Bush reduces privacy of medical records - a good thing?

Great Debates
1

http://story.news.yahoo.com/news?tmpl=story&u=/ap/20020809/ap_on_go_pr_wh/health_privacy_1

On Friday, the Bush administration announced new rules concerning the disclosure of medical records without the patient’s written consent.

Color me paranoid, but I’m not convinced this was necessary or will cause me benefits. If I am going to be honest and open with my health care provider, I’d like any records of that to be disseminated as little as possible. I never experienced a difficulty “running all over town” as suggested by HHS Sec Thompson. So I am wary of a cure for an ill I never perceived.

I can understand that this might be a boon to health care providers desirous of improved billing. But I am hesitant to potentially infringe upon my privacy to improve these companies’/organizations’ bottom lines.

Speaking with a pharmacist friend, she said one benefit would be that pharmacies can check with each other – which helps check potential drug interactions or abuse. She said this ability was very limited under the Clinton policies. Changing that I can understand. But it does not seem to be the primary gist of the new rules.

So much info is shared so freely these days, I fear the possibility of such info being shared with prospective employers, or prospective insurers to deny coverage based on “pre-existing conditions.”

The article in the Chicago Trib said records could be shared with drug companies, not for marketing, but for the distribution of gifts of nominal value. Once they have the info in their database for the purpose of giving me a “gift” I didn’t request … And I look forward to my friendly neighborhood mailman delivering me Viagra keychains, and Prozac pocket organizers.

And the suspicious part of me asks why, if this was such a good thing, did it get announced on Friday afternoon – primed to disappear in the Sat news black hole. Seems to happen a lot with this administration …

2

I would never again disclose anything to a medical provider that I didn’t want my boss, the police, or the people working in the pharmacy to know.

3

Whether or not it’s a good thing, it will be perceived as a bad thing. Everyone is in favor of medical privacy, but it’s harder recognize the downsides. Here are a couple:

  1. Suppose a patient is being treated by two specialists. e.g, an oncologist and a psychiatrist. The existing standards interfered with giving the psychiatrist records relating to the cancer.

  2. Under Workers’ Compensation, the employer of an permanently disabled employee often looks for different work within the organization that the injured worker can handle. E.g., a lumberjack with a bad back may get a desk job. The existing standards interfered with gving the employee the medical records, which are needed to make a sensible decision.

4

Both of these are easily addressed either by existing legislation, or by having the patient sign a release.

In the first situation, IME it’s routine for various mental health professionals to request access to speak to medical professionals treating their patients and vice versa. If the patient doesn’t want to grant the access, adults should have their privacy rights respected.

In the second, IANAL, but I used to work for a workers’ comp firm here in Illinois. IIRC employers are granted the right within the law to reassign injured employees to any job which they are medically able to do, and are allowed to request a second medical evaluation by a doctor of their choice (at the employer’s expense, BTW) for the purpose of clarifying what types of work the injured employee is able to perform.

I don’t think my medical records need to be the business of any more people than already have access to them. Peole should have to opt-in to greater access rather than having to opt-out.

5

Exactly. What’s your point?

6

I agree with Eva. I don’t see the need to cut the patient out of the loop in either of these cases.

In my job I regularly encounter instances where physicians are requested to provide employers and insurers with opinions of their patient’s ability to perform various exertional and nonexertional requirements of work. Generally, those bear the employee’s signature. Often, the employer will respond to the medical provider suggesting a specific position, describng the tasks and physical/mental/emotional demands, and requesting a second opinion concerning this specific job.

I don’t see why the employer should need access to more, or why the prior system was inadequate.

The situation described by my pharmacist friend did seem to make some sense to me. Individuals seeking prescriptions may be an unreliable source of info concerning other meds they are taking. Also, abusers seeking excessive or duplicate meds may understandably be less than open concerning their medication history.

7

My point is that a person is a holistic individual. A person’s mental and emotional conditions can be affected by her physical condition. That’s why psychiatrists are MDs.

8

True enough. However, social workers and psychologists are not MDs, but information about a patient’s medical situation will still be helpful in therapy, and vice versa for the M.D.

However, I still don’t see why you’d need to butcher privacy rights in this situation.

9

To some degree, this whole discussion is moot. Doctors’ offices have always had to have the patient’s permission to disseminate information to insurers. This is one of the forms you fill out, either at every visit or the initial visit, and is to be re-done when your insurance changes. There is a line on the HCFA-1500 claim form for the patient’s signature. If that line says “Signature on File”, then there had better be a signature on file.

That said, the patient has a vested financial interest in making sure information is releasable. It’s unusual to have to do so, but occasionally insurers have to see reports to adjudicate claims, generally because the information on the claim form is vague (for example, a nonspecific code is used and the insurance company needs to have the specifics on what was done or why it was done) or the procedure has been modified (e.g. if a surgeon had to reduce or enhance the procedure to the point where the actual code no longer fits and a modifier has to be used) and the insurance company has to decide how much reimbursement is appropriate.

If the patient refuses to allow us to send requested records to insurance companies, we’d have to ask for payment from the patient, and that sets up a catch-22 for the doctor’s office. We can’t release records without the patient’s permission, and the patient refuses to do so. The patient further refuses to make payment that is due the physician, telling us that’s what insurance is for. We can’t get paid from the insurance, because the patient refuses to release the requested information. So, the physician either eats the bill (not bloody likely), or the bill sits outstanding, and goes to collections, in which case we hear from the patient and/or his attorney. You can tell I’ve been through this once too many times.

Also, insurance companies are not allowed to share health information with employers, unless it’s a worker’s comp claim, and even then, the patient has to authorize that specific release of information.

From the article linked to in the OP, this would not affect medical records as disseminated from one doctor to another, or record copies that the patient requests for other uses. Those will still have to be authorized by the patient.

And one last time. Psychiatric, substance abuse, and HIV records are covered under a different set of laws. Those records are so tightly controlled that even the patient has to have a reason to request them, and “just because I want them” is not good enough.

All that having been said, that the Bush administration is willing to waive the signature requirement is very scary. Even though there are existing laws to cover privacy of records, and a bunch more coming, what’s to keep this regulation from being abused? I’ve had requests for information from private investigators pretending to be spouses; what’s to keep a PI from posing as an insurance company rep to get this stuff? (And FTR, I don’t release ANY information to ANYONE without authorization or instructions to do so.)

Robin

10

Scary and more than a bit hypocritical given Bush’s record on document sharing (energy task force, Harken, presidential records, etc).

There was a discussion about this on Talk of the Nation today. Although the drug companies supposedly can’t use these new rules to conduct marketing, pharmicists can use it to send “informational literature” to their clients. So it’s likely the drug companies will simply pressure/entice pharmacists to market their drugs for them. Wonderful.

11

I missed TOTN this afternoon, but there was an article in a professional journal I subscribe to about marketing by pharmacies and drug companies, specifically pharmacies sharing information on patients who take antidepressants. Seems the State of Florida is very interested in this, and the attorney general’s office is investigating. See this article for more information.

Robin

12

Coincidentally, yesterday my wife and I attended a session of the American Statistical Association annual convention on the topic of maintaining privacy and security of records for medical research subjects. Afterwards, we had dinner with one of the speakers and his wife – also a noted person in the field of medical statistics, as is my wife.

What I took away from the panel’s presentations and our subsdequent discussion was:

  1. A great deal of effort is going into this area.

  2. The effort is not cheap. E.g., one suggestion was to have a full-time data security manager at each statistical center.

  3. Although it’s proper to go to a big security effort, nobody could think of a single case where a subject had actually been harmed, because of a failure to protect their medical record.

I suspect the same may be true of ordinary patients. We all agree in principle that our medical records should be kept confidential. Still, where are the examples of people who were actually harmed when their confidentiality was breached?

13

Cite for the panel mentioned above

14

december: *Although it’s proper to go to a big security effort, nobody could think of a single case where a subject had actually been harmed, because of a failure to protect their medical record.

I suspect the same may be true of ordinary patients. We all agree in principle that our medical records should be kept confidential. Still, where are the examples of people who were actually harmed when their confidentiality was breached?*

Have you actually tried looking for any such people, or have you merely assumed that since none of the four of you around the dinner table could think of such a person off the top of your head, there aren’t likely to be any? Check out this report (PDF, sorry) from Georgetown’s Health Privacy Project, for example. I was especially appalled at the story of the woman whose medical records following post-abortion treatment were posted on a website by anti-abortion activists, but even the ones about medical records being sold to tabloids, or exemplary workers being fired after their employers obtained access to their records, are IMHO bad enough.

