Although the federal health privacy rule known as HIPAA (Health Insurance Portability and Accountability Act) is more than 15 years old, not many are aware of its origins. The story of the early days of the HIPAA rule is important because accounts of this story gave birth to a myth that the first version of the privacy rule provided for robust patient consent and that a later version of the rule weakened that consent provision. It is the purpose of this document to review the history, dispel that myth, and show why the second version of HIPAA is more protective of privacy than the first.
The U.S. Department of Health and Human Services issued the first final version of the HIPAA privacy rule at the end of 2000, just before the end of the Clinton Administration. The incoming Bush Administration made changes, and the health care sector began compliance with the second final version of the privacy rule, as modified by the Bush Administration, in 2003. The Bush changes are the source of the misunderstanding.
Some look back on the Clinton version of HIPAA as providing a grand, privacy-affirming policy because it appeared to require patient consent for disclosures for treatment, payment, and health care operations. For example, in a 2012 article in HealthCare IT News, Erin McCann wrote: “In 2002, George W. Bush eliminated the right of patient consent as drafted by the Clinton Administration, and still to this day under the Obama Administration, this right has yet to be restored.” Attorney Jim Pyles made the same basic argument in 2013:
In August 2002, however, the Department of Health and Human Services (“HHS”) under the Bush Administration reversed the rule issued by the Clinton Administration and eliminated from the floor of federal privacy protections the individual’s right of consent for routine uses and disclosures, replacing that right with “regulatory permission” granted by HHS to use and disclose an individual’s health information for routine purposes regardless of the individual’s wishes or objections. 
But is this true? Did the United States almost have a better model of consent for sharing personal information for treatment, payment, and health care operations? Did the Clinton version of the rule really offer better privacy protection overall than the Bush version?
Debates over the proper role of patient consent in the use and disclosure of patient information are still current. The tradeoff between individual privacy interests and societal needs for health data for public interest purposes remains a relevant topic. New health care information technologies, including electronic medical records, that allow for increased patient involvement in their own health care and decision making may make it more practical to give patients a direct voice in the use and disclosure of their information for secondary purposes. Health apps that may or may not be subject to HIPAA could also give users more granular control over direct sharing of their health information.
As mentioned above, the U.S. Department of Health and Human Services (HHS) published two separate final HIPAA privacy rules. This document reviews elements of the two versions that pertain to obtaining consent for the use and disclosure of protected health information for the purposes that HIPAA practitioners often refer to as TPO (treatment, payment, and health care operations). It is the TPO disclosures that are at the heart of the Clinton HIPAA consent question.
As used in the HIPAA privacy rule, consent refers to the process by which a patient  gives approval for the use and disclosure of protected health information for TPO. The rule uses the term authorization to refer to the process by which a patient gives approval to the use and disclosure of protected health information for any purpose other than TPO. These two terms became the source of confusion, and some use the terms incorrectly or interchangeably. While a distinction between consent and authorization remains in the rule, the difference is not material.
HHS first published the HIPAA health privacy rule for comment during the Clinton Administration on November 3, 1999  and published the final version of this rule on December 28, 2000 . This publication happened just a few weeks before the end of the Clinton Administration. HHS intended that the effective date for the rule would be 60 days after Federal Register publication. The compliance date – the deadline for covered entities to comply with the rule – was two years later.
However, under 5 U.S.C. § 801, a rule cannot normally take effect until the later of 60 days following publication in the Federal Register or the date on which Congress receives a report of the rule from the agency that issued the rule . Because of an error, Congress did not receive the required congressional report until February 13, 2001. That date came after the start of the Bush Administration.
The Clinton Administration’s failure to submit the proposal on time may have contributed to the ability of the Bush Administration to reconsider the rule. Although the Bush Administration later modified the rule, the compliance date did not change. The rule required covered entities to comply two years after the date of submission to the Congress, or on April 14, 2003 .
On February 28, 2001, the Bush Administration sought public comment on the final Clinton rule . Thirteen months later, on March 27, 2002, HHS published for comment modifications to the final Clinton rule .
Finally, on August 14, 2002, HHS published the final rule with the Bush Administration modifications to the Clinton rule . The current rule is codified at 45 C.F.R. Parts 160, 162, and 164 .
The Clinton Rule on Consent for TPO
The final Clinton rule generally allowed a covered entity to use or disclose protected health information (PHI) for treatment, payment, and health care operations (TPO) pursuant to a written patient consent :
- Consent for uses or disclosures to carry out treatment, payment, or health care operations.
- (a) Standard: consent requirement.
