Hi All. I called a local area health group to make an appointment. The office manager began asking questions, and I gave my name, birthdate, and current address. Within a few moments after her entries, she asks if my previous address is 123 N. Alphabet St.
I immediately asked how she knew that, because I’d never scheduled with them before, and she says that maybe I went to an urgent care at some point or to a medical event. I have done neither.
She continued to say that’s the only way it would come up and ultimately was unable to tell me how those details were in their system. I’ve lived in this city less than 2 years, and have only had interactions with 2 other groups, and the woman said that theirs was totally unaffiliated with the others I’ve used.
I’m totally aware that in our digital age almost nothing is private, but it seems odd that she didn’t know how else it could be there. Generally, when a place has your info you have a sense of how and where something could’ve been shared. So, has anyone heard of this or had this happen to them and know where they got it?
A couple of times, I visited the webpage to get the mandated free copy of my credit report. There’s a whole series of steps you have to go through to ensure that you are you and not a fraudster pretending to be you. And one of those is a multiple choice question, listing several addresses or cities and asking you which you lived at or in previously. So that sort of previous address information is in databases.
So, affiliation between medical groups doesn’t mean anything. There are only a certain number of medical databases. Just because St. Froods Hospital doesn’t know that J. Porkins Medical Center uses the same database doesn’t mean they can’t get your info if it’s in there. I just got a covid test done by a completely unaffiliated provider from the people who did my last test and had to download the exact same app and access the exact same database to get my results. The frustrating thing is that from my end I have two seperate records requiring two logins to access.
If you live in an opt out state and you didn’t specifically opt out of health information sharing then any of your records may be available to participating institutions. The address information would be there so your identity can be confirmed.
It is unlikely an office manager would have much knowledge about how this system works, and wouldn’t have any reason to know which specific databases information was derived from.
I understand what you’re referring to, but I was thinking that a medical appointment entry database would be entirely independent of everything web-based, and stored and accessed locally.
Seems normal (in Australia). Most medical office staff have no idea at all that they are sharing their medical records with a big (privately run) national database.
The Australian government medical record database has received a fair amount of publicity, and some medical staff would be aware that it’s possible to object to sharing your medical records with the government, but almost none are aware that the medical practice software is /also/ connected to a shared database, and that they have consented, among other things, to use of anonymized data for approved medical research, and that you can object to that too.
Regarding the USA, I can only add that most of the medical practice software companies are international, and Australians are using versions of the same software Americans are using.
Edit: Yes, common Medical Practice Software links your medical records to your address and to your appointments.
So, there is a large medical database where the info lives and can be linked/shared unbeknownst to me? It seems unlikely that I wouldn’t have opted out, given the choice.
Lots of good info there, thanks. To your last point, medical records are linked to an address, which makes sense, but why just an address without the records or institution’s names? When I kept asking her questions, she told me that all she had was the address, without any additional information.
In Australia, you can certainly opt out. You have to ask the medical office what the brand name of the software they are using is, they have to work that out, then you call the provider. The provider fully understands privacy and consent, removes you from the system immediately, and sends you confirmation. The medical office staff have no idea that there is any kind of shared database, so it doesn’t even occur to them that there might be privacy and consent issues. I assume they could handle it if they knew how – the providers seem to understand the issue, so I don’t believe they would have hidden the functionality – but they don’t anything about the system back end.
People routinely give permission to have their records shared without thinking about whether they are in an opt in or opt out state.
But after that, why do you care? You give out personal information all the time, your insurance company, pharmacies, labs, and any other health services you use have that info anyway. I understand people care about their privacy but your health information is probably more secure than your financial information.
I get what you’re saying, and appreciate the reminder on the state-based nature of opting in or out. I try not to give out any information that isn’t totally essential to some important life function. This includes all areas of my life, and it’s a fairly big deal to me. At the very least, I like to know what information I’ve provided and to whom. I’m the one reading the privacy practices disclosures on sites.
Really good to know…more fodder for the
data-privacy-paranoia-train, but good info nonetheless.
If you gave the office person your insurance info, it would have pulled up the address which you signed up with.
Yeah, that was asked for and provided after she revealed the previous address, so it wasn’t a factor.