Medical Record Privacy Violations

Private Records Made Public

Written by Joseph Carducci
Posted June 6, 2013 at 4:21PM

Your medical and health care records and information may not be nearly as private as you would like to think.

In fact, there are major companies looking to buy this information in an effort to better target their marketing information to prospective customers. Records are currently being collected by data clearing houses, retail pharmacies, marketing companies, and even employers in many instances.

In many cases, medical data is even more valuable than a social security number, as Dr. Deborah Peel explained to Fox Business. Identity thieves can typically buy (or steal) social security numbers for as little as a dollar each, she said. On the other hand, medical records can often be bought online with considerably less effort for around $20 each.

A recent audit of 115 health care providers and insurers showed that most of these institutions failed to comply with the federal rules, regulations, and guidelines regarding medical record privacy. This audit, conducted by the Health and Human Services Agency, also indicates that many of these health care providers and insurers are unaware of the rules.

Why Medical Records Are No Longer Private

The main reason that medical records are no longer private is money. This industry is predicted to be worth more than $10 billion by the year 2020. The primary driver of this growth is the new ObamaCare legislation. This legislation even mandates that electronic medical records be kept, updated, and maintained, along with data sharing policies.

Some of the largest buyers of medical records and data are WebMD Health Corp. (NASDAQ: WBMD), IMS Health Inc, and OptumInsight – a division of UnitedHealth Group (NYSE: UNH). These companies use this data in an effort to better understand costs, prescription drug use, and even help the pharmaceutical industry better tailor their advertisements to both doctors and patients. With over $10.5 billion spent on advertising last year by drug companies, it is easy to see that this is big business.

Even assuming these types of businesses and organizations handle this information in a responsible and proper way, there are still numerous other problems. First of all, this information is currently very easy to obtain. A number of states actually outright sell their medical record databases to anyone who can come up with the $150-200 or so that they charge.

What would happen if this information fell into the wrong hands? Perhaps this information could be used for blackmail purposes? Or for discrimination against people with certain types of conditions?

States Selling Hospital Records

A number of different states are currently selling their hospital and other medical records. This includes Washington, Arizona, Tennessee, New York, and New Jersey...and this may be only the tip of the iceberg. Despite the fact that this information is supposed to be kept private, it is being added to public record databases, many of which can either be accessed free of charge or simply purchased outright.

Personally identifiable information is supposed to be removed or redacted from the records before they go into the public databases. However, several journalists and researchers have demonstrated that with even just a little bit of knowledge about someone, one can fairly easily connect the person to his or her specific medical records and other information.

Washington state, for example, has a database of 650,000 hospitalizations for 2011, and a recent investigation was able to connect specific subjects to their actual medical records.

Why is this occurring? The states have an exemption from federal regulations in regard to hospital discharge information. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 as an effort to help institute some privacy rules and regulations. Unfortunately, these rules did not apply across the board; instead they affect only health care providers, insurers, billing and claims processors, and their contractors.

The IRS Gets into the Fray 

If this were not bad enough, the IRS has also had some recent failings when it comes to medical records violations. It is actually now facing a class action lawsuit claiming that it stole over 60 million medical records during a 2011 action. According to the lawsuit, the IRS was executing a search warrant for financial data of a former employee.

These records contained medical information for over 10 million American citizens, including all of the California state judges. This included some very private information such as gynecological testing, psychological treatment, and more that could be embarrassing and even damaging if it were to be publicly released. 

These records were taken without any type of search warrant or other legal reason for doing so. None of those 10 million people were under any type of investigation, civil or criminal. There were IT personnel on the scene and a HIPAA warning on the building, and company executives warned the 15 IRS agents who executed the search that this was private and privileged information that they had no right to take. 

The records were searched and seized without any attempt to segregate what they were actually looking for from other private information. This is just another example of an overreaching government agency thinking it is above the law. Hopefully, justice wins out in the end as a result of this lawsuit.

Fighting Back? 

Of course, this all begs the question of what can be done to fight back against this apparent lack of real privacy in our medical records. The first thing you can do is at least get an idea of who has actually accessed your medical records. Under HIPAA, citizens do have the right to find out who has accessed their medical records for the past six years.

But as with any other federal laws aimed at privacy, there are a number of exceptions to this. You will not be able to see a listing of those who accessed your records in the name of treatment, payment, or health care operations (called TPO). Also, other incidental disclosures permitted under HIPAA do not need to be disclosed.

Unfortunately, at the present time, this may be the best we can do. In other words, simply understand the situation better. Since most states have exemptions under HIPAA, filing lawsuits and complaints is really pointless.

This is a complicated problem with many competing interests. Perhaps the best that can be done right now is to simply stay informed and look for whatever opportunities present themselves. 

