When It Comes to Medical Privacy, Your File Could Be an Open Book : Health: Medical records are easily accessible to hundreds of people. Experts cite a lack of regulations and poor confidentiality procedures.
Like most Americans, you probably believe any medical treatment you receive is a private matter. Think again.
The truth is your boss or co-workers, landlord or neighbors may know the most private details of your health history, simply because you signed a standard insurance release form.
In addition, experts in the field of medical privacy say lack of regulations or policies, computerization and poor to non-existent confidentiality procedures in doctors’ offices, hospitals and insurance companies may mean that your medical records are loosely guarded and easily accessible to hundreds of people.
Consider a sampling from those experts:
* After a bout with depression, an industrial plant employee sought psychiatric help. A few weeks later his supervisor asked him why he was seeing a psychiatrist. The supervisor had seen his record in the plant’s personnel office.
* A pharmacist who applied for a job at a New York hospital was denied the position after a physician recognized him as someone who had come in for an AIDS test.
* Until hospital authorities in a major city won an injunction, police routinely helped themselves to the records of every patient in the emergency room when they were searching for a suspect who might have been injured during a crime. The next day, using addresses gathered from the records, police would visit each patient with a similar injury for questioning.
* A doctor involved in a legal dispute with his neighbor used his authority to obtain the neighbor’s medical records through a local hospital. The neighbor dropped the suit after the doctor threatened to reveal he had once been treated for an embarrassing disease.
“You think that when you go see the doctor that that is a private occurrence,” says Caroline Smith DeWaal, an insurance issues expert for the consumer advocacy group Public Citizen. “The reality is different.
“Once information is obtained and available, that information is spread. It’s not just pieces of paper, it’s people talking.”
And the people talking probably have legitimate access to your medical records, according to Mary Joan Wogan, director of the Washington office of the American Medical Record Assn., a group of medical record professionals promoting standards to insure confidentiality.
The personnel departments of many companies process the insurance claims of their employees themselves, or have access to the records, Wogan said. Particularly in small firms, the result can easily mean a loose-lipped personnel clerk reveals that an employee has recently had an abortion, or been treated for alcoholism or mental illness.
While such violations of privacy can cause acute embarrassment and discrimination, revelations about costly major illnesses may also jeopardize a patient’s job.
“Particularly in the smaller companies, that one protracted illness can change the employer’s premium considerably,” Wogan said. “I’ve personally seen that happen where a person who is going to cost a significant amount of money is eased out.”
Wogan said it is also common for people to be denied jobs after they’ve signed a medical history release form as part of a pre-employment physical. Even a hint of previous back problems, for example, sends up a red flag because it’s the most common claim for on-the-job injuries. The applicant loses out “and they’re not even aware why they didn’t get the job,” she said.
“The real problem with medical confidentiality is that most breaches don’t result in a big scandal,” Wogan said. “They don’t make headlines. They don’t result in monetary awards. They cause patients personal distress and quite often interfere in their personal relationships, things like job discrimination, people are denied housing.”
The awful paradox is that patients give away their own privacy when they sign release forms for insurance reimbursement.
“One of the biggest problems is that there is no (legal) protection given to insurance records,” DeWaal said. “People may have a sense that there’s protection to the information they give to physicians, but when they forward that information to the insurance companies . . . that information is totally open.”
Robert Ellis Smith, publisher of the Washington-based Privacy Journal, says most insurance release forms are written so broadly that lack of confidentiality is almost guaranteed.
While no one expects insurance companies to pay coverage without being able to verify a doctor’s visit or hospitalization, many forms also allow them access to all of a patient’s previous medical and insurance records, allow for photocopying of originals, include release of the information to the patient’s employer or union, and allow medical service or health insurance data banks to obtain it--all for an unlimited time.
“I think the whole triangle among the provider, the insurance company and the place where you work is one of concern,” Smith said. “Most people don’t know that when information is supplied to an insurer it is also supplied to the employer.”
Unless they can afford to forgo insurance, patients are caught in a Catch-22 situation, according to Rita Finnegan, executive director of the AMRA headquarters in Chicago.
“Many people, when told that their signature is needed, sign without fully understanding what they’re signing,” says Finnegan. “If you want your life insurance, then you have to sign the release and if you want your hospital bill paid then you have to sign the release. . . . You’re concerned about getting care and so you just do what they tell you.”
Public Citizen’s DeWaal is especially critical of the growing insurance industry practice of collecting and trading information on patients through medical record data banks that work much like credit bureaus, but without similar regulations for protecting privacy.
The most used data bank, DeWaal said, is the Boston-based Medical Information Bureau, which holds records on some 15 million people. “Very few consumers even know that it exists. Its presence has been fairly well hidden by the insurance companies for many, many years,” she said.
“What the Medical Information Bureau is set up to do is prevent fraud to the insurance companies and that’s a very good purpose,” DeWaal said, “but given the sensitive nature of the information . . . there’s no real protection” of privacy.
DeWaal and others interviewed also caution that the multiple handlings of medical records being channeled into data banks means that release of incorrect or incomplete information is too common.
“Even assuming the data bases are protected,” she said, “it’s an issue of accurate information. There have been many instances of people having been refused insurance and finding out that the reason they can’t obtain insurance is because of bad information contained in the Medical Information Bureau.”
DeWaal cited the case of one man whose insurance record “said he was an alcoholic when in fact he was a teetotaler. He was denied insurance. When he finally got insurance, it was at a much higher premium because in that record it said he was alcoholic.”
“It took him probably a year or so to get the record expunged,” DeWaal said. “The Medical Information Bureau doesn’t have to change the record. They just have to make a note that you said the record was wrong. They set their own standards.”
Medical privacy is also an issue in hospital computer systems, according to Vincent Brannigan, an associate professor of consumer law at the University of Maryland who has done extensive research on the subject.
“My rule of thumb is that anything you tell anybody in a hospital is available to anybody who is interested enough to go and get it,” Brannigan said. He added that most American hospitals today use computers extensively for billing, record keeping and diagnostics, with few safeguards for patient privacy.
“Previously your privacy was protected by the fact that your records were almost inaccessible, they were unreadable, they were disorganized and they were hidden away somewhere in the basement,” Brannigan said.
“With a manual system you couldn’t say ‘Give me every person who’s had an abortion.’ Now it’s a piece of cake. . . . The patients become a data base.”
Unless hospitals have set up security systems, computerized information is also easily obtained by the unscrupulous from without. Brannigan said he has heard of computer-knowledgeable “investigators” in Washington who will make unauthorized forays into medical records systems for a fee.
“If you want to find out if someone has AIDS, they can ferret that information out,” Brannigan said.
Conversely, because there is so little privacy protection, “you find a lot of record altering,” Brannigan said. To protect patients, “the doctors put in fake diagnoses because they know everybody can get to it. This is very common for AIDS.”
Even with greater computer security, Brannigan said patient privacy will always be vulnerable “as soon as you plug into the (insurance) reimbursement system.”
Brannigan’s advice: “If for some reason a medical procedure is of big personal sensitivity . . . like an abortion, just do not have it done by anybody who’s in the medical reimbursement system. If you want to have a nice quiet abortion, go to a qualified doctor and pay cash.”
