Free Republic

Health Information Privacy - extensive patient healthcare data sharing done without any consent.
patientprivacyrights.org | 01/21/2015 | Dr. Peel MD

Posted on 01/21/2015 9:40:35 AM PST by MarchonDC09122009

This thread is intended to provide awareness that all of our healthcare patient PHI data (personal healthcare information), medical records, prescriptions, etc. is increasingly shared among hundreds of thousands of healthcare entities that are exempt from HIPAA PHI distribution restrictions. You are not permitted to opt out via a consent form. Cash payment for healthcare services is also frequently recorded, as well. This is a 2+ Billion dollar a year business that is largely unregulated. Healthcare records have huge repercussions that can impact an individual's ability to attain employment and insurance. Healthcare records also influence government and law enforcement action. Many healthcare experts are alarmed at how extensive and out of control healthcare data sharing has become, and urge citizen action to enact government regulation to limit the practice. We need to discuss this and get Congress to address this. For more info, see: http://patientprivacyrights.org/ http://thedatamap.org/

More information to come.


TOPICS: Business/Economy; Government; News/Current Events
KEYWORDS: healthcare; hipaa; patient; privacy

1 posted on 01/21/2015 9:40:35 AM PST by MarchonDC09122009

To: MarchonDC09122009

from: http://patientprivacyrights.org/
FAQs
Basic Health Privacy FAQ’s

What information can be found in my health record?
Who has access to my health records?
“Can my personal health information be used and disclosed without any notice to me or without my informed consent at the time of treatment?”
Can my insurer or employer get my medical records without my permission?
What is a “self-insured employer”?
I thought I signed a Privacy Notice at my doctor’s office giving consent to use my information. What’s in that Privacy Notice?
What is a “Covered Entity”?
Can I prevent my doctor from reporting a certain procedure to my insurance company?
Are my prescriptions private?

Q: What information can be found in my health record?
A: A health record is created any time you see a health professional such as a doctor, nurse, dentist, chiropractor, or psychiatrist. You could find the following in your health record:

Your medical history and your family’s medical history
Labs and x-rays
Medications prescribed
Alcohol use and sexual activity
Details about your lifestyle (smoking, exercise, recreational drug use, high-risk sports, stress levels)
Doctor/nurse notes
Results of operations and procedures
Genetic testing
Research participation
Any information you provide on applications for disability, life or accidental insurance with private insurers or government programs
Driver’s License
Social Security Number
Financial information such as credit cards and payment info

Q. Who has access to my health records?
A. Many more people than you would ever want, including people outside the health care industry.

Insurance companies
Government agencies especially if you receive Medicare, Medicaid, SCHIP, SSI, Workers Comp or any local, state or federal assistance
Employers
Banks, Financial Institutions
Researchers
If you are involved in a court case, your health records can be subpoenaed and available to the public
Marketers
Drug companies
Data miners
Transcribers in and outside the U.S.
Many health websites collect information about you

Q: Can my personal health information be used and disclosed without any notice to me or without my informed consent at the time of treatment?
A: Yes.

The Amended HIPAA Privacy Rule states only that you must receive a Privacy Notice telling you how your personal health information will be used and disclosed. Section 164.520(c) (2) (i) (A).
Privacy Notices are often mistaken for consent forms, but they are simply notices telling you what will happen to your medical records.
Example: information about a depressed person’s attempted suicide and hospitalization can be used and disclosed without any notice to him/her without his/her consent and even if he/she objects.

Q: Can my insurer or employer get my health records without my permission?
A: Yes.

The Amended HIPAA Privacy Rule gives health plans and self-insured employers broad authority (“regulatory permission”) to get information without consent that is far more extensive than is needed for billing or any other reason related to a specific individual’s health care. Other uses for which health plans and employers are authorized to obtain, use and disclose an individual’s health information without consent include:

Due diligence in connection with the sale or transfer of assets;
Certain types of marketing;
Business planning and development;
Business management and general administrative activities; and
Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance. Section 164.501

Example: A depressed person’s health plan or employer would have regulatory permission from the federal government to obtain the information about his/her attempted suicide and hospitalization without his/her knowledge or consent if the information was needed for any of the above business purposes, as well as for treatment or payment.

