How would you feel about your personal health information flowing freely over the Internet between public health officials, health-care providers, insurance and data clearinghouse companies, and others — without your permission?

If this doesn't sound like a good idea, it's time to become informed about federal health-privacy law.

Today, when Americans visit a health-care provider for services (including dental and eye exams), they receive a form with a title such as "Notification of Privacy Rights." Many assume that signing the form guarantees that personal information won't be shared with third parties. But the form offers no such guarantees. And neither does federal law.

In fact, the privacy rule established under the Health Insurance Portability and Accountability Act of 1996 legally permits health-care providers to share patients' information with more than 600,000 health- and data-related entities — without a patient's consent. Yet the notification form doesn't clearly explain this.

Individuals control their information when they give consent; they don't with notification. When you sign a notification form, all you are doing is acknowledging its receipt. The HIPAA notification form offers no control over who sees your information and instead just tells you about some of the entities that can access your information, rather than asking for your permission.

Consequently, many physicians and other health-care providers are urging Congress to strengthen privacy rights. They know firsthand that the HIPAA rule fails to ensure true confidentiality.

"The regulations under HIPAA, which were intended to extend patient privacy as we moved from a paper-based system of medical records to a digital system, are a sham. HIPAA allows the routine release of personal health information without patient consent or knowledge and even over a patient's objection," stresses Dr. Janis G. Chester, president of the American Association of Practicing Psychiatrists.

As the ACLU put it, "HIPAA has so many medical privacy loopholes, it makes Swiss cheese look solid." The organization also points out that under existing federal regulations, the term "privacy" hasn't been well-defined. The ACLU is urging Congress to define medical privacy as "patient control of electronic medical records."

Moreover, these organizations and others are lobbying for privacy amendments to key health Internet-technology bills currently being considered in Congress.

Lack of privacy has serious consequences. It fosters making personal health information a commodity that businesses sell and trade in the marketplace, notes the ACLU. Weak privacy rights also interfere with doctor-patient relationships. When drafting the HIPAA privacy rule, the Department of Health and Human Services noted that "Privacy violations reduce consumers' trust in the health-care system and institutions that serve them." The ACLU noted recently that at least one third of Americans are not sharing their complete personal medical histories because they feel their privacy will be weakened in the name of efficiency. Additionally, without strong privacy rights, individuals can't take steps to adequately protect themselves from bad, lost, stolen or misused data.

Meanwhile, more and more personal data is being collected during routine health-care visits, including information about marital and sexual matters. A married woman (wedded for over 30 years) and mother of two adult children said she was appalled when asked during a routine visit if she preferred men or women. She stressed that while she "has nothing to hide," she doesn't think it's anyone's business what her sexual preference is or when her first sexual encounter was (which is often asked during exams).

What's more, it is becoming easier to share health-care information with just a click of a mouse. As Health and Human Services has noted, "Until recently, health information was recorded and maintained on paper and stored in the offices of community-based physicians, nurses, hospitals and other health-care professionals and institutions. ... Today, however, more and more health-care providers, plans and others are utilizing electronic means of storing and transmitting health information. In a matter of seconds, a person's most profoundly private information can be shared with hundreds, thousands, even millions of individuals and organizations at a time."

Do Americans really want the intimate details of their lives and families shared so easily without their consent? If not, they need to urge Congress to establish stronger privacy rights. Tinkering with HIPAA won't do it. That would just keep a lot of people busy rewriting regulations that don't guarantee privacy. Rather, Congress needs to pass a new law that defines "privacy" and upholds the precious ethic of consent. The new law should guarantee individuals' freedom to decide whether to be part of electronic medical-record and genetic databases for years to come.

Sue A. Blevins is president of the Institute for Health Freedom in Washington.