PrivacyRights.org

How Private Is My Medical Information?

Many people consider information about their health to be highly sensitive, deserving of the strongest protection under the law. Long-standing laws in many states and the age-old tradition of doctor-patient privilege have been the mainstay of privacy protection for decades.

Now, the federal Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for privacy of health information, effective April 14, 2003. But HIPAA only applies to medical records maintained by health care providers, health plans, and health clearinghouses – and only if the facility maintains and transmits records in electronic form. A great deal of health-related information exists outside of health care facilities and the files of health plans, and thus beyond the reach of HIPAA. (PRC Fact Sheet 8a, “HIPAA Basics,” www.privacyrights.org/fs/fs8a-hipaa.htm)

The extent of privacy protection given to your medical information often depends on where the records are located and the purpose for which the information was compiled. The laws that cover privacy of medical information vary by situation. And, confidentiality is likely to be lost in return for insurance coverage, an employment opportunity, your application for a government benefit, or an investigation of health and safety at your work site. In short, you may have a false sense of security. This guide provides information on medical records not covered by the HIPAA Privacy Rule:

What do my medical records contain?

Medical records are created when you receive treatment from a health professional such as a physician, nurse, dentist, chiropractor, or psychiatrist. Records may include your medical history, details about your lifestyle (such as smoking or involvement in high-risk sports), and family medical history.

In addition, your medical records contain laboratory test results, medications prescribed, and reports that indicate the results of operations and other medical procedures. Your records could also include the results of genetic testing used to predict your future health. And they might include information about your participation in research projects.

Information you provide on applications for disability, life or accidental insurance with private insurers or government programs can also become part of your medical file.

What medical information is not covered by HIPAA?

Medical information that is not covered by the new federal privacy law might be found in your financial records, your child’s school records, and/or your employment files.

Financial records. The federal Gramm-Leach-Bliley Act (GLB) allows financial companies such as banks, brokerage houses, and insurance companies to operate as a single entity. GLB gives you the right to be notified about the information-sharing practices of financial institutions. And you must be given an opportunity to opt-out of third-party information sharing. But GLB does not keep information from being shared among affiliated companies.

Your credit card account and checking transactions are likely to include information about where you go for health care. Insurance applications and medical claims also contain health-related information. So it is possible for such medical information to be shared among affiliates of financial institutions. Such information is not protected by HIPAA.

Some financial companies promise extra protection for medical information. And insurance companies may be prohibited from giving information to an affiliated bank by state insurance laws. It pays to examine the privacy notices of financial institutions carefully. (Read PRC Fact Sheet 24, “Protecting Financial Privacy,” www.privacyrights.org/fs/fs24-finpriv.htm.)

Education records maintained by your child’s school contain vaccination histories, information about physical examination for sports, counseling for behavioral problems, and records of visits to the school nurse. Privacy of education records is under the control of the US Department of Education and the Family Educational Rights and Privacy Act (FERPA). These records are not covered by HIPAA. For more information about FERPA, visit the Department’s web site at www.ed.gov/offices/OM/fpco/ferpa/index.html.

Employment records and medical information may be mingled in situations not covered by HIPAA. Your employer may be covered by the Occupational Safety and Health Act (OSHA). If so, you have the right to access your medical records gathered for your employer’s OSHA responsibilities. (See the web site of the US Department of Labor for more on employee’s rights under OSHA, www.osha.gov/as/opa/worker/rights.html.)

In addition, the federal Family and Medical Leave Act (FMLA) gives most workers the right to 12 weeks of unpaid leave a year for personal and family health. If FMLA leave is because of a serious illness, your employer may request a doctor’s certification of the illness. But the employer cannot make you produce medical records. See the U.S. Department of Labor web site for more information on FMLA, www.dol.gov/elaws/esa/fmla/faq.asp.

If your employer is self-insured for employees’ medical benefits, its handling of insurance claims and other health-related information is covered by HIPAA. In this capacity, the employer would be considered a “hybrid” entity. For more information on HIPAA involving employer group health plans and self-insurance situations, read PRC Fact Sheet 8a on “HIPAA Basics,” www.privacyrights.org/fs/fs8a-hipaa.htm.

Who has access to my medical records?

Your medical information is shared by a wide range of people both in and out of the health care industry. Generally, access to your records is obtained when you agree to let others see them. In reality, you may have no choice but to agree to the sharing of your health information if you want to obtain care and qualify for insurance.

1. Insurance companies usually require you to release your records before they will issue a policy or make payment under an existing policy. This is especially true if you apply for individual health insurance as opposed to a group health plan available through your employer.

