When it comes to matters of personal privacy, medical records can be thought of as the Holy Grail. To most of us, there's probably nothing higher on the list of things to keep private and secure. We simply don't want the world to know about our medical conditions, or treatments we're undergoing.
Medical records may also contain other information best kept private and secure. Social security numbers and financial information are good examples. Because of the personal nature of these records and the wealth of information they contain, there are federal and state laws that protect your privacy. But just how private are they?
Late in 2009, some incidents were reported that may make you wonder just how private your medical records really are:
Health Net, a managed health care company, is based in Delaware but provides health benefits to approximately 6.6 million people across the US. In May 2009 a computer disk containing medical and financial information of over 400,000 customers was discovered missing from its Connecticut office. It's assumed the data was stolen.
In December 2009, Health Net informed state and federal authorities about the theft. The company also began mailing letters to affected customers. The letters told them about the security breach, assured them that the information was encrypted and not easily accessible to the thieves, and offered free identity theft and credit protection from May 2009 through December 2011.
The disk contained customer information from 2002 to mid-2009. An investigation undertaken by the company determined that the disk drive included basic patient information, like social security numbers, as well as protected health and financial information.
Records Revealed in Court
Aurora Health Care, Inc., a health care provider based in Wisconsin, has been sued by a number of its customer-patients because their medical records were disclosed. How? Sometimes doctors file for bankruptcy protection when they can't afford to keep their doors open. When this happens, a doctor may owe money to a health care provider, like Aurora.
Aurora files claims in bankruptcy court to try to recover the money owed to it by doctors who file for bankruptcy. The patients' lawsuit alleges that the company revealed their personal medical information when it filed those claims. Bankruptcy court records are public records and are open to anyone who cares to look at them.
The patients are asking that their medical information be removed from the court files, and they're also asking for $25,000 each as damages for the breach of their privacy.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the primary federal law that protects the privacy of medical records and information. It covers medical records that are kept, stored, and transmitted electronically by health care providers like your doctor, and health plans like your insurance carrier.
HIPAA covers all information about your mental and physical health, including your past treatments or conditions, future treatment plans, and even information about how you pay for medical care. HIPAA also covers identifying information, such as your name, address, telephone number and social security number. Generally, HIPAA requires your consent and authorization before your medical records and information can be disclosed to practically anyone, but there are some exceptions.
Most states have laws protecting medical records, too. In fact, some state laws are stricter than HIPAA. For example, some states, like Wisconsin, allow individual patients, such as customers of Aurora Health Care, to sue anyone who wrongfully discloses their medical information.
Here are some things you can do to protect your privacy before there's a breach of security:
- At least once a year, ask to review the HIPAA statement and disclosure form that your doctor is required to have in your records
- Also at least once per year, review the information in your doctor's medical files, and contact your insurance company and ask about any medical information they may have on file
- Discuss with your doctor any specific conditions or treatment that you don't want to be disclosed to anyone under any circumstances, and give him a written request that the information not be shared or disclosed
- Ask your health care provider and insurance company about their privacy policies and the security measures they take to protect your records
If you've been the victim of a security breach, or if you have a good reason to believe your information has been disclosed wrongfully:
- File a complaint with the U.S. Department of Health and Human Services (HHS) or with your state's attorney general
- Contact an attorney or check the laws in your state to see what legal options you have, if any
- Consider enrolling in an identity theft and/or credit card protection plan. If you've been contacted by a provider about a breach, it's likely the provider will offer these services free of charge. Don't hesitate to accept the offer
It's reasonable to expect that your medical records will be kept private. Unfortunately, mistakes happen or thieves prevail and information falls into the wrong hands. You can protect yourself by being vigilant and taking proactive steps.
Questions for Your Attorney
- My medical information was stolen from my insurance company, but it's not offering to pay for identity theft and/or credit card protection. Is there any way I can get it to pay? If not, are the costs tax deductible?
- Can my former employer tell my new employer about any medical information it has in my personnel file?
- Are medical records held by my child's school covered by HIPAA?