The American health care industry is undergoing a transformation in several respects, including the substantial integration and consolidation of health care providers. Three of the leading ways in which this is taking place are through mergers of hospitals and health systems, development of accountable care organizations (networks of providers that share responsibility for coordinating patient care), and hospitals purchasing physician practices. There has been considerable discussion about the effects of consolidation on health care cost and quality, but there has been virtually no discussion about the significant effects of consolidation on health privacy.
A brief example involving a hospital purchasing a physician practice will illustrate how health care consolidation threatens health privacy. Assume that you received mental health treatment from a psychiatrist in private practice, and your mental health records were stored at your psychiatrist’s office and not disclosed without your authorization. Further assume that a local hospital subsequently purchased your psychiatrist’s practice. When you later visit the hospital’s emergency department for treatment of a sprained ankle sustained in the company softball game, the physicians and nurses access your integrated electronic health record (EHR), including records from all of the hospital-owned practices. As a result, your mental health records, which you assumed were confidential, are now accessible by the physicians and nurses treating your ankle.
Eventually, the interoperability of EHRs will permit health information exchanges (HIEs) or comparable entities to aggregate individual health information stored by various providers. It is not clear, however, whether individuals will have the ability to opt out of participating in an HIE or to segment certain sensitive information. Another possibility is that broader information sharing among affiliated providers will simply be another small print item in the notice of privacy practices made available to new patients. In any event, the consolidation now taking place in health care is having the same effect as an HIE, by expanding the breadth and depth of individual health information accessible by numerous providers.
Bear in mind that consolidation is taking place at the same time as widespread conversion to EHRs. The comprehensive and longitudinal nature of EHRs means that some sensitive health information that long ago lost any semblance of clinical utility will never go away and can be retrieved with the click of a mouse. The prospect of sensitive information being widely accessible for an indefinite period of time will likely dissuade many individuals from seeking timely treatment for sensitive conditions (e.g., sexually transmitted infections), and a lack of timely treatment has the potential to adversely affect public health and safety in many ways.
Consolidation also means that a wide range of sensitive health information generated by an increasing array of providers is accessible by all of an institution’s physicians and dozens of other types of health care providers (e.g., nurses, pharmacists, and medical technicians) in both in-patient and out-patient settings. Some examples of customarily accessible, sensitive health information include information about domestic violence, genetics, mental health, sexuality and reproductive health, sexually transmitted infections, and substance abuse. Even though most health care providers do not have the time or inclination to troll through patient health records to search for sensitive information, the fact that they could inadvertently or intentionally access such information without any medical need may be of great concern to individuals with sensitive information in their records. In addition, consolidated health records mean that disclosures pursuant to an authorization (e.g., in applying for employment, life insurance, disability insurance, or other important matters) will also include sensitive information.
Unfortunately, there are few legal protections. Health record consolidation resulting from mergers or other business combinations does not require any prior notice to or consent from patients. The HIPAA Privacy Rule does not require consent or authorization for uses and disclosures of health information for treatment, payment, or health care operations. Similarly, the Privacy Rule’s “minimum necessary” standard does not apply to treatment. In practice, the most common limit on providers’ access to health information is that some hospitals and other entities protect against entirely unauthorized access (i.e., providers accessing the records of individuals who are not their patients) through password entry, timed log-out, audit trails, and other measures.
Two main policy initiatives are needed to address the loss of privacy through consolidation. First, the Department of Health and Human Services (HHS), the agency responsible for enforcement of the HIPAA Privacy Rule, and the health care industry should expedite development, adoption, and regulation of role-based access, contextual access criteria, data segmentation, and other technical methods that give patients greater control of disclosures or grant access to certain sensitive health information only on a need-to-know basis. Second, HHS should, through rulemaking or administrative interpretation, amend or clarify the definition of a “covered entity” under the Privacy Rule to account for the increasingly integrated and consolidated nature of covered entities. It is unreasonable to assume that individuals who receive, at best, a covered entity’s indecipherable notice of disclosure policies, are agreeing to grant broad access to their protected health information at numerous affiliated entities locally or nationwide.
Unless prompt attention is given to the effects of changes in the health care industry resulting from consolidation, before long, informational health privacy will exist only in theory.
Mark A. Rothstein, J.D., is the Herbert F. Boehl Chair of Law and Medicine and Director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine.