The HIPAA Privacy Rule: Choosing Privacy, Whose Choice Is It?

Sandra Rustam, George Fox University, May, 2004  

The Health Insurance Portability and Accountability Act (HIPAA) has been a developing Federal rule since the early 1990s (American Mental Health Alliance, 2002). AMHA (2002) outlines the chronology of HIPAA in “A Brief History of HIPAA – to the Removal of the Right to Consent.” On August 21, 1996 the Health Insurance Portability and Accountability Act was enacted. Section 264 of the Act required Congress, by August 21, 1999, or the Secretary of HHS, by February 21, 2000, to establish the rights that individuals “should have” with respect to individually identifiable health information. That aspect of the HIPAA rule drew tens of thousands of comments favoring patient control over personal information (AMHA, 2002 [65 Fed. Reg. 82,462]). On April 14, 2003, when HIPAA became effective, Federal Law eliminated individuals’ right to consent, or to deny consent to disclosure of their Protected Health Information (PHI).

At issue is the removal of individuals' right to deny consent for re-disclosure of PHI, unless the covered entity[i] chooses to grant that right. Under HIPAA, as it stands now, the choice about whether or not information is shared is given to the covered entity holding the information, whether that entity is the care giver, the hospital, the insurance company. All of HIPAA's restrictive mandates, that covered entities have protections in place for that information, that there be locks, secure computer terminals etc., do not change the fact that the individual has lost control of where information goes (AMHA, 2004).

When disclosure is for treatment, payment, and health-care operations the right to disclose or deny disclosure is given to the covered entity holding the PHI (Frank-Stromberg, 2003). The stated purpose of the privacy rule is to provide federal protection of patients health information while not sacrificing the kind of care they receive (Jacobson, 2003). The privacy rule sets the national groundwork for standards to protect all citizens (Clause, Triller, Bornhorst, Hamilton, & Cosler, 2004). The final HIPAA rule contains over 1500 pages of rule specification, details for implementation and estimations of costs to implement (Setness, 2002). State laws may preempt HIPAA when those laws are stronger, providing more protection than the federal laws. On May 24, 2003, Oregon statutes were changed to conform with HIPAA regulation; less than 60 days after the federal law went into effect (Chapter 86 Oregon Laws 2003; AN ACT; HB

2305). Oregon revised statutes now match those of the HIPAA rule.

The privacy rule, specifically the issue of patient consent to disclosure, weighs most heavily on the therapist-client relationship. The private communication between therapist and client has been a hallmark of mental health treatment (Appelbaum, 2002). Maintaining patient privacy is fundamental in establishing the relationship between therapist and client. It is challenging, and possibly harmful, to the therapeutic relationship, when the element of trust is compromised (Glosoff & Pate, Jr., 2002). Protection of the client’s privacy is the counselor’s responsibility. In the case of Jaffe v. Redmond, ([1996] as cited in Appelbaum, 2002) the United States Supreme Court ruled that without the guarantee of complete privacy, psychotherapy could not be useful. “Effective psychotherapy depends upon an atmosphere of confidence and trust in which the patient is willing to make frank and complete disclosure of facts, emotions, memories, and fears,” written by Justice John Paul Stevens (as cited in Corey, Corey, & Callanan, 2003, p. 198).

The HIPAA rule changes how we experience our right to privacy. This revision of our historic right to privacy is problematic. Professionals’ and other citizens’ interpretation of this new information may create dissonance, competing with individual fundamental values and beliefs. Dissonant cognitions become an ethical dilemma when the two competing thoughts hold principled values and beliefs inherent to one’s worldview (Smith, 2003). While researching the implications of the privacy rule, issues of ethical significance surfaced. Documentation, articles, and other writings present the privacy rule in highly complex language. The public’s response since the implementation of the privacy rule suggests there are those who are both unaware and misinformed. Ignorance may be manifested in avoidance and rationalization; thus, attempting to maintain a sense of perceived peacefulness or consonance.

