Medical Records Privacy Issues

Seeking medical record privacy? Try renting a movie instead

In debates over health privacy proposals, it was often said that video rental records had better privacy protection than medical records.

Unfortunately, now that the final privacy rules have been issued under HIPAA, the Health Insurance Portability and Accountability Act, it is still true that video rental records have better protections from marketing uses and disclosures than medical records.

The act, approved by President Clinton and Congress in 1996, gives the Department of Health and Human Services (HHS) the authority to craft health privacy regulations.

The new HIPAA health privacy rules,  authorize health providers and health plans to use and disclose patient records, including results of genetic testing, for many marketing purposes without patient consent or authorization.

So, how will this affect the public? Marketing permitted under the rule would far exceed current practices. In fact, the Clinton-Shalala marketing rule is the most anti-privacy proposal that I have seen in more than 20 years of work on health privacy policy and is likely to result in more junk mail and telemarketing calls to individuals from marketers who have obtained detailed information about the medical history of the individual.


“However, the final rule permits an alternative arrangement: the covered entity can engage in health-related marketing on behalf of a third party, presumably for a fee.

Moreover, the covered entity could retain another party, through a business associate relationship, to conduct the actual health-related marketing, such as mailings or telemarketing, under the covered entity’s name.”

This language says expressly that marketing is permissible for a fee, that marketing is permissible on behalf of third parties, and that telemarketing is permissible.

For example, the rule would permit telemarketers and even door-to-door sales people to obtain diagnostic or treatment information from a physician, health plan, pharmacy, laboratory, pharmacy benefit manager or other health care institution and use that information to sell products and services. They may contact individuals and say, “Hi. We understand from your doctor that you have hemorrhoids, and we have a product that will make your life easier.”

Without the marketing language, the health privacy rules would be a mixed bag, with some things to like and others to dislike.

Janlori Goldman of the Health Privacy Project called the rules a “great victory for consumers.” I disagree strongly, as the marketing provision is so anti-consumer and anti-privacy that it outweighs any other positive features of the rest of the rules.

(Interestingly, the marketing rule was not in the draft rule published for comment.)

Here are some highlights of the rules:

  • The rule expressly authorizes disclosures for marketing without patient consent.
    For example, information about a woman’s pregnancy can be used by health providers or plans for marketing and disclosed to others for marketing. A woman can only object after the fact.
  • All medical information held by providers and payers can be used by them for marketing without affirmative patient consent or with no opportunity to opt-out in advance.
  • All protected health information can be disclosed for marketing.
    The rule does not protect information about diagnoses, prescriptions, pregnancy, sexually transmitted diseases, mental health treatments, or confidential communications.
  • Patients have the right to opt-out of marketing only after receiving a marketing communication.
    If a family of four has a dozen doctors, clinics, health plans, hospitals, laboratories, pharmacies or pharmacy benefit managers, the family may have to write 48 separate letters to opt-out of each organization’s marketing activities.

    Does not allow video operators to disclose the names of movies that an individual rented without affirmative consent. Allows use and disclosure of any protected health information for many marketing purposes without the affirmative consent of the individual.
    Allows video operators to disclose the categories of movies rented (not actual titles) only if an individual was given an opportunity in advance to opt-out. Allows disclosure of any protected health information for many marketing purposes without mandating an advance opt-out.
  • Patients do not have to be offered toll-free numbers to opt-out, the ability to opt-out online, or postpaid opt-out letters. A covered entity could require an individual to send a separate “snail mail” letter to each marketing organization in order to opt out.

Nothing in the rule says that a covered entity cannot charge patients who want to opt-out.

HHS has defended the marketing rule by saying that it allows physicians to make recommendations to patients. However, the definition of marketing expressly excludes these recommendations. A rule allowing broad uses and disclosures for marketing is certainly not necessary to permit physicians to make treatment recommendations.

Robert Gellman is a Washington, DC-based Privacy and Information Policy Consultant.

Editor’s Note:

Privacy and confidentiality are essential components of the provider/patient relationship and can be part of policies to enhance the benefits of genetic information while limiting adverse discrimination. Robert Gellman, a nationally recognized expert on privacy policy, comments here on the new medical privacy policies enacted as part of the Health Insurance Portability and Accountability Act (HIPAA; Kennedy/Kassebaum Bill).

About the Author

has written 7 stories on this site.

Write a Comment

Gravatars are small images that can show your personality. You can get your gravatar for free today!

Copyright © 2017 Gene Letter.