Privacy watch: Medical records privacy law threatened

If you don't think the issue of medical privacy hits close to home, consider the following examples from the US:

In 1994, a loan officer for a bank who also served on his county's health board discovered that he had free access to the patient records of people who lived in his county. He cross-referenced the names from his customer databases with the names of people who had been diagnosed with terminal illnesses. The banker called due the loans of dozens of people who had been diagnosed with cancer.

In 1998 an employee of Motorola Inc. received startling news at work: She had been automatically enrolled in an antidepression counseling program by the company's human resources department. Eventually, the company admitted that they had received a list of drugs her mail-order prescription company was sending her on a regular basis. Included on the list was a prescription antidepressant.

Even if you don't give a second thought to junk mail, spam, or dinnertime telemarketing calls, you should worry about the protection of your personal medical history--because right now, there isn't any. And horror stories such as those above aren't just urban legends. The unauthorized release of medical records is perhaps one of the greatest threats we face in the information age. With hardly any rules in place to stop anyone, companies are free to trade and barter the most personal aspects of our lives. And as we all increasingly use the Internet to connect with doctors, pharmacies, and insurance companies, the risks multiply.

Privacy politics

Despite exhaustive campaign promises to protect individual privacy, the Bush administration's first move on the privacy front was to delay enacting the tough new privacy rules in the Health Insurance Portability and Accountability Act. The 1996 law, also known as HIPAA, allows the federal Department of Health and Human Services to set national rules that dictate how doctors, insurance companies, pharmacies, and other businesses can and cannot share or distribute sensitive patient data.

The unfortunate reality of politics, however, has dwarfed the massive wave of public opinion that favors such rules. Unexpectedly and without any explanation, the Bush administration put the entire process of approving the new rules on hold in late February. News reports from Washington indicate that the new administration's resolve has been eroded by heavy insurance industry lobbying to weaken these rules or eliminate them altogether.

Privacy protection almost takes center stageBy a wide margin, participants in a medical records privacy poll last September said that they feel strongly about protecting the privacy of their personal medical data. More than 80 percent of the respondents in the survey object to insurance companies or the government being able to access their medical records without their knowledge.

Silly me: I thought politicians actually paid attention to polls--especially polls in which 78 percent of those polled say they think it's very important to protect the confidentiality of medical records.

Why fight the public interest?

Among other things, the HIPAA rules would allow individual patients to sue insurance companies, pharmacies, or even their own doctors for releasing confidential information to an unauthorized entity--a direct-marketing company, for example. The law would prohibit the release of health data for a nonmedical use, such as determining employment. It would also set severe criminal penalties for people who use deception to obtain medical data illegally, or who act on information they were never intended to have.

The kinds of things the act is designed to prevent aren't just theoretical breaches of protocol. Many health privacy advocacy sites have published real accounts of medical information misuse, and without these rules being enacted, the problems will only get worse.

The insurance industry might want to use your medical information for other purposes, though industry spokespeople vehemently deny that. Dean Rosen, a lawyer for the Health Insurance Association of America, writes that the health insurance industry wants "strong, uniform national standards that protect Americans' private medical records from inappropriate use." Meanwhile, he also criticizes the proposed regulations, saying they would "impose unnecessarily burdensome rules" for insurers.

But if the insurance industry isn't planning to use the information in ways we don't want them to, why is the industry blatantly opposing a law that addresses a concern of such high public interest?

For one thing, there's a lot of money to be made in direct marketing. Think about it. Why should a large facial-tissue manufacturer take out ads in national newspapers when it could mail (or e-mail) coupons directly to those people most likely to buy their products: people who regularly take prescription allergy medication? The insurance companies and pharmacies could make a killing selling names, addresses, phone numbers, and other data about their customers to businesses that make products targeting those groups of people.

Taking a stand

Once, your medical records would live in a dusty old file cabinet at your doctor's office. But now, according to the Health Privacy project, a nonprofit advocacy organization that lobbies for strong health privacy regulation, as many as 77 people and entities have access to your medical records after you spend one night in a hospital. And with every medical office--from Cicely, Alaska, to New York City--computerized and using the Internet, the potential for misuse, theft, or inappropriate marketing of that data exponentially increases.

It's time we stood up to lobbyists and insurance industry naysayers. I don't want to live my life under the constant threat of an embarrassing medical disclosure hanging over my head.

Join the newsletter!

Error: Please check your email address.

More about Department of HealthMotorola

Show Comments