There’s a lot of talk about the risks of storing health information in electronic medical records (EMRs). But, EMRs aren’t the problem. Those consent forms you sign at the doctor’s office… yeah, you should pay attention to the fine print. You may be giving permission to insurance companies, drug makers, and data aggregators to access your health information, regardless of how or where it’s stored. Sorry to get all sour grapes, but we just want to set the record straight. Here’s what you need to know about who can see your health information, how they can legally use it, and what you can do to protect yourself.
Your Doctor Isn’t the Only Person Who Knows Your Diagnosis
Have you heard of the Medical Information Bureau (MIB)? What about IntelliScript and MedPoint? These organizations, among others, build databases of Americans’ private medical information and sell it to other companies (MIB, a non-profit, only provides the information to its members). It’s perfectly legal. But, ethical? Well, you decide.
Data aggregators track down diagnosis codes, lab data, and prescriptions from databases such as those kept by pharmacy benefit managers. The data is later sold to health and life insurance companies to assess the risk of writing a policy. In other words, they can use it to determine rates, or possibly deny you service. However, we should point out that the MIB uses proprietary codes and only receives this information from member companies. The codes are “brief resumes” that act as “red flags” about a particular medical impairment or risk to a patient’s mortality or morbidity. MIB members aren’t supposed to make underwriting decisions based solely on a code.
Some of these organizations even perform analysis for insurance companies. For example, IntelliScript from Milliman provides insurers with drug profiles of patients. In each patient profile, they assign color codes to a drug – red, yellow, or green – in order to indicate its risk factor. Red means risk. It could be used to spotlight drugs for serious illnesses like cancer or AIDS.
In addition to data aggregators, several other types of organizations may have access to your health information. For example, anyone that hosts informal health screenings can collect information for marketing purposes. These screenings could include tests for cholesterol, blood pressure, and physical fitness hosted at pharmacies, health fairs, and other non-medical settings. So, be forewarned. If you sign something before participating, don’t be surprised if you find a direct-mail piece about the latest cholesterol-lowering drug in your mailbox.
Of course there are many others in the circle of trust with your personal health information. Check out this chart from the Patient Privacy Rights Foundation for a quick view of who else might see your medical details.
HIPAA Doesn’t Always Apply
Many types of organizations with access to your health information are not required to comply with HIPAA regulations. For example, companies such as IntelliScript don’t have to abide by HIPAA policies. Fortunately, they are subject to the Fair Credit Reporting Act (FCRA). If you do get turned down for coverage, you have the legal right to obtain copies of your reports and to have inaccurate information corrected.
Joy Pritts, a research professor at Georgetown University’s Health Policy Institute, was once quoted in the Washington Post saying:
As health care moves into the digital age, there are more and more companies holding vast amounts of patients' health information. Most people don't even know these organizations exist. Unfortunately the federal health privacy rule does not cover many of them. . . . The lack of transparency with how all of this works is disturbing.
You Can Protect Your Health Information, But It’ll Cost You
So what can you do to protect your health information? Here’s our full prescription in three doses: collection and correction, prevention, and education.
- Perform a personal health information audit. Just as with your financial credit report, you have the legal right to obtain your personal health records and request that errors be corrected. Bound by HIPAA, doctors and insurers are required to share this information with you. And, as previously mentioned, third parties are required to share information under the FCRA. So, if you have reason to believe your records contain erroneous information – or if you’re just curious – you should call your physician and ask to see a copy. Of course, tracking down your entire history might be challenging depending on your past medical treatment and how many offices you’ve visited.
- Prevent the spread of your health information. This will likely be easier than the first step, but it will still take discipline and a keen eye. Moving forward from here, make sure you read the details on any forms you sign. Avoid signing a release that contains general statements, such as one that authorizes your records to be released for “all legally valid purposes.” Secondly, don’t give out health information on the web. Be careful about – or avoid – signing up for online prescription refill services like those offered by your local pharmacy. Finally, if you want to keep a treatment completely confidential, you’ll need to pay for it yourself and give your provider a written statement explaining that the visit should be kept confidential.
- Educate yourself. We’ve just exposed the tip of the iceberg. If you are really serious about protecting your health information, you’ll need to dig in and learn about the privacy laws in your state. You can do this by visiting the National Association of Insurance Commissioners website. The Patient Privacy Rights Foundation and the Privacy Rights Clearinghouse are also excellent resources; they provide libraries of articles on patient privacy matters.