            The proponents supporting the HIPAA privacy rule purport greater protection of patient’s privacy. Supporters assert that optional authorization (consent) allows organizations to disclose individual information at times when seeking consent may interfere with health care (Setness, 2002). The following conditions represent situations where disclosure of information without patient consent is warranted, “…emergency circumstances; identification of a deceased person or determination of a cause of death; public health needs; formal research; oversight of the health care system; judicial and administrative proceedings; limited law enforcement activities; and activities related to the national defense and security” (Setness, 2002, p.16). Frank-Stromberg (2003), describes how greater protection of patient privacy is argued under HIPAA:

In other words, any procedure or scheduling that falls under the definition of “treatment,” “payment,” or “health care operations” exempts a covered entity from first obtaining the patients consent before using or disclosing the patient’s PHI for treatment of the patient….health care providers can consult with other providers about a patient’s condition without the patient’s written consent, because consulting is within the HIPAA’s Privacy Rule’s definition of “treatment” (p. 382).

       The implications read in the above paragraph appear more as an entitlement that covered entities bestow, rather than protecting the individual’s right to privacy.

           Recognizing this profound change in our right to privacy presents discrepancies in our thoughts. Acknowledgment of the federal government’s power to abolish the right to privacy creates tension, and discomfort for most people. When individuals ignore the meaning behind the HIPAA language, they possibly retreat to thoughts that are more homeostatic. Cognitive dissonance, originally researched by Leon Festinger in 1957 (as cited in McElrath, 2004), indicates that when faced with incoming information we perceive as threatening, we are more likely to retreat to what we think we know. By avoiding conflict, we are able to achieve perceived congruence. This is also referred to as “’hiding our head in the sand’, which is what ostriches do in the hopes that whatever is terrifying them will go away if they can’t see it” (Heath, 2001, ¶ 6).

            The ethical dilemmas behind the privacy rule motivate those who choose to confront their dissonance. The lawsuit Citizens for Health, et. al. v. Thompson, challenges the removal of the right of consent. The Plaintiffs represent people aware of the violation of their right to privacy.

The Plaintiffs…are ten national and state consumer and provider associations and nine individuals who are consumers and providers representing the interests of approximately 750,000 individuals residing in every state and the District of Columbia including AMHA-USA and The National Coalition of Mental Health Professionals and Consumers (AMHA, 2004).

           The HIPAA final revision of the privacy rule removed patients’ consent, replacing it with more permissive law. To counteract the removal of client’s approval to release private information, another requirement was reinforced, a “Notice of Privacy Practices” (Appelbaum, 2002). The notice of privacy practices gives individuals a written declaration with information about how their records may be used, and must list all the covered entities, which may receive private information in absence of the client’s consent or authorization. The provider of services needs only to attempt to obtain written concession from the patient in acknowledgment of that notice. Current medical information, as well as any past and future information is no longer private. Instead, confounding the individuals’ choice to disclose information is the legal power of covered entities to propagate patient’s private information (Frank-Stromberg, 2003).

      In summarizing the need to Appeal, concerning the HIPAA consent issue, lead attorney, Jim Pyles for Plaintiffs in Citizens for Health, et al. v. Thompson, states the following practical effects of the Amended Privacy Rule were undisputed by the respondents or the judge on April 2, 2004 (The National Coalition of Mental Health Professionals and Consumers, 2004, Practical Impact section, ¶ 4):

1) Individuals will no longer have a reasonable expectation of medical privacy in routine situations.

2) Identifiable health information that can be used and disclosed without an individual’s knowledge or permission includes even the most highly sensitive information regarding genetic testing, mental health treatment, abortion, treatment for sexually transmitted diseases, and treatment for cancer and other serious illnesses.

3) Medical privacy is eliminated retroactively because the Amended Rule permits and authorizes the use and disclosure of health information that was created or placed in the medical record prior to the compliance date of the Amended Privacy Rule and even prior to the enactment of the underlying HIPAA statute. So, the reasonable expectation of medical privacy that citizens have enjoyed throughout their lives has been eliminated by this rule.

