Deborah Peel, MD writes in an e-mail that is quoted here with permission:
Fortune Magazine lauds one of the nation’s largest data miners of medical records, without any awareness that one major reason for the corporation’s success (revenue of $88 billion/year) is the illegal and unethical use of Americans’ medical and prescription records.
Yes, they ‘wire the world’, but McKesson does so by ignoring strong state and federal laws and 2,400 years of medical ethics that require informed patient consent before medical records can be used, disclosed, or sold. Stronger state laws and medical ethics are supposed to trump the HIPAA Privacy Rule, which was intended to provide a ‘floor’ for privacy protections, not become the ‘ceiling’ for privacy. Instead, McKesson and the IT industry are ignoring state laws and medical ethics, because the unconscionable profits from selling medical data are irresistible.
McKesson’s CIO said,”So along with those records needs to travel the access rights that the patient grants for use of those records. Will someone ever view a medical record that perhaps they shouldn’t have? They probably will, but in an electronic world we’ll know that it happened. We’ll know who did it, which is far superior to a chart lying around on a nurse’s station for anybody to walk by and glance at.”
The CIO is wrong. Patients will never know who saw their records that shouldn’t have because: 1) audit trails are NOT required under HIPAA for routine uses and 2) under HIPAA virtually all of the users patients would not want to access their records have federal”regulatory permission”to use them without consent or notice. Further, patients are NOT granting”access rights”to their medical records.”Access rights”are otherwise known as the right of consent, which HIPAA eliminated in 2002.
what are “routine uses ” of medical data?
Great question! “Routine uses” can include a lot of things. In this case:
http://www.ca3.uscourts.gov/opinarch/042550p.pdf
(in which Dr. Deborah Peel is a listed Appellant, btw) a federal appeals court reviewed and upheld the Department of Health and Human Services’ regulation which allows providers and payers to disclose protected health information (“PHI”) for “routine uses” (characterized as uses and disclosures of PHI for “treatment, payment, and health care operations”) without “jumping through the hoops” of HIPAA’s consent requirements.
the term health care operations is unclear. After reading the info (and as I have only limited legal expertise) this seems to put the fox in charge of the henhouse.
Yep, I think so too. And I suspect the lack of clarity is intentional.