Prying eyes: Medical records at risk
When the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was amended in 2003, something happened to your medical records: You lost control of them, along with the health privacy of you and your family.
"HIPAA was gutted," says Dr. Deborah Peel, a practicing physician in Austin, Texas, and founder of Patient Privacy Rights, a medical privacy watchdog group.
For example, privacy provisions in place prior to 2003 were replaced by a "disclosure" provision: That's the HIPAA form you've been signing all the time at the doctor's office and hospital. Now anyone even tangentially associated with your medical care (billing firms, pharmacy benefit managers and business associates you don't even know about, referred to as "health care operations").
Here's how it happened: Congress in 1996 recognized the need for national patient privacy standards and set a three-year deadline for itself to enact such protections as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). When Congress failed to meet that deadline, the law required the Health & Human Services Department (HHS) to adopt such protections via regulation.
Here's what HHS came up with: "The consent provisions in [the previous HIPAA law] are replaced with a new provision . . . that provides regulatory permission for covered entities to use or disclose protected health information for treatment, payment, and health care operations." Translation: Requirement for your consent is replaced by broad permission from the federal government for others to use your data. And thus, your medical records opened up like a gusher.
HHS touted it as an advance, even though it stripped your consent rights: "The patient privacy rule will provide strong protections for personal health information while maintaining the high quality of care that Americans expect," said then-HHS Secretary Tommy Thompson.
Further, these HIPAA provisions apply to "past, present, or future" medical records, so that brief condition you had 20 years ago is fair game.
HHS admits the rules do not establish "appropriate" restrictions on the use or disclosure of medical information by such recipients as researchers, life insurance issuers, marketing firms, or administrative, legal, or accounting services. In addition, HHS does not have the authority to give you the right to take court action if your medical information is misused. These HIPAA provisions apply mainly to your electronic medical data — which is extensive, considering the increased use of electronic claim filing by health care providers and the databases that record every prescription you fill, no matter how you pay for it.
In addition, these HIPAA provisions mean you will not know who has seen, touched or sold your personal medical data. You will receive no notices when your health records are disclosed, nor will you be able to find out, even if you ask, because there is no requirement for an "audit trail," says Patient Privacy Rights.
One undesirable consequence Peel foresees is that patients who are aware of this lack of privacy may lose trust in their doctor-patient relationship, because anything recorded in a medical record is at risk.
HIPAA says that identifying information should be stripped from your medical data if it's not needed — for example, if your data is given to a researcher — but there has been strong doubt in the privacy-advocacy community about whether this will be put into practice.
Your health as a matter of national security
In addition, under the HHS rules, parts of your medical records can be disclosed for a variety of reasons that concern "national priority activities" and for "activities that allow the health care system to operate more smoothly." You would also be assigned a permanent health ID, similar to a Social Security number, so your medical records could be more easily traced no matter which doctor, police agency or researcher wants them.
Here are some of the agencies and purposes for which "prying eyes" could review your medical records under the HHS' rules:
- Oversight of the public health care system, including quality assurance activities
- Public health
- Judicial and administrative proceedings
- Law enforcement
- Emergency circumstances
- To provide information to next-of-kin
- For identification of a deceased person, or the cause of death
- As authorized for governmental health data systems
- For facility patient directories
- By banks and other financial institutions, to process health care payments and premiums
- For activities related to national defense and security.
The American Civil Liberties Union (ACLU) worries about the access law enforcement will have to your medical records. "The police should not be able to say to a hospital, 'Give us Mr. Smith's medical charts because we think something's fishy,'" says Ronald Weich, an ACLU legislative consultant. "One of the most basic principles of American justice is that police must obtain a warrant from a judge before searching through your property. Medical records should be treated no differently."
The ACLU accused HHS of ignoring thousands of faxes sent through the ACLU web site from consumers seeking stronger regulations.
State privacy laws
If the HIPAA regulations conflict with state privacy law, whichever has the stronger privacy protections would prevail. These laws cover consumers who are privately insured or uninsured, and recipients of public assistance, such as Medicare and Medicaid.
How to take back control
Regaining control of personal medical information will be no small feat. Most important is strong federal privacy regulation to counteract what has been done by the HHS rules.
Patient Privacy Rights offers an online "Patient Privacy Toolkit" with forms that you can use to assert your right of consent before your health data are disclosed.