Changes to HIPAA Could Seriously Threaten Patient Privacy

Imagine this: You’re the mentally ill adult child of an abusive parent and you’re finally getting safe, confidential treatment to get your life back on track. But then, your parent is allowed access to your medical record — something you weren’t expecting and didn’t think was possible. They use the information they learn about you to harass you, causing you to lose trust in your doctor and relapse.

If the Trump administration has its way, this won’t just be a nightmare scenario.

Right now, the Department of Health and Human Services is soliciting information as it considers making changes to the rules around HIPAA, the Health Information Portability and Accountability Act. There’s a lot in this law, but many of us know it primarily as “the patient privacy thing” — the law that, since 1996, has protected our medical information and allowed us to control who can access it and how.

The DHHS claims that HIPAA creates “regulatory burdens,” which should be a red flag to anyone reading along — because in conservative administrations, that’s usually code for believing that rules or regulations shouldn’t be in place at all.

The agency says it wants to “facilitate parental involvement in care,” specifically meaning in the context of adult patients, and encourage “information-sharing.” That may feel benign; after all, it would be nice if your doctors could more easily communicate, right?

But what are the limits on that information and who could gain access to it? Are there parts of your medical record that you would rather not have in general circulation?

These are questions to weigh as you consider how changes might affect yourself or others. And even if you’re in the position of feeling like you want access to someone else’s information — like that of an adult you’re caring for — think about the larger privacy implications of relaxing limitations on how and where information may be shared.

Some examples of policies that might change with a revision to HIPAA: . — and not just in the extremely limited “danger to yourself or others” way that already exists. You might not know who has access to your private health information, and you may have trouble obtaining documentation about your legal rights. Information about your mental health, history of substance use and genetics could also be shared more broadly.

Medical information is treated as highly sensitive because it is; the wrong information could lead to employment or housing discrimination, harassment, and difficulties obtaining health care. Any time an entity complains that privacy is a burden or says it should be easier to access your private health data, be suspicious, because it’s probably not for your benefit.

Take Action

You can submit electronic comments in response to the request for information at the Federal Register right here.

Attorney Erin Gilmer has written an extremely detailed guide on crafting comments that will be informative, useful and compelling as the agency considers whether — and how — it wishes to make regulatory changes. Set aside at least ten to 15 minutes to draft comments — because the more specific and clear they are, the more weight they carry; don’t just say “I think changes to HIPAA are a bad idea.”

The commenting deadline is February 11 — consider hosting a pizza and commenting party so you can break your research up across a group of collaborating friends.