Why we need a Health Information Privacy Bill of Rights

"One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever."

So said a constitutional law professor who is our current President on the issuance by the White House of the Consumer Privacy Bill of Rights on February 23, 2012. The President was right. The right of all Americans to privacy for personal information, and particularly their health information, has been recognized as a fundamental right by all three branches of the federal government--the Executive Branch, Congress and the Judiciary--as well as under the standards for the ethical practice of medicine and psychiatry throughout the history of the country. But, strangely, the Consumer Privacy Bill of Rights contains an exception for health information subject to HIPAA. So, under this policy, Americans have a right to control the use and disclosure of their personal health information under the Consumer Privacy Bill of Rights if the information is NOT covered by HIPAA, but no right to control the use and disclosure of their health information that IS covered by the HIPAA Privacy Rule. Americans now have a recognized right to privacy for health information handled by a law firm, but no right to privacy for health information handled by a hospital. Americans can control the use and disclosure of information about the music they purchase online but not their cancer treatment information. This is federal privacy policy that is untenable.

The problem began in August of 2002 when the Bush Administration eliminated the individual's right of consent under the HIPAA Privacy Rule issued by the Clinton Administration for the use and disclosure of health information for treatment, payment, and health care operations. When it was pointed out that this reversal of policy put the HIPAA Privacy Rule at odds with Constitutional law, prevailing tort law, the law of physician-patient and psychotherapist-patient privilege and established standards for the ethical practice of medicine and psychiatry, HHS responded that the HIPAA Privacy Rule was only intended to be a "floor" of privacy protections and was not even intended to be a "best practices" standard. So practitioners could add additional privacy protections. Of course, this ignored the fact that adding additional privacy protections to the HIPAA "floor" would expose the provider to civil monetary and perhaps criminal penalties under HIPAA. So the HIPAA "floor" of privacy protections has also become the "ceiling" leaving the patients little room to exercise their privacy rights. This departure from privacy standards set forth in law and ethics has also resulted in a loss of trust by the public that the laws will protect their right to privacy and confusion by the regulated health industry that now does not know what is expected of them.

It is time to bring health information privacy laws back into alignment with constitutional law, professional ethics and the public's expectation. We can have a health care delivery system without health IT, but we cannot have a health care delivery system without patients. We should build an electronic health information system that conforms to the patient's time-honored right to privacy rather than erode the right to privacy until it fits within the current capabilities of electronic health information systems. All health information begins under the patient's private control--in his or her head or body. And there the information will remain, unless patients believe it is safe to disclose. The White House issued the Consumer Privacy Bill of Rights to preserve the trust that is essential for individuals to engage in commerce. Trust is even more important for access to quality health care. It is time for a Health Information Privacy Bill of Rights to preserve the public's trust in the health care delivery system and to allow for the acceptance of an electronic health information system that serves rather than conflicts with the patient's interests. Health information privacy is not only at the heart of our democracy--it is at the heart of quality health care.