How to Keep Prying Eyes off Your Medical Records

Will a new federal privacy regulation go far enough?

A North Carolina woman lost her job after her boss found out she had a costly, incurable genetic disease. In Illinois, anti-abortion activists somehow got the medical record of a woman hospitalized after an abortion and posted it on the Internet along with a photo of her leaving the abortion clinic. Meanwhile, angry CVS (CVS ) customers are suing the giant drugstore chain for sharing its prescription information with a marketing company.

These days, with medical records flying between computers and everyone from your company's benefits manager to irksome telemarketers fingering through your personal information, privacy has become a gnawing worry. Soon, with breakthroughs in DNA research, not just the diseases you have but also the ones your genes predict you will get could become part of that record. Last year, 61% of those surveyed in a Gallup poll said they were very concerned their information might be available to others without their consent.

And they should be. Until April, no federal law barred disclosure of an individual's health records. But a new federal privacy rule will make it illegal for health providers and insurers to improperly release patients' medical details without their consent (table). For example, any doctor or nurse who gossips about your medical care or shares the information with your boss will be subject to fines and a possible prison sentence. Health providers and insurance plans have until Apr. 14, 2003, to comply. Small plans have until Apr. 14, 2004.

The new law has its limits. It does nothing, for instance, to protect information gathered by life or disability insurance companies, or to curb marketing companies that already have your personal data or can get it from nonprotected sources. However, advocates argue the new reg is better than the hodgepodge of state laws and widely varying (and often unenforceable) professional ethics that now protect your file.

Stories of abuse abound. Privacy consultant Larry Ponemon tells of the New Jersey drug company he worked with a few years ago that used an outside call center to remind patients it was time to refill their psychiatric drug prescriptions. Curious call-center workers soon began looking up lists from their hometowns, he says, spotting people they knew. When word got back to one affected patient, she called in her lawyer. In another case, the Equal Employment Opportunity Commission this year sued the Burlington Northern and Santa Fe Railway to end its practice of secretly testing workers for a genetic trait thought to be linked to carpal tunnel syndrome. The company was demanding a blood sample from employees filing workers' compensation claims for carpal tunnel. Not until one described the test to his wife, a nurse, did the reason became clear.

LITTLE RECOURSE. Of course, laws forbid discrimination against someone in the workplace or in obtaining consumer mortgage loans because of such things as a disability, handicap, or pregnancy. But a victim must first find out the reason for the firing or loan denial. Then, he or she has to sue or file a complaint with the EEOC, the Federal Trade Commission, or the U.S. Department of Housing and Urban Development--and come up with proof to support the allegation. People simply embarrassed because, say, their small-town pharmacist gossiped about a Viagra prescription have even less recourse. Absent a state law, they could be limited to complaining to the offender's professional licensing board.

For most of us, having a current or prospective employer find out about an embarrassing or expensive medical condition is the biggest worry. Large companies often self-insure, which means a health-plan administrator working down the hall from the boss may be reviewing employee claims for AIDS treatments and medications for depression. Terri Seargent of Wilmington, N.C., thinks that's how her boss found out about her genetic disease, Alpha 1 antitrypsin deficiency, which causes a progressive loss of lung function and forces sufferers to take expensive drugs. Her small company's in-house health-plan administrator, who was also in charge of accounting, noticed the cost of her medication. Two months later, Seargent was forced to resign. She filed a complaint with the EEOC, which issued a ruling in her favor. The company says she was fired for poor performance.

Even companies that don't do the paperwork often can find out what ails their workers. Sometimes, all an employer has to do is ask the insurer--which it pays--which employees are responsible for the leap in prescription drug use, says Robert Gellman, a privacy consultant in Washington. Mary Henderson, an executive with Kaiser-Permanente, the large health maintenance organization, says her company refuses to give information that would identify specific patients. "But it has always been a difficult conversation," she adds. "They're our customers. No one likes to say no to their customers."

BEFORE THE FIREWALL. The new law will make it clear insurers have to do just that. It will also require employers that process claims in-house to maintain a firewall between the benefits office and the rest of the company.

