Column: Amid race for COVID cure, medical files ‘are not as confidential as we think’

To hear President Trump tell it, a COVID-19 vaccine is just around the corner.

“We think we’ll have a vaccine by the end of this year and we’re pushing very hard,” he told Fox News last week.

While many healthcare experts say that’s an unrealistically ambitious goal — most say a vaccine for widespread use is unlikely until next year at the earliest — Trump’s comment raises a few interesting questions.

How will researchers recruit subjects for COVID-19 vaccine or cure tests? Will scientists await infected or interested people to contact them? Will they use other means to find suitable research participants?

If the latter, it seems fair to wonder how confidential our medical records are. There’s no faster way to recruit research subjects than by going through people’s healthcare files and seeing who qualifies.

Joel Engel, a Westlake Village resident, suspects this happened to him the other day after he received two calls asking if he wanted to enroll in a UCLA sleep study.

Engel, a writer, said he was treated at a UCLA facility about five years ago.

“The callers said they needed people of a certain age in good health,” he told me. “I asked how they knew my age and condition. I couldn’t get a direct answer.”

Engel’s concern is that UCLA violated the federal medical-privacy law, the Health Insurance Portability and Accountability Act, which prohibits the unauthorized accessing of people’s medical information.

“How else would they know to call me?” he wondered.

It’s a reasonable question.

And with a global pandemic raging, perhaps all Americans should be wondering if their medical records are as confidential as they might think they are.

Are we all fair game for research in light of the extraordinary circumstances?

Short answer: No. And yes.

“You can’t just fish around in people’s medical records,” said Arthur Caplan, a professor of bioethics at New York University. “HIPAA prohibits that.”

Moreover, there’s no provision in the law that says a pandemic or any other public health emergency creates an exemption that allows researchers to skirt privacy protections.

“A public health crisis should have no bearing on recruiting for a sleep study,” said Mildred Cho, associate director of the Center for Biomedical Ethics at Stanford University.

However, she and other medical-privacy experts noted that loopholes to the law do exist.

Perhaps the most noteworthy HIPAA exception in the age of the coronavirus is what’s known as the “preparatory to research” provision.

This allows researchers to examine people’s medical records to ascertain whether a sufficient number of potential candidates exist for a study.

The provision does not give researchers the right to contact possible study participants. That would require upfront permission from the patient.

“Usually the only people who are allowed direct contact of patients for research are the patients’ healthcare provider,” Cho said, meaning that only your doctor can reach out in this regard.

But, once again, there are exceptions.

Nancy M.P. King, co-director of the Center for Bioethics, Health and Society at Wake Forest University, said a hospital’s institutional review board, which oversees ethical matters, can independently limit a patient’s privacy rights if circumstances warrant.

Such boards “have a whole range of protocols for investigators to follow, which could result in calls like your reader mentioned,” she told me.

This clearly has implications for the high-speed, high-stakes race for a COVID-19 vaccine.

If researchers believe specific types of patients show the most promise for testing, such work could be greatly accelerated if scientists know whom to contact.

Which brings us back to the question: How would they find you?

Engel said he was told the sleep study he was wanted for was being conducted by the Norman Cousins Center for Psychoneuroimmunology at UCLA, which he’s never had any dealings with.

He asked the women who called his home. He contacted the director of the Norman Cousins Center. Nobody could or would say how they’d gotten access to Engel’s information.

Phil Hampton, a spokesman for UCLA Health, told me by email that the campus medical center conducts “clinical trials and other research involving patients.”

“Consistent with laws governing patient privacy, when seeking patients to participate in research studies, our practice is to contact only patients from whom we have written consent,” he said.

I passed that along to Engel, who replied that he has “no recollection of granting them express permission to use my medical records for anything other than medical treatment.”

It turns out there’s a reason for that.

Acting on a hunch, I asked Hampton if there’s any fine print in the routine privacy forms people sign when they’re admitted to UCLA medical facilities that authorizes use of their info for research purposes.

He replied: “I can confirm that a patient’s signature on a privacy practices form authorizes UCLA outreach for the purpose of inquiring about the patient’s interest in participating in an approved research study.”

Bingo.

The practice appears to be widespread. Spokespeople for Cedars-Sinai Medical Center and USC told me their patients agree to similar language when they check in. They said this is “standard” among many hospitals.

If so, it’s yet another reminder about the importance of reading the fine print of documents. You never know what’s lurking in there.

While we’d like to think our medical records are under lock and key, this is far from the case.

“Our records are not as confidential as we think,” said Matthew Weinberg, an associate professor of medical ethics at the Philadelphia College of Osteopathic Medicine. “Lots of individuals and organizations have legally authorized access to our private medical information.”

If this keeps you from sleeping well at night, don’t worry. UCLA is researching that.