Even more disturbing, the Amended Rule would authorize the individual’s health plan or employer to use and disclose that information even if the suicide attempt and hospitalization occurred before the Amended Privacy Rule went into effect on April 14, 2003.

Q. What is a “self-insured employer”?
A. A self-insured employer does not contract with an insurance company to insure their employees. Instead they have enough employees to do their own risk pooling like an insurance company would. These employers are called “Self-Insured.” During the past couple of decades, the number of employers who have become self-insured has increased dramatically, starting with large employers and spreading to those with fewer employees. Some examples of self-insured employers are: Walmart, Microsoft and IBM.

Q: I thought I signed a Privacy Notice at my doctor’s office giving consent to use my information. What’s in that Privacy Notice?
A: Those are not “consent forms” but a list of the ways in which your doctor or provider may use or share your information.

“Covered entities” are required to provide notice to individuals of the uses and disclosures of identifiable health information that may be made under the Amended HIPAA Privacy Rule as well as the rights of the individual and legal duties of covered entities. Section 164.520 (a). These notices are called Privacy Notices.

Covered entities must “make a good faith effort” to obtain written acknowledgement of receipt by the individual of the Privacy Notice. Section 164.520(c) (2) (ii). When you sign those notices you are only acknowledging that you’ve received a copy of the many ways your provider may use your information.

Privacy Notices are likely to be lengthy, because HIPAA authorizes so many broad uses and disclosures of identifiable health information. Unfortunately, your rights are quite short. You cannot REQUIRE anything of your provider. You can only make REQUESTS.

These are NOT consent forms. You no longer have the “right of consent” with the Amended Rules, effective April 2003.

Q: What is a “covered entity”?
A: According to the amended HIPAA Privacy Rule, a “covered entity” is a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

Over 4 million businesses, corporations, government agencies, professionals, and individuals handle personal health information (PHI) electronically and therefore must comply with the HIPAA Privacy Rule.

Consultations between direct and indirect treatment providers are expressly permitted under the Original Rule. 65 Fed. Reg. at 82,510. The Amended Rule did not change this permission.

Q: Can I prevent my doctor from reporting a certain procedure to my insurance company?
A: No. The Amended HIPAA Privacy Rule does not provide any method for an individual to prevent any procedure, treatment, medical test, or prescription from being reported to his/her insurance company.

This is because the Amended Rule provides regulatory permission for the individual’s insurance company to obtain virtually any personal health information from an individual’s doctor as long as they can assert that they need it for treatment, payment or health care operations.
Even if the individual asks the doctor to not report the procedure, the doctor need not agree. Any medical treatment can be reported over the individual’s objections.
Even health information about procedures paid for privately can be reported. The original Privacy Rule stated that information about procedures paid for out of pocket would not be disclosed, but that statement was in the context of a discussion of the right of consent which was included in the original Rule but repealed in the Amended Rule. See 65 Fed. Reg. at 82,512.
Since the Amended Rule allows for the use and disclosure without consent of personal health information for the insurance company’s business operations, clearly such information can be used and disclosed regardless of whether the individual paid out-of-pocket.
Example: a depressed patient could not prevent the health information about his/her hospitalization from being reported by his physician to his insurance company.

Q. Are my prescriptions private?
A. No. All 51,000 pharmacies in the U.S. are wired for data mining. You cannot keep your prescriptions private, even if you pay cash. Selling prescription records is a multi-billion dollar a year industry: In 2006 IMS Health reported revenues of $2 Billion for selling prescription records (that’s just one company!).

Not ONE DIME of the billions in annual revenues goes to help a single sick person.

HIPAA Related FAQ’s

What is HIPAA?
How did the Amended HIPAA Rule eliminate my right to medical privacy?
Will drug companies be able to find out what medications I take for marketing purposes?
Will drug companies be able to find out about my health problems and market new medications or disease management programs to me?
Will the rule prevent me from picking up a spouse’s or neighbor’s prescriptions?
If a friend of mine loses consciousness and I take him to the emergency room, will the physician be able to tell me what’s going on?
If I lose consciousness and am taken to an emergency room in Alaska, will the physician be able to access my electronic medical records?
Do the rules allow teenagers to keep their medical information secret from their parents?
Will I be able to find out whether a friend or relative is in the hospital?
Can hospital employees see my medical records?

