Tuesday, August 26, 2008

Who's reading your medical files today?

By Sue A. Blevins
Tue Aug 26, 4:00 AM ET

How would you feel about your personal health information flowing freely over the Internet between public health officials, healthcare providers, insurance and data clearinghouse companies, and others – without your permission? If this doesn't sound like a good idea, it's time to become informed about federal health privacy law.

Today, when Americans visit a healthcare provider for services (including dental and eye exams), they receive a form with a title such as "Notification of Privacy Rights." Many assume that signing the form guarantees that personal information won't be shared with third parties. But the form offers no such guarantees. And neither does federal law.

In fact, the privacy rule established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) legally permits healthcare providers to share patients' information with more than 600,000 health- and data-related entities – without a patient's consent. Yet the notification form doesn't clearly explain this.

Individuals control their information when they give consent; they don't with notification. When you sign a notification form, all you are doing is acknowledging its receipt. The HIPAA notification form offers no control over who sees your information and instead just tells you about some of the entities that can access your information, rather than asking for your permission.

Consequently, many physicians and other healthcare providers are urging Congress to strengthen privacy rights. They know firsthand that the HIPAA rule fails to ensure true confidentiality.

"...[T]he regulations under [HIPAA], which were intended to extend patient privacy as we moved from a paper-based system of medical records to a digital system, are a sham. HIPAA allows the routine release of personal health information without patient consent or knowledge, and even over a patient's objection…" stresses Dr. Janis G. Chester, president of the American Association of Practicing Psychiatrists.

As the ACLU put it, "HIPAA has so many medical privacy loopholes, it makes Swiss cheese look solid." The organization also points out that under existing federal regulations, the term "privacy" hasn't been well defined. The ACLU is urging Congress to define medical privacy as "patient control of electronic medical records." Moreover, these organizations and others are lobbying for privacy amendments to key health Internet-technology (HIT) bills currently being considered in Congress.

Lack of privacy has serious consequences. It fosters making personal health information a commodity that businesses sell and trade in the marketplace, notes the ACLU.

Weak privacy rights also interfere with doctor-patient relationships. When drafting the HIPAA privacy rule, the US Department of Health and Human Services (HHS) noted that "Privacy violations reduce consumers' trust in the healthcare system and institutions that serve them." The ACLU noted recently that at least one third of Americans are not sharing their complete personal medical histories because they feel their privacy will be weakened in the name of efficiency.

Additionally, without strong privacy rights, individuals can't take steps to adequately protect themselves from bad, lost, stolen, or misused data.

Meanwhile, more and more personal data is being collected during routine healthcare visits, including information about marital and sexual matters. A married woman (wedded for over 30 years) and mother of two adult children said she was appalled when asked during a routine visit if she preferred men or women. She stressed that while she "has nothing to hide," she doesn't think it's anyone's business what her sexual preference is or when her first sexual encounter was (which is often asked during exams).

What's more, it is becoming easier to share healthcare information with just a click of a mouse. As HHS has noted, "Until recently, health information was recorded and maintained on paper and stored in the offices of community-based physicians, nurses, hospitals, and other healthcare professionals and institutions.... Today, however, more and more health care providers, plans, and others are utilizing electronic means of storing and transmitting health information…. In a matter of seconds, a person's most profoundly private information can be shared with hundreds, thousands, even millions of individuals and organizations at a time."

Do Americans really want the intimate details of their lives and families shared so easily without their consent? If not, they need to urge Congress to establish stronger privacy rights.

Tinkering with HIPAA won't do it. That would just keep a lot of people busy rewriting regulations that don't guarantee privacy. Rather, Congress needs to pass a new law that defines "privacy" and upholds the precious ethic of consent. The new law should guarantee individuals' freedom to decide whether to be part of electronic medical-record and genetic databases for years to come.

• Sue A. Blevins is president of the Institute for Health Freedom in Washington.

Letter to the AMA ... Privacy Considerations

Dear Mr. Nelson:

My name is Marcy Zwelling. We have not met. I am a delegate to the AMA from California and a passionate advocate for my patients and quality health care.

I am aware of a series of lawsuits in the Northeast involving IMS, a vendor of my patients' private health care data and physician prescribing habits. I know that the AMA has intimate details of the lawsuit(s) and that the case is now at the Appeals Level. I believe that the AMA allows physicians to opt out of the AMA Rx data mining program but not many doctors know about this. That said, I absolutely appreciate the fact that the AMA has made it so much easier to find the opt out on the website. I opted out months ago and had to "re-do" my efforts today. I don't know how that glitch happened.

The conflicts of interest are huge. I believe that the AMA suffers these conflicts more and more as our membership numbers go down. It is publicly quoted that the AMA made $46 million dollars on the "sale of data". I think that this lawsuit presents the proverbial "fork in the road". The AMA has the opportunity to finally stand up for physicians, our rights, and our patients' privacy by standing with the State of New Hampshire against data mining. I want nothing more than the AMA's continued success but we cannot be successful if we continue to live in this world of conflict.

Our AMA's patient privacy policies are well conceived and I applaud the efforts of those before me who had the wisdom to articulate the "line in the sand". I believe that this data mining violates our privacy policy and is only the tip of the iceberg. Companies like SureScripts (now Rx-Hub) sell my patients' data to any "covered entity" under HIPAA. This practice is a huge invasion of privacy, all legal under HIPAA. I would love for the AMA to work to legislate against any sale of any patient data but... to get to that place, I think you first must take a position in this appeals case. As they say... "what are you going to do? Not what do you say or think?"

We all know that clinical health data can be used wisely. We all want clinical data to be used by the right people in the right studies and at the point of service for individual patients. But, that is NOT what happens now. It is, however, the "umbrella" that others are using in order to give themselves access and that is wrong. The licensure to utilize patient data MUST be authorized on a case by case, one event at a time basis, with FULL disclosure to our patients.

HIPAA, as you know, allows for the use of data by "business associates" [Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.] We are all aware that patients receive inquiries from all "business associates" all the time proving to me that identified data is sold at will. Patients have brought this to my attention. (I don't bill insurance so if anyone has information about my patient that is privileged to THIS office it would be thru their PBM and an Rx).

I was shocked to hear that even Dr. Robert Kolodner, the current Coordinator of the Office of National Health Information Technology, was surprised to know that data was being exchanged and sold so freely (or so he said). It seems that there has been little conversation about this violation of our patients' privacy. Shouldn't this be a priority of the AMA?

I took an oath. Every Medical Doctor receiving an MD degree in the US took that oath: "All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal." I believe that the AMA has at its core the obligation to stand up for the profession and our patients and put a stop to the practice of data "mining" and the practice of data distribution and sale.

Our patients' data is just that... belonging to our patients. It is a privilege to have the data and to use it for the specific betterment of their health and not for the utility of any other entity. While I believe that we must find a way to safely license the use of CLINICAL data after full disclosure and with our patients' informed consent, that must come after we have secured their privacy.

This is our moment. We must seize it. The AMA has an amazing opportunity to re-examine its core values and to do the right thing.

I eagerly await your reply and I thank you for your most serious consideration.

Marcy