Wednesday, October 7, 2009

Your health records available to millions

Including sensitive details about diseases, prescriptions, addictions, mental illness

By Chelsea Schilling

Would American citizens object if they knew 4 million health-related businesses distributed private details about their mental illnesses, cancer diagnoses, sexually transmitted diseases, prescriptions, addictions and sensitive genetic information?

Psychoanalyst Dr. Deborah Peel told WND most patients don't know that their highly sensitive information is being shared with thousands of law-enforcement agencies, insurance brokers, life and health insurance companies, credit bureaus, transcription vendors, disease registries, employers and banks every day – and the data can be used to discriminate against Americans.

"Part of the language that keeps people assured is they say things like, 'No unauthorized users can see your information.' That sounds pretty good," she said. "The problem is, they don't tell you how many authorized users there are."

Peel, founder of Patient Privacy Rights, the nation's leading consumer health privacy advocacy organization, said patients often have a false sense of security when they sign Health Insurance Portability and Accountability Act, or HIPAA, forms in doctors' offices. She warned that those forms only affirm that the patient has received notice that health-related businesses can share records.

PPR's website warns that this information sharing can affect Americans in a variety of ways. It posted the following list of examples:

  • If a school or university learns your child has ADHD or is being treated for depression, they may deny admission.
  • If a boss knows you take Xanax or Zoloft, they may reconsider your promotion.
  • If you or your spouse have a serious or costly chronic illness, an employer may not hire you or your children. A bank may deny a loan or credit.
  • If you get a genetic test, most researchers and companies claim to own your DNA. Hospitals freely use the DNA of all newborns. If you carry the breast cancer gene, you, your children and grandchildren may always be stigmatized, even if they aren't sick.

Amending HIPAA 'Privacy Rule'

Congress passed HIPAA in 1996, but it did not include a medical privacy statute. Rather, the Department of Health and Human Services, or HHS, was required to submit detailed recommendations on patient health privacy regulations. In 2001, HHS released "Standards for Privacy of Individually Identifiable Health Information," also known as "the Privacy Rule," 65 Fed. Reg. 82,462. The HIPAA "Privacy Rule" recognized the patient's "right of consent":

164.506 "Consent for uses or disclosures to carry out treatment, payment, or health care operations.

(a) Standard: consent requirement. (1) Except as provided in paragraph (a)(2) or (a)(3) of this section, a covered health care provider must obtain the individual's consent, in accordance with this section, prior to using or disclosing protected health information to carry out treatment, payment, or health care operations."

However, Peel said the HHS amended the "Privacy Rule" in 2002 and eliminated the patient's right of consent, granting permission to "covered entities" to share private health information:

"The consent provisions … are replaced with a new provision … that provides regulatory permission for covered entities to use and disclose protected health information for treatment, payment, and health care operations."
67 Fed. Reg. at 53,211

This amendment provides federal "regulatory permission" to more than 600,000 "covered entities" and millions of "business associates" to use and disclose identifiable health information for a variety of "routine" purposes.

PPR created the following chart to illustrate how various groups and companies might obtain and share private information about a single patient:

[Chart: Legal users of patient medical records]

Zone 1 includes the patient and his doctor. When a patient makes an office visit, private health information can be legally shared with Zone 2 "covered entities," including health and life insurance companies, labs, pharmacy benefits managers, insurance brokers, Centers for Disease Control and Prevention, disease registries, law-enforcement agencies, medical information bureaus, public health agencies, self-insured employers, hospital chains, third-party administrators and even the Food and Drug Administration.

By Zone 3, private health information may be shared with credit bureaus, legal services, hospital staff, data clearinghouses, data processing firms, pharmacy chains, pharmaceutical companies, accounting firms and even offshore transcription vendors as far away as Pakistan.

"Entities, like a hospital or doctor's office, have accountants, lawyers, people to maintain websites. If they have electronic software, they have many software and IT vendors that create the databases that hold and share and store the information and so forth," Peel said. "Those people get a hold of the information, too."

By Zone 4, the information may reach financial institutions, holding companies, banks and investment companies. She said banks can freely trade information with credit bureaus.

Asked whether those companies keep the private health information on file, Peel replied, "Oh absolutely. It's very scary. There's nothing regulating when they destroy information, nothing. Even if we had rules about them destroying it, who is going to follow up?"

She continued, "The big black sinkhole is the health-care operations phrase in the amendment, which means virtually any use that they can put to it. It's essentially sanctioned and legalized data theft."

Why was the privacy rule removed to allow information sharing without patient consent?

"I think there was naiveté on HHS' part," Peel said. "They thought, well these people are all in the health business, and they're all going to take care of patients."

