Home

Cover Story

Table of Contents

E-Newsletter

Article Archive

Editorial Calendar

Datebook

Writers' Guidelines

Orgs/Links

Opinion Polls

Reprints

Search

For other articles and previous issues click here.

March 11, 2002

PATIENT PRIVACY: A BROKEN TRUST
By Glenn Wachter

It’s a fear shared by many: What if my medical record falls into the wrong hands?

An excerpt from a true story published by the Coalition for Patient Rights1 tells of Karen, a woman who lost her job as a psychiatric nurse after one of her doctor’s associates told her employer that she had undergone a rapid drug detoxification treatment. Karen had sought the treatment and paid for it privately after realizing that she had become addicted to prescription painkillers following a work-related injury. While in the hospital for the detox procedure, she contracted pneumonia and had to miss more work than she had planned. She asked her doctor to fax a letter to her employer explaining the need for a longer absence because of pneumonia, and he did. In that fax was a statement mentioning the “rapid detox.” Her employer promptly suspended her without pay and took her keys and identification badge. Shortly thereafter, her health insurance was canceled and she quit her job. She filed a claim with the Equal Employment Opportunity Commission, stating that she’d been discriminated against under the provisions of the Americans With Disability Act. Fortunately for her, the commission agreed. Since then, she has left nursing and is taking public opinion surveys for a private firm. She is planning legal action.

Information Shared in Trust
In the course of receiving medical care, a great deal of private information is conveyed between patient and practitioner. Even a routine medical checkup might include a discussion—and subsequent entry into the patient’s medical record—of information regarding his or her physical condition, personal habits, mental state, medications, sexual practices, and family history. Add to this the advent of genetic testing that can give an otherwise harmless medical record profound significance if the information is transferred into the wrong hands.

This naturally sensitive information is ostensibly conveyed in trust to medical professionals. Yet, this trust has been and continues to be broken in clinics, billing offices, research labs, and insurance claims offices nearly anywhere medicine is being practiced, including both brick and mortar clinics as well as those that open their doors to an online clientele. Whether it be in-person or via electronic data, patient information may be shared with many, ranging from benign to potentially damaging. The spectrum can cover doctors, hospitals, pharmacies, employers, relatives, schools, researchers, insurance companies, pharmaceutical companies, public health officials, government agencies, and even the facility’s press and marketing offices.

Healthcare organizations rely upon patient data for a multitude of reasons, such as processing payment claims, analysis of medical benefit use, and measurement and quality improvement of healthcare services.2 Healthcare organizations fear that government-imposed regulations will limit these activities. However, patients want to know that their sensitive information is private and will be protected not only during the course of their treatment but also in the future as the information is maintained and/or transmitted within and outside the healthcare system.3

Given the significance of medical information, it is important to note that one in four U.S. adults admit they never trust health plans and government programs, such as Medicare, to keep their information private and confidential.4 One in seven Americans have done something out of the ordinary to keep personal medical information confidential.5 To protect their privacy and avoid embarrassment, stigma, and discrimination, people withhold information from their healthcare providers, provide inaccurate information, doctor-hop to avoid a consolidated medical record, pay out-of-pocket for care that is covered by insurance, and—in the most extreme cases—avoid care altogether.

What Could Possibly Go Wrong?
Well, a lot, actually. Consider the breech in privacy involving the well-known chain drug stores CVS and Giant Food that took place nearly four years ago. These companies admitted to making patient prescription records available for use by a direct mail firm and a pharmaceutical company. The intent was ostensibly to track customers who do not refill prescriptions and encourage them through mail correspondence to refill those prescriptions. However, in response to the anger expressed by their customers, both companies abandoned their marketing and direct mail campaigns.6

Research by the Health Privacy Project indicates that stories like this are taken quite seriously by healthcare consumers. In fact, people are becoming increasingly concerned about their privacy—one-fifth of the survey respondents believed that their medical information had been improperly used. One-sixth of the respondents reported providing inaccurate information to avoid misuse. In general, privacy advocates support strong protections to keep prying eyes from viewing confidential medical information and then making inappropriate use of it.7

