Hostname: page-component-cd9895bd7-gbm5v Total loading time: 0 Render date: 2024-12-26T08:35:14.006Z Has data issue: false hasContentIssue false
  • English
  • Français

The End of the HIPAA Privacy Rule?

Published online by Cambridge University Press:  01 January 2021

Mark A. Rothstein
Get access Rights & Permissions [Opens in a new window]

Abstract

The HIPAA Privacy Rule is notoriously weak because of its incomplete coverage, numerous exclusions and exemptions, and limited rights for individuals. The three areas in which it provides the most protection are fundraising, marketing, and research. Provisions of the 21st Century Cures Act, pending in Congress, and the Notice of Proposed Rulemaking to amend the federal research regulations (Common Rule), awaiting final regulatory action, would weaken the privacy protections for research. If these measures are adopted, the HIPAA Privacy Rule would have so little value that it might not be worth the aggravation and burden.

Type
Columns: Currents in Contemporary Bioethics
Information
Journal of Law, Medicine & Ethics , Volume 44 , Issue 2: Ethical and Legal Issues in Pediatrics , Summer 2016 , pp. 352 - 358
Copyright
Copyright © American Society of Law, Medicine and Ethics 2016

Access options

Get access to the full version of this content by using one of the access options below. (Log in options will check for institutional or personal access. Content may require purchase if you do not have access.)

