If you look at your office bill or EOB (explanation of benefits), you'll see coded numbers (CPT and ICD9). Those numbers tell your insurance company or Medicare all of the information about your visit and treatment. They not only get the bill with all of its coding, they have the right to look through your chart and any other charts in any other doctor's office, any time.
According to the website Kevin MD:
"Can your loss of privacy hurt you? ... I think privacy is one of the most valuable assets you can have. I believe in the sanctity of the doctor-patient relationship and that what you tell me should be held in the strictest confidence ... Now that you know the medical world's dirty secret, the secret that has been right in front of your face all these years, it's time to answer the question, 'What's your privacy worth to you?'"
Most people recoil at the thought of having their personal medical records displayed for anyone to see, or worse, sold for marketing purposes. The privacy of medical records (or lack thereof) raises a number of issues with potentially unsavory ramifications. For example, if an employer, insurance company or malicious person gets their hands on this sensitive information, it could lead to much more than simple embarrassment. Jobs could be lost, insurance claims denied and entire reputations ruined, depending on your circumstances.
So, How Private are Your Medical Records?
It depends on whom you ask, but there are definitely plenty of loopholes that can put your privacy at risk. It's important to realize that the medical industry is a business, and personal medical records can be very valuable for the data they contain. Also, once you're "in the loop" it can be very difficult to get out.
There are companies that regularly purchase this type of information to profile doctor's prescription habits and improve drug sales, for example. Now, as far as I understand, identifying information is not supposed to be included, but I've heard of people receiving direct advertising from pharmaceutical- and medical companies that match their particular health problem, so I'm not entirely sure that there aren't loopholes there too.
As Dr. Stewart Segal says in the featured blog post, "you sell your privacy for the cost of your care." Granted, insurance companies need to know what services were rendered in order to issue a payment, but many disagree with the practice of rooting through past and unrelated medical records, which seems to be routinely done to try to deny claims based on "pre-existing conditions."
Furthermore, your medical records may be available online for just about anyone to see, without your explicit knowledge or consent. Back in 2008, CNN medical correspondent Elizabeth Cohen was surprised to discover her own health records online. Every diagnosis, treatment, and doctor's appointment she'd had in the past five years was on the Internet -- all she needed to get them was a phone call to her insurance company and a few pieces of information such as Social Security number, date of birth and address.
"There it was in black, white, and hypertext blue. My annual mammograms; the visits to the podiatrist for the splinter in my foot; the kind of birth control I use -- it was all on my health insurance company's Web site. And that's not all: The prescriptions drugs I use were listed on the Web site where I get my prescription drug insurance.
I had no idea this was all on the World Wide Web," she writes.
Online health records can let you, to some extent, double-check your doctor. And in a world where physicians are busy and medical errors are epidemic, that could be important. But online record keeping can also have significant drawbacks, and reduced privacy is definitely one of them.
Writing for About.com, Trisha Torrey helps bust 10 most common myths about the privacy protection of medical records provided by the Health Insurance Portability and Accountability Act, known as HIPAA. For example, the claim that medical information cannot be legally sold or used for marketing under HIPAA is untrue. Under certain circumstances your medical information can, and is, sold and used for marketing purposes. One of the primary loopholes here is that the rules are confusing, even to providers.
"That means these rights may get violated, whether that is intentional or unintentional," Torrey writes.
"An example of when information can be shared for marketing purposes is when a hospital uses its patient list to inform you of a new service it provides, a new doctor who has joined the staff, or a fund raising program. An example of when information cannot be shared without an additional authorization from you is when an insurer who has obtained your information from one of your providers, then uses or sells your information to sell you additional insurance, or another product related to services you have already received. You can see how these examples are confusing, and how the various entities that do have access to your records might take advantage of that confusion. "
HIPAA Laws Do Not Apply to All Storage of Medical Information
It's also important to understand that HIPAA laws do not cover privacy and security for all medical records. The laws only apply to entities specifically bound by them, such as healthcare providers, healthcare facilities, and sometimes insurers.
But there are plenty of other entities that may have your medical information that are not bound or regulated by HIPAA, such as online medical data storage services, and in those cases, no real privacy protection exists, other than what the company itself proclaims to have in place.
The bottom line?
Read the fine print with a magnifying glass! For the time being, online services to store your health information are entirely voluntary, and you have to sign up to use them. Just beware that these types of services can make you vulnerable to hackers, insurance companies, and yes, advertisers.
However, your insurance company, hospital or doctor's office may already be storing your health information online in their own databases, as Cohen discovered. It's definitely worth a few minutes of your time to contact your health providers and insurance company to find out just what personal information is available online. Some will only include basic test results, for instance, while omitting more personal information like substance abuse, mental health, sexually transmitted diseases, or reproductive health. Either way, if you don't want it online, request to have it removed.
After all, your privacy is under attack in many ways nowadays, by telemarketers, phone companies, advertisers, and technology like RFID tags, so it may be in your best interest to keep your health information under wraps as much as possible.
Sloppy Security Breaches May Be More Common than You Think
In another recent blog post, Dr. Pamela Wible, MD writes:
"On February 24, 2011, Massachusetts General Hospital was fined $1 million dollars by the federal government when an employee inadvertently left a stack of papers on the subway. These documents contained the protected health information of 192 patients, many with HIV/AIDS.
Where did these medical records go? Nobody knows. "
And according to an article in the American Medical News, published in March:
"[P]ractices and hospitals are more likely to experience a breach because of an employee losing a thumb drive, mobile device or stack of paper files than because they were targeted for a malicious hacking."
This could easily qualify as the stuff that nightmares are made of… However, medical practices and hospitals do have a strong incentive to clamp down on such sloppiness, as they may face fines of up to $1.5 million for every patient data breach according to the Health Information Technology for Clinical Health Act of 2009.
What Can You Do to Protect Your Privacy?
When it comes to your health information, staying out of the system is the best way to ensure your privacy. But is it the ideal solution for everyone? Probably not. Just beware that if you run to the doctor for every bump, scratch and rash, all of that information can end up in a number of different locations that you may or may not be aware of or have control over.
If you're concerned about your medical privacy, call your doctor and insurance company and find out where and how your information is stored and shared, and ask to have it removed if you don't approve. For general privacy protection, I like protectonlineprivacy.com. They do a marvelous job of providing resources to teach you how to rapidly and inexpensively remove your personal details from all the major databases.