When Congress passed HIPAA, the Health Insurance Portability and Accountability Act, in 1996, we still had paper medical records, no smart phones, and no cats with Instagram accounts. The world has changed a wee bit in the last 20 years.
Now we keep medical records electronically and those records are poured into vast databases. Both researchers and businesses that barter in your health information mine that data. Genomic research has exploded. And the federal government is pushing precision medicine, connecting disparate streams of patient data to find cures for chronic diseases.
This research offers tremendous hope for human health. It also relies on the use of deeply personal information — information that you’re hoping HIPAA protects. But the law is not perfect, and neither is the balance between privacy and third-party access to patient data. Here are five things to think about as HIPAA approaches its next 20 years.
Your data are out there
Many consumers think HIPAA ensures that hospitals can’t share patient information except with their insurance company. In reality, it only protects personally identifiable information. That means hospitals and other entities can, and do, share plenty of data about patients as long as it is de-identified and doesn’t include your name, birth date, and social security number. It can still include your diagnosis and other medical details.
This information trade helps to advance research and improve the coordination of medical care. But there’s also a temptation to reidentify information for marketing or other commercial purposes.
“It exponentially multiplies the threat environment for prospectively bad people to get access to this incredibly sensitive data,” said Doug Pollack, chief strategy officer at ID Experts Corp., a Portland, Ore.-based firm that investigates data breaches.
Your data inform research
Privacy is important, but not sharing anything could stifle medical advances. Some researchers are concerned that fear of data breaches is causing consumers to say no to participating in clinical trials and research studies.
Dr. Robert Green, a medical geneticist at Brigham and Women’s Hospital in Boston, said general anxiety about protecting personal information stymies his work.
“The number one reason people decline to participate in these studies is their fear of privacy issues,” Green said. “People don’t necessarily understand these laws or believe them.”
He said he spends a lot of time explaining privacy laws and data security to potential participants, but he said legal protections offered by HIPAA and the Genetic Information Nondiscrimination Act — which focuses on securing information obtained through genetic research — are only helpful to a point.
“You can’t make progress in genetic research if you can’t reassure people that their information is private and isn’t going to be used against them,” he said. “It totally obstructs participation in clinical research.”
Private third parties have better access to your medical information than you do
Though consumers have a right to request their medical records, that doesn’t mean they can get them easily, or correct inaccuracies.
“There are companies out there that know more about me medically than I am able to get and aggregate personally,” said Ben Heywood, cofounder of PatientsLikeMe.com, a Cambridge, Mass. business that allows patients to share information about their conditions to crowdsource effective treatments.
That’s because, despite HIPAA’s protections, there is no standard set of steps consumers can follow to get their information from hospitals, putting them at a disadvantage compared to third parties that can get their records with relative ease and use them for their own purposes.
Heywood said the lack of transparency in how data is used and shared is creating a dangerous imbalance. “It’s not acceptable,” he said. “As a patient trying to get the best care, it’s hard for me to aggregate this data. And yet companies can do it pretty straightforwardly. There is a moral underpinning to that, that needs to be fixed.”
Our expectations of privacy are changing
Heywood said privacy is too often discussed in a vacuum that is sealed off from the practical concerns of patients who are struggling to find the most effective treatments.
“Do we not talk about medical issues because we talk about medical data in such a privacy-restricted way?” Heywood said. “The reality is there are 100 million people in the US with a chronic illness. Everyone’s dealing with someone, or has a friend, or family member. If we were talking more about this, would some of that stigma go away?”
A greater willingness to discuss medical problems might support his company’s business model. But it also is an appropriate question to ask on a societal level, he said, especially with so much medical information being shared outside the view of the people whom it most directly affects.
Medical identity theft is rising
A data breach is one concern. Another is the medical identify theft that springs from it. The theft and fraudulent use of patient information results in about $80 billion in excess medical costs per year, according to government estimates.
Pollack, the chief strategy officer at ID Experts, said theft is most commonly committed by an unscrupulous medical provider who assumes a patient’s identity in order to bill the government or another payer for services that were never delivered.
