Bankrate.com Archives
 

Private medical information isn't so private -- Page 2

Doctors, hospitals, medical labs, health plans and companies that transmit health-care information electronically are all covered by HIPAA. But there are many companies that deal with health-care information outside of these health-care providers and health plans that aren't covered by HIPAA, according to the Privacy Rights Clearinghouse. These include:

  • Researchers who get medical records directly from health-care providers
  • Life insurance companies
  • Auto insurance companies that provide medical benefits
  • Law enforcement bureaus and agencies
  • Workers' compensation bureaus
  • Health-care entities and personnel who collect data you give for voluntary surveys, research projects and free health screenings
  • The Medical Information Bureau, or MIB, which provides consumers' medical information to insurance companies.

While HIPAA provides that only the information minimally necessary to accomplish a particular purpose be disclosed, you have no say in regard to what is minimally necessary; that's up to the health-care provider. The minimally necessary standard doesn't apply if you consent to the release of your medical records. So, if you authorize release of your records to a specialist for the treatment of a particular disease or illness, that doctor and his staff will have access to your entire medical record.

    Significant loopholes
    There are areas outside of HIPAA where your medical information could be disclosed. For example, some online pharmacies -- particularly those operating outside the United States and Canada -- don't have privacy policies and, because they aren't based in the United States, aren't bound by HIPAA.

    Mark Hochhauser, a consultant in Minnesota, conducted a survey of online pharmacies for the Privacy Rights Clearinghouse. He found that of 50 online pharmacies surveyed in July 2004, only 11 had privacy policies.

    "The implications are startling," he says of his findings. "You have no idea who will get your medical information or your credit card numbers. It is hard to know where this data winds up, whether it will be rented or sold to half a dozen other companies or organizations or indeed if these pharmacies are even in the U.S."

    Daniel Solove, author of "The Digital Person: Technology and Privacy in the Information Age," warns consumers to be careful about what information they post online about themselves. Many health-care Web sites have message boards where people with diseases or illnesses can post messages to each other or inform relatives and friends about their treatment. Unfortunately, these aren't covered by HIPAA, and there is no way to know who is looking at this information. It could be your employer, your neighbors or others.

    "Be very careful about what health-care disclosures you make that are attached to your name on medical Web sites," Solove, a law professor at George Washington University, says. "Be careful about what information you give out about yourself. There is a lot of good information and tools on the Web, but it's better to be anonymous when posting private information about yourself."

    If you are behind on your health-care bills, information about the health-care providers that you owe money to could be included in your credit report. For example, if you owe money to Dr. X's Oncology Clinic, your creditors, employers, potential employers and anyone with access to your credit report could learn that you are seeing an oncologist.

    HIPAA & the USA Patriot Act
    Under provisions of HIPAA and the USA Patriot Act, local, state and federal law enforcement authorities can obtain your confidential medical information without your consent. According to the American Civil Liberties Union, or ACLU, the Patriot Act's powers allow the director of the Federal Bureau of Investigation to get a court order to produce information on any person, if it is part of an investigation connected to terrorism. This includes medical records from health-care providers, pharmacies, research facilities and health-information clearinghouses.

    In addition, law enforcement personnel can get medical information about someone without a warrant under certain circumstances, including for the purpose of identifying or locating a suspect, witness, or missing person or fugitive, according to the ACLU. So the police could just say that you are a suspect and get your medical records, even if the records have no direct bearing on what you are accused of doing.

    Solove is troubled by the ease of access that law enforcement agencies potentially have to private medical information. "One of the biggest shortcomings in current medical records privacy law is the provision that law enforcement can get access to medical records as long as the information is relevant to an investigation," he says. "That is a very low standard. Law enforcement doesn't need to demonstrate probable cause, just relevance."

    Lack of enforcement
    HIPAA was passed by Congress in 1996, but it took years to write regulations and for them to become effective. Most health-care providers came under HIPAA provisions in April of 2003.

    While HIPAA rules were written by Clinton administration officials, enforcement is up to the current administration, many members of which are less than enthusiastic about it, according to Peter Swire, a law professor at the Ohio State University Law School, who was a Clinton administration official and instrumental in writing the HIPAA regulations.

    Of the 13,000 complaints filed under HIPAA, only one case has actually been successfully prosecuted by the federal Department of Health and Human Services, or HHS, the only entity allowed to bring cases under this law. Consumers don't have the right to file suits under HIPAA, but must file complaints with HHS and then rely on it for enforcement.

    Under a recently released ruling from the federal Department of Justice, virtually all employees of companies covered by HIPAA aren't liable for prosecution under HIPAA; only the companies and other organizations themselves can be prosecuted. Swire says that since companies can't go to jail, the option of criminal sanctions for violations of HIPAA won't happen.

    This new ruling, coupled with the fact that HHS has only brought one case under HIPAA, means the law isn't being enforced. "Basically, there is zero enforcement, and this new ruling effectively stops criminal enforcement," Swire says. "I think it is unfair to patients and unfair to the many medical providers who work hard to follow the rules and then get the message from the government that the rules don't need to be followed."

    Despite the lack of enforcement, HIPAA is still valuable, Swire says. "HIPAA has raised awareness within the health-care system that providers must pay attention to privacy," he says.

    So what is the ultimate effect of the lack of privacy with medical information? For many people, the impact isn't that significant, says Gellman.

    "For the most part, the average person doesn't know about any of these activities that go on with their medical records and doesn't suffer harm," he says. "But if your medical records are seen by people you know, you could suffer some harm in the form of gossip or something bigger."

     
     
    -- Posted: Aug. 30, 2005
       

     

     
     

     
