Originally created 05/26/01

Keeping medical information private



It's an article of medical faith almost as sacred as "Physician do no harm": What you tell your doctor will be held in strictest confidence.

Yet sometimes the intimate details of your health are being shared with third parties in ways you could never imagine.

Just ask the AIDS patient in New York who was shocked to find his prescription file had been sold by his local drugstore to the giant CVS Corp. pharmacy chain. A lawsuit against CVS is pending.

Or pay $8.50 to see if your coded medical history is stored in the insurance industry database, the Medical Information Bureau (http://www.MIB.com), which sells that information to its life and health insurance company members.

Increasingly, medical records are being transmitted electronically - to insurers, hospitals and even doctors' homes. And while computerization can offer a higher degree of security than traditional paper medical files, the flip side is that breaches of security can have much greater consequences.

Last year, for instance, a computer glitch at Kaiser Permanente in California meant the HMO sent more than 850 e-mail messages containing confidential patient data to the wrong members. In another case, a hacker downloaded medical records, health information and Social Security numbers on more than 5,000 patients at the University of Washington Medical Center just to prove it could be done.

The hemorrhaging of supposedly private health records has grown serious enough to inspire government curbs.

In mid-April, the government ordered hospitals, doctors, pharmacies and insurance companies to implement sweeping new privacy regulations intended to protect an individual's medical records.

These regulations, mandated under the 1996 Health Insurance Portability and Accountability Act, set new nationwide standards for giving patients the right to review their health records and restrict disclosure of sensitive information.

And yet:

- Pharmacies and hospitals still will be able to use your health information to send you marketing pitches for drugs and treatments.

- If you get services through your company's employee assistance program or its on-site clinic, that information can go directly to your boss.

- Direct marketing companies still can compile detailed mailing lists of individuals with specific ailments, such as the one listing diseases and body counts by MMS Inc. of Wood Dale, Ill.: "Bladder control: 808,118; rectal itch: 38,501; yeast infections: 901,339."

Occasionally it's the individual who unwittingly puts confidential information on the street for sale.

Dumb moves that may open a Pandora's box of privacy infringements include having soul-baring exchanges in Internet chat rooms, filling out online health profiles and ordering drugs via the Internet.

An August survey of Internet users by the Pew Internet & American Life Project found that 36 percent had visited a support group site or one that deals with specific medical conditions; of those, 24 percent used their real name or e-mail. And though Web site privacy policies can seem comprehensive, they quickly can become null and void when a company goes bankrupt.

Joy Pritts, senior counsel for the Health Privacy Project at Georgetown University in Washington, said Web sites also often change their privacy policies without notifying members.

"I was on one site where you had to click through six different URLs (Web addresses) to learn about the new privacy regulations," Pritts said. "They don't make it easy."

Though the Internet is the flashiest new source of personal health information, even old-fashioned direct-mail surveys can put respondents on the junk mail merry-go-round. They lure participants by dangling offers of coupons or cash giveaways in exchange for detailed family health histories.

Junk mail from pharmaceutical companies may rank as little more than an annoyance. Other health privacy infringements have more serious consequences.

A Midwestern banker who served on his county's health board cross-referenced customer accounts with patient information, then called due the mortgages of anyone with cancer.

An Atlanta truck driver lost his job after the employer learned from his insurance company that he had been treated for a drinking problem.

And a North Carolina woman with a glowing work record was fired after her employer discovered she had a genetic disorder that required expensive treatment.

Just a few weeks ago, Burlington Northern Santa Fe Railroad agreed to stop secret genetic testing of its employees in response to a federal lawsuit. The test, which involved analyzing blood samples of workers with carpal tunnel syndrome, was intended to determine whether the employees were genetically predisposed to such injuries.

The government has taken steps to try to staunch the flow of private medical information. The new privacy regulations are being fine-tuned by government officials, and health providers have two years to implement the rules.

The new federal regulations guarantee the right to see and request corrections in medical records. The new rules also:

- Require that health care providers get a patient's consent before using or disclosing health information for treatment, payment or health care operations (which include marketing).

- Guarantee that psychotherapy notes remain confidential.

- Prohibit health claims information from being shared with employees who make hiring and firing decisions.

Privacy advocates see flaws in the regulations. Drug companies can pay a doctor, hospital or pharmacy to send marketing materials to diabetic patients, for instance, without the patients' prior consent. Patients can then ask to be removed from the mailing list.

Though the rules try to protect employees from being penalized for their health problems, the distinction between the person handling medical claims and the one doing the hiring is likely to be tenuous, especially in small companies.

"This is a good first step," said Pritts of the Georgetown privacy group. "But a lot of people and organizations that collect health information - like life insurers, workers' comp and employers - are not included under the regs.

"My biggest advice to the consumer is that if they get a notice and it concerns privacy of medical information, they should read it carefully. And if they don't understand it, they should ask questions."