I don’t like the HIPAA law. I believe it’s been singularly useless to consumers whose information has been breached because it typically provides for no consequences that are meaningful in terms of maximum pain financially or otherwise to organizations that breach your privacy (because of the difficulties in meeting the standards required to impose more serious consequences on breaching individuals or organizations) and because there is NO REMEDY for individuals under HIPAA.
In fact few if any individuals have been successful in obtaining financial compensation for breaches of their medical information because proving “DAMAGES” is difficult even when there is a state law that provides a cause of action for identity theft.
But when it comes to our so-called protected health information, the situation is even worse. If you go to the HHS.gov website’s information on, “How do HIPAA authorizations apply to an electronic health information exchange environment?” http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/554.html , you’ll find that our basic rights are not great.
“HIPAA Privacy Rule requires the individual’s written authorization for any use or disclosure of protected health information (PHI) not otherwise expressly permitted or required by the Privacy Rule. For example, authorizations are not generally required to disclose PHI for treatment, payment, or health care operations purposes because covered entities are permitted to use and disclose PHI for such purposes, with few exceptions.” (http://www.hhs.gov/ocr/privacy/hipaa/faq/health_information_technology/554.html)
Sort of leaves you asking exactly where does your privacy kick in.
In the August 5, 2014 article, “Two Insurers to Pool Medical Records in California, Blue Shield of California, WellPoint Unit to Include 9 Million Plan Members in Health-Information Exchange,” http://online.wsj.com/articles/two-insurers-to-pool-medical-records-in-california-1407211305?mod=WSJ_LatestHeadlines, you’ll find one instance where individuals WILL have the opportunity to CHOOSE to OPT-IN or OPT-Out.
The article describes how two INSURANCE COMPANIES (Blue Shield and Well Point’s Anthem Blue Cross are setting up Cal Index, are setting up an exchange that will allow patients’ records to be shared. It’s important for consumers to know that in this context, patients DO have the right to opt-in and opt-out. BUT opt-in is AUTOMATIC SO PATIENTS MUST OPT-OUT. ,” http://online.wsj.com/articles/two-insurers-to-pool-medical-records-in-california-1407211305?mod=WSJ_LatestHeadlines
The article also explains that by opting into sharing their patient information that there is one group who initially will NOT have access to the patient records, the patients themselves. “Patients initially won't be able to see their own records but should get that ability later, the insurers said.” http://online.wsj.com/articles/two-insurers-to-pool-medical-records-in-california-1407211305?mod=WSJ_LatestHeadlines. (The article notes that only 15% of HIEs “let” patients to view their own data).
Marketing has been fairly effective in this area, with less attention to the money opportunities for business of these exchanges and more emphasis on the “benefits” to consumers, using the frequently cited scare tactic… (see if you can guess the argument in favor of to test the marketing success of the campaigns) The proponents for HIEs (health information exchanges) say, “[E]mergency physicians could quickly access the medical history of a comatose accident victim.”
But this article is a little more honest than many informing us of the real motivation, to “make it easier for doctors to track what care patients get from other providers, as well as prescriptions and other services, and potentially cut out waste and duplication, the companies said.” (http://online.wsj.com/articles/two-insurers-to-pool-medical-records-in-california-1407211305?mod=WSJ_LatestHeadlines).
I LIKE the Opt-In Opt-Out formula even with its skew in favor of opting in as the default choice (if you don’t opt out). I think patients should have it for ALL their health information. Why? Here’s my take.
First, HIPAA does NOT provide adequate protection to patients whose health information is breached. You can read more about this in my post, “The Privacy Illusion: HIPAA April 2014,” http://conoutofconsumer.blogspot.com/2014/06/the-privacy-illusion-hipaa-april-2014.html, where I cite the government’s HIPAA statistics.
Second, because of the increase in medical identity theft in healthcare, (“The Rise of Medical Identity Theft in Healthcare,” by Michael Ollove, 2/7/2014, as published in Kaiser Health News, 2/7/14, http://www.kaiserhealthnews.org/stories/2014/february/07/rise-of-indentity-theft.aspx.
The article cites instances where imposters use another person’s medical records to obtain medical services AND that “…the imposter left behind a medical history in his victim’s name.” So now a person’s health care records would include SOMEONE ELSE’S medical status. Clearly a threat to health and safety.
This threat is also discussed in “Healthcare IT News,” in an article from 9/12/2013, “Medical Identity theft hits growth phase,” http://www.healthcareitnews.com/news/medical-identity-theft-numbers-grow. The article states, “Some 1.84 million people in the U.S. are currently affected by medical identity theft…” In addition to the cost, Larry Ponemon of the Ponemon Institute identifies the health risks to patients, “Because your medical file could change on blood type, on allergy, on previous procedures."
In the face of such documented and tremendous risks to patient privacy, I believe that our OPT-IN, OPT-OUT option should cover ALL of our medical information. Naturally, even before health information exchanges, many of us had to sign away meaningful privacy in order to gain insurance coverage (look at your claims forms that provide for information sharing with insurance companies) but further weakening such protections seems all wrong, especially when it’s being “sold” to consumers as a way of improving their health safety and care.