Until then, you can take some precautions on your own. You can pay your doctor for treatments out of your own pocket so there's no insurance claim report. You can then ask that details of certain ailments be omitted from your chart. To be extra safe, you could simply go to a doctor outside your managed-care plan. HMOs often demand access to participating physicians' files to evaluate their practices. Even when your insurer is paying, you can edit the authorization clause on your claim form to limit the information released to only that which is necessary to process the claim.

Despite fears of loose-lipped docs and cavalier insurers, patients themselves are probably the biggest source of leaks, says Beth Givens, director of the Privacy Rights Clearinghouse, a consumer group in San Diego. Companies such as Medical Marketing Service sell lists of consumers according to ailment--everything from Alzheimer's to yeast infections. Companies like Equifax and Experian--that's right, the credit agencies--gather the data.

And they say they get it from you, through surveys mailed to consumers. For the chance to win prizes or get coupons, millions of Americans provide their name, address--even phone number--along with a list of illnesses afflicting family members. Other marketing information is gleaned from forms filled out in return for free health screenings at malls. Even those little plastic cards shoppers use to get discounts at the grocery store can provide medical information if drugs or medications are purchased. Registering on a medical Web site, subscribing to a newsletter, or calling an 800 number equipped with number identification to ask about a drug can also land you on a marketer's list.

NEW DANGERS. Some disclosure is unavoidable. If you've ever applied for an individual life or disability insurance policy, you probably had to give the insurer authorization to obtain medical information. Even under the new privacy rules, insurers won't be restricted from sharing such records unless they are prohibited by state law or constrained because of a provision of the 1999 Gramm-Leach-Bliley Act that lets consumers opt out of some information sharing. Insurers routinely pool their data via MIB, a Boston-based company that serves as a central repository to cross-check information and look for fraud.

Meanwhile, passage of Gramm-Leach-Bliley, which allows banks, brokerages, and insurers to consolidate, has created new dangers. Now, the mortgage company reviewing your loan application may be an affiliate of the life insurance firm that knows you have cancer. Under the law, these merged financial institutions must allow customers to "opt out," or decide not to have their information shared with outside entities. But there is no provision allowing you to demand that information not be shared in-house. The risk that a bank will use health information from an affiliate to reject a loan application is real, says Thomas McInerney, chief executive of the U.S. financial-services arm of conglomerate ING Group. "As a consumer, you won't know. They'd just say, `You don't meet our underwriting criteria."' (Remember, you can limit disclosure to outside companies by returning those confusing opt-out notices you've been getting from financial institutions. Only a tiny percentage of consumers has done so thus far.)

Once the new privacy regulation is in force, you will have the right to see your medical file, and health providers must show you their privacy policy. Many will do so now if you ask. But the new regulation may lead to less medical privacy in the areas of marketing and law enforcement. The regulation specifically allows doctors, hospitals, and health insurers to use patient information for marketing purposes--and even to collect money to do so. It also allows providers to contract with outsiders to handle mailings, as long as the material clearly states your doctor was the source. Patients can say "no," but only after they have already been marketed to once by each provider.

In another twist, the regulation makes it clear providers can give your records to police without a subpoena or court order. Before, says Gellman, the Washington privacy expert, no federal law covered these situations, but many would have assumed such behavior was verboten and refrained.

In the end, the rule's biggest benefit may be to raise awareness--on all sides. In fact, Givens says one of the most important things you can do as a patient is make it clear to doctors and pharmacists how important discretion is to you. Ask how your medical information is handled and what privacy protections are in place. If the data is transmitted electronically, find out if it's encrypted. Last year, a hacker gained access to the records of 5,000 patients at the University of Washington Medical Center in Seattle, then released them to the media.

Become more careful yourself. Think before you give private information to someone other than a medical professional treating you. Put limitations on disclosure authorizations you sign. Opt out of financial information sharing. Learn what is protected under the laws of your state.

Remember, once a medical secret is out, you have no way to get it back.

By Carol Marie Cropper

    Before it's here, it's on the Bloomberg Terminal.