USA Today

Most patients assume that what they tell their doctor is confidential. But it might not be.

Blame the loss of privacy on the Internet or on the growing use of computer records. Blame it on cost-conscious managed-care insurance companies that demand justification for treatment. Blame it on a desire to reduce medical errors.

Just don’t assume that no one knows about your health except you.

“In many respects, the battle for health privacy has already been lost,” says Robert Gellman, a Washington, D.C., privacy consultant and member of the National Committee on Vital and Health Statistics.

“Of all the records about you that are maintained by third parties, health records are the most widely circulated,” says Gellman, “more than financial records, school records, even video rental records.”

Although that’s long been true, patient advocates now fear the growing use of computerized medical records compounds the loss of medical privacy.

“Once you put the medical record in a computer, it can wind up anywhere,” says HMO industry critic Jamie Court of Consumers for Quality Care. “That’s the direction we’re going and it’s frightening, especially when you talk about genetic information.”

The recent cyberattacks on such high-profile Internet sites as Yahoo and Amazon highlight the concern: If hackers can disrupt major players in the e-commerce world, how safe is your doctor’s Web site?

Properly encrypted and password protected, it might be safer than paper files left lying on a counter or in a storeroom, say some advocates. But sometimes things go wrong.

In February, for example, medical records on several thousand patients at the University of Michigan Medical Center were inadvertently placed on the Internet, where they sat for two months. A student doing an online search discovered the files, which included names, addresses, Social Security numbers and other data. The site was promptly shut down.

“I’m certainly not happy about it,” Cary Johnson told the Associated Press. Her 2-year-old son’s record was on the site. “I guess technology is helping us to do some things and hurting us in other ways.”

Even before medical records went online, patient information was anything but private. Some patients have learned that the hard way:

* An HIV-positive Pennsylvania man employed by a state transit agency sued in 1995 after the agency learned of his condition through a review of prescription drug records. A federal appeals court ruled against him. The court’s decision said that since the employer paid for the drug plan, it had a right to see the information.

* An Atlanta truck driver lost his job in early 1998 after his employer learned from an insurance company that he had sought treatment for drinking problems.

* Following a state review of a doctor in Kentucky, an investigator called one patient’s employer — the FBI — to say the man was being treated for depression. As a result, the FBI took the employee’s gun away and ordered him to undergo a two-day psychiatric exam, which found him fit for duty.

Access to records

Researchers, public health officials, police and others can get medical records. Apply for life insurance and your health problems might go on file at the Medical Information Bureau, an insurance industry clearinghouse with files on more than 15 million Americans and Canadians.

Insurers often demand detailed information from providers, including mental health counselors and doctors, in order to justify continued treatment.

“Managed care companies are requesting much more information than they need to make coverage decisions,” including “comments about suicide attempts, extramarital affairs, job-related problems and drug or alcohol abuse,” says Paul Appelbaum, vice president of the American Psychiatric Association.

Employers — the very group most patients fear will get their private information — are able to get medical information from insurers and others, says Janlori Goldman of the Health Privacy Project at Georgetown University.

“Employers may say, ‘You just doubled our premium, what’s going on?’ There’s no federal law that prevents the insurer from giving that information to employers,” she says.

The first federal standards aimed at guarding electronic medical records are now under review by the Department of Health and Human Services, which received more than 40,000 comments on the draft proposal. The proposed privacy safeguards don’t cover paper records.

If upheld as written, the standards would reduce access by employers, allow patients to get copies of their own records and require permission from patients in certain circumstances to release information.

No consent, however, would be needed to release information related to medical treatment, payment or health-care operations, such as auditing, checking credentials of staff or quality assurance work. (Patients often give consent to release information, sometimes unknowingly, whenever they sign up for health insurance or fill our forms at doctors’ offices).

Some patient advocates say the standards don’t do enough to prevent abuses, while insurers fear the proposed standards are too costly and burdensome. Congress could pass broader legislation, but so far has not done so.

“Right now, once information leaves a doctor’s office, there are no federal regulations that protect the privacy of that information,” says Goldman of Georgetown University.

Medical information routinely leaves doctors’ offices: After a patient sees a doctor or fills a prescription, claims are sent to insurers and third-party bill collectors.

In turn, that information is sometimes given to drug companies or marketers. Insurers can “mine” prescription data, looking for patients with chronic health conditions such as asthma, diabetes or heart failure to enroll them in special programs .

Sometimes office-visit and prescription information is used in ways patients don’t expect.

Lisa Greenbaum, of Santa Barbara, Calif., was surprised to get a call at home last summer from a local Rite Aid pharmacy, reminding her to refill her prescription. Later, a letter came.

“As much as I’d like to assume they have my best interest in mind, I suspect it’s based on financial considerations,” says Greenbaum. “It is good for me to take my medication regularly, but it’s also good for them because I have to refill.” She asked that the calls stop.

Finally, a magazine about diabetes — filled with drug company ads — arrived at her home. Greenbaum doesn’t have diabetes, but takes a drug commonly used by diabetics.

“If I had had housemates or others I didn’t want to know (that information), I wouldn’t appreciate that,” she says.

Rite Aid says it reminds patients who take medication for chronic conditions to refill prescriptions as a public service, says spokeswoman Sarah Datz.

“Many patients, particularly the elderly, thank us for reminding them,” she says.

The reminders are made by Rite Aid call-center workers. As for the magazine, Datz says it was the first-of-a-kind and is nondescript on the outside, so prying housemates would have to unseal it for more information. Patients can call to request that the calls or magazines stop.

The drug-store chain CVS is being sued by patients in Massachusetts who say they were targeted for direct-mail advertising in 1998 from pharmaceutical companies — based on information gathered by CVS when they filled prescriptions.

“CVS got zero consent (for this program),” says Arthur Shingler of Finkelstein & Krinsk, which brought the class-action suit.

“If consumers understand what information is going to be stored on a database and how it’s going to be used, then it’s their right to choose whether to be included,” he says. “But when you take that right away, the potential abuses are phenomenal.”

CVS says it never sold the patients’ names to drug companies, but did provide them to a mailing house, which then sent written materials.

“The suit has no merit whatsoever,” says Todd Andrews, spokesman for CVS.

Medical necessity

The threat to privacy strikes at the heart of medicine.

“Confidentiality of communication within the doctor-patient relationship is one of the cornerstones of good medical care,” says Donald Palmisano, co-chair of the American Medical Association‘s task force on medical privacy.

Without confidentiality, patients are reluctant to tell doctors what they need to know. The California Health Care Foundation noted that one out of six people surveyed last year took some kind of action to prevent misuse of health information — including lying to their doctors, paying out of their own pockets for care covered by insurance or avoiding medical care altogether.

Some privacy experts say the fear that technology will make medical records less private is misplaced. But nearly all agree that more protection is needed, for both paper and electronic records.

“Threats to health information are driven by greed and economics, not technology,” say Jack Segal, spokesman for the American Health Information Management Association, a group representing 40,000 medical record managers.

“People shouldn’t be afraid of the technology,” he says. “What should concern them is the lack of a federal law that says, ‘You company (drug manufacturers, insurers, etc.) have to handle this information in a certain way that protects it.’ ”