By Robertson, Laurie
The Saturday Evening Post , Vol. 280, No. 3
The electronic medical record (EMIR) has gotten a lot of press over the past few years. In fact, President Bush and others--usually insurers and other private organizations rather than consumer groups--have made a national goal of converting all health records to electronic form.
The promise? No less than improved healthcare for all. A comprehensive database of patient records accessible by physicians and hospitals across the country would, in theory, reduce medical errors, allow patients to better manage their own care, reduce healthcare costs by, for instance, streamlining billing and avoiding duplicate tests, and even improve research and public health by making available (nonidentifiable) patient information.
This rosy picture has some potentially ugly blotches, though: Often missing from conversations about these exciting plans is a meaningful exploration of the security of all that sensitive data. Existing privacy laws are a patchwork of confusing exceptions and don't necessarily provide consumers with the level of protection they might expect. Even today, with most patients' medical histories still residing in a hodgepodge of paper and computer formats in a variety of different healthcare facilities, physicians and hospitals aren't the only ones accessing your records, and you may not like the ways in which the information in them is being used.
Furthermore, depending on who you ask, the number of data breaches--instances in which individuals' information, sometimes including sensitive health information, was lost, stolen, or inadvertently disclosed--ranges from 212 million to more than 272 million since 2005. It's often impossible to know what, if anything, has been done with that information, and what short- and long-term consequences people may suffer as a result. The organization involved may not even be aware that a loss has occurred.
FINDING THE SOURCE
The vast majority of inadvertent data breaches don't occur in your local doctor's office. A much bigger problem may be patients disclosing their own information without fully realizing they're doing so. "People think that if they give their medical information to this Web site or to that company, it'll be treated the same way their doctor would treat it," explains Pam Dixon, executive director of the World Privacy Forum. "This is how consumers' medical information gets abused."
Why on earth would any of us voluntarily reveal our most private details to an organization we know nothing about? "The biggest misconception that consumers have is that privacy travels with the information," says Dixon. In truth, "the privacy only resides at the business"--assuming that the business is what's called a HIPAA-covered entity.
The Health Insurance Portability and Accountability Act (HIPAA) was designed to protect patients' rights, including the privacy and security of their medical records. Most doctors' offices and hospitals are considered "covered entities" under this federal medical privacy law. However, "the definition of what is covered can be very tricky," says Dixon. To find out whether it's safe to disclose your information to a particular business, ask, in writing, if it's HIPAA-covered. "And not HIPAA-compliant," Dixon notes, "HIPAA-covered. The key word is covered."
Organizations that fall outside the scope of HIPAA--and therefore aren't bound by its rules--but still collect consumers' information include personal health record (PHR) companies, which allow patients to maintain copies of their own medical files, and even pharmaceutical-supported Web sites. Have you ever searched for information on a medical condition or taken a survey about your experience with an illness or a drug used to treat it? Did you register with your name and e-mail address to receive updates or maybe a newsletter on the condition? If so, your personal medical information has entered what Dixon refers to as "the bloodstream of marketing. …