We should also not forget that in many respects—including, I believe, legally, though IANAL—breach of confidentiality itself is considered a harm. If you have a right to have certain information kept private, and that privacy is violated, you don’t have to show that the violation lost you your job or your savings or anything else specific in order to claim that it harmed you.

15

Since the two women have each done decades of statistical work on medical research, and since George is an expert in the field of security of subject information, I was assuming that if serious damage were widespread, these three people would be apt to know it/

Thank you for the cite. Of course, it’s always wrong to let such record fall into the wrong hands.

Still, your source actually supports my point. Presumably these cases were selected as the most glaring examples for the entire universe of American medical treatments – probably over 100 million per year. And yet, hardly any allege actual damage, other than embarassment. In the example of Arthur Ashe, he became even more of a hero after his condition was divulged. Even the case of Terri Seargant, who lost her job, is “suspected” of being due to a leak of medical information, but not yet proved.

Embarassing these people is wrong. Even one unfair loss of a job is one too many. Still, these examples go back, say, 20 years. Twenty times 100 million medical procedures and doctor visits is 2 billion per year. If over the course of 2 billion medical treatments, a dozen patients unfairly lost their jobs because of a leak of private information, this is a remarkably small percentage, namely 0.000006%.

OTOH consider how many people died during that period because they couldn’t afford proper medical care. The additional cost of more data security makes medical care unaffordable for that many more people.

If everything were free, then we would all support the very tightest of security measures. In the real world, things have costs. The benefit of tighter security procedures is offset by the downside of making medical care a more expensive.

16

I would never again disclose anything to a medical provider that I didn’t want my boss, the police, or the people working in the pharmacy to know.

That’s a pretty good policy.

17

december, the possibility exists that many folk who are harmed by disclosure of their private info may not know what happened. For example, if someone is denied a job or insurance, or their insurance rates are set at a certain level, they may not necessarily realize that disclosure of their records was to blame.

It also might be considered a disadvantage for someone to NOT be solicited - say for inclusion in a low cost insurance pool - because the insurer has cherry picked the pool.

Personally, I am not thrilled with much of the current health care in the US, where administrators often determine what is or is not appropriate medical treatment. I do not welcome efforts to make it easier for HMO bean counters to mine my doctors’ records in order to justify denying payment for prescribed treatment.

I still do not see any clear benefit to me of this changed policy. And, in the absence of any benefit, even a remote possibility of harm looms large.

18

*All quotes originally posted by Dinsdale:

If a person is applying for private insurance, it’s assumed that records are going to be involved. Part of the applications process is a medical history with signature on a release of information form. A doctor’s office is not allowed by law to release information without your express consent. Period. (And FTR, failure to disclose a medical condition is insurance fraud and can be prosecuted as such.)

If a person is applying for group insurance, and the person has had insurance at some point in the past 18 months, medical history and pre-existing conditions can’t be factored in. Think about it. When you change jobs and fill out the paperwork for the insurance plan, do you have to answer medical questions? Nope.

Health insurance premiums are figured by risk, just as any other insurance policy is. If a person is healthy, has no chronic health problems, doesn’t smoke or drink or use drugs, then the cost of insurance is going to be a lot less than someone who has a chronic condition, is a smoker or drinker. After all, the insurance company has to pay out claims, and someone in the latter group is going to have significantly more of them than someone in the former group.

You can’t have it both ways. You can’t say to an insurance company, “I want you to pay the bills without questioning what you’re paying.” Medical records are sometimes necessary for the proper adjudication of claims. As I said in my first post, occasionally, more information is needed to pay a claim. Medical records are the best source of this information. Furthermore, it’s very seldom that records are even necessary, barring a complicated claim, such as a complex surgery, or if the service might be paid by a third party, such as injuries from an auto accident. Some insurance companies also use diagnosis codes to identify patients who might be eligible for special programs; for example, diabetics may be eligible for dietician services which would not normally be a covered benefit. The insurance company figures it’s cheaper to pay the dietician the $35 for the visit than it is to pay a doctor or hospital thousands of dollars for a sicker patient. And they’re right.