References

Pub. L. 104-191, 110 Stat. 1936 (1996).Google Scholar
45 C.F.R. Parts 160, 164. The security and privacy provisions are published in 45 C.F.R. Part 164. For simplicity, both the security and privacy provisions are referred to as the HIPAA Privacy Rule.Google Scholar
See Lo, B., Dornbrand, L., and Dubler, N. N., “HIPAA and Patient Care: The Role for Professional Judgment,” JAMA 293, no. 14 (2005): 1766-1771 (describing some of the misunderstandings by health care providers); Wilkes, J. J., “The Creation of HIPAA Culture: Prioritizing Privacy Paranoia over Patient Care,” Brigham Young University Law Review 2014, no. 5 (2014): 1213-1249 (asserting that the Privacy Rule has created “privacy paranoia”).Google Scholar
45 C.F.R. § 164.104.Google Scholar
45 C.F.R. § 164.520.Google Scholar
45 C.F.R. § 164.524.Google Scholar
45 C.F.R. § 164.530(b)(1).Google Scholar
45 C.F.R. Part 164, subpart C.Google Scholar
45 C.F.R. Part 164, subpart D.Google Scholar
45 C.F.R. § 164.508(a)(3).Google Scholar
45 C.F.R. § 164.514(f).Google Scholar
45 C.F.R. §§ 164.501, 164.508, and 164.512(i).Google Scholar
45 C.F.R. § 164.506(c).Google Scholar
Agris, J. L., “Extending the Minimum Necessary Standard to Uses and Disclosures for Treatment,” Journal of Law, Medicine & Ethics 43, no. 1 (2014): 263-267.Google Scholar
45 C.F.R. § 164.502(b)(1).Google Scholar
45 C.F.R. § 164.501.Google Scholar
Id.Google Scholar
45 C.F.R. § 164.512(a).Google Scholar
45 C.F.R. § 164.512(b).Google Scholar
45 C.F.R. § 164.512(c).Google Scholar
45 C.F.R. § 164.512(d).Google Scholar
45 C.F.R. § 164.512(e).Google Scholar
45 C.F.R. § 164.512(f).Google Scholar
45 C.F.R. § 164.512(g).Google Scholar
45 C.F.R. § 164.512(h).Google Scholar
45 C.F.R. § 164.512(i).Google Scholar
45 C.F.R. § 164.512 (j). See Rothstein, M. A., Tarasoff Duties after Newtown,” Journal of Law, Medicine & Ethics 42, no. 1 (2014): 104-109 (discussing the deficiencies in the HIPAA Privacy Rule and other laws relating to the obligations of health care providers to take appropriate action when there is a serious and credible threat).Google Scholar
45 C.F.R. § 164.512(k).Google Scholar
45 C.F.R. § 164.512 (l).Google Scholar
Rothstein, M. A. and Talbott, M. K., “Compelled Disclosures of Health Information: Protecting against the Greatest Potential Threat to Privacy,” Journal of the American Medical Association 295, no. 24 (2006): 2882-2885.Google Scholar
Rothstein, M. A. and Talbott, M. K., “Compelled Authorizations for Disclosure of Health Records: Magnitude and Implications,” American Journal of Bioethics 7, no. 3 (2007): 38-45, at 40.Google Scholar
45 C.F.R. § 164.514(f).Google Scholar
45 C.F.R. § 164.514(f)(2)(ii).Google Scholar
Fundraising from patients also raises a variety of ethical issues, especially if it involves the participation of health care providers. For example, the AMA Code of Ethics Provides: “Physicians should avoid directly soliciting their own patients, especially at the time of the clinical encounter.” American Medical Association, Code of Medical Ethics § 10.018 (2015).Google Scholar
Unfortunately, there are still incidents of health care providers selling health information or leaking details of the treatments of celebrities and other noteworthy individuals. See Ornstein, C., “Farrah Fawcett Was Right — We Have Little Medical Privacy,” Pro Publica, December 30, 2015, available at <https://www.propublica.org/article/farrah-fawcett-was-right-we-have-little-medicalprivacy> (last visited May 9, 2016).+(last+visited+May+9,+2016).>Google Scholar
45 C.F.R. §§ 164.501, 164.508(a)(3).Google Scholar
45 C.F.R. § 164.501.Google Scholar
Id.Google Scholar
45 C.F.R. § 164.508(a)(3).Google Scholar
Id.Google Scholar
45 C.F.R. Part 46.Google Scholar
45 C.F.R. § 164.501. The same definition appears in the Common Rule, 45 C.F.R. § 46.102(d).Google Scholar
45 C.F.R. § 164.508(b)(3).Google Scholar
45 C.F.R. § 164.508(c)(1).Google Scholar
45 C.F.R. § 164.508(c)(2).Google Scholar
H.R. 6, 114th Cong., 1st Sess. (2015).Google Scholar
See Avorn, J. and Kesselheim, A. S., “The 21st Century Cures Act — Will It Take Us Back in Time?” New England Journal of Medicine 372, no. 26 (2015): 2473-2475 (asserting that the provisions dealing with the FDA approval of drugs and devices are unnecessary and would be a threat to the public).Google Scholar
The “public health activities” exception to the HIPAA Privacy Rule permits the disclosure of PHI to a person subject to the jurisdiction of the FDA “for the purposes of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity.” These purposes include to collect or report adverse events, to track FDA-regulated products, to enable product recalls, and to collect post-marketing surveillance. 45 C.F.R. § 164.512(b)(1)(iii). It does not expressly permit disclosures for research.Google Scholar
Dep't of Homeland Security et al., “Federal Policy for the Protection of Human Subjects; Proposed Rule,” 80 Federal Register 53,933-54,061 (2015).Google Scholar
Rothstein, M. A., “Research Privacy under HIPAA and the Common Rule,” Journal of Law, Medicine & Ethics 33, no. 1 (2005): 154-159.Google Scholar
45 C.F.R. § 164.514(b).Google Scholar
U.S. Dep't of Health and Human Services, Office for Human Research Protections, “Guidance on Research Using Coded Private Information or Specimens” (2008), available at <http://www.hhs.gov/ohrp/regulations-and-policy/guidance/research-involving-coded-private-information/index.html# (last visited May 9, 2016).Google Scholar
Id.Google Scholar
See Rothstein, M. A., “Is Deidentification Sufficient to Protect Health Privacy in Research?” American Journal of Bioethics 10, no. 9 (2010): 3-11.CrossRefGoogle Scholar
“Broad consent” is generally considered to require continuing IRB review for new research protocols. By contrast, “blanket consent” is generally used to refer to the one-time approval proposed in the NPRM. If this provision of the NPRM is finally adopted, the absence of ongoing oversight by an IRB would make the United States an international outlier, as other countries overwhelmingly require true “broad consent.” See Rothstein, Mark A., et al., “Comparative Approaches to Biobanks and Privacy,” Journal of Law, Medicine & Ethics 44, no. 1 (2016): 161-172.Google Scholar
See Dep't of Homeland Security et al., supra note 49, at 53,953.Google Scholar
See Fernandez Lynch, H. et al., “Confronting Biospecimen Exceptionalism in Proposed Revisions to the Common Rule,” Hastings Center Report 46, no. 1 (2016): 4-5.CrossRefGoogle Scholar
Patient Protection and Affordable Care Act, Pub. L. 111-148, 124 Stat. 119 (2010).Google Scholar