4) Medical privacy cannot be protected by the individual paying out of pocket since the Rule authorizes the use and disclosure of an individual’s medical record regardless of whether it is needed to determine insurance coverage or payment for a health service.

5) Medical privacy of health information already in the medical record cannot be protected even if the individual avoids obtaining health care in the future.

6) Many individuals, including many of the Plaintiffs in this lawsuit, are avoiding seeking needed health care services in order to prevent the use and disclosure of additional health care information.

7) The Amended Privacy Rule is having a “chilling effect” on communications between patients and their health care providers that are essential for quality health care because patients are refusing to communicate with their health care providers in order to preserve their medical privacy.

Cognitive dissonance is a phenomenon one experiences when new information, or interpretation of situations presented, is contrary to what they believe or know (Atherton, 2003). The strength of the dissonance depends on significance and degree of discrepancy. Psychological discomfort results from inconsistent beliefs, attitudes or actions. The tension motivates humans to reduce or remove the dissonance. We can avoid or reduce the dissonance in one of three ways by (McElrath, 2004, ¶ 3), “changing one of the dissonant elements, adding consonant cognitions, and decreasing the importance of dissonant cognitive elements (trivializing the situation).” Typically, we defend the less intrusive cognition, which also offers the less incentive, because it is more familiar, and less anxiety provoking (Smith, 2003). Although the new information may be more logical, healthy, or rational, we will discount or discredit it, in order to justify our refusal to let go of old beliefs. Thus, we may choose to look the other way, not being open to ideas, change, and opportunities. It is more efficient for our minds to retreat and hold onto old beliefs, values and cognitions we perceive as congruent rather than endure the discomfort of adjusting and adopting new ways of thinking (Williams, 2003). This explains one reason why it is so difficult to change our beliefs and much easier to slip into avoidance, rationalization, and defensiveness when discrepancies arise.

Perplexities interwoven into language of the HIPAA privacy rule challenge all of us to examine our own principles. Is the individual’s privacy being protected or violated? Does the removal of the right to consent help or hinder patient’s privacy? Cognitive dissonance theory tells us new information introduced will create tension, discomfort, and anxiety. Mental health professionals have a responsibility to their clients to protect and provide a safe therapeutic environment. Rationalizing or avoiding when faced with new cognitions perceived as different, may hamper clinicians’ personal opportunities for growth and change. The therapist’s ability to offer quality care for the client requires self-reflection and self-awareness. The six moral codes for counselors most often mentioned in relation to ethical practices include (Glosoff & Pate, Jr., 2002, ¶ 2), “1) veracity, 2) justice, 3) nonmaleficence, 4) beneficence, 5) autonomy, [and], 6) fidelity.” The HIPAA privacy rule alters the client’s right to privacy. The privacy rule undermines the clinician’s ability to uphold the moral codes, by potentially sacrificing the trust necessary for the therapeutic relationship. Under the HIPAA privacy rule, all six moral codes are compromised. This risks leaving the therapist-client relationship in a questionable position.

References

American Mental Health Alliance. (2004). Ring the bell for round two. Plaintiffs in

Citizens for Health v. Thompson.  Retrieved May 23, 2004 from http://www.legalchallengestohipaa.org/

American Mental Health Alliance. (2002). A brief history of HIPAA – to the removal of the right

to consent. Retrieved June 5, 2004 from http://membership.americanmentalhealth.com/hipaa-abriefhistorytotheremovaloftherightofconsent.page

American Mental Health Alliance. (2002). Federal health privacy rule amendments: Impact

on health care. A Briefing for Members of Congress and their Staffs (August 19, 2002). [Plaintiffs in Citizens for Health v. Thompson]. Retrieved May 23, 2004 from http://membership.americanmentalhealth.com/legalchallengestohipaa.page

Appelbaum, P. S. (2002). Privacy in psychiatric treatment: Threats and responses.