Insurance companies are considered financial institutions under the federal GLB law. Like banks and brokerage houses, they must provide you a notice of how they gather and use your customer information. You may have the right to opt-out of sharing some information with other companies.

To learn more about GLB and the insurance privacy laws in your state, visit the web site of the National Association of Insurance Commissioners, www.naic.org/state_contacts/sid_websites.htm. Medical information gathered by an insurance company may also be shared with others through the Medical Information Bureau (see below).

2. Government agencies may request your medical records to verify claims made through Medicare, Medi-Cal, Social Security Disability, and Workers Compensation.

3. The Medical Information Bureau (MIB) is a central database of medical information shared by insurance companies. Approximately 15 million Americans and Canadians are on file in the MIB’s computers. About 600 insurance firms use the services of the MIB primarily to obtain information about life insurance and individual health insurance policy applicants.

When you apply for life or health insurance as an individual, you are likely to be asked to provide information about your health. Sometimes you are required to be examined by a doctor and/or to have your blood and urine tested. If you have medical conditions that insurance companies consider significant, the insurance company will report that information to the MIB.

The information contained in a typical MIB record is limited to codes for specific medical conditions and lifestyle choices. Examples include codes to indicate high blood pressure, asthma, diabetes, or depression. A code can signify participation in high-risk sports such as skydiving. A file would also include a code to indicate that the individual smokes cigarettes. The MIB uses 230 such codes.

It’s important to remember the following about the MIB:

  • The MIB is not subject to HIPAA. MIB files do not include the totality of one’s medical records as held by your health care provider. Rather, they consist of codes signifying certain health conditions.
  • A decision on whether to insure you is not supposed to be based solely on the MIB report.
  • The MIB is a consumer reporting agency subject to the federal Fair Credit Reporting Act (FCRA). If you are denied insurance based on an MIB report, you are entitled to certain rights under the FCRA, including the ability to obtain a free report and the right to have erroneous information corrected. See the Federal Trade Commission’s web site on insurance decisions, www.ftc.gov/bcp/conline/pubs/buspubs/insurers.htm.

The MIB does not have a file on everyone. But if you have an MIB file, you will want to be sure it is correct. You can obtain a copy for free once a year by calling (866) 692-6901 (TTY for the hearing impaired (866) 346-3642) or by visiting the company’s web site at www.mib.com/html/request_your_record.html.

In general, the MIB can be contacted at Medical Information Bureau, P.O. Box 105, Essex Station, Boston, MA 02112, by sending an email to infoline@mib.com, or on the web at www.mib.com.

4. Employers usually obtain medical information about their employees by asking employees to authorize disclosure of medical records. This can occur in several ways not covered by HIPAA. Unfortunately, the laws in only a few states require employers to establish procedures to keep employee medical records confidential. (For example, California Civil Code §56.)

A potential employer may ask for medical information as part of an employment background check, with limitations as explained below. To learn more on employment background checks and an employer’s obligations under the FCRA, read PRC Fact Sheet 16 on background checks, www.privacyrights.org/fs/fs16-bck.htm, and the FTC’s web site, www.ftc.gov/bcp/conline/pubs/buspubs/credempl.htm.

According to the federal Americans with Disabilities Act, in workplaces with more than 25 employees (ADA text, www.eeoc.gov/laws/ada.html, 42 USC §12101 et seq.):

  • Employers may not ask job applicants about medical information or require a physical examination prior to offering employment. After employment is offered, an employer can only ask for a medical examination if it is required of all employees holding similar jobs.
  • If you are turned down for work based on the results of a medical examination, the employer must prove that it is physically impossible for you to do the work required.

Report violations of the ADA to the U.S. Equal Employment Opportunity Commission (EEOC). Phone: (800) 669-4000. Web: www.eeoc.gov.

5. Your medical records may be subpoenaed for court cases. If you are involved in litigation, an administrative hearing, or a worker’s compensation hearing and your medical condition is an issue, the relevant parts of your medical record may be copied and introduced in court.

6. Other disclosures of medical information occur when medical institutions such as hospitals or individual physicians are evaluated for quality of service. This evaluation is required for most hospitals to receive their licenses. Your identity may or may not be disclosed when medical practices are evaluated. Evaluations for accreditation are called “health care operations” under HIPAA. Consent to use your information for these purposes is usually not required.