- (1) Except as provided in paragraph (a)(2) or (a)(3) of this section, a covered health care provider must obtain the individual’s consent, in accordance with this section, prior to using or disclosing protected health information to carry out treatment, payment, or health care operations.
- (2) A covered health care provider may, without consent, use or disclose protected health information to carry out treatment, payment, or health care operations, if:
- (i) The covered health care provider has an indirect treatment relationship with the individual; or
- (ii) The covered health care provider created or received the protected health information in the course of providing health care to an individual who is an inmate.
The first of the consent exceptions – indirect relationship – applies to a significant number of health care activities. Still, the Clinton requirement for affirmative patient consent applied to most treatment and payment activities.
The Clinton consent rule included two important implementation specifics. The rule provided that a health care provider may condition treatment on an individual’s signing of a consent that met the requirements of the rule. The second provision allowed a health plan to condition enrollment in the plan on the signing of a consent that met the requirements of the rule :
- Implementation specifications: general requirements.
- (1) A covered health care provider may condition treatment on the provision by the individual of a consent under this section.
- (2) A health plan may condition enrollment in the health plan on the provision by the individual of a consent under this section sought in conjunction with such enrollment.
Had the rule been implemented as written by the Clinton Administration, it is highly likely that nearly all health care providers and all health plans would have insisted that patients sign consents for TPO uses and disclosures as a condition of treatment or enrollment. It is also likely that health plans would have required providers to obtain patient consent as a condition of participating in the health plan’s network.
Prior to the HIPAA privacy rule, it was common for patients to be asked to sign consent forms when they visited a doctor’s office. In a typical consent form, a patient authorized the provider to disclose “any or all information” to a health insurer and to others. Patients signed the forms, often without reading or understanding them. Patients rarely had the opportunity to negotiate changes. If patients changed the form on their own, their changes had little or no effect on actual practice.
In a pre-HIPAA paper, I wrote about the shortcoming of consent as a method for protecting patient privacy . I called it the paradox of informed consent. The paradox is that “giving the patient more of a say in the disclosure of health records for payment results in the patient having less actual control.” The following explanation reflects the state of health care payments in the late 1990s:
Because third party payment is the rule today rather than the exception, the signing of a consent form is not an event that triggers concern or suspicion. Written by insurance companies and health care providers, consent forms allow broad disclosure without any conditions or restrictions. Health care providers – who may share their patients’ concern about confidentiality – nevertheless want to be sure that they can make disclosures necessary for payment. The effect of the informed consent model is to protect the interests of all parties except the patient. 
The Clinton rule did not give patients any clear rights to refuse demands by a provider or an insurer. It did not require providers or plans to negotiate terms governing the use and disclosure of PHI for TPO. If a provider or insurer asked a patient to sign a consent form, the patient who refused to sign the form as presented could be denied treatment or coverage.
In effect, the Clinton rule gave patients the theoretical right to refuse to sign a consent form, but the price of not signing was denial of treatment or insurance. The policy might be called sign or die. The patient who refused to sign the consent could be lawfully denied treatment by any covered health care provider and coverage by any health insurer. The right to consent under these circumstances is a figment. Coerced consent is not consent. 
While the Clinton rule offered the appearance of a right to consent to use and disclosure of information for TPO, the rule also allowed for many non-consensual uses and disclosures . The non-consensual uses and disclosures included those (1) required by law, (2) for public health activities, (3) for health oversight activities, (4) for judicial and administrative proceedings, (5) for specified law enforcement purposes, (6) for research purposes, (7) for national security and intelligence activities, among others. The Bush rule retained all of these non-consensual uses and disclosures with minor adjustments. Thus, neither the Bush nor the Clinton versions relied exclusively on patient approval for the use and disclosure of PHI. Both allowed for many non-consensual uses and disclosures. The biggest difference between the two versions regarding consent, at least nominally, related to consent for uses and disclosures for TPO.
The Bush Rule on TPO Uses and Disclosures
The Bush Administration changed the Clinton approach to uses and disclosures for TPO. In place of the requirement that a patient sign a consent form to allow the uses and disclosures for TPO, the Bush rule provided that uses and disclosures for TPO could be made without patient consent. In explaining the change when publishing the final rule in 2002, HHS discussed some of the practical problems that would have resulted had consent been required :
- Pharmacists would not have been able to fill a prescription, search for potential drug interactions, determine eligibility, or verify coverage before the individual arrived at the pharmacy to pick up the prescription if the individual had not already provided consent under the Privacy Rule.
