Privacy panel: HIPAA, other laws don't put patients first

By Diana Manos
11:12 AM

A panel of experts gathered at the 2nd International Summit on the Future of Health Privacy in Washington, DC on Wednesday all seemed to agree that the stakes are high when it comes to electronic medical records and privacy.

"Electronic technology is a game changer, legally, because the damage that can be done to someone is perpetual and the damages that can be awarded are incalculable," said James Pyles, co-founder and principal of the law firm of Powers, Pyles, Sutter, & Verville.


Much of the debate centered on the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its ability to provide protection.

Pyles said HIPAA only provides a bare minimum of privacy, not a template for best practices.

Members of the panel reminded the roughly 300 conference attendees that HIPAA was written to help physicians get reimbursement, not necessarily to protect patients' privacy.

"One would think, if you were approaching healthcare privacy policy, the very first thing, the very top priority would be to ask what do the patients want?" Pyles said. "Unfortunately, we have laws on the books that do not put the patient first."

Pyles said the main problem is that technology is moving faster than privacy laws can be written.

"I approach this in a simplistic way," Pyles said. "I look to see, do you have a right to privacy for your health information? So far, the courts say you do. The tort laws say you do. Standards of professional ethics of nearly every segment of the medical profession say you do. The HIPAA privacy rule does not say that at all."

HIPAA doesn't address the right to privacy, and it doesn't define the word privacy, he said, both of which need to be addressed today.

Marcy Wilder, currently a partner at the law firm Hogan Lovells, was the lead lawyer for the Department of Health and Human Services on the development of the HIPAA rules.

She said HIPAA's starting premise was to let information flow relatively freely so that patients could be treated and physicians could get paid, while putting fairly strong restrictions on that data once it starts flowing outside the healthcare system.

"It's true HIPAA is the floor," Wilder said. "There is a regime of laws working toward protecting privacy. Health data is some of the most regulated data in the world."

The goal should be to find a balance between providing patients with privacy rights and helping to build quality healthcare, Wilder said.


Frank Pasquale, a professor of healthcare regulation and enforcement at Seton Hall University, said new regulations with granular controls that let patients pick and choose how to share their information would go a long way toward helping patients feel safe. If they don't feel safe, they won't willingly share their data.

Even deidentified data poses concerns for many people, Pyles said. "Some people believe you can reidentify anything. Others think we should be more permissible with it," he said. The litmus test should be this: if a policy makes people more reticent to share even their deidentified data, then there is not enough protection there.

Privacy rights encourage disclosure, he added.

Editor's note: This story was updated on June 14 to reflect a correction in attribution. Some quotes were originally incorrectly attributed to Joy Pritts, chief privacy officer for the Office of the National Coordinator for Health Information Technology (ONC). They are now correctly attributed to Jim Pyles.