Occasionally your medical information is used for health research and may be disclosed to public health agencies like the Centers for Disease Control. Specific names are usually not given to researchers. Their use of patient information is covered by HIPAA. (U.S. Dept. of Health and Human Services, www.hhs.gov, and PRC Fact Sheet 8a, www.privacyrights.org/fs/fs8a-HIPAA.htm)

7. Medical information may be passed on to direct marketers when you participate in informal health screenings. Tests for cholesterol levels, blood pressure, weight and physical fitness are examples of free or low-cost screenings offered to the public. Screenings are often conducted at pharmacies, health fairs, shopping malls, or other nonmedical settings. The information collected may end up in the data banks of businesses which have products to sell related to the test.

8. A tremendous amount of health-related information is found on the Internet. Many Usenet news groups and “chat” rooms are available for individuals to share information on specific diseases and health conditions. Web sites dispense a wide variety of information. There is no guarantee that information you disclose in any of these forums is confidential. Always review the privacy policy of any web site you visit.

Electronic Health Records — Benefits and Dangers for Consumers

In January 2005 the Bush Administration called for the creation of a nationwide network of electronic health records (EHR) within 10 years.

There are both benefits and very real pitfalls to such a grandiose scheme. Certainly, access to electronic records would have greatly assisted emergency health teams in the aftermath of Hurricane Katrina in August 2005. And most individuals can easily envision the benefits to hospital emergency rooms when assisting unconscious patients. But the challenges regarding security and confidentiality are profound.

To become better informed about this initiative, visit these web sites:

Government resources:

Patients’ rights resources:

HIPAA Basics: Medical Privacy in the Electronic Age

Today, you have more reason than ever to care about the privacy of your medical information. Intimate details you revealed in confidence to your doctor were once stored in locked file cabinets and on dusty shelves in the medical records department.

Now, sensitive information about your physical and mental health will almost certainly end up in data files. Your records may be seen by hundreds of strangers who work in health care, the insurance industry, and a host of businesses associated with medical organizations. What’s worse, your private medical information is now a valuable commodity for marketers who want to sell you something.

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address growing public concern about privacy and security of personal health data. The task of writing rules on privacy eventually fell to the U.S. Department of Health and Human Services (HHS). After several modifications, HHS issued the HIPAA Privacy Rule.

The Privacy Rule was effective on April 14, 2003, for most health care providers, health plans, and health care clearinghouses. Small plans have until April 14, 2004, to comply.

If you expect HIPAA to restore your confidence that sensitive medical data is a matter between you and your doctor, you will be disappointed. HIPAA sets the standard for privacy in the electronic age where health industry, government, and public interests often prevail over the patient’s desire for confidentiality.

This guide explains the complex provisions of HIPAA’s Privacy Rule. It covers HIPAA’s high points and low points regarding your health privacy. For more information on HIPAA and additional rules that are not explained here, go to the References section at the end of this guide.

What are HIPAA’s shortcomings?

Like it or not, you are not the only one with an interest in control of personal health information. The balancing act between your interests and those of other stakeholders is often tipped on the side of government, the medical profession, related businesses, and public interests. Consumer and patient advocates are critical of HIPAA for its numerous weaknesses.

Here are some of the ways that patients’ rights to privacy come up short:

  1. Your consent to the use of your medical information is not required if it is used or disclosed for treatment, payment, or health care operations (TPO). In many situations such as emergencies, this makes perfect sense. You don’t expect the ambulance driver to get your permission to call the hospital emergency room when you are having a heart attack. On the other hand, since your consent is not required for payment, your health care provider could submit a claim to your insurance company – even for a procedure you wanted to keep private and intended to pay for yourself. In addition, treatment, payment, and health care operations have broad definitions that encompass many activities that most people are not familiar with.
  2. Your past medical information may become available, even if you thought the information was long buried and would remain private. An event, treatment, or procedure from your distant past can be disclosed the same as information about current conditions. Of some comfort, old information is given the same protections under HIPAA as current information. In addition, HIPAA’s “minimum necessary” rule applies to old as well as new records. This means that the amount of information disclosed should be limited to what is necessary to accomplish the purpose.
  3. Your private health information can be used for marketing and may be disclosed without your authorization to pharmaceutical companies or businesses looking to recall, repair or replace a product or medication. (For more on the marketing of your medical information see Part 5 below.)
  4. You have no right to sue under HIPAA for violations of your privacy. In other words, you do not have a “private right of action.” Only the HHS or the U.S. Department of Justice has the authority to file an action for violations of the Privacy Rule. All you can do is complain to the one who violates your privacy or to the HHS. However, you may be able to sue under state law using the HIPAA Privacy Rule to establish the appropriate standard of care.
  5. Business associates of a covered entity can receive protected health information (PHI) without a patient’s knowledge or consent. Before entering into an agreement with a business associate, a covered entity must receive assurance that information will be handled appropriately. After that, handling of sensitive data by business associates is left only to an honor system. Even when the limitations of the Privacy Rule are applied, many people can still see your medical records when carrying out the business of the plan or provider. Business associates may include billing services, lawyers, accountants, data processors, software vendors, and more. Your doctor may, for example, disclose your health information to a business associate that processes medical bills. A written contract for this arrangement is required, but the doctor doesn’t have to check to see that your information is being handled correctly. If there is a violation, the business associate is supposed to report it.
  6. Law enforcement access to protected health information under HIPAA is a significant concern of privacy and civil liberties advocates. Some disclosures may be made to law enforcement without a warrant or court order.

