The right to privacy is one of the bedrocks of the American value system — but when it comes to your medical records, there are questions about how far that privacy really extends. If you’ve ever wondered who has access to your medical records, you’re not alone.

The confidentiality of your medical records depends on the people who handle them. Insurance companies use medical information to underwrite policies. Not only does your insurance company share information about your health with other insurers, it also receives this information directly from your doctor and other sources.

Insurance companies use “underwriting standards” to determine whether they will issue the policy the customer requests and what the price will be. When underwriting a policy, life insurance companies factor in your age, height, weight, personal medical history, family medical history and whether you smoke. Underwriting standards for members of a group (such as group life insurance purchased through work) are less stringent than for someone who wants to buy an individual policy, but there is still an underwriting process. According to the National Association of Health Underwriters, large health insurance policies are medically underwritten, but only at the time of purchase. Rates are generally based on prior claims experience.

If you have applied for an individual life, health, disability, long-term care or critical illness insurance policy in the past seven years with an MIB Group, Inc. member, and you have a medical condition severe enough to impact your health or longevity, your information (stored as codes, not “medical files”) may be in a database at MIB (formerly named the Medical Information Bureau). MIB provides medical information to its nearly 475 member life and health insurance companies — information taken from individuals’ insurance applications. Member companies report information to the MIB.

Insurance companies pay a fee to become members of the MIB, and they also pay a fee every time they request information from the MIB’s database. You will be notified when you apply that the insurance company plans to check the MIB for any record of you, but that notification may be buried in the fine print of the authorization you sign. Ask an agent when you fill out the application whether pre-existing medical conditions might raise your rates or nix your application altogether.

Getting your hands on your MIB records

According to the MIB, its database contains files on about 18 million individuals. The easiest way for you to check whether the MIB has a file on you — and whether that file is accurate — is to request a copy of your record from the MIB. You can request a free copy of your report (if one exists) once a year.

The MIB is similar to consumer credit reporting services. For instance, it purges records that have been in the system for more than seven years. Under the Fair Credit Reporting Act, you have a right to see and correct the information the MIB has on you. Some states have also adopted laws specifically dealing with the confidentiality of medical records. The MIB and member companies doing business in those states are also subject to those laws.

Member companies of the MIB must also comply with the MIB’s own privacy standards. The information is exchanged only among the member insurance companies and is used only for underwriting an application or for claim adjustments. Member companies generally use this information to detect lies or inconsistencies on insurance applications. For example, if you applied for life insurance five years ago and noted a history of cancer, and now you submit an application to another company without that information, the company will want to know why.

Patient privacy and insurance claims

Although there are federal patient privacy standards, and most states have additional privacy standards for health care providers, your patient information could still travel to other places.

One of the problems with keeping medical records confidential is the number of people who handle such information. Every time you visit the doctor, you leave a paper trail that passes through numerous hands.

While state and federal privacy laws may require a doctor to keep records private, an insurance company can demand to review all necessary records before reimbursing the physician for services rendered.

Does your employer administer your benefits in-house? That means someone in your own company may know the intimate details of your medical history.

Even if you pay for your health care out of your own pocket, eschewing insurance altogether, your medical records could still end up in the hands of your insurer. That’s because most doctors are part of health care networks that require access to all patient records, not just those of their own enrollees.

Hospitals also keep records on patients they’ve served. Pharmacies store and sell information about the medications that customers use. Considering the fatal consequences of certain drug combinations, tracking a patient’s medication is necessary for safety reasons.

In this age of outsourcing, insurance companies often contract with other companies to help with data collection. Sometimes, you may not even know that you’re dealing with a third-party company that is engaged in a practice called data mining. About half of all life, health and disability insurance companies contract with a third party to collect your medical records. Companies that routinely acquire medical records and physician statements for their insurance company clients include SAS Business Analytics and Insurity Inc. (a division of a subsidiary of ChoicePoint/LexisNexis, which also provides auto insurers with DMV records).

HIPAA rights

The federal Health Insurance Portability and Accountability Act (HIPAA) requires the simplification of electronic data transactions, and procedures to protect patients’ privacy.

The Department of Health and Human Services issued the Privacy Rule to “address the use and disclosure of individuals’ health information,” or “protected health information,” by organizations subject to the Privacy Rule (covered entities), and to set standards for individuals’ privacy rights to control how their health information is used under HIPAA.

Entities that have to be in compliance with HIPAA include:

  • Health insurance companies, HMOs, group health plans, Medicare and Medicaid.
  • Anyone that conducts business electronically to bill your health insurer, including physicians, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies and dentists.
  • Health plan clearinghouses, including billing services, repricing companies and community health-management information systems.

Each organization governed under HIPAA is required to set up procedures to protect patients’ privacy. Each also has to designate an official to monitor that system and notify patients about their privacy-protection practices. The regulations call for penalties, ranging from fines to criminal charges, against people who violate a patient’s right to privacy.

President Obama signed the American Recovery and Reinvestment Act of 2009, which includes protections for how medical information is used. The act:

  • Prohibits unauthorized sale of medical records, unless they are being used for research, public health and treatment.
  • Limits marketing practices.
  • Requires health providers and business associates to keep an audit of personnel who have access to sensitive medical information.
  • Sets strict standards for technology systems, including data encryption and breach notifications.
  • Implements monetary penalties for violations.
  • Monitors contracts and reporting practices.

Other protections provided by the American Recovery and Reinvestment Act include the right for patients to request an “audit trail” of their electronic medical records to learn who has been looking at their health information. Patients also have the right to be notified of unauthorized use and can obtain an electronic copy of their records.

HIPAA privacy regulations

  • Allow consumers to see their medical records, request corrections, and obtain documentation of disclosures of their health information.
  • Penalize companies that violate patients’ privacy rights with fines or criminal charges.
  • Allow some health information to be disclosed without patient consent, including data used by medical researchers, law enforcement and banks that process health care payments and premiums.
  • Require each organization governed under HIPAA to set up procedures to protect patients’ privacy and designate an official to monitor that system.

Source: U.S. Department of Health and Human Services

Michelle Megna

Michelle, the former editorial director, insurance, at QuinStreet, is a writer, editor and expert on car insurance and personal finance. Prior to joining QuinStreet, she reported and edited articles on technology, lifestyle, education and government for magazines, websites and major newspapers, including the New York Daily News.