Tuesday, April 8, 2008

It seems medical records are as good a read for celebrity-watchers as a tabloid.

UCLA Medical Center announced this week that it fired an employee who peeked into the private medical files of California first lady Maria Shriver, actress and cancer patient Farrah Fawcett, and 31 other high-profile patients.

The breach, which occurred more than a year ago, was at the same medical center where several employees were recently fired and suspended, reportedly for snooping in pop star Britney Spears’ file.

If the files of the rich and famous can be easily tapped, what about those of regular patients?

Granted, US Weekly might not be interested in the details of the Average Joe’s gallbladder, but it brings up the question of who is able to look at health records and what they can do with that information.

The answers: A lot of parties can see your records, and the information can wind up all over the place, the gossip column notwithstanding.

In the computer age, everything from your blood pressure reading to risky health behavior history may be stored in your file. That makes it easy for health care workers to access a wealth of patient information, but it may also be easy for all sorts of individuals and companies to know private details as well.

Part of the problem is in the move to electronic records. These systems simplify and streamline record keeping, but security standards are still being worked out.

“There is good and bad about electronic records,” says Robert Gellman, a District-based privacy consultant. “There is a lot of promise about medicine going to electronic records. Those who are promoting it talk about its appeal to consumers. But the principal beneficiaries are the health care organization, research facilities and insurance companies.”

Once the information is in the hands of those large companies, its final destination is limitless. That is because institutions such as law enforcement, life insurance companies and researchers are not covered under the federal government’s Health Insurance Portability and Accountability Act (HIPAA).

Could that personal medical information end up in the hands of potential employers? What about banks, who may turn you down for a 30-year mortgage if they know you have a potentially fatal condition? Say you have an unpaid medical bill on your credit report; might the information about what treatment you received be available?

All of these are possibilities, says Mr. Gellman.

“Saying that medical records are private is really cheap rhetoric,” he says. “The truth is that they are widely circulated among institutions because that is the kind of system we have.”

Mr. Gellman says the problem begins with HIPAA, which went into effect in all 50 states in 2003. The good news under HIPAA is that doctors are required by the law to give you a privacy statement, which states how your medical information may be used and your rights to file a complaint with the U.S. Department of Health and Human Services’ Office of Civil Rights. Patients also have the right to see an accounting of who is accessing their records.

Now the bad.

Your consent is not needed if your medical information is used or disclosed for treatment, payment, or health care operations. Your records can be disclosed without authorization to pharmaceutical companies if they need to recall a part or replace a medication.

And even though you have the right to file a complaint, you do not have the right to sue if you feel your privacy has been violated.

“The privacy policy is your protection,” says Pam Dixon, executive director of the World Privacy Forum, a California-based public interest research group. “But that is one flimsy piece of protection. Doctors have access to the information. They need that access. However, more can be done to limit who sees what files.”

Both Mr. Gellman and Ms. Dixon point out that there are many limits that need to be clarified under HIPAA. One example: a patient’s rights to obtain an accounting of who is accessing their records. The facility has to let you know who has seen your records from outside the organization, but not within the organization.

“Let’s say you are in a hospital to have surgery,” says Mr. Gellman. “The number of people who see your records could be in the thousands. Doctors, nurses, pharmacists, interns, dieticians, billing staff. Multiply that by two or three shifts over a number of days. So if you get an accounting of who is in your records, what are you going to be able to do with that?”

In the celebrity cases, HIPAA and high-tech security can’t trump human curiosity, says Mr. Gellman.

“I am sure celebrity records are flagged ‘only to be looked at by people providing care,’ ” he says. “It is irresistible to some people. Hospitals fire people, yet [snooping] seems to happen with some regularity. That is why some celebrities go into the hospital under an assumed name.”

Geoff Brown, senior vice president and chief information officer for Inova Health Systems, says Inova, like most large health care facilities, has a number of security tools in place to ensure patient privacy.

When physicians log in to access records, a security code is beamed to a personal device, says Mr. Brown. This not only records who is gaining access, but ensures that passwords are not being shared. Information going to outside companies is encrypted to make sure it does not fall into the wrong hands. High-profile patients are given a special designation, says Mr. Brown.

“They get a code,” he says. “We are able to track all movements on their records.”

Codes can’t compensate for gossip, though. There isn’t a government regulation to prevent a hospital staffer from saying “Hey, guess who is a patient on my floor?” to their friends and family.

For a regular patient, medical information might not be newsworthy, but employee access and gossip could make for an embarrassing situation. Mr. Gellman says this is a particular problem in small communities.

“The more people who see those records — even those who see them with consent — the better chance someone is going to know something about you,” says Mr. Gellman. “There is a real risk that a co-worker, a neighbor or a relative could get that information.”

Joy Pritts, founding director of the Center for Medical Rights and Privacy at Georgetown University’s Health Policy Institute, says this is why many who work in health care seek treatment at a different facility.

“If you have concerns about people who work in your doctor’s office, you might want to rethink if that is where you want to get your health care,” she says. “This type of breach is most common.”

Copyright © 2022 The Washington Times, LLC.