It is perfectly legal to share patients' medical records. Some are wondering why.
John knows how easy it is for medical secrets to "leak" out of the doctor's office. He has AIDS. John did not tell his employer - someone else did. The employer had a contract with a large pharmacy to provide services to its employees. As part of this arrangement, the pharmacy routinely sent the employer a list of employees and the drugs they were taking. John was taking Retrovir, a drug prescribed only for patients with AIDS.
"This was a gross invasion of privacy," asserts Clifford Boardman, a civil rights attorney from Philadelphia who represented John. "There is no doubt that this could happen to anyone. These pharmacy benefit managers have exercised no effort to ensure that privacy is protected." He explained that pharmacies use monthly reports as a marketing tool to sell their services. "Employers are buying the privacy of their employees," claims Boardman.
Unfortunately, John is not alone. A 1993 Harris poll revealed that over a quarter of Americans believed that health information about them had been improperly disclosed. Patients' medical records, which contain sensitive personal information - such as mental health history, past drug use, genetic predisposition to diseases, sexual orientation and sexually transmitted diseases - are being fed into computer data bases, faxed, e-mailed, shared with other health professionals and researchers, and even sold. And with few exceptions, this is perfectly legal.
There are plenty of legitimate reasons to share and store medical information that benefit the patient, the community and the advancement of medical research. Reading the medical records of women who have had mammograms for the past 20 years, for example, can help researchers to determine and improve the effectiveness of mammography. "We will never get the answers to medical questions if we cannot use the medical record as a research tool," claims Don Parsons, a surgeon and associate medical director for government relations at Kaiser Permanente. Our public health system also relies on data collection to identify and control communicable diseases. The quandary is determining the "legitimate" reasons.
At the core of this privacy issue is the advance of computer technology available for storing and sending medical information, and an increased demand for information from managed care organizations, insurers and self-insured employers. Medical records that were once locked in a cabinet in the doctor's office or the basement of the hospital are now stored byte by byte in large computer data bases. This raises concerns that medical secrets can be easily accessed, copied and distributed. The evolution of the Internet also has changed the rules, with hospitals and doctors contemplating storing patient files on the World Wide Web. Sure, there are safeguards to protect information once it has been digitized - such as encryption, voice activation, notepads, authorization codes and special coded cards - but most can be undone by the click of a hacker's mouse. And many of the cases where records were obtained unlawfully involve insiders - those who have the passwords but use them inappropriately, such as the Colorado medical student who sold patient files to malpractice lawyers and the Maryland Medicaid clerks who sold beneficiaries' profiles to HMO recruiters.
Managed care organizations, which today cover more people than traditional insurers, demand more medical information from physicians than ever before, for paying claims and performing utilization reviews and quality assurance. The Hippocratic oath compels physicians to keep any information divulged by a patient confidential. You may trust your physician and believe that he or she is taking every measure necessary to ensure your privacy, but it is a daunting task. Physicians are bombarded with requests from health plans and insurers for your …