The lessons learned by the pharmacy chains obviously were not taken to heart by telecommunication giant, Qwest, which invariably raises the question: Just how much do American corporations value their clients’ privacy? The answer to this question seemed quite bleak; Qwest included glossy notices in December bills telling customers they had 30 days to contact the company if they wanted to keep their information private. This marketing strategy angered and confused many customers and regulators in the company’s 14-state region because it was not clear whether or not Qwest would sell the information to outside companies. In response, Qwest sent out a second flier to explain that it was only planning to share customer information with divisions such as Qwest Wireless or Qwest Dex. At the very least, it appeared that the information would be used to generate calling lists for other Qwest divisions. Translation: more dinnertime telemarketing calls.

Just as it seemed that another erosion of the ever-diminishing sanctity of privacy was certain, Qwest announced it had withdrawn its plans to share customer information.8 A national campaign led by the Electronic Privacy Information Center, with the support of state attorneys general and consumers nationwide, certainly had some effect. Also influential in their decision was a lawsuit that the Arizona Corporation Commission planned to file in order to stop Qwest from violating the privacy of its customers. With awareness raised, all but 4% of Qwest customers had opted out of the program by January 27, three days before the deadline.

Days before Qwest rescinded its plans, another major privacy news story broke. The Federal Trade Commission (FTC) announced that pharmaceutical manufacturer Eli Lilly agreed to a settlement for the unauthorized disclosure of personal information received from consumers through company Web site, Prozac.com. On the site, consumers were able to subscribe to e-mail notifications that reminded them to take Eli Lilly’s drug, Prozac. When Eli Lilly notified these subscribers in June 2001 that this service was to be discontinued, the company disclosed the e-mail addresses of everyone who had signed up for this service. The FTC found that the company’s privacy statement published on its Web site was deceptive because Eli Lilly had neither implemented nor maintained internal measures that would have protected personal information. Eli Lilly has agreed to increase existing security and to create an internal program to prevent future privacy violations. No fine is involved in this settlement because the incident was unintentional, but it would appear that if privacy were a genuine concern, more robust safeguards would have been in place.

Regulatory Landscape Responds
Over the last few years, For the Record has featured several articles discussing the legislation that is changing how healthcare facilities and providers handle patient information. Readers will recall that the Health Insurance Portability and Accountability Act (HIPAA) sought to find middle ground amid tensions between privacy advocates and commercial healthcare interests.9
HIPAA gives considerable attention to the protection of individually identifiable health information. According to Joanne Hustead, senior counsel for the Health Privacy Project, “HIPAA represents the first time the federal government set national standards to protect the privacy of medical information in the hands of private healthcare providers and health plans.” Indeed, before HIPAA, people relied on a patchwork of state laws and often incomplete and inconsistent corporate ethics, all of which left many gaps for protecting patient privacy.

Hustead continues, “Now, we have a federal standard that applies across the country, with states still having the freedom to enact stronger, more privacy-protective laws. For the first time, people have a federal right to get more information about how their private health information will be used and disclosed, and they will be able to exercise more control over how it is used and disclosed.” Additionally, the establishment of national privacy standards is expected to encourage appropriate and increased use of electronic medical information while simultaneously protecting the privacy of patients.10

“Among the new federal privacy rights people now have is the right to see and copy their own medical records and to correct information that is incorrect. Among other protections, HIPAA requires that disclosure of identifiable patient information is approved by the affected patient,” Hustead explains.