American Journal of Psychiatry, 159(11), 1809-1818.

Atherton, J. S. (2003) Learning and teaching: Cognitive dissonance [On-line] UK:

Available: http://www.dmu.ac.uk/~jamesa/learning/dissonance.htm Accessed June 3, 2004.

Chapter 86 Oregon Laws 2003; AN ACT; HB 2305. Retrieved May 27, 2004 from

http://www.leg.state.or.us/orlaws/sess0001.dir/0086ses.htm.

Clause, S. L., Triller, D. M., Bornhorst, C. P., Hamilton, R. A., & Cosler, L .E. (2004). Conforming to HIPAA regulations and compilation of research data. American Journal of Health-System Pharmacy, 61, 1025-1031.

Corey, G., Corey, M. S., & Callanan, P. (2003). Issues & ethics in the helping professions.

(6^th ed.). California: Brooks/Cole.

Frank-Stromberg, M. (2003). They’re real and they’re here: The new federally regulated privacy

rules under HIPAA. MEDSURG Nursing, 12(6), 380-414. Retrieved May 24, 2004.

Glosoff, H. L., & Pate, Jr., R. H. (2002). Privacy and confidentiality in school counseling.

            Professional School Counseling, 6(1), 20-28.

Heath, H. (2001). The American ostrich. Idaho Observer. Retrieved June 3, 2004 from

http://proliberty.com/observer/20010607.htm

Jacobson, J. M. (2003). Stealth law: HIPAA’s back-door regulation of “business associates.”

Managed Care Quarterly, 11(1), 37-39.

McElrath, E. (2004). Cognitive dissonance identification in the institutional setting of the

academic library. Journal of Educational Media and Library Science, 41(3), 283-298. Retrieved June 5, 2004 from http://research.dils.tku.edu.tw/joemls/41/41-3/283_298-2.pdf

Setness, P. A. (2002). HIPAA and the changing face of patient privacy. Postgraduate Medicine, 111(1), p15, 3p. Retrieved May 26, 2004, from Academic Search Primer database.

Smith, K. (2003). Cognitive dissonance. Encyclopedia of Educational Technology. Department

of Educational Technology: San Diego State University.

The National Coalition of Mental Health Professionals and Consumers (2004). Considerations

regarding whether to appeal. Plaintiffs in Citizens for Health v. Thompson. Retrieved June 2, 2004 from http://www.thenationalcoalition.org/Memo.htm

Trotman, F. K., Greene, B., & Pressley, A. (2001). African americans and the independent

practice of psychotherapy: Factors affecting access to clinical services. The Independent Practitioner, 21(3). Retrieved June 3, 2004 from http://www.division42.org/MembersArea/IPfiles/IPSum01/Advocacy/trotman_etal.html

Williams, J. L. (2003). Cognitive dissonance theory & pastoral counseling. ODB Publishing Services. Retrieved June 3, 2004 from

 http://www.ourdailybreadmissions.org/Cog%20diss%20theory%20&%20Pastoral%20Counseling.htm 

Endnotes

[1] Covered entities encompass a conglomeration of affiliates too lengthy to mention within the text of the paper. This list from the American Psychoanalytic Association (2002) notes those covered entities documented in the HIPAA privacy rule:

A) A health plan (including a group health plan, a health insurance issuer, an HMO, and Part A and B of Medicare), B) A health care clearinghouse, C) Health care providers,

D) "Business associates" of all of the above including those outside the covered entity's work force who perform any of the following functions:
1) claims processing or administration, 2) data analysis, 3) utilization review, 4) quality assurance, 5) billing, 6) benefit management, 7) practice management or re-pricing, 8) legal services, 9) accounting, 10) actuarial services, 11) consulting services, 12) data aggregation, 13) management, 14) administrative services, 15) accreditation, 16) financial services, 17) anyone else performing a service on behalf of a covered entity which involves the use or disclosure of identifiable health information.