Q: What is HIPAA?
A: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a 1500 page complex set of rules enacted by Congress which began as a “portability act” to help individuals keep their health insurance coverage as they moved from one job to another. HIPAA evolved to include much more than portability, to cover medical privacy and the use of information technology to transfer your medical records.

Q: How did the Amended HIPAA Rule eliminate my right to medical privacy?
A: It eliminated the traditional rights and expectations of individuals not to have their personal health information used or disclosed without their consent.

See our webpage: HIPAA, the Intent v. the Reality.

In place of upholding our privacy rights, HIPAA only gives us the right to “request” restrictions on the use and disclosure of our personal identifiable health information.

It does NOT guarantee that we can restrict who can see and use our medical records. Section 164.522(a) (1). The new Rule is quite specific that “a covered entity is not required to agree to a restriction” requested by an individual. Section 164.522(a) (1) (ii). Accordingly, the “right to restrict” is really a “right to beg” for restrictions.

Covered entities will have a disincentive to grant requests for restrictions on use and disclosure because, if they agree, they must abide by those agreements and then could be sued for violating the agreements. Section 164.522(a)(iii)

Further, covered entities, such as physicians and other direct treatment providers, are unlikely to be able to enter into such agreements even if they wanted to, because such agreements will conflict with policies and procedures imposed by health insurers who require the full disclosure of all health information regardless of the individual’s wishes.

The demands of health insurers will be very difficult for physicians to oppose since insurers were granted “regulatory permission” by the federal government to use and disclose our personal health information for all “routine” purposes.

Example: It is unlikely that a depressed person would have the presence of mind, after having attempted suicide, to ask the hospital and physicians to restrict the use and disclosure of his/her health information. It is likely that a depressed person, like most other Americans, would assume that their medical records would never be used or disclosed without his/her consent. (This is a “common belief” among citizens today, according to the original Rule. 65 Fed. Reg. at 82,472.)

Even if a depressed person had requested that the use and disclosure of his/her sensitive medical treatment records be restricted, the hospital and physicians would have been under no obligation to agree to any such restriction.

Q: Will drug companies be able to find out what medications I take for marketing purposes?
A: Yes. Marketing that is health related and done on behalf of a covered entity is permitted under the Amended Privacy Rule. Section 164.501.

Example: The Amended Rule permits drug companies to conduct unlimited marketing of drugs and other health related items to patients for an unlimited period of time without their permission (and even over their objections) as long as the marketing is conducted on behalf of a covered entity like a pharmacy or health plan. If you take Prozac, you could get samples of Wellbutrin in the mail without your doctor’s knowledge or permission.

Q: Will drug companies be able to find out about my health problems and market new medications or disease management programs to me?
A: Yes. The Amended Rule provides regulatory permission for pharmacies to obtain virtually any information about an individual without his knowledge or consent if they can assert that they need the information for treatment, payment or health care operations.

The pharmacy may then disclose the health information to any drug company (or any other entity) that “performs or assists in the performance of a function or activity involving the use or disclosure of identifiable health information” on behalf of the pharmacy. Section 160.103

Example: A depressed patient’s pharmacy can obtain the information about his/her depression and attempted suicide and disclose it to a drug company if it is in the context of some “function or activity” performed by the drug company for the pharmacy.

Q: Will the rule prevent me from picking up a spouse’s or neighbor’s prescriptions?
A: No. Pharmacies are supposed to make sure the person picking up the prescription was actually sent by the patient.

The Original Privacy Rule allows others to pick up patient prescriptions with written consent. In cases where written consent could not be obtained, such as where the pharmacy did not have a prior relationship with the individual, others could pick up prescriptions if the individual’s consent was “clearly inferred from the circumstances”. 65 Fed. Reg. at 82,810.

Q: If a friend of mine loses consciousness and I take him to the emergency room, will the physician be able to tell me what’s going on?
A: Yes. This information is available under either the Original Rule or the Amended Rule. The difference, however, is that it would appear to be disclosable under the Amended Rule regardless of the patient’s wishes.

For example, if two people got into a fist fight and one was knocked unconscious, he would be unable to prevent the person he was fighting with from finding out about his condition under the Amended Rule.

