Skip main navigation
Close Drawer MenuOpen Drawer Menu
APA Publishing Logo

The American Psychiatric Association (APA) has updated its Privacy Policy and Terms of Use, including with new information specifically addressed to individuals in the European Economic Area. As described in the Privacy Policy and Terms of Use, this website utilizes cookies, including for the purpose of offering an optimal online experience and services tailored to your preferences.

Please read the entire Privacy Policy and Terms of Use. By closing this message, browsing this website, continuing the navigation, or otherwise continuing to use the APA's websites, you confirm that you understand and accept the terms of the Privacy Policy and Terms of Use, including the utilization of cookies.

×
Back to table of contents
Legal NewsFull Access

HIPAA Privacy Rule Legal, Federal Court Says

Published Online:21 May 2004https://doi.org/10.1176/pn.39.10.0004

A federal judge has dismissed a lawsuit in which several organizations and individuals concerned with protecting medical-record confidentiality sued Health and Human Services Secretary Tommy Thompson over the privacy rule, whose creation was mandated by the Health Insurance Portability and Accountability Act (HIPAA).

The rule at issue governs patients’ right to keep third parties from having access to their medical records—whether electronic or paper—unless the patients consent to divulge the records. The original wording required patient consent before patients’ confidential records could be used for “treatment, payment, and health care operations.” When the Bush administration amended the rule, it deleted the patient-consent requirement (Psychiatric News, January 16) and instead allowed—but did not require—consent forms to be signed before treatment can begin or payment initiated, for example. The consent became an implied rather than explicit requirement, as it was in the original rule.

The change gives health care providers the option of having patients sign a consent form before initiating treatment. Once patients begin treatment, they should assume that they are consenting to allow others involved in their medical care or payment for it to have access to their records.

In her April 2 ruling, Judge Mary McLaughlin of the U.S. District Court in Philadelphia stated that the privacy rule did not violate the plaintiffs’ constitutional rights “because the amended rule does not compel anyone to use or disclose the plaintiffs’ health information for routine purposes without the plaintiffs’ consent.” That is, the Constitution doesn’t give patients, or others, all the privacy rights they think are crucial, though laws can be enacted that do bestow such rights, she said.

The rule never gave patients the right to decide whether their records were to be released as part of judicial proceedings or for public-health purposes.

The American Psychoanalytic Association was one of the lead plaintiffs in the case, Citizens for Health v. Tommy Thompson, as was Texas psychiatrist and APA member Deborah Peel, M.D. The plaintiffs argued that the HIPAA privacy rule allows individuals in government agencies, private corporations, and even patients’ employers to gain access to records of medical treatment.

Are Privacy Rights Guaranteed?

Chief among the several issues on which the plaintiffs based their case was that the privacy rule violates privacy rights that patients and others are guaranteed in the First Amendment of the U.S. Constitution.

When patients lack the security of knowing that what they tell their therapist will remain confidential, the plaintiffs maintained, it is difficult to build trust and thus provide an optimal therapeutic experience. Some patients will refuse to take medications if pharmacists have access to their medical records, they claimed, while many others will shun all mental health treatment out of fear of who may be able to read their medical records.

The amended rule does not, however, permit disclosure of patient medical information that was prohibited before the original rule was written.

Thompson Says Rules Followed

Thompson, who was named as the defendant because he heads the agency that promulgated the privacy rule, argued that amending the rule was done according to required procedures—a charge the plaintiffs disputed—and was the result of a substantial amount of public comment protesting “unintended consequences” of the original rule’s patient-consent requirement, according to Thompson. Many of the comments suggested that allowing patients to keep their records from certain third parties could “substantially impair delivery of health care” by depriving those parties of “information necessary for quality assurance, accreditation, and fraud and waste detection.”

The judge ruled that Thompson had met federal rule-making requirements by considering “the relevant factors Congress intended the agency to consider, namely, the efficiency and effectiveness of the health care system and the privacy of health information.”

She pointed out that Thompson “took the privacy interests of patients into account by permitting health care providers to obtain prior consent” for limited release of medical records.

As for the constitutional violation charges, the judge ruled for Thompson, saying that “the amended rule does not compel anyone to use or disclose the plaintiffs’ health information for routine purposes without the plaintiffs’ consent.”

She continued, “Even assuming that the plaintiffs have a constitutional right to privacy over their medical records and to patient–health care provider communications, the amended rule does not violate those rights,” since it is “wholly permissive” regarding whether an entity covered by HIPAA “should seek consent from a patient before using his or her information for routine purposes. The amended rule neither requires nor prohibits that practice.” Moreover, the rule does not “place obstacles in the paths of patients seeking to have confidential communications with their health care providers,” since it does not require that clinicians breach confidentiality.

In giving strong weight to Thompson’s argument, the judge stated, “To the extent the amended rule mandates any actions, it protects the plaintiffs’ putative rights. For example, [it] prohibits covered entities from disclosing and using health information for reasons unrelated to health care without proper authorization.”

Peel, who is president of the organization Appeal for Patient Privacy, called McLaughlin’s ruling “very disturbing.”

“In the end,” she said, “somehow the judge came to the tortured conclusion that every citizen’s constitutional rights to privacy were not violated.”

Peel said that the battle over the HIPAA privacy rule is not over. Appeal for Patient Privacy has already raised $35,000 to fund an appeal, which must be filed by June 2. It will take a legal victory “to wake up Congress” about the need to undo parts of the privacy rule, she said.

Additional information about the appeal of the HIPAA ruling, including how to contribute to the appeal, is posted online at www.patientprivacyrights.org. McLaughlin’s ruling is posted at www.paed.uscourts.gov/documents/opinions/04d0102p.pdf.