ICBioethics Blog 

HIPAA Regulations and Privacy

Written by: Dr. Kathy Gennuso

It is as old as Hippocrates that patients have a right to have personal medical information kept private.

Physicians have an obligation to keep medical information secret. The chief public-policy rationale is that patients are unlikely to disclose intimate details that are necessary for their proper medical care to their physicians unless they trust their physicians to keep that information secret. Basic privacy doctrine in the context of medical care holds that no one should have access to private healthcare information without the patient’s authorization and that the patient should have access to records containing one’s own information, be able to obtain a copy of the records, and have the opportunity to correct mistakes in them.

Without informed consent, outside the context of treatment, a patient’s entire medical record can seldom be lawfully disclosed. The HIPAA regulations set a federal minimum, or floor, not a ceiling, on the protection of privacy. Thus, when other federal laws (such as laws protecting drug and alcohol treatment records) or state laws (such as laws that provide special protections for mental health or genetic records) provide more protection for patients’ privacy than the new regulations, the more protective federal and state laws will continue to govern.

Enforcement of the regulations rests in the Office of Civil Rights. The secretary of Health and Human Services has the authority to impose a civil money penalty of not more than $100 for each violation, not to exceed $25,000 annually for violations of the same requirement.

Specifically, HIPAA permits persons who knowingly obtain or disclose individually identifiable health information to be fined not more than $50,000 and imprisoned for not more than one year. Even with these methods of enforcement, there are certainly computer experts who share the view that personal control of private information is an illusion in the computer age and that privacy is already dead. The privacy of the information that is maintained in electronic storage, and the freedom it provides, is dependent on the personal integrity of those who will never see the patients or meet those who could be adversely affected by the systems being developed. IT professionals have no standard code of ethics. Not surprisingly, it comes down to moral agency and personal ethics. However, human beings by nature have the capacity to recognize the normative standards expected of their role or position. It is well accepted that this capacity brings with it accountability for one's actions, even without a code of ethics. Personal integrity will provide this type of accountability, but without checks and balances, personal policing may not be enough to compensate for human errors.
