Mark your calendars for April 14. On that day next year, say civil libertarians, the federal
government will move inside your body. The feds will know everything about your medical history --
yeah, Don Juan, even those genital warts -- because of a simple five-letter acronym: HIPAA.Spun to
the media as the best thing to happen to personal privacy since the bedroom door, the Health
Insurance Portability and Accountability Act will make sweeping changes to the health-care industry
in this country.
"Patients now will have a strong foundation of federal protections for the personal medical
information that they share with their doctors, hospitals and others who provide their care and help
pay for it," U.S. Health and Human Services Secretary Tommy G. Thompson said in August.
The new privacy rules will make personal medical records so secure, the feds say, that football
coaches are wondering if they'll still be allowed to release injury reports.
But HIPAA's many critics say that's simply not true. This new federal law gives government
agencies and private corporations unfettered access to some of your most personal information, they
contend.
"This isn't about medical privacy," said Sue Blevins, president of the Institute for
Health Freedom, a Washington, D.C. think tank that advocates consumer choice in health care.
"It's truly about making claims processing a faster and more efficient system."
Fifteen years from now, the health-care landscape will have changed dramatically, Blevins and
other HIPAA critics say. Buoyed by advances in technology, the federal government and health-care
providers will use personal medical IDs to link patients to a centralized database of personal
medical records.
Victims of a car accident, or just some random revelers caught on camera as they walk through
Ybor City, could be recognized using biometric identifiers and then associated with their medical
records. Everything, from a list of immunizations to physical examination dates, would be available
to government, medical and insurance personnel.
This, of course, has benefits. An emergency-room trauma team would have easy access to patient
information, such as blood type, pre-existing conditions and allergies. Insurers would also be able
to process claims more efficiently, speeding up the delivery of health care.
But this also has drawbacks. The federal government, which already has proven itself ineffective
at protecting secret Pentagon information from computer hackers, would be responsible for securing
medical records.
What's more, under HIPAA, there is little recourse for victims of deliberate or accidental
disclosure of sensitive medical information. If the public learned that a celebrity or public
official had AIDS, the damage would be done.
"We won't feel HIPAA right away," said Blevins. "But in about 10 to 15 years,
people are going to be feeling some pain."
Pain is what people began to feel 10 to 15 years after the federal government's 1973 creation of
HMOs. HIPAA might not be that different.
Hillary Health CareSince the Great Depression, the government has been expanding its control over
the health care of Americans -- from the Social Security Act of 1935 to the Health Insurance
Portability and Accountability Act of 1996.
For the government's more recent expansion, you can thank, in part, Hillary Clinton and her
failed proposal to guarantee quality medical care for all Americans.
The Health Security Act of 1993 was supposed to be the First Lady's grand entrance into public
policy. But Republicans in Congress killed it. The bill, however, wasn't an entire failure. Many of
its proposals became the framework for HIPAA three years later.
As the Health Security Act would have done, HIPAA stops the insidious practice of insurance
companies dropping members who file expensive claims. The law's portability provisions also ensure
that Americans will not be locked into jobs because of fears they will lose medical coverage while
changing employers. Additionally, because of HIPAA, insurers will not as easily deny coverage for
pre-existing conditions.
But not everything in "Hillary Health Care," as HIPPA critics like to call it, is so
benevolent.
As the Health Security Act would have done, HIPAA enforces the standardization of medical data,
the creation of personal medical IDs for every American, and the institution of strict penalties for
health-care workers who do not adhere to federal regulations.
"Many of the provisions that are most worrisome in HIPPA were literally copied
verbatim" from the Health Security Act, said Charlotte A. Twight, an economics professor at
Boise State University and author of Dependent on D.C.: The Rise of Federal Control Over the
Lives of Ordinary Americans.
HIPAA designs a medical environment that makes it easier for insurance companies to process
claims and turn profits. The law allows anyone to look at your personal medical information as long
as it is necessary for an insurer to process claims.
In 1996, up to 400 people would have seen at least part of an individual's medical record during
the claims process, according to the Congressional Research Service. Blevins, Twight and other HIPAA
critics believe that number can only increase.
And it isn't just fellow Americans who will see your private records. Your mental breakdown at
last year's company Christmas party could become the butt of lunch-hour jokes in India.
Yeah, India.
Or Pakistan.
Hell, maybe even the Philippines.
