

illustration by Jeff Diesburg

Medical Privacy in the Information Age
By Bridget Avila

In an age in which government surveillance of citizens is no longer just the stuff of some futuristic novel and the term identity theft can send chills of fear through anyone with a bank account, medical records can be added to the growing mound of personal information that we must safeguard.

While health-care providers increasingly rely on electronic data retention and transmission, such as electronic medical records or implantable chips holding a patient’s medical history, consumer advocates are concerned about the security of personal health information.

But where do you even begin to secure the details held in personal medical records? Many of us wrongly assume that our medical records are, well, ours. In general, medical records are the physical property of the health-care provider who maintains them and the release of information from the record is controlled by patients.

So what kind of access do we have to our own records, and who else has access to them? There are really two sets of answers to these questions, involving federal and state law.

Anyone who’s been to the doctor or picked up a prescription in the last 3 years has probably been asked to sign a form confirming receipt of the health-care provider’s privacy policy. These policies outline how health-care providers are complying with federal legislation intended to secure medical confidentiality.

In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) and tasked the U.S. Department of Health and Human Services (HHS) with writing rules on the privacy of medical information. HIPAA and its companion privacy rule comprise the federal standard for electronic transfers of health data and regulations regarding the privacy and security of medical data.

Additionally, Maryland law sets standards for records held by health-care providers within the state. If a standard is different under the HIPAA Privacy Rule than it is under Maryland law, then the health-care provider must follow the law that is most protective of a patient’s rights.

So what are my rights for accessing my medical record?

The Georgetown University Center on Medical Record Rights and Privacy outlines rights for patients accessing their medical records in each of the 50 states. Marylanders have a right to see and get copies of their medical records, amend them, and file a complaint or even sue if they feel their rights have been violated.

Health-care providers usually must let patients see medical records or provide a copy of them no more than 21 working days after receiving a request. Providers are allowed to charge for copies as well as postage.

Patients may have information added to their records to make them more complete or accurate. However, the health-care provider has the final say in any changes made to the record and may refuse to make an amendment. If this happens, the patient may add a short statement to the record.


illustration by Lisa Hamilton

Who else has access?

Under the provisions of HIPAA, health-care providers have the right to share your data for several purposes: to treat you, which means, for example, they may discuss your case with and send data about you to a radiologist regarding which ankle to x-ray; to process your insurance claim; and to respond to requests from public-health authorities, law enforcement, and your employer if you were hurt at work.

But beyond such reasonable uses is the blurry territory where health-care providers can share information with health-care business associates. This can mean that the details of patients’ history and physical exams are used for training employees, or demographic information is used for fund raising supported by the health-care provider.

Your medical information also may be available to many who are not covered by the HIPAA Privacy Rule. Here are some examples of who is not covered.

  • Life insurance companies
  • Insurance companies that process Workers Compensation claims
  • Agencies that deliver Social Security and welfare benefits
  • Automobile insurance plans that include health benefits
  • Internet self-help sites
  • Those who collect health data you give voluntarily for surveys or research projects
  • Those who conduct screenings at pharmacies, shopping centers, hometown fairs, or other public places for blood pressure, cholesterol, spinal alignment, and so on
  • Researchers who obtain health data directly from health care providers
  • Law enforcement agencies

Even though these institutions are not covered by HIPAA, they may receive information from a covered entity.

How do you protect your medical information?

That so many entities are not covered by HIPAA regulations can seem daunting. But you can take active steps to protect sensitive information.

The Privacy Rights Clearinghouse, a nonprofit group whose mission is to inform the public about and advocate for consumer privacy, offers the following tips for safeguarding your medical information:

  • Educate yourself and find out as much as you can about the privacy practices of your health-care provider and health plan. Read notices and ask questions if you don’t understand.
  • Talk to your provider about your confidentiality concerns. Ask how the provider shares patient data within the office and with affiliates.
  • Remember, you are not just a patient but also a consumer of health care. Like any consumer, you can shop for the best privacy deal around. Be sure to stay on top of your medical bills and dispute matters in writing with both the health-care provider and the insurance company when you think errors have been made.
  • Read authorizations carefully. Make your choices about restrictions on authorizations known, and refuse to sign any you are not comfortable with. Because HIPAA authorizes so many different types of disclosures without patient approval, you should be suspicious anytime someone asks you to sign an authorization form for disclosure of health information. Make sure that the authorization is for your benefit and not someone else’s.
  • Exercise your right to obtain a copy of your medical records. Make sure information is accurate. Request that incorrect information be corrected or amended. Keep in mind, your health care provider has the final word on changes and amendments to health records.
  • Request that communications be made in a way that you choose. For example, you can request that you be called at your cellular telephone number rather than your home phone or that mailings be sent to your post office box rather than your home.
  • Complain if you feel your rights have been violated or your concerns have been ignored. You can file a complaint with both the provider and the Office for Civil Rights within the U.S. Department of Health and Human Services. Many problems can be resolved by going directly to the health-care provider before filing a complaint. Detailed information on how to file a complaint is available on the Office for Civil Rights website at www.hhs.gov/ocr/hipaa/.
  • Contact your representatives in Congress and in your state legislature if you feel stronger laws to protect your medical privacy are needed.
  • Remember that the HIPAA Privacy Rule is new to record keepers and many providers and insurers are struggling to implement the rule. Stand up for your rights and let everyone know that you are concerned about privacy, but demonstrate patience and understanding. It will take a lot of effort and time before there is universal compliance with the HIPAA Privacy Rule.

Privacy in perspective

Medical privacy is a complex issue. Even with HIPAA, privacy standards vary from state to state. There is a movement afoot in Washington to “harmonize” state laws to create a national medical privacy standard. What such a uniform set of rules would mean to consumers is unknown.

But just as Franklin Delano Roosevelt warned us against the dangers of fear, the medical community cautions against letting fear of privacy leaks interfere with proper and thorough medical treatment. While you should always be cautious about your personal information, withholding information from a health-care provider can be hazardous to your health.

Maintain a Personal Health Record

The American Health Information Management Association (AHIMA) recommends that everyone keep a comprehensive copy of their own medical records—a personal health record. AHIMA is a national nonprofit professional association of health information management professionals who specialize in managing and protecting personal health information.

Your health information is scattered across many different providers and facilities. Keeping a complete, updated, and easily accessible health record is a way you can play a more active role in your health care.

On their Web site, www.myphr.com, the group offers suggestions for collecting, maintaining, and using a personal health record.

The balance between adequate information and privacy will become even more delicate as the nation moves toward a national medical record system. Deborah Peel, a psychiatrist and president of the Patient Privacy Rights Foundation in Austin, Texas, believes that while HIPAA is not stringent enough for health-care consumers, technological advances will improve patient care and medical research. “To protect our medical privacy, technology now provides the tools to segment our most sensitive medical information. It also allows the sharing of aggregated health information for research to improve health care. Privacy and research can benefit from technology. It’s not an either-or proposition.”

Peel also suggests that adequate privacy controls can be built into a national medical record system. “If we are smart and we care about sound scientific medical practices, we will build patient-controlled access to medical records into the network. That will ensure that information in the electronic medical record is accurate and reliable.”

Patients will expect medical privacy protections to be in place before they will trust a high-tech national health system. If the medical community and patients work together to influence the legislation that will create this system, then the chances that we can have both greatly improve.

Bridget Avila is a freelance writer living in Annapolis. She has a background in the life science and medical fields. Questions concerning this article can be sent to Askwhatsup@whatsupmag.com.