Q: If I lose consciousness and am taken to an emergency room in Alaska, will the physician be able to access my electronic medical records?
A: Yes. Your electronic medical records will be used and disclosed in emergency situations to save your life.

This falls under “routine purposes”. However, your electronic medical records will also be used and disclosed to an unlimited number of covered entities for all “routine” purposes without your knowledge or consent, purposes that have nothing to do with your medical care or with emergencies.

How would you like:

a pharmacist to read your mental health records?
your dentist to read about your breast cancer?
an accounting clerk to read about your sexual orientation or that you have a sexually transmitted disease?
a medical records clerk in Pakistan to transcribe your identifiable information, such as social security number and address?

Those are all “routine” and legally permitted uses of your personal health information under the Amended HIPAA Privacy Rule.

Q: Do the rules allow teenagers to keep their medical information secret from their parents?
A: No. Not unless stronger state laws exist. The Amended Rule eliminates any right that teenagers have to keep their health information private from their parents unless state law prohibits such disclosures. Section 164.502(g) (3).

This is a change from the Original Rule which would have permitted teenagers to exercise their right to privacy with respect to their parents if state law permitted them to consent to medical treatment without a parent’s approval. 65 Fed. Reg. at 82,806

As with uses and disclosures of health information for routine purposes, this change in the Amended Rule reverses the presumption that teenagers have a right to medical privacy where the state recognizes a right of consent to treatment, and replaces it with a presumption that teenagers have no right to medical privacy unless it is expressly granted by state law. Here again, the individuals’ rights to medical privacy are curtailed by the Amended Rule.

Example: a 17 year old girl would not be able to obtain a clinical test to determine whether she had contracted a venereal disease without having the results of the test disclosable to her parents under the Amended Rule. The likely result is that the test will not be requested, the diagnosis will not be made, and the parents may never be grandparents, if the infection causes sterility.

Q: Will I be able to find out whether a friend or relative is in the hospital?
A: Yes. Hospitals can give out basic information — generally a one-word description of the person’s condition, sometimes a room number — to callers asking about a patient by name. However, the hospital must give the individual an opportunity to object to certain “directory” information being given out. Section 164.510(a).

Q: Can hospital employees see my medical records?
A: Yes. The Amended Rule permits an unlimited number of hospital employees to have access to an unlimited amount of health information about you without your knowledge or consent as long as they can say they reviewed the information for purposes of treatment, payment or health care operations.

Example 1: “A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital’s employees. (The Boston Globe, August 1, 2000)”. 65 Fed. Reg. at 82,467

Example 2: A hospitalized depressed patient can rely on the fact that, under the Amended Rule, countless individuals employed by the hospital, the hospital’s “business associates” (including lawyers, accountants and consultants), employees of the physician practices from whom he received treatment, and employees of the pharmacies where he had prescriptions filled (and their business associates) will all have access to the health information concerning his/her attempted suicide and hospitalization for an indeterminate period into the future. This individual would have to live in a very large city in order for his attempted suicide and hospitalization to not become common knowledge in the community.

Under the Amended Rule, he/she has the opportunity to feel “violated” each day for the rest of his/her life simply because he/she sought desperately needed health care. One can only imagine the effect this will have on his/her depression.

What You Can Do FAQ’s

How can I protect the privacy of my health records?
What can I do if I think my medical privacy has been violated?
How can I prove that my medical privacy was violated?
Should I have a copy of my medical records?

Q: How can I protect the privacy of my health records?
A: Check out Patient Privacy Rights Toolkit. You can also read additional suggestions from Privacy Rights Clearinghouse.

Q: What can I do if I think my medical privacy has been violated?
A: You have the right to complain to the U.S. Dept. of Health and Human Services (HHS). You can also contact Congress.

Unless you can cite a law in your state that gives you the right to sue whoever violated your privacy, your only option is complaining to HHS. HHS investigates all complaints and reports any potentially illegal violations to the Dept of Justice (DOJ) for further investigation. DOJ may file charges on your behalf.

To date, more than 30,000 medical privacy complaints have been made to HHS. Only a handful of complaints were sent on to DOJ, because the vast majority of violations were found to be legal uses and disclosures of medical records as defined by HIPAA. (i.e., “routine” uses).