For patients, the theft leaves behind a messy medical record that can be maddeningly difficult to correct.
“There are not clear regulatory guidelines that allow you to ensure your records are made correct if they are incorrect,” Pollack said. “We do that in the credit world, but there is no mandated way of doing that in health care.”
As the scope of the problem increases, Pollack said, fixing HIPAA, or coming up with some other regulatory solution will become more important.
“We don’t have a universal system, so my health records are scattered across many different health providers,” he said. “The decentralized nature of the way we deal with it in the US has created a challenge for resolving this.”
About the Author Reprints
Mandatory privacy breaches: Months after my cancer treatments ended I started receiving disturbing advertisements and clinical trial offer in the form of postcards and letters. I contacted the SEER database staff and was referred to my state cancer registry. After some investigating, I learned: 1. By law cancer reporting is mandatory 2. By law, your cancer records cannot be deleted or sealed and are often not protected. 3. HIPAA has numerous exceptions and loopholes. 4. Anyone with a reason can apply for access to all cancer records in the database. Multiple names with unknown backgrounds can be submitted by one person. 5. Researchers, students and others can have immediate access to your records however if you want a copy you will be required to fill out forms and verify your identity. 6. Cancer Registry WebPages will tell you “Your information is safe” and “your information is de-identified” and how very important your privacy is to them. This is all lies. The convoluted disclosures, advertisements and clinical trial offers will indicate otherwise. The only deterrent a patient can try is submitting a formal opt-out request for clinical trials to his or her state cancer registry. However, this may only give partial confidentiality. The responsibility will be left to the patient to submit the request, the patient will not be informed or contacted by the registry otherwise.
HIPAA non-compliance makes any organization much more susceptible to attacks as well. http://bit.ly/2q4U5hS
HIPAA also helps keep medical malpractice and malfeasance from view, behind the shield of patient privacy.
The Definition of Medical Records is what? In my case of being isolated as I was for 3 years after birth, not breastfed, head dented in 3 places and spine straightened causing a baker’s cyst at age 5 and spondelolisthesis is not included. Lies, Gossip, and Perceptions are continually dispensed as Medical Records. Someone did just not that I’m 54. 9 months to being considered, but not in Medical Records as a senior citizen. In fact, the people that look at “the records” are 20 years younger than I am. Am I to wait for the Medical Records to catch up to the idea that what has been considered as Medical Records are Gossip, Lies, and Perceptions, mostly from a Christian point of view? I think my “Medical Records” simply indicate that I’m Heathen. Sorry this or simply my existence is offensive to some folks enough to produce gossip, lies, and perceptions. (Jesus will not be returning. Even if he wanted to… they wouldn’t let him because he was tortured and killed. He continues to pray, “Lord, they still not know what they do.”)
Medical “professionals” act as though only they should access to and create medical records, leaving the lowly patient out of the loop when possible. That’s the way CalINDEX wants it. And it is nearly impossible for the patient to access the records and note corrections or missing data.
“This information trade helps to advance research and improve the coordination of medical care. But there’s also a temptation to reidentify information for marketing or other commercial purposes.” This graf makes it seem like (a) there really IS something like care coordination happening via HIPAA (no, not much); and (b) that deIDed data isn’t being used for commercial purposes (it is, hourly).
Hospitals and insurers sell “de-identified” data daily, with nary a blink from the HIPAA cops ’cause it’s “de-identified.” Which LaTanya Sweeney debunked the whole myth of de-identification in her groundbreaking work at MIT (http://arstechnica.com/tech-policy/2009/09/your-secrets-live-online-in-databases-of-ruin/).
I am one of a rising chorus of policy wonks calling for us to kill HIPAA and come up with something better. The only thing that the Health Insurance Portability and Accountability Act (notice that -information- appears nowhere in that acronym) is good for at this point is for hospitals to throw the I Ching when calculating the per-page price to charge patients asking for their medical records … digitally.
