RATS! — My Lab Results Have Fallen Into the Wrong Hands

Written By Blair Koster

The secret pathways of medical test results and private health information.

How comfortable would you be if you had an electronic tablet on which you recorded your most private information—but then you discovered that secret databases, the Internet, vendors and marketing firms were compiling that data, and you had no way to stop the flow of information? A sci-fi nightmare? Not so much.

Decades ago, people went to the doctor for tests, and only the patient and the doctor shared that information. Today, test results and medical records are shared with multiple parties. There are benefits, such as insurance paying for treatment, researchers finding cures for diseases and public health authorities alerting people of contagious diseases. But many people are sharing their medical test results with invisible bedfellows. Because of the 1996 Health Insurance Portability and Accountability Act (HIPAA), people assume their individually identifiable health information is protected, but that’s not necessarily true. Keep reading to learn the many ways in which medical test information is shared and how to better protect yourself.

“Everybody’s record”
“Ownership is a terrible way to talk about health records,” says Robert Gellman, privacy and information policy consultant in Washington, D.C. “The lab keeps a copy of the test results, and they may be required to report to the state, and the doctor has a legal and ethical obligation to the record. The doctor owns the record.” Gellman says to think of medical test results—and health records—in terms of shared rights and responsibilities. “It’s everybody’s record.” In fact, he says the number of government and private institutions that can request and receive health records without your permission numbers in the tens of thousands. Health care operations do not require patient consent.

Williamsburg-based attorney Peter Mellette says that by Virginia law, the health care provider is the owner of the medical test record. “There is a right of disclosure to the individual with some limitations, for example, whether someone can receive information in a way that won’t trigger behavioral issues,” Mellette says. “It’s not a matter of preventing access
to information.”

The stupefying world of privacy legislation
But whom you share that information with isn’t so clear-cut. Privacy legislation is puzzling. In 2003, an amendment rescinded the 1996 HIPAA rule that required patient consent in “routine” cases involving payment, treatment and “health care operations.” This meant that patient permission was no longer needed for private records, which include test results, to be shared with doctors, dentists, hospitals, HMOs, insurance companies, billing firms and others.

Two years later, a judge and a U.S. Department of Justice lawyer were still trying to figure this out.

In her 2005 Philadelphia Inquirer article, Virginia A. Smith describes how a judge asked the government’s lawyer to “explain again, who, exactly, is entitled to see a patient’s private medical records under federal law.” The government’s lawyer hesitated. The judge sprang: “’If you’re not sure what the rights of patients are, how is Miss Williams down the street, at age 89, supposed to know?’” Finally, two judges worried aloud in court that “just about anything could be construed as payment, treatment and health care operations—and thus could be shared.”

The privacy secrets in the small print
The Gramm Leach Bliley (GLB) Act, which Congress passed in 1999, had significant ramifications for patient privacy. The law authorizes the widespread sharing of personal information by financial institutions such as banks, insurers and investment companies. In Daniel J. Solove and Paul M. Schwartz’s book, Privacy, Information, and Technology, the authors note that the act permits financial institutions that are joined together to share the “nonpublic personal information” that each affiliate possesses. Suppose an affiliate has access to a person’s medical information. That information could be shared with an affiliate bank that could then deny a person a loan. Although affiliates must disclose that they are sharing such information, there is no way for individuals to block it.

Similarly, you have to notify your insurance company that you want to opt out of sharing your personal information. The details are hidden in the fine print of your privacy policy.

Anthem Blue Cross Blue Shield did not return phone calls and failed to respond to e-mailed requests for an interview regarding ownership of medical test results and patient privacy. Aetna also failed to respond to phone and written inquiries.

Marcy E. Peek, assistant professor of law at Whittier Law School, argues in her October 2006 Seton Hall Law Review article, “Information Privacy and Corporate Power: Towards a Re-Imagination of Information Privacy Law,” that the GLB Act has done more to enable information sharing than to protect privacy: “Allowing customers the right to opt out of the trafficking of their personal information is explained in lengthy, legalistic privacy policies that most people throw away as just more junk mail.” Peek also argues that several laws claiming to protect privacy often “represent a façade of protection for consumers, keeping them complacent in the purported knowledge that someone is protecting their privacy interests.”