Jewel of the Medical EmpireVickie Julian isn't someone you'd expect to lead a grassroots campaign
against federal laws. A registered Republican, she never had an interest in public life. "I
never imagined I'd ever be called a radical," Julian said.
But a radical she's been called. Since August, Julian has been collecting signatures for her
campaign, "Tighten Up, America." As of the middle of November, she had more than 400.
The owner of a St. Petersburg medical transcription company, Julian, 48, is outraged by the
growing trend of outsourcing medical transcription to such countries as India, Pakistan and the
Philippines, where labor is cheap and plentiful. She wants Congress, or at least the Florida
Legislature, to require medical information to stay within our geographical borders.
Medical transcription is an unregulated industry worth an estimated $15-billion. For some
Americans, it offers the benefit of working from home. Julian's workers log on to her secure network
using broadband Internet connections.
For time-crunched doctors unwilling to record medical information by hand, transcription is a
solution. Doctors use a small Dictaphone to record a patient's ailment and treatment. The recording
is then uploaded to a medical transcription company, which transcribes the dictation into a
word-processing file that is later printed and inserted into the patient's medical record.
Oftentimes, the doctor's recording includes not only the names of patients but their Social
Security number as well.
"Little about a patient is more revealing than the dictated and transcribed or text portion
of the health record," Pat Forbis, associate executive director of the American Association for
Medical Transcription, testified before Congress.
Advancements in technology, coupled with a shortage of medical transcribers in this country, have
led to outsourcing overseas. When a doctor uploads the voice recording, the sound file is just as
easily sent to India as it is to Julian's St. Petersburg office.
Under HIPAA, doctors are not obligated to inform patients where information is sent. It's
possible, even likely, that doctors themselves do not know where the information goes. Most
companies using overseas labor are headquartered, and seemingly operate, in the United States.
According to HIPAA, an overseas medical transcription company is a "covered entity" that
must comply with U.S. laws and regulations as long as it has a stateside "business
associate."
Medical records are perfectly safe overseas, according to Donna Gustafson. A vice president for
the global health practice of a Michigan company that provides encryption and security technology to
companies that employ overseas transcribers, Gustafson believes medical records are just as safe, if
not safer, overseas.
"In these countries -- whether it's India, the U.K. or Australia -- they have very stringent
data-protection laws," Gustafson said.
The United States is in fact behind the rest of the world in establishing data-security laws.
Europe has been outsourcing medical transcription services for years, Gustafson added.
Tampa Bay area hospitals are among those following Europe into this brave new world of health
care. In August, Bayfront Medical Center and St. Anthony's Hospital, both in St. Petersburg, inked
deals with CBay Systems for medical transcription services. Maryland-based CBay Systems is known for
its large workforce in India. The deals with Bayfront and St. Anthony's mean a significant chance
exists that voice recordings created in St. Petersburg's two largest hospitals will be transcribed
overseas.
This outsourcing trend has divided the medical transcription industry. The Medical Transcription
Industry Alliance, an organization whose board includes chiefs of some of the nation's largest
medical transcription companies, promotes the use of overseas labor. The alliance has even been
known to serve Indian food at its U.S. conferences.
Conflicted by privacy concerns and the need to maintain its membership numbers, the American
Association for Medical Transcription does not take an official stance on overseas transcription
services. However, the testimony of association director Forbis before Congress indicated that the
organization does have concerns about the security of information once it travels outside our
borders.
"Events of the past decade have introduced outside influences that have created a dangerous
gap between the public and the confidentiality and security of health care information that they
deserve," Forbis testified. "The gap must be closed."
Meet Your Big BrotherAmericans value medical privacy. A Gallup poll commissioned by the Institute
for Health Freedom found that 78 percent of those polled said they considered the confidentiality of
medical records to be "very important." Even more, 92 percent, opposed granting the
government access to medical records, while 82 percent objected to insurance companies having
access.
These numbers explain why the most controversial part of HIPAA is not what it says, but what it
does not say.
HIPAA's proponents argue that it does not create a centralized database of personal medical
information. Critics maintain that HIPAA clears the way for the creation of one or more databases.
Both groups are correct.
Nowhere in HIPAA does the federal government legislate the creation of a medical database. Most
of the bill seems rather benign. It's filled with simple language intended to standardize data
formats and allow insurance companies to perform tasks more expediently.