Mollifying the burdens that healthcare institutions and practitioners face to comply with HIPAA, President Bush signed HR 3323 into law on December 27, 2001. This legislation delays the HIPAA transaction and code set regulation compliance date by one year. Larger health plans and healthcare providers are now required to submit a compliance plan to the secretary of Health and Human Services by October 16 of this year and must come into full compliance by October 16, 2003. According to the statute, this plan will include a budget summary, an implementation schedule with work plan, and an overall strategy for achieving compliance by the deadline. The bill does not change the compliance date of the HIPAA privacy regulation, which remains April 14, 2003.

Even when HIPAA does reach full implementation, there may be some weaknesses with regard to patient record privacy. Hustead explains, “The limited range of entities that must comply with it and the lack of a meaningful enforcement mechanism reflect a shortcoming in the HIPAA statute passed by Congress in 1996. Other shortcomings, such as the regulation’s approach to access by law enforcement and the green light given to certain marketing communications, reflect policy decisions made by Health and Human Services.”

Privacy and the Changing Face of Healthcare
As HIPAA implementation proceeds, healthcare continues its integration of technology. Many healthcare institutions are using electronic medical records, and patients themselves are becoming more comfortable with online healthcare functions, popularly known as e-health. And, as you would imagine, privacy concerns are present here as well. In fact, many believe that although electronic records arguably could be made more secure than paper records, computers change the scale of the risk involved. This may be due to the fact that electronic medical files can be more easily and quickly copied than large paper-based records. Physicians and patients are more afraid of someone gaining unauthorized access to online medical records than they are about exchanging personal medical information over a cordless phone—reportedly, a riskier activity.11

Hustead offers, “Electronic medical records have the potential to be more secure than paper records because of security precautions like passwords and encryption, but there are real dangers given the ease with which inadequately secured information can be accessed or disclosed, intentionally or inadvertently, with the click of a mouse.”

Hustead provides the following three recommendations to protect patient privacy when seeking health information and interacting with health professionals online:
* “Try to determine whether the provider or Web site has to comply with the federal privacy regulation. This will not be an easy task. The Health Privacy Project recently wrote a report called ‘Exposed Online: Why the New Federal Health Privacy Regulation Doesn’t Offer Much Protection to Internet Users.’ This report is available free of charge through our Web site (go to www.healthprivacy.org and click on Resources).
* “Read the Web site’s privacy policy. If the HIPAA privacy regulation does not apply (and often it won’t), the only privacy protections that apply are the ones the site itself says it follows. Read those carefully before submitting any health information via the Internet, and don’t submit any health information if you are uncomfortable with or do not understand those policies.
* “Find out how the provider or site secures information as it is being transmitted and how it secures information once it is received.”

Beyond simply learning about a particular disease process or e-mail exchanges between patients and practitioners, telemedicine presents numerous new opportunities for breaches in patient privacy. Often, telemedicine systems are connected through a network or modem hookup, which increases the risk for unauthorized data access, interruption, interference, and corruption. Compromises to data integrity can result in harm to patients and corresponding liability to providers.12

Tips to Protect Patient Privacy
The Health Privacy Project’s Web site furnishes seven suggestions that will help patients protect their private medical information from prying eyes:13

1. Request a copy of your medical record. Currently, approximately one-half of the states give individuals a legal right to inspect and copy their medical records. Even if your state does not provide such a legal right, you may be able to inspect and copy your record upon request.

2. Request a copy of your file from the Medical Information Bureau (MIB). The MIB is a membership organization of more than 600 insurance companies. When applying for insurance, you may be authorizing the insurance company to check your records with MIB to verify that the information you have provided is accurate. For more information, call 617-426-3660 or visit www.mib.com.

3. Read authorization forms before you sign. Before you sign any forms, find out to whom you are authorizing the release of your medical records and for what purpose. You may be able to limit distribution and restrict secondary disclosures of the information by revising the authorization form. Be sure to initial and date your revisions.

4. Register your objection to disclosures that you consider inappropriate. Registering objections may not result in immediate change, but sharing your concerns will help to educate your providers, plans, and others seeking health information to diminish the chances of future inappropriate disclosure.