Electronic Medical Records (EMRs)
Since the passage of the American Recovery and Reinvestment Act of 2009, which allocated $19 billion to expedite the use of computerized medical records in doctors’ offices and hospitals, electronic medical records (EMRs) have become increasingly common. EMRs are closed systems kept by doctors’ practices, hospitals and networks, which have their own set of advantages.

Dr. Charles Frazier, vice president of Clinical Innovation for Riverside Health System, explains: “You can pull up the patient record immediately, view prescriptions and send them to the pharmacy; you can see all problems,
X-ray testing.” For Frazier, the technology allowed him to log into the EMR and treat a patient before going on a three-day vacation, enabling the patient to see a neurosurgeon while Frazier was away. The neurosurgeon, using the EMRs, had access to Frazier’s electronic notes and data about the patient.

“I can pull up in seconds which percentage of my diabetic patients has their blood sugar under control, when I saw them last and what medicines they are taking,” Frazier says of the benefits to EMR. “Before the EMR, this data was not readily available. Finally, the EMR expedites good medical care when the regular doctor is away. In earlier days, the doctor on call had no patient information.

Bert Reese, Sentara Healthcare’s senior vice president and chief information officer, also touts the benefits of EMRs. “With EMRs, you have a virtual world,” Reese says. “You and another doctor can both look at the record at the same time.”

Lynne Zultanky, director for Corporate Communications and Media Relations at Bon Secours Hampton Roads Health System, notes that with EMRs, a patient’s providers will have only one medical record, allowing access to all tests and medications. This permits all of a patient’s doctors, whether outpatient or in the hospital, to have the patient’s health information. Zultanky says this adds to patient safety, preventing repeat tests and ensuring that medications are documented to prevent medication interactions.

The electronic risks
Many privacy advocates decry the electronic storage of personal information, wary of too many prying eyes. In the Information Age, nothing can ever be absolutely secure, but many health care providers are doing their best. For example, Reese explains that Sentara Healthcare uses a secure network, encrypted data and an electronic tracking record of who views information. “We have terminated people who had no business viewing personal medical data,” he says. “In the old world, someone could walk out with your chart, and who would know? With the EMR, we can see exactly who has logged on.”

Riverside and Bon Secours also closely monitor EMR access. Riverside has firewalls and maintains the EMR database and encryption themselves. Zultanky notes that Bon Secours grants access to medical information based upon the person’s professional role and the “HIPAA minimum necessary standards.” An audit team monitors access and activity in Bon Secours’ EMR, ConnectCare.

One concern is that patient records are often stored on computer servers owned by outside companies, not the hospital or doctor’s office. But Zultanky notes that Bon Secours owns and manages ConnectCare. “The application is maintained on servers within the Bon Secours Health System Inc., enterprise data center, the network is private and access to the network and data center is restricted from the public Internet,” she explains.

In an e-mail to The Health Journal, Marion Swaim, Sentara’s vice president of Health Information Management, notes that Sentara owns its eCare system and stores patient records on servers at their data center. “The patient information is protected within the Sentara Information Technology Infrastructure in several ways: Firewalls secure the data, each user of eCare has a defined role and a unique password, and Sentara maintains policies that govern the use of protected health information,” Swaim writes.

The perils of personal health records
Increasingly, organizations are offering personal health records (PHRs) that allow patients to control their health data. PHRs are generally Internet-based and accessible to patients, allowing them to enter health data, summarize personal health information from different sources and control who views the data. In an e-mail to The Health Journal, Rachel Seeger, spokesperson for The Department of Health and Human Services Office for Civil Rights, states that “most vendors hired to create PHRs for a hospital system or maintain PHR software are largely covered under HIPAA.” This is because they are deemed business associates under federal law and therefore fall under HIPAA regulations.