"A lot people took as part of this that the government used [HIPAA] to get access to medical
information that it wasn't able to access," said Tracy M. Field, an Atlanta medical claims
attorney specializing in HIPAA regulations.
The federal law does not create a national database, said Field, and you'll only hear wild-eyed
conspiracy theorists crying wolf. "It's not that Big Brother is now keeping track of you any
more so than could have happened before," Field said.
That's true, agreed Blevins of the Institute for Health Freedom. HIPAA doesn't create a database.
But, then, it doesn't stop one from being created, either.
HIPAA reinvigorates the 50-year-old federal National Committee on Vital and Health Statistics and
charges it with being the principal advisory group for health information policy. If the federal
government creates a national health database, this committee will be responsible for it.
The committee maintains that it is building only a system by which information can be shared
between physicians and insurance companies -- a system known as the National Health Information
Infrastructure (NHII).
According to committee proposals and reports, every American will have an NHII profile known as a
"personal health dimension." While the individual will have ultimate control over what is
and is not included in the profile, the NHII will likely have your patient identification and
emergency contact information, health history, insurance provider, list of allergies and current
medications, and any recommended preventative treatments available to you based on your information.
Physicians will have immediate access to your relevant health information. You'll receive
electronic reminders to take medications and vitamins. Patients will be able review physician
ratings on the Internet as easily as they view those of eBay sellers.
Americans will be able to transmit their health information to select doctors or insurance
companies at their discretion. Indeed, if you listen to Uncle Sam, HIPAA will deliver medical power
to the people.
But, then, you also might want to listen to Dawn Richardson. She co-founded Parents Requesting
Open Vaccine Education, or PROVE, a citizen group fighting the Texas Department of Health's
vaccine-tracking database.
Known as ImmTrac and signed into law by then-Gov. George W. Bush, the database tracks the
immunizations of Texas children. Under Texas law, doctors must release child-patient identification
and immunization records to the state.
Richardson believes that the law not only represents a breach of privacy, but a way for her state
to force immunization on her children. Immunization shots can have serious if rare side effects,
some resulting in death. "There are a lot of parents whose children have had bad reactions to
vaccines," said Richardson.
While Richardson has been successful in spreading the word about ImmTrac, she has a loftier goal
-- taking on HIPAA. ImmTrac and databases like it represent a foundation from which the feds can
build a national health database, Richardson believes.
"It burns me up that they're calling these medical privacy rules when they give numerous
government agencies access to your records without your knowledge or consent," Richardson said
of HIPAA.
The federal government could easily fold databases such as ImmTrac into a single, more
comprehensive database of personal health information, according to Dependent on D.C. author
Twight. "Even if the databases are decentralized, they can be centralized at the click of a
mouse," Twight said.
In 2001, Richardson joined a lawsuit filed by an association of physicians and surgeons against
HHS and Secretary Thompson that requested a ruling on whether HIPAA violates constitutional rights
by granting unreasonable searches and seizures of private medical information and
"chilling" doctor-patient communications.
In addition to Richardson, other plaintiffs included PROVE co-founder Rebecca Rex, Darrel
McCormick of Gainesville, Fla., and, most notably, U.S. Rep. Ron Paul (R-Texas), a physician by
trade and one of HIPAA's most outspoken critics.
"It puts people in an adversarial position with their physicians," said McCormick,
former billing manager at Shands Healthcare System at the University of Florida, speaking of HIPAA.
"Why should the government put something between me and my physician?"
Rep. Paul maintains that HIPAA in no way enhances privacy. In fact, the Texas congressman
believes it does the opposite.
"Only in Washington can so-called 'medical privacy' regulations actually authorize such
blatant invasions of privacy by the government," Paul wrote in one of his online columns.
A federal court in June dismissed the lawsuit. "Because there has been no government
attempts to access plaintiffs' medical records, plaintiffs have not experienced any unwarranted
invasion of their privacy," U.S. District Judge Sim Lake wrote in his ruling.
A similar fate befell a lawsuit filed by the South Carolina Medical Association, which claimed
HIPAA violates the due-process clause of the Fifth Amendment. Both dismissals are under appeal.
Field, the medical claims attorney in Atlanta, believes the federal courts made correct
decisions. But could the constitutionality of HIPAA be challenged after next April 14, when the law
goes into effect? "I'm going to give you the standard lawyerly response," said Field.
