Privacy? What Privacy? Confidentiality Who?

by Emily Friedman

First published in Hospitals & Health Networks OnLine, June 6, 2006

The impending revolution in health care information technology offers tantalizing possibilities for quality improvement, more coordinated care, better communication and greater patient empowerment. But there are also real threats to privacy, the consequences of which can be devastating.

Several years ago, I was speaking at a conference on health care information technology, long before the topic was fashionable. I was there as the representative of patients and consumers, and, of course, I emphasized privacy of personal medical information. One of the other speakers was a federal official who was heavily involved in implementation of HIPAA (the Health Insurance Portability and Accountability Act, as if you didn’t know). We got to talking during a coffee break, and he told me that he found my presentation interesting, but he didn’t know why I was worried. “I don’t care who sees my medical records,” he said.

Well, I care who sees mine.

Back When

Once upon a time, sensitive medical information was protected from prying eyes, although the decision to conceal it was not always wise. Physicians commonly had a locked drawer in the office in which the “other” medical record was kept, detailing pregnancies, abortions, sexually transmitted diseases, mental illness and other stigmatizing conditions.

Often, such information did not make it into medical records at all. Indeed, during the early days of the AIDS epidemic, it was common for physicians to list the cause of death of AIDS patients as something else. This was relatively easy to do, given that the AIDS infection sparks the fatal condition but the cause of death itself can be otherwise described, usually as pneumonia or cancer. In the case of some celebrities who died of AIDS--who had begged their physicians for privacy--medical records were knowingly falsified.

Am I in favor of this? Of course not. In an emergency, or in the event of an illness or accident while someone is traveling, or when a patient does not have a physician who knows his or her health care history, complete medical records are necessary; there’s nothing like not knowing that someone is pregnant or is HIV-positive when you’re trying to treat him or her! There are significant risks for both patients and providers. And the need to protect the public’s health in the case of epidemic disease is extremely important--although there are limits.

But I can certainly understand how the concealment of critical health care information happened--and still happens. Despite the cavalier attitude of that federal official, most people are very worried about who can get into their personal health records.

Prying Eyes

And these days, a whole lot more people can get into those records than ever did before.

The final regulations for implementation of HIPAA’s privacy and confidentiality provisions weakened them considerably, most significantly by dropping the requirement that patients must give written consent before their records can be shared; the new provision just informs patients that their records can be viewed and used by others, authorized or not. One critic estimates that 600,000 providers, insurers and data processing firms can get into medical records without the patient’s consent. And compliance with even these relaxed provisions is down; a 2006 survey by the American Health Information Management Association found that only 85 percent of hospitals and health systems reported that they were “mostly compliant,” down from 91 percent in 2005.
HIPAA also contains a long string of exemptions from any protection of records, including some that are obviously appropriate--law enforcement, epidemiological investigation, insurers paying claims, providers consulting on a case--and some that are a bit dubious, such as “research.” The provision is so broad that many people posing as researchers could quite easily get into records that still contain patient-specific, identifiable information and use them for non research purposes--or for research that the patients in question might not want to participate in. And this is assuming absolute integrity on the part of legitimate researchers.
The Government Accountability Office reported in March 2006 that medical and financial patient information collected by the Medicaid and Medicare programs is highly vulnerable to theft or disclosure because of insufficient computer security at CMS. This included outdated anti virus software, lax control over computer passwords, and employees and contractors with access to the data who have never undergone background checks.
Although it seems increasingly unlikely that it will happen, some health care IT professionals are still pushing for a requirement that every American have a “unique personal health identification code,” which would, of course, be linked to personal health information.
As reported in Trustee magazine in April of this year, the Patriot Act allows the FBI and other homeland security entities to request medical records and other information from any source, including physicians and hospitals, in the pursuit of investigations of alleged terrorist activities.
Employers, especially self-insured ones, have broad access to employee and retiree health information.
A major American health system is considering joining with other academic medical centers to sell “aggregated patient data” to the government, pharmaceutical firms, biotech companies, insurers and publishers. “We would never do anything that would compromise the confidentiality of patient data,” said a system official. Of course not.
Banks have been lobbying for an exemption to HIPAA protections so that they can gain access to the medical records of people seeking loans and mortgages.
The Ohio Supreme Court ruled in March that the state’s open records law supersedes HIPAA protections (such as they are), and that certain personal health information must be made publicly available.
The state of Minnesota sought to establish a statewide comprehensive medical database with information taken from patient medical records. After vociferous opposition surfaced, the state tabled the proposal, but says it isn’t dead.
As the hysteria increases over avian flu (a disease that has yet to be proven to be transmitted through human-to-human contact), the Centers for Disease Control and Prevention announced in April that airlines and cruise ships should be required to collect detailed health and travel destination information from all passengers and report it to the government. The data would have to be stored for 60 days and provided to the government within 12 hours of its being requested (lots of time for an appeal there). The lucky passengers who flunk any government tests would then be held in quarantine.

