Health Information Compliance Alert

Attention patients, health care providers and lawyers: Consent has left the building. Everyones talking about it, but surprisingly, major privacy rights players are split over whether the repeal is genuine or whether its full of sound and fury, signifying nothing more than increased bureaucracy.

The final Health Insurance Portability and Accountability Act privacy rule takes effect on April 14, 2003, and Department of Health and Human Services Secretary Tommy Thompson is excited about its health information privacy ramifications: "The rule protects the confidentiality of Americans medical records without creating new barriers to receiving quality health care. It strikes a common sense balance by providing consumers with personal privacy protections and access to high quality care."

The final rule replaces patients consent forms with privacy rights acknowledgement forms, however, and this change has some privacy groups questioning Thompsons sanguinity. According to Janlori Goldman, Director of Georgetown Universitys Health Privacy Project, the consent repeal "will undermine patient control over private medical information and further erode patient trust in the health care system."

Since the final HIPAA rule wont force health care providers to obtain the written consent of patients before using or disclosing protected health information, health privacy watchdogs like Goldman are up in arms with concern. Consent requirements, they argue, empower patients to decide whether to entrust others with their private health information.

"A patient consent requirement," Goldman maintains, "is the best way to ensure that patients actually know how their health care information will be used or disclosed and know what their privacy rights are."

HHS hasnt completely eroded health privacy paperwork: Health providers still have to ask patients to acknowledge receipt of a privacy notice. But Goldman doesnt believe this is a fair trade. "Notice alone does not provide a comparable opportunity for dialogue or understanding," she contends.

Many health information experts believe, however, that the repealed consent requirement was little more than an acknowledgement to begin with. Michael Roach, an attorney with Michael Best & Friedrich in Chicago says, "Under the current rules, if a person goes to a provider and that person refuses to sign the consent, the provider in ost cases is almost assuredly going to refuse to treat because the provider cant use the information they get to bill for the patients care."

Even some privacy groups dont share Goldmans alarm. Jim Harper, with Privacilla.org tells Eli that the consent requirements elimination is "more symbol than substance."

If a patient needs medical care, it wont make a bit of difference to her if she has to sign an acknowledgement form or a consent form thats why Harper calls the hullabaloo surrounding the consent repeal a "tempest in a teapot." Patients effectively cant "not consent" and still receive medical care, so they have no choice.

More importantly, patients have always had effective redress for abuses of their private health information through tort and contracts law. Harper points to overt or implied contractual limits that have always governed health care treatment agreements. HIPAAs consent repeal doesnt change the fact that patients are still empowered to sue for privacy abuses or gaffs.

What concerns Harper is the sheer cash investment that went into creating the bureaucracy that is the HIPAA final rule. He isnt alone in wondering whether the money might have been better spent on actual patient care than on a meaningless consent requirement repeal.

And though there are legitimate concerns regarding the abandonment of the consent requirement, a source tells Eli that that stems in part from a misunderstanding about what the consent requirement actually did, according to Kristen Rosati with Coppersmith Gordon Schermer Owens & Nelson in Phoenix.

Since providers were required to condition treatment on getting a patients consent, patients had to walk away from treatment if they didnt want to sign the form, she says.

"Thats not really protection at all, and I think the real goal of the privacy standard is not to create these types of barriers to how health care providers structure their practice, but to make the use of health information transparent so patients know whats going on, and that they have a really good understanding of what happens to their health info so that they have the ability to control it."

Providers should be pleased as punch that the consent requirement has been dropped, since it eliminates the barriers that the consent requirement may have created, maintains Abby Pendleton, an attorney with Wachler & Associates in Royal Oak, MI.

As the rule holds now, "providers are only required to make a good faith effort to obtain written acknowledgment that the patient was given the notice. [They] have some flexibility on the acknowledgment form and also are only required to make good faith efforts. Thus, if a patient refuses to sign, the providers hands are not tied. They simply just need to document the refusal."