Since 2005, some 60 million Americans have had their private health information compromised or disclosed electronically - a fact that has privacy experts, political players and consumers alike demanding reform.
In an epoch of health IT, is the government doing enough to address and quell the privacy worries of the American people? Depending on whom you ask, this notion of reform varies significantly.
James Pyles, an attorney specializing in patient privacy rights and healthcare law, for example, opines that bringing back patient consent should be the federal government's highest priority, but, currently, that doesn't appear to be on the Administration's agenda.
Under current HIPAA statutes, some 600,000 covered entities and business associates, for specific circumstances, have the legal right to a patient's personal health information without the patient's consent. This, Pyles says, betrays the American people's fundamental right to privacy.
"There really hasn't been an adequate effort by the government to protect that right to privacy that's essential for the trust needed for quality healthcare," says Pyles.
In 2002, George W. Bush eliminated the right of patient consent as drafted by the Clinton Administration, and still to this day under the Obama Administration, this right has yet to be restored.
"It's a misnomer of epic proportions," says Pyles. "Nowhere in the entire HIPAA Privacy Rule does it state the patient's actual right to privacy over their health information."
It's crucial, Pyles adds, that the U.S. designs health IT systems to accommodate traditional privacy laws and standards of professional ethics instead of revising privacy laws and standards of professional ethics to fit the current capabilities of health IT systems.
Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, takes a different stance, arguing that patient consent is secondary when compared to other provisions included in the final rule.
"Relying disproportionately on consent shifts the burden for protecting privacy to consumers, vs. placing the obligation on data holders to strictly limit access and disclosure of health data," McGraw said. "There is mounting evidence that consent does very little to protect privacy," she adds. "And ideally our policies should be based on the most effective approaches to keeping data private, confidential and secure."
McGraw says patients will not have additional consent rights in HIPAA final rules, firstly because they were not included in the proposed rule, and secondly because federal agencies - such as the Office for Civil Rights - have limited power to alter or introduce new requirements.
The most important thing, she says, is to finalize the rules, allowing federal regulators to begin enforcing them. McGraw says the proposed rule includes some "groundbreaking changes" to HIPAA, such as tightening the rules for when data can be used for marketing, in addition to giving patients a right to ask that their health data not be shared with their health plan if they want to pay for a service out of pocket.
"If they haven't issued final regulations on how they're going to interpret these statutes, then they're not going to run around holding providers accountable for them."
Deborah Peel, MD, founder of the nonprofit privacy advocacy group, Patient Privacy Rights, says the problem is not that the regulations go unenforced, but rather that the "grossly inadequate" forms of consent themselves need to be changed.
"The government's job is to protect citizens' rights, not to protect industry profits and illegal business models," Peel said.
Obama on patient privacy
In a February 2012 cover letter introducing the new Consumer Privacy Bill of Rights, President Obama writes, "One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever."
Despite Obama's strong assertions in support of privacy, the Bill of Rights does not actually extend to health information subject to the HIPAA Privacy Rule, Pyles says. "The privacy protections in the Bill of Rights would apply, according to the Commerce Department, to health information not covered by the HIPAA Privacy Rule."
Despite this, McGraw says the Administration has made significantly more progress in resolving privacy and security issues than was previously the case, such as enforcing HIPAA and establishing the SHARPS (Strategic Healthcare IT Advanced Research Projects of Security) grants, where groups are in the process of creating cryptology software that better protects a patients health information.
McGraw anticipates they'll reveal some "interesting and innovative approaches to protecting privacy and security." Seeing as how the programs are not ubiquitous, however, McGraw in unsure whether the government will be able to capitalize on the models they provide, saying it will depend on if the 2013 Administration remains focused on these issues.
Romney on patient privacy
Both Pyles and McGraw agree that very little is known about the stance of Republican presidential candidate Mitt Romney on the issue of privacy and patient consent. What's more, they say, is that health privacy doesn't typically follow party lines like other platform issues.
"This health privacy issue is an interesting issue because some liberal types - like Congressman Ed Markey - and some more conservative types - like Congressman Joe Barton - they reach around and clasp hands on this," says Pyles.
He suspects, that if Romney were to be elected (Healthcare IT News went to press before the election), consent rights wouldn't return to the patient because Romney is considered a big business Republican. "It is the big business Republicans that are not in favor of privacy because the big business Republicans are supported, of course, by the technology companies and the insurance companies," Pyles adds.
