Fox News legal analyst Andrew Napolitano baselessly claimed that the Affordable Care Act (ACA) will require doctors to disclose patients' health information to law enforcement and encourage patient dishonesty about health concerns, ignoring the fact that the ACA expands existing doctor-patient confidentiality protections.
On October 10, Fox & Friends co-host Steve Doocy claimed that "the fine print" on the new health care exchange sites reveals that "your information can be used by law enforcement and for audit activities" and that "your e-mail could become public record." Napolitano further claimed that digital health records meant the Department of Health and Human Services (HHS) could now share private health information like cocaine use "with law enforcement or with the IRS," and suggested that the law would encourage doctors to report private health information to law enforcement rather than treat their patients, "incentiviz[ing] us to keep the truth from our doctors."
Doocy and Napolitano's claim that the ACA will incentivize lying to doctors relied on the false suggestion that the new law negates the 1996 Health Insurance Portability and Accountability Act (HIPAA), which in part established standards on how electronic medical information can be shared. But according to the American Medical Association, the new health law actually "expands" HIPAA rules. The National Conference of State Legislatures explained that under the ACA, the new rules "expand privacy measures," strengthening patients' rights and protections and strengthening the government's ability to enforce the privacy law against other business interests.
Under the ongoing HIPAA privacy standards, "covered entities" -- including doctors, clinics, nursing homes, pharmacies, health insurance companies, health care clearinghouses, Medicare, Medicaid, and the military and veterans health care programs -- are explicitly required "to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information."
Without patients' written authorization, the Privacy Rule prohibits these entities from sharing confidential health information with law enforcement officials except in very limited circumstances, including when a court order has been issued or when required by law. University of Virginia's Health Sciences Center summarizes these instances (emphasis added):
Confidentiality is the basis of the Physician-patient relationship. If the patient is uneasy about disclosing pertinent and privileged information, the ability of a physician to provide adequate care is severely compromised. It should be made clear to the patient that this information will not be disclosed unless required by law. The medical record is to be kept private with certain exceptions including:
- Treatment of minors
- HIV+ Patients
- Abuse of a Child or Adult
- Transportation Safety
- Duty to report harm/wounds
The digital privacy standards established by HIPAA continue to apply under the ACA, but the law includes some modifications to the Privacy Rule to expand patient protections. From the ACA's "Final modifications to the HIPAA Privacy, Security, and Enforcement Rules":
- Make business associates of "covered entities" directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity's notice of privacy practices.
- Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
- Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.