According to the six-page privacy notice, the details of my checkered medical (and psychiatric) history are now open to people I do not trust, including my employer (note to New Times headquarters: just kidding), insurance salesmen, HMO executives, bill collectors, Walgreens clerks, steak fajita-eaters, and the spies with nests inside the Federal Building at 450 Golden Gate Ave.
Like many San Franciscans, I've expressed myself politically over the years in ways that (my suspicious mind has always assumed) might draw some measure of governmental notice. Somehow, though, it's more unsettling to think that the FBI might have a file on my weird bumps, adverse reactions, poxes, rashes, major medical events, psychic abrasions, and infected pimples, too. And it could.
As of April 14, physicians, dentists, therapists, health maintenance organizations, and insurance companies are required by federal law to tell patients that their medical records -- long considered private and available to the government only if it showed a judge probable cause that a law had been violated -- can be scooped up by the FBI, the CIA, state troopers, or even the local police, on the spot, as a result of a simple, oral request. The new law, called the Health Insurance Portability and Accountability Act Privacy Rule (HIPAA), is being promoted by the Bush administration as an act of privacy protection.
In important ways that have gained little publicity, however, HIPAA vastly decreases the privacy privileges traditionally afforded to medical records, and organizations on the political left and right -- from the American Civil Liberties Union to the Heritage Foundation -- are united in their opposition to the new law. They contend that HIPAA requires doctors to violate the Hippocratic oath, the ethical code that has governed the confidentiality of the physician-patient relationship since the days of the ancient Greeks; that it strips patients of any meaningful control over their medical records; and that it increases the investigatory powers of federal, state, and local police agencies in violation of the Constitution's prohibition against warrantless searches.
Psychiatrists are suing the federal government to limit HIPAA's reach; there are several bills pending in Congress to repeal or rewrite it. Hundreds of thousands of California retirees are trying to stop HIPAA dead in its tracks. In San Francisco, a key city official is prepared to defy any law enforcement official who comes snooping around City Hall for personal medical information without a search warrant.
At the same time, though, state officials in Sacramento have written a bill to weaken California's strong privacy laws in favor of the far more invasive law enforcement privileges of HIPAA. And until something changes on the HIPAA front, you will probably never know if police agents decide to comb through your family's intimate medical information on the basis of an unwarranted suspicion and a simple verbal request.
The foundation of medical ethics is contained in the Oath of Hippocrates, which says, in part, "All that may come to my knowledge in the exercise of my profession, which ought not to be spread abroad, I will keep secret and never reveal." The power of the oath has kept medical records largely confidential through the centuries in societies built on slavery, feudalism, and industrial capitalism.
Our world is, of course, more complex than ancient Greece. Studies show that in the age of computerized record-keeping, as many as 150 people, including neurosurgeons, pharmacists, billing clerks, and janitors, are privy to the contents of a hospital patient's chart. Now, the Hippocratic oath may be rendered essentially meaningless by a combination of federal law and the Information Age's propensity to create ever larger medical databases for reasons of efficiency, profit, and social control.
Until the mid-1990s, federal laws on medical privacy applied only to federal agencies, intending to limit possible misuse of this sensitive information for political purposes. Still, medical records were largely presumed to be private, and that presumption was backed by state statutes and the common law traditions.
But in 1996, Congress passed the Health Insurance Portability and Accountability Act, sponsored by Sens. Edward Kennedy (D-Mass.) and Nancy Kassebaum (R-Kan.). This legislation was intended to make health insurance portable for people who changed jobs. It required the government to develop guidelines for the secure transmission of electronic medical data. It called for the creation of a national standard for protecting the privacy of personal medical records.
Responsibility for writing the details for the implementation of HIPAA fell to officials at the U.S. Department of Health and Human Services. They were intensely lobbied by hospital and medical groups, HMOs, privacy rights advocates, pharmaceutical companies, medical equipment suppliers, software manufacturers, and law enforcement agencies. In the end, the law did not fully satisfy any particular interest groups (except, perhaps, law enforcement and intelligence agencies). Most medical providers were allowed more than two years to fully comply with the regulation's labyrinth of bureaucratic requirements, which includes training a HIPAA specialist inside every medical organization and practice.
HIPAA governs the privacy activities of all professionals who transmit medical and billing data electronically -- which includes just about every medical professional, as well as group health plans and companies that handle financial and billing matters for providers. It also covers networks of lawyers, accountants, consultants, and pharmacists associated with health plans and doctors. Under HIPAA, patients cannot prevent their electronic and paper records from being used by any of these groups for health delivery and payment purposes, and some direct marketing is allowed. The medical industry is expected to police itself for unauthorized uses of patient information; the penalty for noncompliance is $100 per occurrence.