Even worse, half of all US states leave enough information in the records that YOU can be clearly identified. Action Alert!
Hospitals and other medical organizations are supposed to be bound by HIPAA (the Health Insurance Portability and Accountability Act) to keep medical records private. Patient information that is shared is supposed to be stripped of eighteen categories of identifying information, such as names, street addresses, full dates, and Social Security numbers (this is known as the Safe Harbor de-identification rule). However, HIPAA and other privacy legislation are riddled with loopholes, so many that it has been estimated that over 800,000 organizations can access your records.
Here is one big, fat loophole: state public health agencies that collect and sell hospital discharge data are generally not "covered entities" under HIPAA, so the Safe Harbor rule does not bind them when they package those records into a health database. The names and addresses may be gone, but fields such as five-digit ZIP code, exact age, sex, admission date, and diagnosis codes often remain. Cross-reference that data with other public information (news reports of accidents and hospitalizations, other public databases) and a single record can be matched to a single person.
Many states in the US voluntarily follow HIPAA guidelines when sharing electronic medical records, but at least twenty-five states leave some combination of identifying fields that makes it possible for whoever buys the data to pinpoint an individual's personal medical record, and then make it public. Records from Washington, New York, New Jersey, Tennessee, and Arizona were particularly vulnerable, according to a review of state data by Bloomberg News and Latanya Sweeney, director of Harvard University's Data Privacy Lab.
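To make the linkage attack concrete, here is an added example (not from the original article, and not code from Bloomberg or the Data Privacy Lab) that runs a Sweeney-style record linkage on a constructed "de-identified" discharge extract. Every record, ZIP code, date, diagnosis code, and news item below is invented for illustration; the names in the news items are fictional. The extract keeps the quasi-identifiers that many state datasets keep (five-digit ZIP, exact age, sex, exact admission date), and the news items are the kind of public detail a local paper prints about a crash or a collapse. The script then applies Safe Harbor-style generalization to the same data and shows that it shrinks, but does not eliminate, the set of people who can be singled out.

```python
"""Record linkage against a de-identified discharge extract (constructed data)."""
from collections import Counter
from datetime import date

# The fields an attacker joins on. Nothing here is a "direct" identifier.
QUASI_IDS = ("zip", "age", "sex", "date")

# Constructed discharge extract: no names, no addresses, no SSNs, but
# 5-digit ZIP, exact age, sex and exact admission date are still present.
DISCHARGES = [
    {"id": 1, "zip": "98101", "age": 34, "sex": "M", "date": date(2011, 6, 14), "dx": "S72.0"},
    {"id": 2, "zip": "98101", "age": 34, "sex": "M", "date": date(2011, 9, 2), "dx": "J18.9"},
    {"id": 3, "zip": "98104", "age": 34, "sex": "M", "date": date(2011, 6, 14), "dx": "S06.0"},
    {"id": 4, "zip": "98109", "age": 62, "sex": "F", "date": date(2011, 3, 21), "dx": "I21.9"},
    {"id": 5, "zip": "98133", "age": 62, "sex": "F", "date": date(2011, 3, 21), "dx": "S82.2"},
    {"id": 6, "zip": "98195", "age": 91, "sex": "F", "date": date(2011, 11, 5), "dx": "N39.0"},
]

# Constructed news items (fictional names): "a 34-year-old man from the 98101
# area was hospitalized after a crash on June 14" and so on.
NEWS = [
    {"name": "R. Alder", "zip": "98101", "age": 34, "sex": "M", "date": date(2011, 6, 14)},
    {"name": "M. Byrne", "zip": "98109", "age": 62, "sex": "F", "date": date(2011, 3, 21)},
    {"name": "E. Cole", "zip": "98195", "age": 91, "sex": "F", "date": date(2011, 11, 5)},
]


def key(rec):
    """The quasi-identifier tuple used as the join key."""
    return tuple(rec[k] for k in QUASI_IDS)


def link(records, report):
    """Every discharge record whose quasi-identifiers agree with the news report."""
    k = key(report)
    return [r for r in records if key(r) == k]


def reidentify(records, reports):
    """name -> record id, for every report that singles out exactly one record.

    A report that matches two or more records is ambiguous and is not counted;
    the attacker would need a further public fact to split those candidates.
    """
    hits = {}
    for rep in reports:
        matches = link(records, rep)
        if len(matches) == 1:
            hits[rep["name"]] = matches[0]["id"]
    return hits


def safe_harbor(rec):
    """Generalize a record the way the HIPAA Safe Harbor rule requires:
    ZIP reduced to its first three digits, dates reduced to the year,
    ages of 90 and over collapsed to 90. (Safe Harbor also zeroes the
    3-digit ZIP for areas under 20,000 people; that step is omitted here
    because the constructed data has no population figures.)"""
    out = dict(rec)
    out["zip"] = rec["zip"][:3]
    out["date"] = rec["date"].year
    out["age"] = min(rec["age"], 90)
    return out


def smallest_group(records):
    """Size of the smallest quasi-identifier equivalence class (the k in
    k-anonymity). A value of 1 means at least one patient is unique."""
    return min(Counter(key(r) for r in records).values())


if __name__ == "__main__":
    print("raw extract:", reidentify(DISCHARGES, NEWS))
    generalized = [safe_harbor(r) for r in DISCHARGES]
    print("after Safe Harbor:", reidentify(generalized, [safe_harbor(n) for n in NEWS]))
    print("smallest group, raw vs Safe Harbor:",
          smallest_group(DISCHARGES), smallest_group(generalized))
```

On the raw extract all three news items land on exactly one record, diagnosis code included. After Safe Harbor generalization the two younger patients fall into groups of two and three and can no longer be singled out, but the 91-year-old is still the only "90+, female, ZIP 981, 2011" record, so the smallest group size stays at 1. That is the practical caveat: Safe Harbor removes a fixed list of identifiers, it does not guarantee that every remaining record has company.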
Who would want this data? The drug industry, for one. Pharmaceutical companies are major buyers of these medical records—they use them to design ads to doctors and target potential patients. Other buyers include IMS Health, a provider of prescription data, also used by drug companies; OptumInsight, a division of UnitedHealth Group, the country’s biggest health insurer; and WebMD, which uses the data to tailor information found on their website.
As the public becomes more aware of just how vulnerable electronic medical records (EMRs) are, consumers may be more reluctant to seek medical care. Patients rely on doctor–patient confidentiality, and that sacred trust is meaningless if one’s information is sold to the highest bidder.
Case in point: there is a new form of gonorrhea that is resistant to cephalosporins and other antibiotics. This is a serious public health concern, and one that requires careful treatment (not to mention a great deal more research). While young people are at the highest risk for gonorrhea, they are also the most likely to hesitate to see a doctor, particularly for such a personal, potentially humiliating issue, if they fear their private information will be exposed.
In addition, EMRs can cost taxpayers money. The digital nature of the data means it is much easier for doctors to overbill, whether by mistake or through fraud. As we reported in February, doctors can claim to provide more services than they actually do; they can also cut and paste the same examination findings for multiple patients for the sake of expediency, even if those same findings only applied to one or two. EMRs can actually increase the paperwork burden, are subject to serious technological glitches, and of course are tremendously vulnerable to hackers and other security violations.
In an interesting new trend, many doctors are choosing to operate outside the system altogether, providing "concierge" medical services to patients on a prepaid membership-fee basis rather than on a standard insurance model. Some concierge doctors stop accepting insurance entirely and can charge as little as $38 a month, though for most people the annual fee amounts to roughly $4 to $5 per day. This system can be a win/win for doctors and patients: patients' medical records can more easily be kept outside of the huge medical record databases; it can cut down on unnecessary treatments and, of course, high insurance costs; and it allows doctors to see fewer patients and give the ones they have more personalized care.
Most of the medical industry, however, is still stuck in this miasma of messed up medical records, poor security, and legal loopholes that allow patients’ private information to be publicly exposed.
Action Alert! Ask Congress to amend HIPAA to allow patients to opt out—to keep their medical information from being sold or shared with any entity that is not currently giving the patient medical treatment.