- Hospitals would not have been able to use information from a referring physician to schedule and prepare for procedures before the individual presented at the hospital for such procedure, or the patient would have had to make a special trip to the hospital to sign the consent form.
- Providers who do not provide treatment in person may have been unable to provide care because they would have had difficulty obtaining prior written consent to use protected health information at the first service delivery.
- Emergency medical providers were concerned that, if a situation was urgent, they would have had to try to obtain consent to comply with the Privacy Rule, even if that would be inconsistent with appropriate practice of emergency medicine.
- Emergency medical providers were also concerned that the requirement that they attempt to obtain consent as soon as reasonably practicable after an emergency would have required significant efforts and administrative burdens which might have been viewed as harassing by individuals, because these providers typically do not have ongoing relationships with individuals.
- Providers who did not meet one of the consent exceptions were concerned that they could have been put in the untenable position of having to decide whether to withhold treatment when an individual did not provide consent or proceed to use information to treat the individual in violation of the consent requirements.
- The right to revoke a consent would have required tracking consents, which could have hampered treatment and resulted in large institutional providers deciding that it would be necessary to obtain consent at each patient encounter instead.
- The transition provisions would have resulted in significant operational problems, and the inability to access health records would have had an adverse effect on quality activities, because many providers currently are not required to obtain consent for treatment, payment, or health care operations.
- Providers that are required by law to treat were concerned about the mixed messages to patients and interference with the physician-patient relationship that would have resulted because they would have had to ask for consent to use or disclose protected health information for treatment, payment, or health care operations, but could have used or disclosed the information for such purposes even if the patient said no.
Experience in the State of Maine with a patient consent regime supports the concerns expressed by HHS. In 1998, a Maine health privacy law required written consent for many health disclosures. The patient consent law was so unpopular and impractical that the Maine legislature suspended the law shortly after it took effect. The revised law replaced many of the requirements for written consent with expanded authority for nonconsensual disclosures  and provided for nonconsensual treatment and payment disclosures.
The Bush rule added two features. First, it allows a covered entity to obtain consent from a patient for TPO uses and disclosures . Thus, any covered entity that chooses to operate under a TPO consent regime is free to do so. It appears that few do today. Second, the rule generally requires a direct treatment provider to make a good faith effort to obtain a written acknowledgment of receipt of the provider’s notice of privacy practices . Thus, when a patient appears in a doctor’s office for treatment, the patient should be presented with a form to sign.
However, there is often misunderstanding about the meaning of the signature. Many patients and many receptionists think that the form is an authorization for disclosure of PHI and that a signature is mandatory. However, the rule does not actually require that a patient sign the acknowledgment. Signing has little legal significance . The value and expense of obtaining these mostly meaningless signatures is questionable. The collection of a signature has become its own ritual activity, frequently disconnected from actually offering or providing the patient with a copy of the notice of information practices.
The Bush rule did not change one partially relevant aspect of the Clinton HIPAA privacy rule. HIPAA provides that stronger state laws (“more stringent”) remain in effect and that the federal rule does not preempt the state law . Thus, HIPAA did not preempt any state law requiring affirmative patient consent for TPO.
Rules on Marketing
The Clinton rule permitted several uses for communications with patients that might be seen as marketing uses :
- Standard: uses and disclosures of protected health information for marketing.
- A covered entity may not use or disclose protected health information for marketing without an authorization that meets the applicable requirements of § 164.508, except as provided for by paragraph (e)(2) of this section.
- (2) Implementation specifications: requirements relating to marketing.
- (i) A covered entity is not required to obtain an authorization under § 164.508 when it uses or discloses protected health information to make a marketing communication to an individual that:
- (A) Occurs in a face-to-face encounter with the individual;
- (B) Concerns products or services of nominal value; or
- (C) Concerns the health-related products and services of the covered entity or of a third party and the communication meets the applicable conditions in paragraph (e)(3) of this section.
- (ii) A covered entity may disclose protected health information for purposes of such communications only to a business associate that assists the covered entity with such communications.
- (3) Implementation specifications: requirements for certain marketing communications. For a marketing communication to qualify under paragraph (e)(2)(i) of this section, the following conditions must be met:
- (i) The communication must:
- (A) Identify the covered entity as the party making the communication;
- (B) If the covered entity has received or will receive direct or indirect remuneration for making the communication, prominently state that fact; and
- (C) Except when the communication is contained in a newsletter or similar type of general communication device that the covered entity distributes to a broad cross-section of patients, enrollees, or other broad groups of individuals, contain instructions describing how the individual may opt out of receiving future such communications.
