Junkfood Science: Myth of medical record privacy

November 21, 2007

Myth of medical record privacy

You know those HIPAA (Health Insurance Portability and Accountability Act) Notice of Privacy Practices papers we sign at the doctor’s office or hospital that appear to be reassuring us that the privacy of our personal health information is protected?

We’ve frequently examined how HIPAA protects that privacy much less than many consumers believe — whether from the prying eyes of people without a need to know or from being misused. But anytime we have an opportunity to see the reality of HIPAA for ourselves and expose the myths surrounding this law, it shouldn’t be missed. Dr. Maurice Bernstein, M.D., at Bio Ethics Discussion gives us just such a valuable opportunity.

In a shocking article, “Your Medical Prescription: Who Gets to See it?”, he reveals who can legally learn all about the medications that have been prescribed for us and about our medical conditions — without our permission. Electronic pharmacy records have made it easy, and it’s all legal under HIPAA. Whether it’s ethical is another issue....

He reproduces the CVS Pharmacy Privacy Policy (you can pull up the one for your state using the drop-down menu), which says: “Our pharmacy staff is required to protect the confidentiality of your PHI [personal health information] and will disclose your PHI to a person other than you or your personal representative only when permitted under federal or state law.” His article and this policy are worth reading in their entirety. Here is just a sampling of what the HIPAA law allows:

How We May Use and Disclose Your PHI Without Your Permission

...We may contact you to provide treatment-related services, such as refill reminders, treatment alternatives (e.g., available generic products), and other health related benefits and services that may be of interest to you. We may contact your insurer, payor, or other agent and share your PHI with that entity to determine whether it will pay for your prescription and the payment amount....

We are permitted under federal and applicable state law to use or disclose your PHI without your permission to:

Business associates: We provide some services through other companies termed “business associates.” ....

We may disclose your PHI to a friend, personal representative, or family member involved in your medical care....

If you are a minor, we may release your PHI to your parents or legal guardians when we are permitted or required under federal and applicable state law....

We may disclose your PHI to the extent authorized and necessary to comply with laws relating to worker’s compensation or similar [benefit] programs....

We may disclose your PHI for law enforcement purposes...

If you are involved in a lawsuit or a legal dispute, we may disclose your PHI in response to a court or administrative order, subpoena, discovery request, or other lawful process....

Public health: We may disclose your PHI to federal, state, or local authorities, or other entities charged with preventing or controlling disease, injury, or disability for public health activities. [JFS has examined government databases for identifying people with diabetes and who are HIV positive, for example.] ...

Health oversight activities: We may disclose your PHI to an oversight agency for activities authorized by law. These oversight activities include audits, investigations, and inspections, as necessary for our licensure and for government monitoring of the health care system, government programs, and compliance with federal and applicable state law....

Under federal law, we are required to disclose your PHI to the U.S. Department of Health and Human Services to determine if we are in compliance with federal laws and regulations regarding the privacy of health information. [As JFS has examined, the HHS is developing policies now on how it can collect, use and sell our electronic medical records for secondary uses]...

Research: Under certain circumstances, we may use or disclose your PHI for research purposes.....

Military and veterans: If you are a member of the armed forces, we may release your PHI as required by military command authorities. We may also release PHI about foreign military personnel to the appropriate military authority....

National security and intelligence activities: We may release your PHI to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law....

Protective services for the President and others: We may disclose your PHI to authorized federal officials so that they may provide protection to the President, other authorized persons, or foreign heads of state, or conduct special investigations.

Pretty vague and all-encompassing, isn’t it? This is why it is so critical to safeguard our medical records and educate ourselves on what government agencies are doing in their efforts towards a nationalized electronic health database.
