March 11, 2002

PATIENT PRIVACY: A BROKEN TRUST
By Glenn Wachter

It’s a fear shared by many: What if my medical record falls into the wrong hands?

An excerpt from a true story published by the Coalition for Patient Rights1 tells of Karen, a woman who lost her job as a psychiatric nurse after one of her doctor’s associates told her employer that she had undergone a rapid drug detoxification treatment. Karen had sought the treatment and paid for it privately after realizing that she had become addicted to prescription painkillers following a work-related injury. While in the hospital for the detox procedure, she contracted pneumonia and had to miss more work than she had planned. She asked her doctor to fax a letter to her employer explaining the need for a longer absence because of pneumonia, and he did. In that fax was a statement mentioning the “rapid detox.” Her employer promptly suspended her without pay and took her keys and identification badge. Shortly thereafter, her health insurance was canceled and she quit her job. She filed a claim with the Equal Employment Opportunity Commission, stating that she’d been discriminated against under the provisions of the Americans with Disabilities Act. Fortunately for her, the commission agreed. Since then, she has left nursing and is taking public opinion surveys for a private firm. She is planning legal action.

Information Shared in Trust
In the course of receiving medical care, a great deal of private information is conveyed between patient and practitioner. Even a routine medical checkup might include a discussion—and subsequent entry into the patient’s medical record—of information regarding his or her physical condition, personal habits, mental state, medications, sexual practices, and family history. Add to this the advent of genetic testing that can give an otherwise harmless medical record profound significance if the information is transferred into the wrong hands.

This naturally sensitive information is ostensibly conveyed in trust to medical professionals. Yet this trust has been, and continues to be, broken in clinics, billing offices, research labs, and insurance claims offices, nearly anywhere medicine is practiced, including both brick-and-mortar clinics and those that open their doors to an online clientele. Whether in person or as electronic data, patient information may be shared with many parties, ranging from benign to potentially damaging. The spectrum covers doctors, hospitals, pharmacies, employers, relatives, schools, researchers, insurance companies, pharmaceutical companies, public health officials, government agencies, and even the facility’s press and marketing offices.

Healthcare organizations rely upon patient data for a multitude of reasons, such as processing payment claims, analysis of medical benefit use, and measurement and quality improvement of healthcare services.2 Healthcare organizations fear that government-imposed regulations will limit these activities. However, patients want to know that their sensitive information is private and will be protected not only during the course of their treatment but also in the future as the information is maintained and/or transmitted within and outside the healthcare system.3

Given the significance of medical information, it is important to note that one in four U.S. adults admit they never trust health plans and government programs, such as Medicare, to keep their information private and confidential.4 One in seven Americans have done something out of the ordinary to keep personal medical information confidential.5 To protect their privacy and avoid embarrassment, stigma, and discrimination, people withhold information from their healthcare providers, provide inaccurate information, doctor-hop to avoid a consolidated medical record, pay out-of-pocket for care that is covered by insurance, and—in the most extreme cases—avoid care altogether.

What Could Possibly Go Wrong?
Well, a lot, actually. Consider the breach of privacy involving the well-known drug store chains CVS and Giant Food that took place nearly four years ago. These companies admitted to making patient prescription records available for use by a direct mail firm and a pharmaceutical company. The intent was ostensibly to track customers who did not refill prescriptions and encourage them through mail correspondence to refill those prescriptions. However, in response to the anger expressed by their customers, both companies abandoned their marketing and direct mail campaigns.6

Research by the Health Privacy Project indicates that stories like this are taken quite seriously by healthcare consumers. In fact, people are becoming increasingly concerned about their privacy—one-fifth of the survey respondents believed that their medical information had been improperly used. One-sixth of the respondents reported providing inaccurate information to avoid misuse. In general, privacy advocates support strong protections to keep prying eyes from viewing confidential medical information and then making inappropriate use of it.7

The lessons learned by the pharmacy chains obviously were not taken to heart by telecommunications giant Qwest, which inevitably raises the question: Just how much do American corporations value their clients’ privacy? The answer to this question seemed quite bleak; Qwest included glossy notices in December bills telling customers they had 30 days to contact the company if they wanted to keep their information private. This marketing strategy angered and confused many customers and regulators in the company’s 14-state region because it was not clear whether or not Qwest would sell the information to outside companies. In response, Qwest sent out a second flier to explain that it was only planning to share customer information with divisions such as Qwest Wireless or Qwest Dex. At the very least, it appeared that the information would be used to generate calling lists for other Qwest divisions. Translation: more dinnertime telemarketing calls.

Just as it seemed that another erosion of the ever-diminishing sanctity of privacy was certain, Qwest announced it had withdrawn its plans to share customer information.8 A national campaign led by the Electronic Privacy Information Center, with the support of state attorneys general and consumers nationwide, certainly had some effect. Also influential in their decision was a lawsuit that the Arizona Corporation Commission planned to file in order to stop Qwest from violating the privacy of its customers. With awareness raised, all but 4% of Qwest customers had opted out of the program by January 27, three days before the deadline.