Data Bandits

And these are all legal initiatives (at least until they are challenged in court)! There are too many examples of people and organizations playing fast and loose with personal health information on the fringes of the law, or just plain outside the law. Among the lowlights:

The CVS drugstore chain bought a man’s pharmaceutical records after his local pharmacy closed. He was HIV-positive.
Clients of a Walgreen’s pharmacy who were taking drugs for depression were startled to receive solicitations in the mail to try a new antidepressant. The letter was signed by the patients’ own physicians, who had apparently sold the patients’ medical information to a pharmaceutical firm.
A low-paid woman in Pakistan doing transcription work for a U.S. health system threatened to post patient medical records on the Internet unless she got a raise.
A disgruntled former health system employee posted links to confidential patient information on the Web.
Accidental Internet releases of confidential patient data have been reported in Davis, Calif.; Columbus, Ohio; Minnetonka, Minn.; Salem, Ore.; Arizona (statewide theft of information); San Jose and Palo Alto, Calif.; Durham, N.C.; Joplin, Mo.; Oregon (statewide theft, also involving Washington state); Seattle; Boston; Los Angeles; Hawaii (statewide theft); and Florida (statewide theft). And those are only the ones I have heard about recently.
This is not even to mention the rash of thefts and losses of laptop computers containing sensitive information that have been left in cars and other completely non secure locations. What on earth were they doing there?
The Wall Street Journal reported last year that identity thieves were finding a rich trove of victims among hospital patients whose Social Security numbers were listed on patient ID bracelets. Pretty easy to steal someone’s identity while she’s unconscious. One group of identity-theft creeps in New Jersey focused on the terminally ill.
And then there’s the poor lady being treated for psychiatric problems who found insulting computer printouts from Walgreen’s pharmacists stapled to her prescription: “She seems shady,” one said. Two other women suffered the same fate: One note read “CRAZY!” and another, “She’s really a psycho.” That should speed their recovery.

Now, I realize that prying and illegal violations of privacy are hardly confined to health care. Every day, it seems, I receive outrageous “privacy notices” asking me to hand over the crown jewels. As one such solicitation read, “You don’t have to do anything to permit us to use your information. We think that’s one reason you trust us.” Think again, guys.

Dreadful Consequences

In health care, the stakes are higher. If you don’t send the privacy statement back to the credit card company, refusing to allow them to sell your information to their friends and acquaintances, you’ll just get bombarded with offers to buy this or that. But if your personal health care information gets into the wrong hands, the consequences are slightly more serious, such as:

