Chapter 3.B.1 The Duty to Maintain Confidentiality
Notes: Common Law and Statutory Duties to Maintain Confidentiality
6.1. Health Reform, Electronic Health Records, and Privacy.
On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act (ARRA) of 2009 into law. A portion of the ARRA, known as the Health Information Technology for Economic and Clinical Health (HITECH) Act, contains significant incentives for hospital and physician adoption of electronic health records (EHR). American Recovery and Reinvestment Act of 2009, Pub.L. No. 111-5, Feb. 17, 2009, 123 Stat. 115; Health Information Technology for Economic and Clinical Health Act (HITECH Act), Pub. L. 111-5, Div. A, Title XIII, Div. B, Title IV, Feb. 17, 2009, 123 Stat. 226, 467.
The new legislation combines the “carrot” of financial incentives of $19 billion to physicians and hospitals over five years with the “stick” of reduced Medicare payments (beginning at 1%) to physicians not using electronic health records starting in 2015, absent special
American Medical Association Current Topics in Advocacy, Explanation of Health IT Provisions, no date, at 1, available at http://www.ama-assn.org/ama1/
The Obama administration has promoted a standardized electronic health record (EHR) as a pillar of health care reform. Why has a switch to EHR become synonymous with health care reform? Proponents of EHR argue that digital records reduce costs and improve health care quality. See generally, Center for IT Health, Potential Benefits of an EHR, http://www.centerforhit.org/online/chit/home/cme-learn/tutorials/ehrcourses/ehr101/benefits.html (last visited Oct. 17, 2010). An EHR-based system could either reduce or increase health care fraud. See Donald W. Simborg, Healthcare Fraud: Whose Problem is it Anyway?, 15 J. Am. Med. Inform. Assoc. 278-280 (2008) (although “the potential for fraud increases in an electronic environment,” EHR can be designed “to promote fraud management and minimize opportunities for fraud and abuse.”).
A national, integrated EHR system will result in a huge stockpile of extremely personal data that may be accessed from many points; the very risks the HIPAA Privacy Rule sought to address may be exacerbated. See Rachael King, Putting Patient Privacy in Peril?, Business Week, April 6, 2009. Security therefore will continue to be a major concern. Hackers and identity thieves will do their best to access salacious or valuable personal information contained in electronic medical records. For example, the Washington Post reported that hackers broke into a Virginia state web site designed to track prescription drug use. The hackers deleted the records of over 8 million patients and demanded $10 million for the return of the information. See Brian Krebs, Hackers Break into Virginia Health Professions Database, Demand Ransom, Wash. Post, May 4, 2009, available at http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html.
HIPAA’s Privacy Rule and Security Rule are designed to protect patients’ personal health information and to prevent inappropriate use. Yet critics argue that enforcement of HIPAA’s privacy and security provisions has been relatively weak. No fines had been issued in the first three years of HIPAA implementation despite nearly 20,000 grievances. Rob Stein, Medical Privacy Law Nets No Fines, Wash. Post, June 5, 2006, at A1, available at http://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672.html.
The HITECH Act includes enhanced enforcement mechanisms for privacy and security breaches relating to electronic personal health information. The new provisions may enhance enforcement and thereby protect patient privacy. See American Recovery and Reinvestment Act of 2009, Pub.L. No. 111-5, §§ 13402 – 13411, codified at 42 USCA §§ 17931-17940.
Aside from privacy and security concerns, there are many practical difficulties associated with a national switch to a completely EHR-based system. Health privacy has become an issue in the debate over health care reform. Policymakers, scholars, and professionals disagree about how the U.S. government should go about implementing its new pro-IT policies. See Steve Lohr, Doctors Raise Doubts on Digital Health Data, N.Y. Times, March 25, 2009; A.K. Jha et al., Use of Electronic Health Records in U.S. Hospitals, 360 New Eng. J. Med. 1628-1638 (2009). See also, Steve Lohr, A Push for the Wired Patient’s Bill of Rights, N.Y. Times, June 22, 2009, available at www.newyorktimes.com (describing movement “to firmly inject the rights of patients into the Obama administration’s multibillion-dollar drive to computerize medical records.”).
6.1(2). Consequences of ARRA.
The Secretary of HHS submitted proposed final rules under the ARRA to the White House Office of Management and Budget. The rules included provisions governing when patients must be told by doctors, hospitals or insurers about improper use or disclosure of their medical information. HHS proposed requiring disclosure only when the violation posed “a significant risk of financial, reputational or other harm to the individual.” The proposed standard was criticized as insufficiently protective by many groups. Following the urging of the White House, Secretary Sebelius withdrew the rules to allow for further consideration. See Robert Pear, Tighter Medical Privacy Rules Sought, N.Y. Times, August 22, 2010, available at http://www.nytimes.com/2010/08/23/health/policy/23privacy.html.
6.2. Genetic Privacy.
The Genetic Information Nondiscrimination Act of 2008 (GINA), Pub. L. 110-233, May 21, 2008, 122 Stat. 881, was enacted to protect individuals from discrimination in employment and health insurance based on their genetic information.
Section 2 of GINA recites the justifications for federal legislative protection from genetic discrimination, including the history of state eugenics laws and examples of public and private discrimination and the inadequacy of existing federal and state legislation. The Act notes that
Congress has collected substantial evidence that the American public and the medical community find the existing patchwork of State and Federal laws to be confusing and inadequate to protect them from discrimination. Therefore Federal legislation establishing a national and uniform basic standard is necessary to fully protect the public from discrimination and allay their concerns about the potential for discrimination, thereby allowing individuals to take advantage of genetic testing, technologies, research, and new therapies. Id. at § 2(5).
GINA generally prohibits the use of genetic information to discriminate in health benefit plans, group health insurance, individual plans, and Medicare supplemental insurance. Id. at §§ 101-104. Entities are also prohibited from requiring genetic tests or collecting genetic information. Discrimination is defined and limited to determinations made based on genetic factors; entities are still permitted to make coverage and cost decisions based on the manifestation of disease or illness. Id. GINA amends HIPAA to ensure that genetic information is included within HIPAA’s protection of health information. Id. at § 105. Employers are also prohibited from discriminating against employees or potential employees based on a broad definition of genetic information that includes both the individual and his/her family members. Id. at §§ 201-213.
For more information about GINA see Health Law - Genetics - Congress Restricts Use of Genetic Information by Insurers and Employers - Genetic Information Nondiscrimination Act of 2008, Pub. L. No. 110-233, 122 Stat. 881 (to be codified in scattered sections of 26, 29, and 42 U.S.C.), 122 Harv. L. Rev. 1038 (2009); the National Human Genome Research Institute (NHGRI), http://www.genome.gov; and P.W. Payne et al., Health Insurance and the Genetic Information Nondiscrimination Act of 2008: Implications for Public Health Policy and Practice, 124(2) Public Health Rep. 328-31 (2009).