How Medical Privacy Regulations Can Backfire

Though privacy of medical information is an area of utmost importance, it is not easy to write laws or regulations that protect privacy without hindering needed and important uses of medical information. The experience of Maine provides a case study in how medical privacy regulations can backfire.

In January 1997, Maine legislators began writing a medical privacy law for their state. They worked diligently for two years and ultimately passed a law in the final hours of the 1998 session that took effect January 1, 1999.

Despite all the work of the legislature, serious unintended consequences became apparent quickly. The statute defined "health care information" very broadly, for example, to include any information that directly identifies the patient and relates to his or her physical, mental, or behavioral condition, or personal or family medical history or medical treatment. The law generally prohibited disclosure of health care information, as defined, without written authorization from the individual or a legally appointed representative.

As described in testimony to the the U.S. House of Representatives Government Reform Committee's Subcommittee on Government Management, Information, and Technology, these provisions had the following consequences:

• A hospital could not release "directory" information about an in-patient, so if a patient could not fill out appropriate paperwork, visitors and clergy could not visit, phone calls could not be connected, and even flower deliveries could not be accepted.
• Without specific written authorization from parents, health care providers could not tell school nurses, day care providers, and camp counselors about childhood allergies or immunization histories.
• Without specific written authorization, military officers and relief organizations could not learn about the medical condition of their enlistees or get information about the condition of a loved one hospitalized in this country to share with an enlistee overseas.
• Without specific written authorization, jails could not learn the condition of inmates or learn information about inmates' loved ones to share with them.
• Without specific written authorization, routine medical appointments could not be confirmed by telephone, nor could test results be released by phone.
• Without specific written authorization, the media could not learn summaries about the conditions of accident and disaster victims.
• Without specific written authorization, friends and family members could not purchase or refill prescriptions for their loved ones.
• Maine residents traveling out of state could not call for their medical records. Instead, they had to complete, sign, and submit a specific written authorization that complied with Maine law before their records could be sent as they wished.