The privacy of medical records is an oxymoron. It is also nonexistent. Given the practical publication of a person’s social security number demanded by every doctor’s office and medical lab, in large type by Medicare on your ID card, and given the ability of hackers to penetrate the files of the NSA, the CIA, the IRS and the FBI, the medical insurance industry, just about every government agency and private institution, how secure does anyone think their privacy is maintained? In addition, what those folks do not know about a person, the young reveal on their Facebook pages and most other social media.
Privacy and confidentiality may be just an illusion: Under the HIPAA law all access to your records is allegedly by a “Need to know” basis only, this is another exaggeration. Prostate cancer patients are asked to fill out a series of EPIC questionnaires and other standard questioners. The EPIC questionnaire asks several intimate details about patient’s sex life, urinary and bowl function. By a prostate cancer patient completing an EPIC questionnaire may be able to assist his doctor, nurse, office workers or database track his progress or decline. By refusing to fill out these questioners and supplying other unnecessary information one can help insure his privacy, dignity and insure he do not unknowingly become part of a study or clinical trial or other collective survey or have his information forwarded to multiple databases. He may be told these questioners and records are “strictly confidential” (as stated in some EPIC questionnaires); this statement is misleading. Most of the time a patient has no idea who has access to the records or why the records are being looked at. Who has access to your medical records? Probably everyone that works in a medical office or building has access to the records, except you (often you the patient may have limited or no access). Access may include/however not limited to non-medical employees, office workers, bookkeepers, janitors, insurance companies, temporary high school or college interns, etc. This may also include other medical facilities, programmers, hackers, researchers, etc. Very often records are placed on a Health Information Exchange (HIE), dozens, sometimes even hundreds or thousands of people may have access to the records. Some major databases like SEER are linked to Medicare records to determine “the final outcome” for researchers, studies, drug companies-often for clinical trials offers, etc. SEER is an appropriate name for this database! Your drug prescription history can also be tracked by insurance companies and others. Records may be packaged and offered for sale, this does happen. Your medical records can be downloaded to servers all over the world to countries that do not have any regulations for privacy. If a doctor, patient or insurance company is involved in a criminal or civil case, medical records may become public court or law enforcement records. If a patient has radiotherapy he may have a photo taken before treatment to verify identity. All patients should get a copy and read any confidentiality disclosures statements (HIPAA statements). Patients can also become the victims of financial or medical Identity theft. Under the HIPAA laws you are entailed to a copy of all your medical records, however if you try to obtain a copy of extensive records as in a hospital stay you may be met with resistance. I recently went to a new optometrist for glasses and I was given a form that asked details about my heritage, including my mother’s maiden name and a form for my complete medical history. My family doctors office hires summer time high school interns with full access to all records. One high school intern signed me in, took my temperature, weight, blood pressure and logged it in my chart. Would you like to have a high school or college student that possibly lives in your neighborhood or attends school with your children read over your extensive family member’s medical records and personal information? How much curiosity or self control does a high school or college student have? I also went to a hearing aid center in a department store to get a free hearing test and was given forms inquiring about personal information and my complete medical history. This is information I do not want filed in a department store. All patients should avoid supplying unnecessary information whenever possible. Supply relevant information only. In the USA identity theft is very common, growing problem and is often financial devastating. Medical forms can be a good source of information for thieves. Recently my friend with arthritis in her hips received a letter offering a clinical trial for a new medication; coincidently looking for patients with hip and knee arthritis. How did this company determine she and not her husband or other family member was a prime candidate for this new drug study without violating any HIPAA privacy laws? Even without HIPAA privacy law violations, office records can be accessed by multiple people and appear in multiple databases. Sometimes medical phone calls are recorded “for quality purposes only”. Calls about a clinical trial, calls to a large clinic toll free number and calls to insurance companies may be recorded. These conversations can include confidential or medical information. Some of the Obamacare goals wanted everyone’s medical records on servers (HIE) so they could be accessed by any medical facility or doctor. Your privacy and confidentiality is probably not that secure!