But Peel said there's a major flaw in assuming the health-related businesses will regulate and protect the handling of private information.

"Not only will they not self-regulate, but they have a legal duty to make the best possible returns for their shareholders, which is completely at odds with our rights as Americans to control our sensitive information," she said. "The American public is very divided. On one hand, they want to trust their doctors. They know about the Hippocratic Oath, and they've also believed the lies coming from the administration and the industry that the HIPAA rule protects privacy. The language is tricky."

Danger of information sharing

Peel said Americans should be concerned when their information is shared because it could destroy their lives and futures.

"What is the worst problem cancer survivors have?" she asked. "No one will hire them, and no one will insure them because no one believes they are ever going to live. Even five and 10 years out, it's very difficult."

Peel also said patients who seek psychiatric care often worry that details about their condition will be shared.

"When I first started to practice, people came in and they asked, 'If I pay you cash, will you not send my information to anyone?'" she said. "Why did they ask me to do that? It's totally about jobs. I've heard nothing but complaints about reputations and jobs being lost for 30 years."

Furthermore, Peel said patients can pay cash for medical services, but cash will not prevent sharing of private information about prescriptions.

"You cannot get a private prescription in this country even if you pay cash. It doesn't matter if you pay them cash," she said. "Some people drive to Mexico to get prescriptions or they try to get them on the Internet, but the Internet is actually very traceable. It's a real dilemma because people are discriminated against based on their prescriptions. The lists of prescriptions you take are sold daily. People can get those, and if you are on an antidepressant, you might not get a job."

Asked if a patient can provide cash and an alias for services, Peel replied, "No. They make it illegal. They make it illegal to give a false name!"

She continued, "It's an insane system, and, unfortunately, the main use of the information really is to do things like to discriminate against you."

What's more, she said patient health records are often rife with errors, misdiagnoses, inconsistencies, incorrect billing information and even wrong medication. She said patients usually don't have access to their own electronic health information.

"A lot of the data about you, you need to see it because who knows if it's right or not?" she asked. "Who is going to edit your information to take to a new doctor so that new doctor knows which information is true about you? It has to be you. You have the most motivation to know the truth about yourself or your own life."

Fighting for patient privacy protections

Peel said PPR helped fight for patient privacy protections added to the recent stimulus bill.

"We did not get back the right to control our personal information, but we did get a ban on the sale of protected health information," she said. "We don't know when they're going to implement that. It's going to be a nasty fight."

She said citizens were also given the right to "segment" sensitive information.

"Under state laws, we all have the right to segment all kinds of sensitive information on genetics, sexually transmitted diseases, mental health, addiction, all kinds of categories of information that require higher levels of protections," she said. "We got that reinforced at the federal level so data miners can't preempt all the state laws."

The stimulus also provided a brand new right to audit trails so patients can see who handles their information.

"We got three years of audit trails in. We think people are going to faint when they see how many people get into their records that they never would have imagined for purposes that they've never heard of," Peel said.

But she said patients are still facing some major setbacks: "The stimulus funds are going to go out without the requirement that systems do any of these things for three to six years. So, all of our data is going to be sold. The administration and the committees advising the administration and the HHS and the Office of the National Coordinator have put all of the consumer protections dead last."

Furthermore, Peel said the stimulus bill requires every American to have an electronic medical record by 2014.

"That was in the stimulus bill," she said. "Every one of those records will be data mined without our consent for a myriad of uses that have never been discussed with the public."

What can patients do to protect their private health information?

Peel said PPR is setting up a petition for a national "Do Not Disclose" list. She said citizens should sign that petition when it is released.

"If you are on that list, anyone who holds your health data can't use it or move it without your informed consent," she explained. "We are trying to get this thing running in the next week or so. There has to be a way to opt-out and to control data. We have to start putting the control back in the hands of patients."

She continued, "We also have a consumer tool kit forms they can take to doctors and hospitals to assert their rights. Put them on notice that you can't do this to me under state law. Nobody knows to assert their rights. They will tell you they can't do it, but you've put them on legal notice."

Peel said patients can also write lawmakers, though she said they are up against several insurance company lobbyists who lobby Congress every day.

"The number of lobbyists is absurd, and they are paying millions of dollars because the information is worth millions to deny your claims, to deny payments, to deny insurance and to share the information with your bosses."

On one hand, Peel said, Americans have heard HIPAA protects privacy. On the other hand, there's a part of them that knows HIPAA doesn't offer enough protections.

"It's really our fundamental liberty," she said. "Are we going to become a giant surveillance state, or do Americans have a right to be left alone? Do we have a right to privacy, a right to have our sensitive data under our control?"