- (ii) If the covered entity uses or discloses protected health information to target the communication to individuals based on their health status or condition:
- (A) The covered entity must make a determination prior to making the communication that the product or service being marketed may be beneficial to the health of the type or class of individual targeted; and
- (B) The communication must explain why the individual has been targeted and how the product or service relates to the health of the individual.
- (iii) The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future marketing communications, under paragraph (e)(3)(i)(C) of this section, are not sent such communications.
The Clinton rule allowed face-to-face communication by a covered entity to a patient. Another provision allowed promotional gifts of nominal value by the covered entity. These provisions remained substantially unchanged in the Bush rule and are not at issue here.
However, the Bush Administration prohibited another class of marketing activities that the Clinton rule allowed – third party marketing. The third party marketing provision in the Clinton rule allowed a marketing communication to a patient that concerns the health-related products and services of the covered entity or of a third party if the communication meets the applicable conditions. The conditions were that the marketing communication must (1) identify the covered entity making the communication; (2) disclose any payment to the covered entity for making the communication; (3) provide an opt-out except for general communications via newsletter or the equivalent; and (4) explain why a communication based on health condition targeted the individual.
The scope of the Clinton third party marketing provision was broad. Any covered entity could deliver marketing communications to an individual at the behest of any third party. Covered entities include health care providers, health plans, and health care clearinghouses. When a patient visits a physician, information about that encounter could routinely be shared with a health plan, pharmacy, pharmacy benefit manager, one or more laboratories, x-ray facility, health care clearinghouse, and others. A family of four with routine health care encounters could easily have relationships with dozens of covered entities. Under the Clinton rule, every one of those covered entities (and, perhaps, their business associates as well) could use PHI to make marketing communications. To opt out of further marketing, that family might have to send dozens of opt-out requests, some to indirect providers previously unknown to the family.
Information about a patient who responded to a marketing communication could easily leak out from the privacy protections of HIPAA and become available without restriction for additional use and disclosure. The Clinton third party marketing rule would effectively allow a covered entity to disclose patient information to a non-covered entity. Consider a diabetic patient targeted by a pharmaceutical manufacturer (not a HIPAA covered entity) through a communication from the patient’s health care provider. If the patient responded to the communication directly to the pharmaceutical manufacturer, the manufacturer would know by virtue of the targeting that the patient had diabetes, along with any other status or conditions specified by the targeting conditions (e.g., age, other diagnoses, type of insurance, current treatment, etc.) agreed to by the health care provider. Any patient information in the hands of that pharmaceutical manufacture would not be subject to HIPAA or any other health privacy law. The information could be freely sold, shared, and used for the remainder of the patient’s life. The Clinton third party marketing policy may have been the most anti-privacy feature of the HIPAA rule.
The Bush changes to the marketing provisions made the rule clearer, simpler, and more privacy protective . The first change eliminated entirely the possibility of non-consensual marketing communications on behalf of third parties. That was a major advance for privacy. Other changes were relatively modest, clarifying the definition of marketing and requiring an express patient authorization for marketing communications .
In conclusion, the written patient consent required by Clinton Administration’s rule for uses and disclosures of PHI for TPO was not a meaningful consent. It was not true consent because any patient refusing to sign a standard consent form could be denied treatment by a health care provider or enrollment by a health insurer. Under those conditions, the ability to consent is illusory. It is a Hobson’s choice, a coerced consent. Nearly all patients would have no choice at all. The Bush rule basically took away the illusion of consent.
Further, the Clinton rule allowed any covered entity to use patient information for marketing of third party goods and services without patient authorization and subject to an opt-out. The Clinton marketing rule would have allowed much patient information to leak into the databases of marketers and others not subject to the HIPAA privacy rule or any privacy law. The Bush Administration dropped the Clinton marketing rule and replaced it with a more standard provision that required express patient authorization.
The Bush Administration’s change to the TPO consent rule did not meaningfully change patient rights, while its change to the marketing rule was a substantial improvement for patient privacy. On balance, the Bush Administration changes on consent for TPO and for marketing represented a significant gain for the privacy of patients.
The argument here is a narrow one. The argument should not be read to suggest that the HIPAA rule is without flaws; that the Bush changes are uniformly good or that the Clinton rule was uniformly bad; that there either is or is not a role for consent in controlling the use and disclosure of patient information. On these broader subjects, there is much to debate.
Finding the right balances between the interests of individual patients, the interests of other participants in the health care system, and the interests of the public at large remains a challenge for health privacy and for the health care system in general. There are many different perspectives on striking those balances. However, it should not be assumed that patient consent for TPO disclosures always is good or practical, benefits patients, or is actually something that patients really want.