records.
Admittedly, it is hard to balance privacy against all the uses of health records that we allow. Citizens want someone else to pay their bills. Everyone wants access to high-quality, low-cost care. These goals conflict with privacy, and the trade-offs can be sharp.
The single worst part of the rule is the marketing language. No one wants a telemarketing call from someone who knows whether one has been treated for cancer, syphilis, hemorrhoids or anything else. HHS went out of its way to allow use of health records for marketing. Patients can't even opt out of marketing lists until after they have been marketed to. Marketers can actually have broader access to records than a patient's next of kin. The marketing provision is just awful.
I see three scenarios for the new HHS review. First, Thompson could let the rule go into effect as written. That wouldn't satisfy the health industry. Second, Thompson could suck the little remaining substance out of the rule. Most of the health industry would love that, but Thompson would become the anti-privacy poster child. Any health privacy scandal stories would identify him as the guy who killed health privacy rules.
Third, Thompson could fix a few real technical problems identified by industry, and the marketing rule too. Some balanced changes would make everyone a little happier, and Thompson would come out looking practical, thoughtful and useful.
When we see the results, we will find out what kind of a politician and policy-maker Tommy Thompson really is. I'd say that I am optimistic, but I wouldn't want to lie to you.
Robert Gellman is a Washington privacy and information policy consultant. E-mail him at firstname.lastname@example.org.