The new threat to your medical privacy

A national system of electronic medical records could easily save your life. And it could also jeopardize the security of your personal health information.
Let’s say you have a heart attack. You could be swooshing down the water slide at Walt Disney World’s Typhoon Lagoon, teeing off at the 16th hole at Pebble Beach, or raking leaves in your backyard.
Your odds of survival would soar because the emergency-room computer would let the doctor on duty connect to the Internet, type in a password, and with a few clicks, view your medical history. He could see your most recent test and lab results, a list of your allergies, and all your medications. With all that information, he could begin treating you immediately.
That scenario is not science fiction. The federal government is fostering the creation of a national system of electronic health records (EHRs) under the leadership of David Brailer, a 46-year-old physician and former software company CEO who is now at the U.S. Department of Health and Human Services. His charge: to help build the National Health Information Network, which will electronically connect all patients’ records to health-care providers, insurers, pharmacies, labs, and claims processors by 2009.
The network’s potential to save money, to make medical care more efficient, and to lower the incidence of deadly drug reactions and interactions has spurred state government agencies, foundations, HMOs, PPOs, and hospital chains to develop their own electronic records systems, some of which are already up and running. “Electronic health records will reengineer health care in a way that will save thousands of lives and billions of dollars,” Brailer says.
But troubling questions come with the promises. Will such private information be safeguarded from marketers who might want to sell you a new drug to treat your asthma, or from fund-raisers who target you because the diagnosis of your new disease might encourage you to contribute?
Could computer hackers or pranksters release the information onto the Internet, where your co-workers could learn, say, that you are being treated for alcoholism? Might your record become available to potential employers or lenders who decide that you’re not healthy enough to perform the job or handle a 30-year mortgage? And will you be able to control who has access to or find out who has viewed your medical records?
Brailer says that consumers will be able to see their records and correct errors (assuming that they can decipher the medical gobbledygook). But the cost to consumers remains unclear. Brailer initially told us that consumers will pay an access fee. But he later said that access would be free. Jim Pyles, a Washington, D.C., constitutional lawyer and privacy expert, objects. “There is no reason there should be access to your records without your consent unless required by law or your life is in jeopardy,” he says, “and you certainly should not have to pay for access to your own information.”

What rights you are signing away at the doctor’s office
Chances are that in the last few years, you’ve been asked to endorse dozens of so-called privacy agreements while sitting
in doctors’ waiting rooms. Under the provisions of the Health Insurance Portability and Accountability Act (HIPAA), health-care
providers have the right to share your data for several purposes: to treat you, which means, for example, they may discuss
your case and send data about you to a radiologist about which ankle to X-ray; to process your insurance claim; and to respond
to requests from public-health authorities, law enforcement, and your employer if you were hurt at work.
All of that seems reasonable, but you might not realize that HIPAA also allows health-care providers to share information
with health-care business associates. So notes from your psychotherapy session may be given to your insurers’ employees for
“training purposes.” And don’t forget about fund-raisers. For example, the agreement of Michael Bermant, a plastic surgeon
in Chester, Va., says, “We may use or disclose your demographic information and the dates that you received treatment from
us in order to contact you for fund-raising activities supported by our office.”
Unfortunately, HIPAA does not give you the right to opt out in most cases, and the agreements can change at any time. But
there are ways to guard the shreds that are left of your medical privacy:
• Read notices of privacy practices carefully. If you do not understand something in the notice, ask questions. Your doctor
may agree to keep personal or very embarrassing information out of your record as long as its absence will not negatively
affect the quality of your care or your health.
• You do not have to sign the forms. Unfortunately, refusing to do so will not change the offices’ ability to share your information.
The notice is not a contract; it is merely a mandated disclosure form to prove that you were informed in writing about how
your data may be shared.
• HIPAA gives you the right to request that your health-care provider or your health plan restrict uses or disclosures of
your medical information. For example, you may say that you do not wish to receive fund-raising materials, a right that is
noted in Bermant’s notice. The provider or plan, however, is not obligated to agree to the restriction, which Bermant’s agreement
also notes. But if the provider or plan does agree to the restriction, which Bermant’s office says it does, it must abide
by that agreement, except in emergencies. Your request will probably have to be made in writing. The provider’s or plan’s
office will then let you know whether it has decided to abide by your wishes.