
Knowing Who's Messing with Your Medical Records


Thanks to the US Department of Health and Human Services, you may be able to deter people -- or businesses -- from rummaging around in your medical information. If a new rule is adopted, you would have the right to obtain a list of all those who accessed your electronic medical records and what they did with the data. The "access report" would be kind of like the credit report that you can get free each year (if you go to the government's website annualcreditreport.com and not to freecreditreport.com or those other outfits that get you to sign up for expensive and unnecessary credit monitoring services).

Sorry for the digression, but it steams me that credit report companies charge people for what the government provides for nuthin'.

Back to medical records. You may think that they are sacrosanct -- and maybe they are if you are attended by one lone physician who keeps everything in paper files that he (or she) locks in the office safe. But these days, most health care providers -- doctors, hospitals, labs, insurers, HMOs and so on -- feed your data into computer systems that can be invaded by snoopy employees or volunteers who want to know why you're in the hospital or how you mysteriously lost 97 pounds. In the most heart-breaking instance I can think of, an employee at the UCLA Medical Center in 2008 accessed Farrah Fawcett's medical records without authorization. Information that her rectal cancer had recurred turned up in the National Enquirer before she could give the bad news to her family and friends. Fawcett died a year later.

Data breaches are another problem. In the last couple of years, hundreds of medical institutions have reported wholesale information losses.

Under HIPAA (the Health Insurance Portability and Accountability Act), which went into effect in 2003, patients have the right to see their own medical and billing records -- and to correct them if they contain an error. Consumers could also get a list of those who had peered at their records, but there were three important exclusions, according to Daniel Gottlieb, a partner with McDermott Will & Emery, a Chicago law firm. You couldn't see any requests involving treatment, billing or health care operations. What was left was "less than one percent of the requests," he estimates. Under the proposed rule, medical institutions would have to list all requesters and the time and date when they made their query. "That's a lot more information," adds Gottlieb.

Why would you want to see an access report? Well, there's a lot of material in your medical record that could potentially damage your employability, your reputation and even your financial security. Maybe you've tested HIV positive. Or had a venereal disease or a condition that was merely embarrassing, like psoriasis. Alcohol abuse might have cropped up at one point or use of medications for depression or anxiety. If you were mysteriously turned down for health insurance or a job, you would want to know whether there was a leak of information saying perhaps that you are unhealthy or make a lot of insurance claims.

The toughening of the rules may be helpful for patients. Whether they will actually request the access report is another issue, however. Already, insurers and health care providers have complained that since HIPAA was passed, barely anybody has exercised his or her right to the information. And the medical establishment is understandably unhappy about complying with more bureaucratic rules and regs, which add to their costs. Just think of all the privacy statements you've signed at your doctors' offices. Did you ever read one through? Or have you read one in the last year? I didn't think so.

Another problem: if the access report is anything like the one you get from credit reporting agencies, then I say, you may as well forget about the whole thing. In response to consumer requests, I have examined credit reports and tried to ferret out which banks or financial institutions had actually asked for the information; but the names are usually masked, and unless you hire a private detective to run them all to ground, you'll never know who wanted to snoop into your finances -- or why.

Finally, the access report may in fact deter your neighbor who happens to volunteer at the hospital from finding out that you just had weight-loss surgery or your appendix removed, all of which might be fodder for gossip. But there's nothing much such a disclosure can do to discourage the more frequent and dangerous invaders of medical records -- hackers on the hunt for Social Security numbers, Medicare numbers and credit card numbers. For that, the government or somebody will have to come up with another solution.

Meanwhile, HHS will accept comments on the HIPAA privacy rule through August 1 and then consider adoption. You can put your two cents in right here.