Days before Qwest rescinded its plans, another major privacy news story broke. The Federal Trade Commission (FTC) announced that pharmaceutical manufacturer Eli Lilly had agreed to a settlement for the unauthorized disclosure of personal information received from consumers through the company’s Web site, Prozac.com. On the site, consumers were able to subscribe to e-mail notifications that reminded them to take Eli Lilly’s drug, Prozac. When Eli Lilly notified these subscribers in June 2001 that this service was to be discontinued, the company disclosed the e-mail addresses of everyone who had signed up for the service. The FTC found that the company’s privacy statement published on its Web site was deceptive because Eli Lilly had neither implemented nor maintained internal measures that would have protected personal information. Eli Lilly has agreed to increase existing security and to create an internal program to prevent future privacy violations. No fine is involved in this settlement because the incident was unintentional, but it would appear that if privacy were a genuine concern, more robust safeguards would have been in place.

Regulatory Landscape Responds
Over the last few years, For the Record has featured several articles discussing the legislation that is changing how healthcare facilities and providers handle patient information. Readers will recall that the Health Insurance Portability and Accountability Act (HIPAA) sought to find middle ground amid tensions between privacy advocates and commercial healthcare interests.9

HIPAA gives considerable attention to the protection of individually identifiable health information. According to Joanne Hustead, senior counsel for the Health Privacy Project, “HIPAA represents the first time the federal government set national standards to protect the privacy of medical information in the hands of private healthcare providers and health plans.” Indeed, before HIPAA, people relied on a patchwork of state laws and often incomplete and inconsistent corporate ethics, all of which left many gaps for protecting patient privacy.

Hustead continues, “Now, we have a federal standard that applies across the country, with states still having the freedom to enact stronger, more privacy-protective laws. For the first time, people have a federal right to get more information about how their private health information will be used and disclosed, and they will be able to exercise more control over how it is used and disclosed.” Additionally, the establishment of national privacy standards is expected to encourage appropriate and increased use of electronic medical information while simultaneously protecting the privacy of patients.10

“Among the new federal privacy rights people now have is the right to see and copy their own medical records and to correct information that is incorrect. Among other protections, HIPAA requires that disclosure of identifiable patient information is approved by the affected patient,” Hustead explains.

Easing the burdens that healthcare institutions and practitioners face in complying with HIPAA, President Bush signed HR 3323 into law on December 27, 2001. This legislation delays the HIPAA transaction and code set regulation compliance date by one year. Larger health plans and healthcare providers are now required to submit a compliance plan to the secretary of Health and Human Services by October 16 of this year and must come into full compliance by October 16, 2003. According to the statute, this plan will include a budget summary, an implementation schedule with work plan, and an overall strategy for achieving compliance by the deadline. The bill does not change the compliance date of the HIPAA privacy regulation, which remains April 14, 2003.

Even when HIPAA does reach full implementation, there may be some weaknesses with regard to patient record privacy. Hustead explains, “The limited range of entities that must comply with it and the lack of a meaningful enforcement mechanism reflect a shortcoming in the HIPAA statute passed by Congress in 1996. Other shortcomings, such as the regulation’s approach to access by law enforcement and the green light given to certain marketing communications, reflect policy decisions made by Health and Human Services.”

Privacy and the Changing Face of Healthcare
As HIPAA implementation proceeds, healthcare continues its integration of technology. Many healthcare institutions are using electronic medical records, and patients themselves are becoming more comfortable with online healthcare functions, popularly known as e-health. And, as you would imagine, privacy concerns are present here as well. In fact, many believe that although electronic records arguably could be made more secure than paper records, computers change the scale of the risk involved, because electronic medical files can be copied more easily and quickly than large paper-based records. Physicians and patients are more afraid of someone gaining unauthorized access to online medical records than they are of exchanging personal medical information over a cordless phone—reportedly, a riskier activity.11

Hustead offers, “Electronic medical records have the potential to be more secure than paper records because of security precautions like passwords and encryption, but there are real dangers given the ease with which inadequately secured information can be accessed or disclosed, intentionally or inadvertently, with the click of a mouse.”

Hustead provides the following three recommendations to protect patient privacy when seeking health information and interacting with health professionals online:
* “Try to determine whether the provider or Web site has to comply with the federal privacy regulation. This will not be an easy task. The Health Privacy Project recently wrote a report called ‘Exposed Online: Why the New Federal Health Privacy Regulation Doesn’t Offer Much Protection to Internet Users.’ This report is available free of charge through our Web site (go to www.healthprivacy.org and click on Resources).
* “Read the Web site’s privacy policy. If the HIPAA privacy regulation does not apply (and often it won’t), the only privacy protections that apply are the ones the site itself says it follows. Read those carefully before submitting any health information via the Internet, and don’t submit any health information if you are uncomfortable with or do not understand those policies.
* “Find out how the provider or site secures information as it is being transmitted and how it secures information once it is received.”

