Privacy: Where Are We Headed?

Gary Baldwin, for HealthLeaders Media, March 25, 2008
Let it be said that I am no big fan of legislating healthcare privacy. After all, many people among us willingly blab about the very health conditions that privacy advocates insist are sacrosanct. And the laws that attempt to regulate access to privacy can quickly become confusing and burdensome--just look at the massive industry attempt to comply with HIPAA and its disclosure requirements for personally identifiable health information. But I understand that the burdens of legalese and human nature are not ample reason to throw privacy to the wind. Other than my doctor, it's really nobody's business what my diagnosis is, or was, or could be.

That's why I did a real double take when I saw two recent news stories. First, the state of Texas became the first in the nation to pass a law that compels insurance companies to pass along sensitive health information to employers. Second, the state of New Hampshire killed a proposed law that would have required additional privacy restrictions on electronic medical records.

The new Texas law entitles employers to receive lists of employees whose healthcare bills exceeded $15,000 annually. According to the article, "employers must pledge they won't use the protected information for anything except plan administration." And a state spokesman says he "trusts employers to do the right thing." By that he means, he trusts employers not to fire people simply because they are ringing up too big a healthcare tab and therefore driving up the company's premium. As one of the readers of the article wrote on the Houston and Texas News' online commentary board, if you believe that, I have a bridge to sell you in New York.

The article also states that the Texas law does not violate the overarching HIPAA law, which sent hospitals and medical groups into a compliance tizzy not that many years ago. I am not questioning the validity of that assertion. However, I imagine many people, like me, would be surprised by the news. I have been assuming, falsely I guess, that the HIPAA law would have thrown up more roadblocks to an employer's rights to view personal health information. To me, the spirit of the law was that your personal health information belonged to you, and viewing rights belonged to a defined circle of caregivers with a legitimate need to see it.

I know that staff in hospitals and medical groups who take a peek at someone's health record without a legitimate need are subject to punishment and even termination. Healthcare providers take this responsibility seriously. That's one of the big attractions of EMR technology. While the EMR may be hacked, in fact it is far easier to monitor for inappropriate access compared to the paper chart. The electronic audit trail can reach far and wide. And in many electronic record systems, access is role-based--if not heavily debated. The defeated New Hampshire law would have obliged hospitals to create such audit trails--in addition to banning fund-raisers and marketers from gaining access to patient records. Now they're off the hook.
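The audit-trail point above is worth making concrete. The following is an added example, not code from the column or from any EMR vendor: a small Python checker that reads constructed EMR access-log lines and flags two kinds of inappropriate access the text alludes to, a user with no care-team relationship to the patient, and a role (such as fundraising) with no permitted access to patient data at all. The log format, role names, care-team table and permission table are all assumptions constructed for the example.

```python
"""Toy EMR access-audit checker.

Added example, not part of the original column. The log format, roles,
care-team assignments and permission table below are all constructed.
"""
from dataclasses import dataclass

# Constructed sample audit lines: timestamp user role patient_id resource
SAMPLE_AUDIT_LOG = """\
2008-03-20T09:01:00 dr_alvarez physician P1001 clinical_note
2008-03-20T09:05:00 nurse_chen nurse P1001 medication_list
2008-03-20T09:30:00 dr_alvarez physician P2002 clinical_note
2008-03-20T10:00:00 f_ramsey fundraising P1001 demographics
2008-03-20T10:15:00 billing_ops billing P2002 claim
2008-03-20T11:00:00 nurse_chen nurse P2002 clinical_note
"""

# Constructed care-team assignments: users with a legitimate treatment
# relationship to each patient.
CARE_TEAM = {
    "P1001": {"dr_alvarez", "nurse_chen"},
    "P2002": {"dr_alvarez"},
}

# Role-based policy: resources each role may open. Roles absent from this
# table (fundraising, marketing, ...) have no permitted access at all.
ROLE_PERMISSIONS = {
    "physician": {"clinical_note", "medication_list", "demographics"},
    "nurse": {"clinical_note", "medication_list", "demographics"},
    "billing": {"claim", "demographics"},
}

# Roles whose access is justified by plan/billing administration rather
# than a care relationship, so the care-team check does not apply to them.
NON_CLINICAL_ROLES = {"billing"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient_id: str
    resource: str
    reason: str


def parse_audit_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, patient_id, resource = line.split()
        events.append({
            "timestamp": ts,
            "user": user,
            "role": role,
            "patient_id": patient_id,
            "resource": resource,
        })
    return events


def audit_access(events, care_team, role_permissions, non_clinical_roles):
    """Return a Finding for every access that fails the role or care-team check."""
    findings = []
    for e in events:
        allowed = role_permissions.get(e["role"], set())
        # Check 1: does the role permit this resource at all?
        if e["resource"] not in allowed:
            findings.append(Finding(e["timestamp"], e["user"], e["patient_id"],
                                    e["resource"],
                                    "role not permitted to view resource"))
            continue
        # Administrative roles are judged on role alone, not care relationship.
        if e["role"] in non_clinical_roles:
            continue
        # Check 2: clinical users must be on the patient's care team.
        if e["user"] not in care_team.get(e["patient_id"], set()):
            findings.append(Finding(e["timestamp"], e["user"], e["patient_id"],
                                    e["resource"],
                                    "no care-team relationship with patient"))
    return findings


def run_sample():
    """Run the checker over the constructed log and return its findings."""
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    return audit_access(events, CARE_TEAM, ROLE_PERMISSIONS, NON_CLINICAL_ROLES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.timestamp} {f.user} -> {f.patient_id}/{f.resource}: {f.reason}")
```

On the constructed log this flags the fundraising user's look at demographics (no permitted resources for that role) and the nurse opening a note for a patient she is not assigned to; the billing access passes because the role, not a care relationship, justifies it. A real deployment would pull care-team membership from scheduling or admission data rather than a static table, and would treat documented break-glass access as a separate, reviewed category.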

Both states cite economics as the motivators behind their actions. In Texas, letting employers know about their employees' diagnoses, dates of services, amounts paid, prognoses, treatment plans, and future costs enables them "to get a clear snapshot of health expenses." And in New Hampshire, strengthening EMR privacy requirements would have cost too much money.

Curiously, New Hampshire legislators were worried about the cost of producing gigantic audit trails. Whereas in Texas, they want to do precisely that. Only these patient records would be circulating around corporate headquarters, not the hospital's compliance department.

Editor's note: Don't forget to submit your entries for the 2008 HealthLeaders Media Top Leadership Teams Conference and Awards. Deadline for entries is March 27.

Gary Baldwin is technology editor of HealthLeaders magazine. He can be reached at