"It's possible."
Bad Data, Bad MedicineA database is only as good as its data. HIPAA's critics believe any
database the government creates will be so tainted with bad information that the database either
will be useless or will substantially decrease the quality of health care provided in this country.
Knowing that what they say could be put in a database and used against them, Americans will not
be honest with doctors, critics say.
According to a survey of 344 physicians conducted by the anti-HIPAA Association of American
Physicians & Surgeons, 96 percent of surveyed physicians opposed the law's privacy rules.
As proof of what the association characterizes as a "chilling" of doctor-patient
confidentiality, 87 percent of physicians reported having been asked to keep information out of
patient records, while 78 percent said they had indeed withheld information from records because of
privacy concerns.
"Patients are withholding information, and doctors are lying because of privacy
concerns," Kathryn Serkes, the association's public affairs counsel, commented in a statement.
"The obvious conclusion is that these rules will only exacerbate the situation to the point of
distorted, incomplete and potentially dangerous medical records becoming the norm. Physicians'
ethics will be further challenged, the choice between government compliance and lying for a
patient."
Despite maintaining that a database isn't in the works, federal officials do admit that patient
data will be shared for reasons including drug marketing and health studies.
But have no fear, fellow Americans. Your personal data will be de-identified, according to the
feds. If someone accesses your medical records, they will have no way of knowing that it belongs to
you because it will not include such identifying fields as your name and Social Security number.
After all, who cares if someone finds out that a man born on Feb. 18, 1968, and living in zip
code 33701 has a history of manic depression?
Latanya Sweeney does. An assistant professor of computer science and public policy at Carnegie
Mellon University, Sweeney proved how easily people could be associated with their purportedly
de-identified data. All you need is a person's five-digit zip code, gender and date of birth to
uniquely identify 87 percent of the U.S. population.
To make her point, Sweeney used de-identified medical data provided by a Massachusetts agency
that purchases health insurance for state employees and compared the data to a list of voters in one
Bay State city. Sweeney wanted to show that even then-Massachusetts Gov. William Weld's data was not
protected. The Carnegie Mellon professor compared Weld's gender, date of birth and zip code, all
provided in the de-identified medical data, to the voter roll in Cambridge, where the governor lived
at the time. The roll included the same data fields, plus the voter's name.
"Only six people had his birth date, only three of them were men, and he was the only one in
his five-digit zip code," Sweeney explained at a forum on technology and health reform.
Privacy can never be guaranteed. The more widely distributed your information, the higher the
chances it could be made public. "If you think the government can protect data, you're living
in a fantasy world," said McCormick.
That's one reason Vickie Julian won't give up on her quest to raise awareness of outsourcing
medical transcription services to India and other countries, where she speculates that medical
information could be bought and sold like spices at a bazaar.
"The dollar is worth a lot of money there," Julian said. "You can't secure the
safety of medical records."
But Florida legislators could.
Tally to the Rescue?If doctors in all 50 states and the U.S. territories use the same data
formats, insurance companies can streamline the claims-processing system and reduce labor costs. At
the same time, if one state or territory refuses to cooperate, HIPAA's power drops significantly.
Florida is among a handful of states that could challenge HIPAA. Because the state constitution
includes a privacy clause guaranteeing "the right to be let alone and free from government
intrusion into the person's private life," the Florida Legislature could enact privacy laws
that trump HIPPA.
That's exactly what Julian has asked Pinellas County's state legislative delegation to do.
"We would like to implement a state law that mandates ... all citizens' medical records be
processed within the U.S. geographical border, where our laws are fully enforced," Julian told
local lawmakers at a recent hearing in St. Petersburg.
That's the tack the Institute for Health Freedom has advocated for states such as Florida. But
our Legislature's willingness to throw a wrench into federal policy remains questionable. Pinellas
delegation members seemed uninterested in anything Julian had to say at the hearing.
Maybe it was because her speech involved the complexities of electronic data transfer. Maybe it
was because three minutes wasn't enough time to explain the risks of sending medical records
overseas. Or maybe, just maybe, Florida lawmakers haven't noticed or cared that the federal
government has usurped more of their power.
No matter the reason, Julian isn't planning to give up yet. "Let us close the gap," she
said. "One state may follow another."
Contact Staff Writer Trevor Aaronson at 813-248-8888, ext. 134, or [email protected].