The DOJ has charged, prosecuted, and obtained a conviction of only one privacy violator to date. The case was one of identity theft based on identifiable information found in someone’s medical records.

We also encourage you to contact your elected officials. If you’d like, Patient Privacy Rights will send a joint letter to your Congressman with a copy of your complaint.

Q: How can I prove that my medical privacy was violated?
A: Under the Amended Rule, it will be virtually impossible for an individual to know when his privacy is violated, as no “audit trails” are required of the unlimited disclosures the Privacy Rule allows to covered entities.

Since identifiable health information can be used and disclosed for all “routine” purposes without the individual’s knowledge or consent, the individual will not know when or to whom most disclosures are made. Further, since the Amended Rule provides “regulatory permission” for most uses and disclosures, very few such uses and disclosures will be “unauthorized”.

Example: Consider the burden that a depressed patient would have to bear in order to show that a violation of his/her rights under the Amended Rule has occurred.

He/she would first have to find out, without any notice, that a use or disclosure of his attempted suicide and hospitalization has occurred.
He/she would have to find out, without any accounting or audit trail, which entity improperly disclosed this information.
He/she would have to overcome any contention by the disclosing entity that the information was needed for treatment, payment or health care operations.
If the disclosure was for one of those “routine” purposes, he would have to show that the information disclosed was more than the “minimum necessary” amount of information for that purpose (the Amended Rule states that covered entities are to make this determination for themselves “based on their own assessments of what protected health information is reasonably necessary for a particular purpose”).
He/she would have to convince the Office of Civil Rights within the Department of Health and Human Services to launch an investigation.

Q: Should I have a copy of my medical records?
A: You might want them if you’re switching doctors, seeking a second opinion or have complicated health problems, applying for a job, credit, or insurance.

Some patients may want to check for errors, much like they would a credit report.
Also, the information in your medical records can directly affect your ability to get life insurance, employment, promotions, credit, loans, and health insurance.

The Medical Information Bureau (MIB) is a central database of medical information shared by insurance companies. The information contained in a typical MIB record is limited to codes for specific medical conditions and lifestyle choices. If you have ever had health insurance, the MIB has a file on you and you can request a free copy of your record once/year. They will report to you:

The nature and substance of information, if any, that MIB may have in its consumer files pertaining to you;
The name(s) of the MIB member companies, if any, that reported information to MIB; and,
The name(s) of the MIB member companies, if any, that received a copy of your MIB consumer file during the twelve (12) month period preceding your request for disclosure.
Go to: http://www.mib.com/html/request_your_record.html or call MIB’s toll-free number for disclosure: 866-692-6901 (TTY 866-346-3642 for hearing impaired)


2 posted on 01/21/2015 9:45:51 AM PST by MarchonDC09122009 (When is our next march on DC? When have we had enough?)

To: MarchonDC09122009

From http://thedatamap.org/
Harvard Medical derived map of extensive healthcare data sharing entities.


3 posted on 01/21/2015 9:48:43 AM PST by MarchonDC09122009 (When is our next march on DC? When have we had enough?)

To: MarchonDC09122009

So, you trade your privacy for your access to Obamscare. They have to make money from somewhere, since no one is paying for it.


4 posted on 01/21/2015 9:52:45 AM PST by txrefugee

To: MarchonDC09122009

.


5 posted on 01/21/2015 10:04:57 AM PST by loungitude (The truth hurts.)

To: MarchonDC09122009
Here's a graphic of how everyone's healthcare data is currently shared among 880,000 HC entities. http://thedatamap.org/
6 posted on 01/21/2015 10:43:05 AM PST by MarchonDC09122009 (When is our next march on DC? When have we had enough?)

To: MarchonDC09122009

See related healthcare privacy thread:
http://freerepublic.com/focus/f-news/3249165/posts

Everyone needs to make public comment if you oppose 37 Fed agencies sharing your data in their “Collect, Share, Use” program. Comment period ends: 02/06/2015.

http://www.healthit.gov/policy-researchers-implementers/strategic-plan-comment

Also see: http://patientprivacyrights.org/what-you-can-do-faqs/


7 posted on 01/21/2015 11:18:54 AM PST by MarchonDC09122009 (When is our next march on DC? When have we had enough?)
