Patient Privacy: How Far is Too Far?

N ew national Medical Privacy Guidelines were issued in April 2001. The guidelines are designed to safeguard private patient information in a computerized world where data are readily accessible to a number of individuals and organizations. Compliance standards that affect healthcare plans, doctor's offices, hospitals, and insurance companies must be met by April 2003. Significant expense is associated with this Act; experts suggest that compliance with these guidelines could cost the nation $4 to $40 billion. Failure to comply with these standards can result in fines, imprisonment, or both. The current cost and access debate pertaining to these new guidelines is reviewed. Also, the ethical principle of patient confidentiality is reviewed, along with its relationship to privacy relevant to wound care - especially computer-generated wound care tracking across practice settings.

History

The Medical Privacy Guidelines are outlined in the Health Insurance Portability and Accountability Act (HIPAA), a product of the Clinton administration that was approved by Congress in 1996. The Health Insurance Portability and Accountability Act, also known as the Kennedy-Kassebaum Act, contains a set of codes that guarantee "portable" health insurance coverage, as well as measures to reduce fraud by healthcare providers and consumers and a mandate to reduce costs through standardized electronic transmission of financial transactions. The guidelines are designed to ensure that medically related information cannot be disclosed without written consent from the patient. Because of the nature of this Act, the matter of confidentiality was attached to the larger issue of health insurance portability.¹

The Debate

Most Americans have medical secrets that they prefer stay secret. The question is, at what cost, economically and therapeutically? Some healthcare providers and insurance companies have complained to the Department of Health and Human Services that essential, routine activities could be jeopardized by strict interpretation of the rule, requiring patients to sign forms in advance that give permission to disclose information about their health, medications, and hospitalization. Although the department agrees that privacy protection must not interfere with the patient's access to or the quality of healthcare delivery, they argue that safeguards could improve the goals of confidentiality.
The Department of Health and Human Services is aware that huge data banks pose a realistic threat - that personal healthcare information can be accessed without either notice or consent for reasons that have nothing to do with the patient's medical treatment or healthcare reimbursement. For example, medical information about an individual may be passed onto a lender who may then deny the patient's application for a home mortgage or credit card or to an employer who may use health information to make employment decisions.

Ethical Considerations

With few exceptions, the right to personal privacy has long been an ethical right and legal mandate in the United States and many other countries. Ethical dilemmas emerge as clinicians attempt to balance the need to protect the patient's privacy with the obligation, for example, to share information across practice settings. Unquestionably, patients relinquish some degree of personal privacy when they share information about themselves and their personal histories. However, when this occurs without the patient's permission, it is considered an infringement on personal privacy or a threat to confidentiality.
An invasion of privacy is different from a breach of confidentiality. An infringement of a patient's right to confidentiality occurs only if the person to whom the patient disclosed the information in confidence fails to protect the information or deliberately discloses it to someone without patient consent. A person who enters a medical records department or computer data bank without authorization violates the rights of privacy rather than infringes on rights of confidentiality. Therefore, only the person to whom information is given in a confidential relationship can be charged with violating rights of confidentiality.² The Health Insurance Portability and Accountability Act primarily addresses issues of privacy.
By nature, ethics considers the various ways human beings understand and examine moral life - ie, the study of right and wrong action.³ Practical ethics refers to the use of ethical theory to examine moral problems, practices, and policies, including professional and public policy.² Clinicians, policy makers, and consumers must balance the ethical concepts of respect for personal autonomy and issues of access within the context of privacy and confidentiality, all while considering a scarcity of resources. Are mandates such as HIPAA economical? Can HIPAA be implemented without sacrificing scarce resources and access to healthcare information?

Options for Compliance

Although wound care tracking programs that cross practice settings enhance continuum of care, these programs may threaten patient privacy. Recognizing options for HIPAA compliance in the face of this emerging technology will become increasingly important.
Thoroughly understanding the regulations is the first step in compliance. Review and understand the appropriate procedure for disclosure of health information. Read the Act in its entirety. Organizations have opted to assign a key person to oversee compliance activities. Establish a comprehensive inventory of what is considered confidential information to help identify compliance opportunities. Vendors and subcontractors must be compliant and held accountable as well.¹

The Heart of the Matter

Some contend that by focusing on this issue, healthcare clinicians may have lost the point. In reality, patients may simply want respect - this debate may have more to do with dignity and respect than with the legalities of information exchange. Breaches of privacy and confidentiality might be more difficult if the clinician cares for the patient within an environment of dignity and respect. Yet dignity and respect are difficult to legislate. As clinicians face the tenuous and costly task of implementing the mandates of this Act, the best interest of our patients is to recognize the value of dignity and respect in patient care.

Conclusion

Few clinicians deny that the guidelines pose challenges for healthcare providers. The new privacy and confidentiality standards reflect consumer demand for respect for protection against unwarranted revelation of information. Clinicians, therefore, must be up to the challenge. - OWM See the HIPAA document in its original form at www.aspe.hhs.gov/admnsimp/Index.htm