Beyond patients simply reading about a particular disease process or exchanging e-mail with their practitioners, telemedicine presents numerous new opportunities for breaches of patient privacy. Often, telemedicine systems are connected through a network or modem hookup, which increases the risk of unauthorized data access, interruption, interference, and corruption. Compromises to data integrity can result in harm to patients and corresponding liability for providers.12

Tips to Protect Patient Privacy
The Health Privacy Project’s Web site furnishes seven suggestions that will help patients protect their private medical information from prying eyes:13

1. Request a copy of your medical record. Currently, approximately one-half of the states give individuals a legal right to inspect and copy their medical records. Even if your state does not provide such a legal right, you may be able to inspect and copy your record upon request.

2. Request a copy of your file from the Medical Information Bureau (MIB). The MIB is a membership organization of more than 600 insurance companies. When applying for insurance, you may be authorizing the insurance company to check your records with MIB to verify that the information you have provided is accurate. For more information, call 617-426-3660 or visit www.mib.com.

3. Read authorization forms before you sign. Before you sign any forms, find out to whom you are authorizing the release of your medical records and for what purpose. You may be able to limit distribution and restrict secondary disclosures of the information by revising the authorization form. Be sure to initial and date your revisions.

4. Register your objection to disclosures that you consider inappropriate. Registering objections may not result in immediate change, but sharing your concerns will help to educate your providers, plans, and others seeking health information to diminish the chances of future inappropriate disclosure.

5. Discuss confidentiality concerns with your doctor. Your healthcare provider should be able to help you understand the uses of your health information and may be able to offer certain assurances of confidentiality.

6. Be cautious on health Web sites. When providing personal information for “surveys,” health screenings, or medical information Web sites, be cautious about how much information you provide. Look for and read privacy policies before using the site. Ask how the information will be used and who will have access to it.

7. Educate yourself about medical privacy issues. The Health Privacy Project Web site includes many resources for consumers. You may also sign up for a news list to receive e-mails about new developments.

Tensions between corporate interests and private individuals are not uncommon in this country, and there appears to be considerable support for both perspectives. In healthcare, the matter seems quite a bit more grave—healthcare institutions can ruin (intentionally or accidentally) an individual’s life depending on how private medical information is stored, accessed, and transmitted.

Livelihoods can be quickly destroyed, or sabotaged from the outset, depending on what private healthcare information is accessed about an employee or a candidate for employment. A family’s dreams for a new house can be quashed when a mortgage is denied because information is gained about the purchaser’s health status. Public ridicule and embarrassment can also be among the most damaging ramifications of privacy leaks.

It would seem that as HIPAA turns another corner—possibly taking the scenic route—toward requiring healthcare entities to comply with federal privacy standards, the value corporations place on privacy continues to erode. Giant corporations, national chains, and even less massive employers seem to be looking at privacy as an exercise in academic utilitarianism. What advantage does sharing private data bring to the corporation? How will sharing this data provide leverage for marketing strategies?

Ultimately, as these businesses continue to ask questions such as these and face certain public outrage, it comes down to the professionals on the front lines. Coders and health information professionals who access private files regularly must be the first line of defense, sharing a commitment to the sanctity of patient privacy instead of participating in a climate of violating trust.

— As research associate for the Telemedicine Research Center in Portland, Ore., Glenn Wachter researches and writes content for the Telemedicine Information Exchange Web site, with specific interests in legal, political, and technological aspects of the healthcare industry.

References
1. National Coalition for Patient’s Rights Web site. Available at: http://www.nationalcpr.org.
2. Federal Register. Standards for privacy of individually identifiable health information. Washington, D.C.: Federal Register; 1999;64(212). Proposed Rules. 45 CFR Parts 160-164.
3. Ibid.
4. California HealthCare Foundation. Survey conducted by Princeton Survey Research Associates; January 1999.
5. Ibid.
6. O’Harrow R. Prescription sales, privacy fear. The Washington Post. February 15, 1998:A1.
7. Otrompke J. Advocates gear up as privacy deadline draws near. Telehealth Magazine. 1999;5(7):27-28.
8. Qwest calls off plan to share customer information. Reuters. Available at: http://biz.yahoo.com/rf/020128/prn1sl073_1.html. Accessed January 28, 2002.
9. Goedert J. Proposed privacy rule holds some surprises. Health Data Manage. 2000;8(2):12, 20.
10. Federal Register. Standards for privacy of individually identifiable health information. Washington, D.C.: Federal Register; 1999;64(212). Proposed Rules. 45 CFR Parts 160-164.
11. Chin T. Private lessons. Am Med News. March 27, 2000.
12. Belmont E, Brown-Beasley M. Confidentiality and security issues in telemedicine. NNEHII News. 1997;2(2):2-3.
13. What You Can Do To Protect Your Privacy. Health Privacy Project. Available at: http://www.healthprivacy.org/usr_doc/36440.pdf. Accessed January 21, 2002.

Additional Resources
Committee on Enhancing the Internet for Health and Biomedical Applications: Technical Requirements and Implementation Strategies. Networking Health: Prescriptions for the Internet. National Academy Press: Washington, D.C.; 2000.
Goldman J, Hudson Z. Promoting Health/Protecting Privacy: A Primer. California HealthCare Foundation & Consumer Union: Washington, D.C.; 1999.