Loss of insurance. That federal official I quoted had generous taxpayer-paid health insurance, probably for life. Unlike him, I’m in the individual insurance market, along with 16 million other fortunate souls, and we are highly vulnerable to being considered “bad risks” or “uninsurable,” with payers either unwilling to provide coverage at all, or else charging more than anyone other than Donald Trump could afford. As I write this, Blue Cross of California is under investigation for “retroactive denials” of coverage, which they attempted after individually insured patients had large claims. The insurer then pored over their medical records to try to find a reason not to pay the claim. This, by the way, is illegal under California law.
Loss of job. Especially if you are working for a self-insured employer, your personal medical information could, if improperly used, affect your chances for a raise, for promotion, even for holding on to your job. And if illegally obtained, those records could prevent you from getting the job in the first place. And good luck trying to prove any impropriety!
Loss of privacy. In his brilliant book, Days of Grace, completed 10 days before he died of transfusion-induced AIDS, the great tennis star and humanitarian Arthur Ashe wrote of what he called “his outing”: receiving a phone call from a newspaper telling him that word was out that he had AIDS, and that they were running the story the next day, and did he have a comment? A colleague of mine who has survived cancer, upon hearing the story, was livid. She told me that the decisions regarding whom to tell about her illness, and how, and when, were among the most difficult of her life. “How dare they do that to him?” she demanded. I had no answer.
Loss of family. We should all live on the straight and narrow, and there should be no lying within the family, of course. But sometimes people make mistakes. And sometimes people who made mistakes in the past choose not to share the information with their loved ones, who may not even have been their loved ones when the mistake was made. The unexpected revelation of a pregnancy or an abortion, an STD, AIDS, mental illness or other stigmatized condition can destroy a family.

Can Anything Be Done?

OK , so is it hopeless? More than a few people have told me to abandon my quixotic quest for proper protection of personal health information, that there is no way to keep it private, and that whatever skimpy means we have had to make it safe will be washed away in the IT deluge of electronic health and medical records and community health information networks and data bases and lack of enforcement of whatever laws manage to survive.

To which I answer: As long as people’s lives can be ruined by the improper use and/or release of their personal health information, then it is a moral and ethical issue as well as a technical and legal one, and we have no right to abandon the field to those who would do us harm, especially because most of the time their goal is to make money from the suffering of others.

A Tiny Bill of Rights

So I would suggest the following tiny little Bill of Rights for People Who Have Ever Seen a Physician or Have Been in a Hospital or Ever Had Health Insurance:

Discrimination against the sick and those at high risk of getting sick should not be allowed in insurance, employment or treatment. If we could make it legally and financially undesirable to hurt those who are most vulnerable, a great deal of the problem would go away, because delving into medical records would no longer be profitable.
In the absence of strong federal laws for protection of personal medical and health information, and meaningful enforcement thereof, states should be able to enact and enforce their own statutes.
Protection statutes, whether state or federal, should be enforced, and penalties should be severe. A $100,000 fine is chump change for most insurers and employers and many providers. How about losing your license or your ability to sell your products or services in the state?
Social Security numbers should never be used for identification in any health care encounter or for insurance or other purposes. Although we are making progress on this, these numbers are still used far too widely for non-Social Security purposes.
Researchers should be limited in their access to medical records and other health information, and no personally identifiable data should remain on the records being used. There can be exceptions, but they should be granted by a responsible, objective entity that does not have a vested interest in the research.
Any employee of an organization that collects, stores or uses personal health information who takes laptops, paper medical records or other media containing that information out of the building should be fired. And, as a nice touch, let’s post their names, addresses, phone numbers and perhaps other personal information on a “scandal” site on the Internet. Let’s see how they like it. (Actually, this latter suggestion violates my principles, but it is a tempting thought.)
Use of medical records for any marketing or fund-raising purpose should be banned by law. They’ll give if they want to, without being prodded by providers.
The buying or selling of medical records under any circumstance should be prohibited by law. (The Missouri legislature is considering such a statute.
There should be constant, meaningful monitoring, through audit trails and other means, of those who are gaining access to personal information, why and what is happening as a result.
All organizations entrusted with this sensitive information should work to create a culture of privacy and confidentiality, in the same way that we strive for cultures of excellence. After all, one is heavily intertwined with the other.

And if you think that all this is just paranoid raving (in which case my paranoia is shared by the majority of Americans, all across the political spectrum), ask yourself a question: Do you have a deep, dark health care secret? Does anyone in your family have one? Do you think any of you might ever have one?

Do you want to see it as the lead story on the 6 o’clock news?

First published in Hospitals & Health Networks OnLine, June 6, 2006

Return to Emily Friedman home page