Who is not covered by the HIPAA Privacy Rule?

Your medical information may be available to many who are not covered by HIPAA. Here are some examples of who is not covered.

  • Life insurance companies.
  • Workers Compensation.
  • Agencies that deliver Social Security and welfare benefits.
  • Automobile insurance plans that include health benefits.
  • Internet self-help sites.
  • Those who collect health data you give voluntarily for surveys or research projects.
  • Those who conduct screenings at pharmacies, shopping centers, hometown fairs, or other public places for blood pressure, cholesterol, spinal alignment, and so on.
  • Researchers who obtain health data directly from health care providers.
  • Law enforcement agencies.

Even though these institutions are not covered by HIPAA, they may get information from a covered entity.

Is the Medical Information Bureau (MIB) a covered entity?

No. The MIB is a member organization made up of insurance companies. Because the MIB is neither a health care provider, health care plan, nor health care clearinghouse, it is not a covered entity. Most of MIB’s members underwrite life and disability insurance, functions that are not covered by HIPAA. For more on MIB, see www.mib.com and Privacy Rights Clearinghouse Fact Sheet 8, “How Private Is My Medical Information?” www.privacyrights.org/fs/fs8-med.htm.

Are there any limits on what can be disclosed from my medical file?

The Privacy Rule incorporates what it calls a “minimum necessary” standard when it comes to how much information should be disclosed. Doctors, hospitals, and others covered by the HIPAA Privacy Rule are required to limit the amount of information disclosed to others to the minimum necessary to accomplish the intended purpose.

What amounts to the minimum is left up to the health care provider, not you. And, the minimum necessary rule does not apply to information disclosed in connection with treatment. It also doesn’t apply if you authorize the disclosure of your health information.

When can information be used without my consent?

Consent for use of your information is not the same as consent for treatment. The HIPAA Privacy Rule does not change the general requirement that a health care provider needs your consent before treating you.

A covered entity is allowed to seek your consent, and some state laws require patient consent for treatment, payment, and other disclosures. A covered entity is required to make a good faith effort to obtain your acknowledgment that you received a notice of privacy practices, but this is not the same as obtaining consent.

Your consent is not required when your medical information is used for treatment, payment, or for health care operations (TPO). But it goes much further than that. Your consent is not necessary when your information is used by a business associate of your health care provider or plan.

Services provided by a business associate can include: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial. These business relationships are established with a written contract. Your personal medical information can be used to carry on the business association, but you are not a party to the arrangement.

Will I ever know how many people have seen my medical information?

HIPAA requires safeguards to limit the number of people who have access to personal information. Given the number of people who may have access to your information just to run the operations and business of the health care provider or plan, there is no realistic way to count the number of people who may come across your records. If you are hospitalized, for example, hundreds of hospital employees may see your health information.

When you add to this the number of instances listed below in which your medical information can be disclosed without your authorization, the numbers can be staggering. For an idea of how extensive routine disclosures can be, read “Health Privacy: The Way We Live Now” by Robert Gellman, reprinted on the Privacy Rights Clearinghouse web site, www.privacyrights.org/ar/gellman-med.htm.

Alert

Because HIPAA authorizes so many different types of disclosures without patient approval, you should be suspicious anytime that someone asks you to sign an authorization form for disclosure of health information. Make sure that the authorization is for your benefit and not someone else’s.

The above information is FYI to introduce you to excerpts from PrivacyRights.org that explain what is “true” about the legal privacy of your medical information under the HIPAA laws.

To learn all about HIPAA, with all the informational links that will educate you, answer your questions, and make you aware of how limited your legal rights are and how easily your medical information is attainable because of the broad wording of HIPAA and the upcoming changes and additions proposed by the Bush Administration and Congress, please refer to http://www.privacyrights.org/fs/fs8-med.htm.

Are You Aware Of MIB?

http://www.mib.com