American Journal of Law & Medicine

Medical records and your privacy: developing federal legislation to protect patient privacy rights.

[F]ederal law does more today to guarantee the privacy of our choices of video rentals than it does our personal medical histories.(1)

--Donna Shalala, Secretary of Health and Human Services


In 1997, Judi Selig, a secretary for a South Carolina machinery firm, probably did not anticipate her employer's extreme reaction to her medical history.(2) When her employer discovered that Ms. Selig had been exposed to hepatitis several years before, it demanded that she undergo a blood test and sign a medical release form so that the doctors in the employer's health plan could access her records.(3) When Ms. Selig consented to the test but refused to sign the release form, her employer punished her by suspending her for a week without pay.(4) Ms. Selig quit the company mainly because it threatened her privacy.(5)

When Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA),(6) it created a self-imposed deadline of August 21, 1999, by which it had to pass comprehensive federal privacy legislation.(7) Since Congress failed to meet the deadline, the Secretary of Health and Human Services (HHS) was required by HIPAA to promulgate regulations establishing federal privacy standards by February 21, 2000.(8) Although HHS was hoping Congress would pass legislation when it reconvened in September 1999,(9) President Clinton announced new privacy regulations in the absence of federal legislation on October 29, 1999.(10) The regulations constitute the first national medical privacy standards.(11) However, because the regulations apply only to electronic medical records, Congress still needs to pass legislation to protect medical records that are kept on paper.(12)

Congress has long recognized the need for more comprehensive federal legislation, and in early 2000, Congress renewed its commitment to passing such legislation.(13) Senator Tom Daschle (D-SD), the Senate's highest ranking Democrat, announced the formation of a Senate Democratic Privacy Task Force in February 2000.(14) Senator Patrick Leahy (D-VT) will head the Democratic task force.(15) Also in February 2000, Senator Richard Shelby (R-AL) announced the creation of a bipartisan Congressional Privacy Caucus.(16) On February 17, 2000, an HHS official testified before a House health subcommittee, stressing the importance of protecting patient privacy.(17) Congress is considering whether to draft federal legislation or to endorse the HHS's regulations.(18)

This Note argues that while the HHS regulations create privacy guidelines for electronic medical records, the regulations are merely the first step in ensuring that citizens receive the confidentiality they deserve. Part II of this Note examines the controversy surrounding patient privacy legislation, the HHS rules and their effect on the patient-doctor relationship. Part III discusses the strengths and weaknesses of pending Congressional bills, and the recommendations of the American Medical Association (AMA). Part IV of this Note examines the most controversial provisions featured in the proposed bills, namely federal preemption and the individual's private right of action. Part V concludes that the public needs Congressional legislation that protects their paper medical records in addition to their electronic medical records, as well as additional federal privacy protection. Patient medical record privacy is necessary to ensure that patients will receive the quality care they need and deserve.



Technology has become a mixed blessing for the health care industry and patients.(19) Technology enables health care entities to distribute patient records more quickly to more parties, so patients enjoy greatly improved quality of care.(20) For example, pharmaceutical companies rely on patient data to conduct new drug research, and insurance companies rely on patient data to provide cost-efficient services.(21) Patients reap benefits from such use.

However, patients need privacy safeguards to protect sensitive information.(22) For example, a patient's medical records, which previously were controlled by his or her personal physician, now may be handled by more than a dozen different organizations.(23) Congress has recognized the need to pass legislation that provides additional privacy safeguards.(24)

Many patients fear that organizations that gain access to their private medical records will misuse their medical data. For example, many patients are concerned that prospective employers will access their medical records and discriminate against them while they are searching for employment.(25) A recent survey indicated that "more than a third of all Fortune 500 companies check medical records before they hire or promote [employees]."(26) One such employer, who investigated the prescription drugs taken by its employees, discovered that one employee was HIV-positive.(27) Before HHS issued the confidentiality rules, a patient's entire medical record could be released to an employer even if the employer requested only a portion of the information.(28)

Patients are also concerned that their consumer status will be adversely affected if their medical information is readily accessible.(29) For example, banks may deny an applicant's loan application based on his or her medical information.(30) Furthermore, credit card companies frequently assess patients' treatment information.(31) Patients also fear that insurance companies will use genetic information contained in patient medical records and deny them health insurance.(32) Patients with conditions that require high cost treatment may face discrimination.(33) Some patients taking prescription drugs have been disturbed at home by unsolicited letters from marketing companies trying to press their products.(34) Patients' fears have increased as electronic data becomes more accessible.(35)


