by Jeffrey Morgan

The ACA and the death of medical privacy

Aug 02, 2016
Electronic Health Records | Healthcare Industry | IT Leadership

Do you read privacy policies and medical release forms? You should. Your medical privacy is disappearing rapidly.


I’m not signing this

I never sign medical release forms anymore. That’s because I read them. These forms tend to be lengthy documents that ultimately state that your medical records can be shared with just about everyone on the planet.

Don’t believe me? Here’s the first paragraph of a 2,000-word explanation of how PHI (protected health information) can be used by a nationally recognized pediatric provider:

Quality Improvement Activities: Information may be shared to improve the quality or cost of care. For example, your PHI may be reviewed by XXX XXX or outside agencies to evaluate and improve the quality of care and services we provide.

Outside agencies? Are you kidding me? Why would you sign that release?

Three can keep a secret if two of them are dead

Maybe I’m just an old-fashioned Luddite, but I prefer to be treated by a doctor rather than a corporation. A private practitioner who has a personal relationship with me is much more likely to take steps to ensure my privacy. Once those records are on a corporate network, my chances of privacy are considerably diminished. If my records are accessible to a RHIO (regional health information organization), the probability that I have medical privacy is near zero.

The problem isn’t necessarily one of policy or procedure; it’s one of human behavior. Clerks and bureaucrats at Giga Health Services or the RHIO don’t know me and aren’t likely to care if my records are released to someone who shouldn’t see them. Their pockets are too deep for me to sue, and chances are I would never even know whether my information had been inappropriately or illegally disclosed.

Opt-out programs are a privacy abomination

In the cases where I have refused to sign releases, I was at least presented with the option to opt in based on informed consent. Opt-out programs are far more insidious, and I know of at least one DSRIP (Delivery System Reform Incentive Payment) program in New York that is using opt-out as the basis for its privacy policy. The most vulnerable behavioral health clients, some of whom are paranoid or unable to understand the impenetrable legal jargon, will receive letters in the mail with an opt-out form to sign and return. If they don’t return the form, they have automatically agreed to the release of their medical information. Does that constitute informed consent? Will they understand it? Will they even open the letter?

Providers, CIOs, mental health directors, public health directors, and consumers should all be campaigning against the erosion of privacy that results from extensive sharing of health information. Instead, they are drinking the Kool-Aid and rolling over.

The Affordable Care Act has exacerbated the problem considerably, and I read all too much from healthcare IT industry pundits about the need for increased sharing of information and more “visibility.” This is all rationalized by dubious claims about saving lives and “improving outcomes.”

We’re all team players

In county and municipal government, it is often the case that consumers getting public or mental health treatment may also be involved with other departments, including social services, law enforcement, the court system and probation.

“We’re all on the same team, we’re all county employees. Why not show us what’s in those records?” asks the sheriff. The correct response from health officials should be “Get a subpoena, prepare to show cause, and we’ll see you in court, buddy!” Unfortunately, a common response is “Sure, let’s have a look. We’re all team players here.”


I know what you’re thinking. “Those people might be criminals! They wouldn’t do that with my records.” Yes they will. Even worse, you might be saying “I have nothing to hide. I don’t care who sees the information.” Not everyone would feel the same way, and many public figures have refused to release their medical records and even their academic records.

Once we begin to get cavalier about disclosure of PHI and other personal information, we are way past the slippery slope stage. We’re already rolling down the mountain in an avalanche. Redisclosure is governed by federal and state law, and the problem isn’t restricted to local government entities. State and federal law enforcement and intelligence officials are likely to be granted access to PHI and all sorts of other personal information as well, without any of the legal protections that should be in place.

What’s the role of IT in protecting privacy?

CIOs should be playing a greater role in protecting privacy, but very few IT professionals have had any training on the subject. How many IT people do you know who are familiar with 42 CFR Part 2 (the federal confidentiality rules for substance use disorder treatment records)?

There are so many questions. What happens when IT directors receive subpoenas to produce protected information? Would they fight, or comply? Would they have any idea how to respond? And what if your SaaS vendor receives the subpoena directly, bypassing the professionals who would know how to respond? Is that scenario addressed in your contract? Extensive training in privacy should be part of the tool set of every IT professional, but this is not currently the case.

So, next time you go to the hospital, read the release and privacy policy before you sign it. Let’s all opt out together!