5. Discuss confidentiality concerns with your doctor. Your healthcare provider should be able to help you understand the uses of your health information and may be able to offer certain assurances of confidentiality.

6. Be cautious on health Web sites. When providing personal information for “surveys,” health screenings, or medical information Web sites, be cautious about how much information you provide. Look for and read privacy policies before using the site. Ask how the information will be used and who will have access to it.

7. Educate yourself about medical privacy issues. The Health Privacy Project Web site includes many resources for consumers. You may also sign up for a news list to receive e-mails about new developments.

Tensions between corporate interests and private individuals are not uncommon in this country, and there appears to be considerable support for both perspectives. In healthcare, the matter seems quite a bit more grave—healthcare institutions can ruin (intentionally or accidentally) an individual’s life depending on how private medical information is stored, accessed, and transmitted.

Livelihoods can quickly be destroyed, and even sabotaged, from the beginning depending on what private healthcare information is accessed about an employee or candidate for employment. A family’s dreams for a new house can be quashed when mortgages are denied because information is gained about the purchaser’s health status. Public ridicule and embarrassment can also be one of the most damaging ramifications of privacy leaks.

It would seem that as HIPAA turns another corner—possibly taking the scenic route—toward requiring healthcare entities to comply with federal privacy standards, corporate value of privacy continues to erode. Giant corporations, national chains, and even less massive employers seem to be looking at privacy as an exercise in academic utilitarianism. What advantage does sharing private data bring to the corporation? How will sharing this data provide leverage for marketing strategies?

Ultimately, as these businesses continue to ask questions such as these and face certain public outrage, it comes down to the professionals on the front lines. Coders and health information professionals who access private files regularly must be the first line of defense, sharing a commitment to the sanctity of patient privacy instead of participating in a climate of violating trust.

— As research associate for the Telemedicine Research Center in Portland, Ore., Glenn Wachter researches and writes content for the Telemedicine Information Exchange Web site, with specific interests in legal, political, and technological aspects of the healthcare industry.

References
1. National Coalition for Patient’s Rights Web site. Available at: http://www.nationalcpr.org.
2. Federal Register. Standards for privacy of individually identifiable health information. Washington, D.C.: Federal Register; 1999;64(212). Propose Rules. 45 CFR Parts 160-164.
3. Ibid.
4. California HealthCare Foundation. Survey conducted by Princeton Survey Research Associates; January 1999.
5. Ibid.
6. O’Harrow R. Prescription sales, privacy fear. The Washington Post. February 15, 1998:A1.
7. Otrompke J. Advocates gear up as privacy deadline draws near. Telehealth Magazine. 1999;5(7):27-28.
8. Qwest calls off plan to share customer information. Reuters. Available at: http://biz.yahoo.com/rf/020128/prn1sl073_1.html. Accessed January 28, 2002.
9. Goedert J. Proposed privacy rule holds some surprises. Health Data Manage. 2000;8(2):12, 20.
10. Federal Register. Standards for privacy of individually identifiable health information. Washington, D.C.: Federal Register; 1999;64(212). Propose Rules. 45 CFR Parts 160-164.
11. Chin T. Private lessons. Am Med News. March 27, 2000.
12. Belmont E, Brown-Beasley M. Confidentiality and security issues in telemedicine. NNEHII News. 1997;2(2)2-3.
13. What You Can Do To Protect Your Privacy. Health Privacy Project. Available at: http://www.healthprivacy.org/usr_doc/36440.pdf. Accessed January 21, 2002.

Additional Resources
Committee on Enhancing the Internet for Health and Biomedical Applications: Technical Requirements and Implementation Strategies. Networking Health: Prescriptions for the Internet. National Academy Press: Washington, D.C.; 2000.
Goldman J, Hudson Z. Promoting Health/Protecting Privacy: A Primer. California HealthCare Foundation & Consumer Union: Washington, D.C.; 1999.

Subscribe to For the Record Magazine!