Moreover, it’s bad faith for an insurance company to seek to deny claims. Something like over 80% of claims (I got these figures from a training seminar, and I can’t find the source in my notes or in the handouts) are paid out the first time the claim is submitted. The remainder are either denied outright as non-covered or sent back for more information, either from the patient or from the physician’s office. Also, given the fact that humans don’t even see most claims (they’re submitted and adjudicated electronically; the ones humans do see are paper claims that usually pay out) makes it very unlikely that records will be needed.

Nobody’s really arguing this point at all. Even with all the legislation at both the state and federal levels, hospital regulations and Medicare regulations, removing the requirement of consent for release to insurance companies is a significant loophole. It doesn’t take a genius to see that the Bush administration is trying to erode these privacy regulations bit by bit. Insurance companies today, government tomorrow?

This new policy also makes my job a LOT more difficult, because no one will trust us to keep their information private. And it’s bad for the patient, because few will be completely forthcoming about their medical history, making effective healthcare decision-making next to impossible.

Thank you, Messrs. Bush and Thompson. :rolleyes:

Robin

19

december: Since the two women have each done decades of statistical work on medical research, and since George is an expert in the field of security of subject information, I was assuming that if serious damage were widespread, these three people would be apt to know it

Sure, you might expect them to know about the track record of medical privacy for medical research subjects, since that’s what they work on. But what you were asking about was the track record of medical privacy for ordinary patients, and I can’t see why you would expect their off-the-top-of-the-head guesses on that subject to provide an adequate answer.

Still, your source actually supports my point.

Not unless you make a number of unjustified assumptions, as discussed below.

Presumably these cases were selected as the most glaring examples for the entire universe of American medical treatments – probably over 100 million per year.

Horsehockey. The report does not tell us how the cases were gathered, what the selection criteria were, nor how much access researchers had to the entire universe of relevant data on medical privacy. Your “presumably” is completely unsupported.

And yet, hardly any allege actual damage, other than embarassment.

That depends on your creative definition of “actual damage” as tangible and identifiable loss of property, employment, etc.; as I pointed out above, that restricted definition does not jibe with the principle behind medical records confidentiality, which holds that the disclosure of private information is itself a harm.

*Still, these examples go back, say, 20 years. Twenty times 100 million medical procedures and doctor visits is 2 billion per year. If over the course of 2 billion medical treatments, a dozen patients unfairly lost their jobs because of a leak of private information, this is a remarkably small percentage, namely 0.000006%. *

!!! You’re blithely assuming that these selected individual histories are an adequate approximate measure of the total amount of medical privacy violations over twenty years, and you’re jumping to statistical conclusions based on that completely arbitrary assumption. Even I, with only an undergraduate degree in mathematics, know better than to pull statistics out of my ass in that way, and I’m kind of shocked to see a trained mathematician and professional actuary doing it.

OTOH consider how many people died during that period because they couldn’t afford proper medical care. The additional cost of more data security makes medical care unaffordable for that many more people.

Red herring. Yes, all administrative procedures cost money, but if we’re assessing what the biggest costs of health care really are, and what the most important reasons for inadequate health care coverage really are, I think we’ll find that the price of medical records security is pretty far down on the list. In any case, the story cited in the OP did not claim that the Administration’s proposed changes would reduce costs associated with medical records security, so the point is moot as far as we’re concerned.

As Dinsdale points out, the supporters of this measure have not made a convincing case that it will actually have any clear benefits for patients, certainly not enough to justify trashing the explicit-consent requirements.

20

I have a friend who would not have been able to buy the coop apartment she has if it had been known by the coop board that she has a chronic and progressively disabling disease. I have several friends and associates who might not have been employed where they work if it were known that they had been committed to psychiatric institutions in the past. I’ve heard that there is discrimination in both employment and housing against people who are HIV-positive.

Quite aside from which, when I go to a new doctor, I want that new doctor to have access to my existing medical history only to the extent that I choose to provide it. This is especially true in the modern era of managed health and abbreviated physicians’ office visits and insurance-driven health care decisions. If there were ever a time when a valid case could be made for doctors to be the primary decision-makers regarding people’s health care, that time is long gone. The primary decision-maker relevant to my health is me.