Manasquan, N.J. -- Although the federal government allows the use of patient data in special circumstances without the patients authorization, only one in four managed-care professionals approve of the practice, according to a survey by The Managed Care Information Center (MCIC).
Those circumstances medical research, law enforcement and emergency public needs are sanctioned by the Health Insurance Portability and AccountabilityAct of 1996 (HIPAA), which distinguishes the difference between patient consent and patient authorization.
According to the HIPAA guidance issued by the Department of Health and Human Services (HHS), authorization is a document that gives healthcare providers permission to use specific protected health information (PHI) for specific purposes, or to disclose PHI to a third party.
Consent, on the other hand, is a brief, broadly worded document in which the patient consents to treatment and the use of PHI for that treatment. But PHI may be used without prior consent in an emergency, according to HHS.
The MCIC survey asked readers whether they agreed that "patient data could be used without authorization for medical research, law enforcement and emergency public needs," as allowed under HIPAA.
Seventy-five percent of respondents said they disapproved of using PHI without authorization.
The results conflict with an earlier survey, by Maryland-based Phoenix Health Systems, in which more than half of the respondents said the data could be used without authorization.
Although the MCIC results conflict with the PHS findings, they point toward PHS conclusion that there is no pattern to suggest that particular segments of the healthcare industry are biased for or against the privacy rules.
Respondents in the MCIC survey were from HMOs, health systems, physician groups, professional associations, technology companies and consulting firms; all were represented in votes for and against the unauthorized use of PHI.
Respondents who disapproved generally cited breach of confidentiality.
The representative of a healthcare group said that using PHI for purposes given in the survey question "sounds very risky."
"It violates patients rights," said an HMO employee.
Another HMO worker took a more global approach, noting, "it violates human rights" (italics added for emphasis).
But comments from respondents who voted against using PHI without authorization indicated that the issue is open to debate.
For example, the member of a consulting firm said that the categories, as presented in the survey question, were "too broad to preclude unethical, and possibly unconstitutional, invasion of privacy."
And, a respondent from a government agency said it depended on how much PHI was involved.
"If the data [do] not include names and [are] codified so that persons cannot be recognized, then it is fine to use [PHI] for research," the respondent wrote. "But if you are talking about ONE patient, with data that [are] labeled as belonging to that patient, then, no, not for research. Law enforcement can access anything with a duly granted subpoena."
The same respondent added that a patients data should be accessed if the individual were involved in an emergency and it was necessary to access PHI "for the good of the patient."
Respondents who approved using PHI without authorization did so either without comment or citing a condition, such as not divulging the patients name or otherwise "sanitizing" the data.
Said a respondent from a government agency: "As long as all identifying information is removed, this is legal."
HIPAA went into effect April 14. Most health plans and providers must comply with its requirements by April 2003, according to HHS.
Addresses: The Managed Care Information Center, 1913 Atlantic Ave., Suite F4, Manasquan, NJ 08736; (732) 292-1100, www.themcic.com. U.S. Department of Health and Human Services, 200 Independence Ave. SW, Washington, DC 20201; (202) 690-2000, www.hhs.gov/ocr/hipaa.
For more information contact The Managed Care Information Center, 1913 Atlantic Avenue, Suite F4, Manasquan, NJ, 08736, toll-free telephone 1-888-THE-MCIC (1-888-843-6242), fax 1-888-FAX-MCIC (1-888-329-6242), e-mail email@example.com or online at http://www.themcic.com.