In Rhode Island, where everyone knows everyone, how safe are our own “confidential” medical records?
Any visit to a local health facility carries the risk of bumping into a friend or acquaintance. We may tolerate this at less intimate treatment centers — for sports medicine, podiatry, or dentistry, for example — but seeing a doctor for substance abuse, reproductive health, STDs, or cosmetic surgery may have patients longing for greater privacy.
If the records of Britney Spears and Maria Shriver can be breached, as was recently reported to be the case at the UCLA Medical Center, it can happen to us.
It’s not just the impact of celebrity: as the Atlanta Journal-Constitution recently reported, the federal government has told 71,000 poor and low-income Georgians that their medical records were mistakenly placed on the Internet.
Last month, wire services reported that the Social Security numbers, phone numbers, and personal data of 50,000 New York-area patients were allegedly sold by a former worker at New York-Presbyterian/Weill Cornell Medical Center. The suspect told authorities he sold two batches of data: one for $750 and one for $600, placing a street value on the intimate details of anyone’s life and health at about 33 cents.
In 2003, the federal government implemented the bureaucratically labeled Health Insurance Portability and Accountability Act (HIPAA). The law was supposed to strengthen patient privacy.
Instead, HIPAA is seen as having made it more difficult for caregivers to communicate on behalf of sick and often confused loved ones, while patient confidentiality remains as compromised as ever.
HIPAA was on a collision course with technology. Just as Uncle Sam was deciding to plug holes in the privacy system, health-care bureaucracies and providers — awash in paper — saw electronic medical records as the answer. As a result, “private” records, once locked in steel cabinets with limited access, were placed on the Internet, available to enterprising hackers.
More terrifying is the persistence of human curiosity, error, greed, and the other failings that make a UCLA clerk want to know what’s ailing Spears and Shriver, result in the Georgia Medicaid computer nightmare, or tempt folks to sell Social Security numbers for pennies.
I switched facilities for my annual mammogram, because I could not, despite HIPAA guidelines, convince the former desk personnel to stop shouting out each woman’s full name across a crowded waiting room. It was suggested that they use first names, or better, a number system.
They said, “Older patients think first names are disrespectful.” They also declined to confront “older persons” with a copy of federal (and state) laws protecting confidentiality.
At local laboratories, patients seeking HIV- or drug-abuse screening, or routine blood work, all sign in on the same sheet. Everyone signing in subsequently sees patient names, insurers, and other personal information.
This doesn’t factor in the possibility that neighbors, disgruntled employees, or ex-lovers working at local hospitals, labs, or medical insurance companies might be just plain curious about someone’s psychiatric or physical history, and more.
Let’s face it: the World Wide Web is making privacy obsolete.