Imagine for a moment that you’re former President Bill Clinton. Sure, you can think of all the perks, privileges, rights and responsibilities given you. It’s a nice thing to imagine, isn’t it?
But remember that time in September 2004 when you had heart surgery? According to a story by Bob Sullivan on MSNBC.com, “17 hospital employees – including a doctor – peeked at the former president’s health care records out of curiosity.” Not all of those health care workers were working on his case. They should NOT have looked at his records.
And if you’re Bill Clinton, 17 more people on this planet know some very personal things about you, things you would probably have liked to have remained private.
In fact, since you’re Bill Clinton, you probably thought your health records for your surgery would be kept private and available only to those health care workers who had a direct connection to your care and an explicit need to look at your records. Because, after all, it was during your presidential administration that the Health Insurance Portability and Accountability Act (HIPAA) became law.
Ah, the irony.
A little background on HIPAA and what it means to you and your health records.
According to the Privacy Rights Clearinghouse, HIPAA was passed by Congress in 1996
"to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address growing public concern about privacy and security of personal health data. The task of writing rules on privacy eventually fell to the U.S. Department of Health and Human Services (HHS). After several modifications, DHHS issued the HIPAA Privacy Rule".
Note the phrase “electronic transfers of health data.” Paper records are not covered by HIPAA.
The Clearinghouse, in language that shows it’s not exactly gung-ho about HIPAA, goes on to state:
"If you expect HIPAA to restore your confidence that sensitive medical data is a matter between you and your doctor, you will be disappointed. HIPAA sets the standard for privacy in the electronic age where health industry, government, and public interests often prevail over the patient's desire for confidentiality."
The Clearinghouse continues about the HIPAA Privacy Rule:
"Health care providers are covered if they transmit health information electronically. Even a doctor in a small practice who keeps only paper records will almost certainly use a billing service that transmits information electronically. In short, it is nearly impossible to provide health care today without using electronic means in some way."
Electronic medical records are not all bad, of course. Having one’s records accessible online can save lives. Just ask Richard Peck, a 65-year-old Florida resident. His story, featured in the “Patient Stories” section at Ending the Document Game, tells of the time he suffered a heart attack, yet the ambulance workers and his ER doctor were able to access the medical records his family physician had placed online. Having access to the records so quickly probably saved his life.
Health care providers, privacy rights and consumer rights organizations and others have proposed some solutions to electronic health records privacy and access. Maxwell J. Melman, J.D., director of the Law-Medicine Center at Case Western University School of Law, posits at the website The Doctor Will See You Now that "the basic solutions that are being proposed are, first, to require record makers and keepers to implement a set of technical steps to protect the security of medical records and, second, to impose penalties on makers and keepers of records who release them for unauthorized or inappropriate purposes.
Technical steps being touted include unique patient and access identifiers; "audit trails," which are electronic methods of detecting and recording the identities of anyone who accesses a record; encryption of external transmissions of record information; appointment of internal information security officers with responsibility to police record-keeping practices; and "firewalls," which are electronic barriers that isolate records systems from unauthorized access or penetration."
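The audit-trail control mentioned above, as an added example (not from the original article or any source it quotes): a review of an access log that flags staff who opened a record without being on that patient's care team. The log format, staff ids, patient ids and care-team table are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data: care-team assignments (patient id -> staff ids).
CARE_TEAM = {
    "P-1001": {"dr_adams", "rn_baker"},
    "P-2002": {"dr_chen"},
}

# Constructed audit-trail export: timestamp, staff id, patient id, action.
AUDIT_LOG = """\
2024-01-15T08:15:00,dr_adams,P-1001,view
2024-01-15T09:02:00,rn_baker,P-1001,update
2024-01-15T11:40:00,clerk_diaz,P-1001,view
2024-01-15T11:55:00,dr_evans,P-1001,view
2024-01-15T12:10:00,clerk_diaz,P-1001,view
2024-01-15T13:30:00,dr_chen,P-2002,view
"""

def parse_audit_log(text):
    """Parse audit lines into dicts, rejecting rows with the wrong field count."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != 4:
            raise ValueError(f"malformed audit row: {row!r}")
        ts, staff, patient, action = (field.strip() for field in row)
        events.append({"ts": ts, "staff": staff, "patient": patient, "action": action})
    return events

def flag_unassigned_access(events, care_team):
    """Return events whose staff member is not on the patient's care team.
    A patient with no care-team entry has every access flagged (fail closed)."""
    return [e for e in events if e["staff"] not in care_team.get(e["patient"], set())]

def unassigned_viewers_by_patient(flagged):
    """Group flagged events: patient id -> sorted distinct staff ids."""
    grouped = defaultdict(set)
    for e in flagged:
        grouped[e["patient"]].add(e["staff"])
    return {patient: sorted(staff) for patient, staff in grouped.items()}

if __name__ == "__main__":
    flagged = flag_unassigned_access(parse_audit_log(AUDIT_LOG), CARE_TEAM)
    for patient, staff in unassigned_viewers_by_patient(flagged).items():
        print(f"{patient}: {len(staff)} staff outside care team: {', '.join(staff)}")
```

A flagged access is a lead for a privacy officer to review rather than proof of misuse, since emergency or covering staff may have a legitimate reason that the assignment table does not record.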
So what should you do?
Meanwhile, what does this all mean for you and me, since the age of electronic records of all types – banking, medical, educational – is here and there’s no going back to the days of paper filed in boxes in your bank, your doc’s office and your alma mater’s basement?
It means we become aware. And vigilant. And activists when it comes to our records. The Clearinghouse also has some tips, regarding HIPAA, including “educate yourself;” “talk to your provider about your concerns;” “make your choices about restrictions on authorizations known, and refuse to sign any you are not comfortable with,” as well as:
"Exercise your right to obtain a copy of your medical records. Make sure information is accurate. Request that incorrect information be corrected or amended. Keep in mind, your health care provider has the final word on changes and amendments to health records"
Yet the Clearinghouse also recommends that we:
"Keep a personal health record. This may include copies of your medical files and other information related to your health such as diet and exercise programs. For more on keeping a personal health file, see the PRC's Alert www.privacyrights.org/ar/keepmedfile.htm and the American Health Information Management Association resources on personal health files: www.myphr.com/what/index.asp."
Having patients’ medical records online brings a wealth of opportunity – opportunity for improved patient care as it becomes easier to access a patient’s records from anywhere. Yet with that wealth of opportunity comes responsibility – the responsibility of patients, care providers and the builders of the systems that create the online records and their security systems to oversee and monitor the privacy of those records.
If you were Bill Clinton, you’d expect nothing less.
Original written by J. Henshaw. Last modified: 10 September 2008