Many patients and doctors believe that the lack of medical record confidentiality negatively impacts the patient-doctor relationship.(36) AMA member Joseph Heyman, M.D., notes, "[t]here is nothing as important for the physician-patient relationship [as the privacy of medical records], because if you haven't got the privacy, you haven't got the relationship."(37) If patients do not feel comfortable sharing sensitive information with their physicians, the essential trust between patients and physicians is lost.(38)

Some doctors fear that patients are discouraged from seeking treatment for certain illnesses because they fear their medical condition will be disclosed to unwanted parties.(39) For example, people with sexually transmitted diseases are deterred from undergoing testing because of privacy concerns.(40) Patients also fear the misuse of information about treatment for sensitive issues such as substance abuse, alcoholism, genetic disorders or mental health.(41) Furthermore, if patients are not adequately protected by privacy safeguards, doctors may stop reporting certain medical data to public health officials for fear of sensitive patient data falling into the wrong hands.(42) This would jeopardize health officials' chances of accurately identifying public epidemics.(43)


While HHS regulations are a "necessary first step" in protecting the privacy of patient medical records, both sides of the debate criticize the rules.(44) Generally, doctors,(45) patients and consumer advocates(46) support the rules, while insurance companies, hospitals and law enforcement officials criticize them.(47) Psychiatrists are ambivalent about the rules, particularly because they fear the rules will negatively impact mental health patients.(48)

1. Core HHS Regulations

Patients and physicians who desire stronger privacy rules support several core HHS regulations. Although covered entities(49) such as health care providers need not gain patient consent before releasing records needed to treat patients or pay claims, they are required to secure the patient's consent in other instances. For example, the covered entity must gain the patient's consent if the health records will be used "for marketing of health and non-health items and services ... disclosure by sale, rental, or barter; [or] use and disclosure to non-health related divisions of the covered entity."(50) The federal rules give patients the "right to request a ... health care provider to amend or correct protected health information about him or her ... for as long as the [health care provider] maintains the information."(51) In addition, the federal rules will "establish minimum protections for patients' privacy"(52) and will not override state laws when the state law "is more stringent" than the requirements in the federal rules.(53)

The federal rules require covered entities to make "all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure."(54) The rules permit physicians, hospitals, and health plans to charge patients a "reasonable, cost-based fee for copying health information."(55) Violators must pay a maximum civil penalty of $25,000, and violators who commit criminal "willful violations" must pay a penalty of $50,000 and serve up to a year in jail.(56) Violators face a $250,000 penalty and up to ten years in jail if they attempt to sell or use data for "commercial advantage, personal gain, or malicious harm."(57)

The federal rules address the need for privacy concerning mental health records.(58) For example, if psychotherapy notes will be used "by a person other than the creator," or disclosed to such a person, the patient must authorize the use of his or her patient records.(59) Psychotherapy notes are defined as "notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or group, joint or family counseling session."(60) A psychotherapist does not need a patient's consent to disclose "medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date."(61)

However, HIPAA placed many significant restrictions on the scope of the federal rules.(62) First, HIPAA only allowed HHS to regulate electronic records, although the majority of patient records are in paper form.(63) Second, while the rules apply to health insurers and health care providers, pharmaceutical companies and various outside businesses that aid in processing medical claims are not covered under the federal rules.(64)

2. Criticisms of HHS Regulations

Law enforcement officials(65) are very critical of the rules.(66) Under the new HHS regulations, officials wishing to access medical records need a search warrant, subpoena(67) or permission from a judge or an administrative hearing office.(68) These requirements indicate a reversal of the Clinton administration's previous position.(69) Law enforcement officials argue they need to gain instant access to medical records in emergencies when assessing a criminal's mental state is critical to determining how to proceed.(70) For example, law enforcement officials might require mental health information on a criminal when they need to assess a situation involving hostages or threats of harm.(71) Knowing the mental history of a person holding hostages may help law enforcement officials respond to the situation.(72)

Psychiatrists have expressed ambivalence about the rule changes, noting that the rules may inadvertently weaken a patient's control over his or her medical records.(73) For example, Dr. Paul S. Applebaum, vice president of the APA, noted, "[t]he [Clinton] administration's proposal would protect notes taken by a therapist in the course of psychotherapy, and that's good. But it would take away some of the power that patients have traditionally had to decide when and if their records are released to third parties. …
