"One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever."
The problem began in August of 2002 when the Bush Administration eliminated the individual's right of consent under the HIPAA Privacy Rule issued by the Clinton Administration for the use and disclosure of health information for treatment, payment, and health care operations. When it was pointed out that this reversal of policy put the HIPAA Privacy Rule at odds with Constitutional law, prevailing tort law, the law of physician-patient and psychotherapist-patient privilege and established standards for the ethical practice of medicine and psychiatry, HHS responded that the HIPAA Privacy Rule was only intended to be a "floor" of privacy protections and was not even intended to be a "best practices" standard. So practitioners could add additional privacy protections. Of course, this ignored the fact that adding additional privacy protections to the HIPAA "floor" would expose the provider to civil monetary and perhaps criminal penalties under HIPAA. So the HIPAA "floor" of privacy protections has also become the "ceiling" leaving the patients little room to exercise their privacy rights. This departure from privacy standards set forth in law and ethics has also resulted in a loss of trust by the public that the laws will protect their right to privacy and confusion by the regulated health industry that now does not know what is expected of them.
It is time to bring health information privacy laws back into alignment with constitutional law, professional ethics and the public's expectation. We can have a health care delivery system without health IT, but we cannot have a health care delivery system without patients. We should build an electronic health information system that conforms to the patient's time-honored right to privacy rather than erode the right to privacy until it fits within the current capabilities of electronic health information systems. All health information begins under the patient's private control--in his or her head or body. And there the information will remain, unless patients believe it is safe to disclose. The White House issued the Consumer Privacy Bill of Rights to preserve the trust that is essential for individuals to engage in commerce. Trust is even more important for access to quality health care. It is time for a Health Information Privacy Bill of Rights to preserve the public's trust in the health care delivery system and to allow for the acceptance of an electronic health information system that serves rather than conflicts with the patient's interests. Health information privacy is not only at the heart of our democracy--it is at the heart of quality health care.