It’s important to remember, however, that HIPAA applies to “covered entities” and not information—so people should be cautious of an online PHR that is not offered through a health care organization.

Pam Dixon, founder and executive director of the nonprofit public interest research group World Privacy Forum, says many PHRs, such as Google Health and Microsoft Health Vault, are not covered under HIPAA. Frank Dorman, Federal Trade Commission (FTC) spokesperson, says the FTC is not regulating vendors. Even more worrisome: these companies not covered under HIPAA are not federally liable for privacy or security.

“If you authorize a company that engages in advertising-supported activity (such as a PHR) to obtain your records,” warns Dixon on her Web site, “it is possible that your information could be used for marketing and shared with almost anyone. Once a marketer gets your health information, that information is ‘in the wild.’”

Dixon also warns of insurance companies seeking PHR records. Others interested in the records may be government investigators working on a security clearance, or an employer conducting a post-hiring review of health.

What about the Internet?
Thanks to the Internet, information that was once private is now in the public domain. HIPAA has not kept pace with the availability of information online, so personal information leaks can occur in subtle and insidious ways. According to Gellman, your test results can show up online, and even your social networking posts can be used against you. “Employers all over the world are using Facebook when making hiring decisions,” Gellman says.

Furthermore, if you subscribe to medical newsletters, such as a diabetes pamphlet, that information goes into the hands of marketers. Drug company Web sites that offer coupons collect information, and disease-specific Web sites track Internet users. If you have a blog or purchase over-the-counter medications with a store card, that information goes into the public domain. If you mail in a warranty for a medical-testing product, marketers can obtain your personal information. It is not protected by HIPAA.

The Pharmacy Benefit Manager (PBM) that tracks how much you pay through insurance knows a lot of information about prescriptions, and life insurance companies get their information from PBMs. “It’s quick, and they don’t have to wade through insurance company information,” Gellman says.

Finally, many physicians in large offices and hospitals are outsourcing their
coding services. “That information goes to third parties, such as coders in the Philippines. Good luck in enforcing HIPAA,” Gellman says.

Your information, sold to the highest bidder
With the human genome now sequenced, consumers are buying direct-to-consumer (DTC) genetic tests that claim the ability to predict disease risk. Buyer beware. In July 2010, the U.S. Government Accountability Office testified before the House of Representatives’ Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, about such deceptive marketing. The Food and Drug Administration (FDA) has cracked down on some firms, but upholds that  “a genetic test is only subject to FDA oversight if it is a medical device.”

Michelle Bolek, M.P.H., the FDA’s Office of Public Affairs spokesperson, said in an e-mail that there are currently no FDA-approved DTC genetic tests on the U.S. market. She says manufacturers of these products are often making unsubstantiated medical claims, and product safety has not been proven.

Many of these DTC companies are not covered under HIPAA. “Depending on the business model, it appears that in many cases the genetic testing company owns the results,” Bolek says. “Privacy of the consumers’ genetic information may be compromised if a DTC company decides to sell its database, for example, in the case of financial difficulties.”

According to Gellman, “If you have a genetic condition, people can figure out that your relatives do as well. Also, do you want to burden your child with the knowledge that they have a disease? There are people who have put their entire genetic sequence on the Internet. Is that something you really want in the public domain?”

Keeping information in the right hands
With loopholes in HIPAA and a patchwork system of controlling medical information, how can people protect the privacy of their medical test results? Mellette offers these suggestions: Limit the number of pharmacies you use, and under HIPAA, restrict who has access to your information. Also think about limiting the number of providers you use, and which vendors can access your information. “It always pays to read the fineprint [of privacy statements],” he says. That way, you can keep your dystopian medical nightmares from becoming real-life headaches.

 


Blair Koster: Blair Koster is a freelance writer with The Health Journal. She has worked for Boomer Magazine as well as the Richmond Times-Dispatch as a copywriter for four years. Her hobbies include hiking, camping, walking her spunky hound Abby, and reading.