I was reading the debate about mandated vaccinations, and WhyNot made a remark in furtherment of his argument “without a national health records database, we just don’t know for sure what percent of our population is being vaccinated.”
That got me to thinking about the state of medical privacy in the US and I wished to understand the sides of this debate.
Why is medical privacy (either specifically or in whole to your belief on privacy) something that needs protection? Would this privacy of your information be protected from the general population or the government or both?
I have always had a personal thought that medical information should be available to at least organizations like the NIH or CDC on demand. Thus, if we switch to an EMR system, having the NIH and CDC and such snoop through that data I would consider in the public interest. I can see circumstances of individual to individual being creepy, but the government having that information is okay.
This is really more of a Great Debate. Medical information is currently strictly protected in the U.S. by HIPAA (the oddly named Health Insurance Portability Act of America). Most people agree that it is a good thing because privacy violations for certain kinds of health information can be very damaging to individuals (sexually transmitted diseases or even cancer for example).
To answer your question, the purpose is to protect individual medical privacy against threats from private individuals, the various government agencies and even keep information away from family or other health professionals if the individual doesn’t want it disclosed. No, most Americans do not trust the government when it comes to confidential personal information and only using it ‘in the public interest’. Ever hear of the NSA?
Lots of things could potentially be in the public interest but that doesn’t mean that they are automatically a good idea that is justified by those criteria alone. The U.S. values personal freedom and confidentiality as well at least nominally. When it comes to this type of data, there is no benevolent government to trust or not. There are a myriad of state, federal and local agencies that are made up of individuals, some of whom won’t respect their family and neighbor’s privacy if such data was collected in centralized databases.
I can see protecting it from other people, but wouldn’t the NIH or CDC want to have a good dataset on what is currently being suffered by Americans? As it is, only certain diseases are required to be reported. Wouldn’t it be useful in aggregate for most diseases?
So, would serving the public interest in this way come with an anonymized dataset, then? Say by adding diagnoses for each person in a zip code but not divulging their specific details?
Yes, HIPAA does allow for that, handing over aggregated medical information to agencies like the CDC that has been stripped of information that could identify individuals. Some work of that nature actually is done.
Yes, HIPAA is a pretty good and flexible act at least in my opinion. It is extremely strict when it comes to personally identifiable information. It even makes it illegal for doctor’s offices to leave sign-in sheets in public view for example. Back office personnel like receptionists or billing agents can be fired or prosecuted for revealing any specific health information about any specific person.
However, HIPAA does allow rather generous use of data in which all personal identifying data has been stripped out. That is usually easy for large data sets but not always. For example, you run a risk of identifying an individual even when they are not explicitly specified. For example, a small area with only one Native American family that makes over $100,000 a year shouldn’t technically include ethnic or income data on a data set that looks at one disease because it is personally identifiable information for anyone that wants to look at the records in detail. That sounds like an extreme case but it really isn’t. It is surprisingly easy to do for the majority of people given enough information even if it isn’t explicitly personally identifiable.
HIPAA is a long and detailed act that requires some intense study to understand well but I think it has most of the basic ideas right.
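The small-cell risk described in the post above, as an added example that is not part of the original thread: it counts how many records share each combination of indirect identifiers and drops columns until no combination singles anyone out (a k-anonymity style check, a term the thread does not use). The column names, the threshold k=3, the drop order and the sample rows are assumptions made up for illustration, not a statement of what HIPAA requires.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real data): one row per patient in one small ZIP code.
COLUMNS = ("zip", "ethnicity", "income", "diagnosis")
ROWS = [dict(zip(COLUMNS, r)) for r in [
    ("01001", "White", "<50k", "diabetes"),
    ("01001", "White", "<50k", "asthma"),
    ("01001", "White", "<50k", "diabetes"),
    ("01001", "White", "50-100k", "diabetes"),
    ("01001", "White", "50-100k", "asthma"),
    ("01001", "White", "50-100k", "diabetes"),
    ("01001", "Native American", ">100k", "diabetes"),
]]

def cell_sizes(rows, quasi_ids):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in rows)

def small_cells(rows, quasi_ids, k):
    """Combinations shared by fewer than k people; each can single somebody out."""
    return {cell: n for cell, n in cell_sizes(rows, quasi_ids).items() if n < k}

def release_aggregate(rows, quasi_ids, drop_order, k):
    """Drop quasi-identifier columns (in drop_order) until every cell holds at
    least k rows, then return the surviving columns and diagnosis counts per cell."""
    kept = list(quasi_ids)
    for column in drop_order:
        if not small_cells(rows, kept, k):
            break
        kept.remove(column)
    if small_cells(rows, kept, k):
        raise ValueError("cannot reach the threshold; withhold the data set")
    table = defaultdict(Counter)
    for r in rows:
        table[tuple(r[q] for q in kept)][r["diagnosis"]] += 1
    return tuple(kept), {cell: dict(c) for cell, c in table.items()}

if __name__ == "__main__":
    qi = ("zip", "ethnicity", "income")
    print("risky cells:", small_cells(ROWS, qi, k=3))
    print("released:", release_aggregate(ROWS, qi, ("income", "ethnicity"), k=3))
```

Meeting the size threshold does not by itself stop disclosure when everyone left in a cell has the same diagnosis, so a release process would check that separately.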
I have read opinion articles that it’s poorly enforced, though I am no expert. I can, however, attest to the “leaving a sign in sheet on the desk” thing. I don’t think I’ve seen any doctor that manages to not have my name with 12 others on the desk. Is the enforcement lax?
As for medical data, how much of this information is submitted to places like the CDC? Or is that one of the reasons that the EMR requirement was written into the ACA - to give this data to the CDC?
I can’t speak for everywhere in the U.S. but HIPAA is rather strictly enforced in Massachusetts. I used to work in the IT health benefits industry and you better believe it was enforced there. HIPAA violations were one of the things that could get someone fired no questions asked. We went through constant retraining on it even though we only dealt with really bland and uninteresting data.
None of my personal doctors have publicly viewable sign-in sheets. They can’t leave messages to tell you anything about upcoming appointments other than one exists. They also cannot give any health information about you to anyone, even your immediate family, without explicit consent. They certainly can’t and won’t give information like test results even to your spouse without that prior consent.
They also have to provide signed HIPAA disclosures to every new patient detailing their responsibilities and your rights as a patient. Any doctor, hospital or pharmacy that doesn’t follow those rules is asking for trouble because the potential ramifications can be disproportionately large even for rather minor violations.
Even that is a technical violation of HIPAA rules. The doctor could be the leading HIV/cancer/drug abuse doctor in the area. Some people don’t even want others to know they need to see a cardiologist or a urologist. Sign-in sheets for primary care doctors may not be a threat to individual privacy but they are for lots of different types of specialists. That is why they aren’t allowed.
The flip side to this debate is that you never want individual patients to be reluctant to seek care for any condition, no matter how embarrassing because they think there is a threat of their condition and/or lifestyle to be revealed publicly.
I may need to make a correction. I just looked up some information on sign-in sheets and HIPAA. It seems that some types of sign-in sheets are allowed as long as they adhere to the ‘minimum necessary standard’ for disclosure. That gets complicated and may mean just referring by first name only with no other information presented.
However, the HIPAA training I had to go through was much more strict than anything I could find on the web and I worked for a very large company that specialized in handling it. I don’t know if they were just being overly conservative or if sign-in sheets themselves can be a violation for some specialists. We were taught that ANY POTENTIAL personally identifying information was a violation and that included a whole lot of mundane things like simple reports and spreadsheets that were transmitted to any non-certified parties. Even trusted entities could only receive (rather mundane) information using secure encryption technology.
nitpick! HIPAA=Health Insurance Portability and Accountability Act. The accountability is about the privacy. The portability was supposed to insure that you could maintain coverage when moving from one insurance to another.
Shagnasty has provided good information here. Considering the volume of medical record entries produced daily and the number of people with access to them, security is pretty damn tight. You have a much better chance of having money disappear from your bank account than having your medical information leaked. I see private information daily, sometimes because it’s for a legitimate reason, and sometimes because someone isn’t thinking before allowing me to see it, but it’s rarely anything anyone would care about being seen anyway. I work in IT and luckily most of the technical issues can be resolved with dummy data now. Without a doubt medical records are much better protected now than ever before.
I’m not really worried about people finding out that I have allergies to trees. I’m just curious about why people are so uptight about their privacy. Shagnasty said that Americans in general don’t trust the government and I get that. I’ve met some very special troglodyte-types in several governmental areas. But otherwise, what fear is there if someone gets to your information? I do get the “we don’t want people to know I have AIDS” thing. They’ll get ostracized. And I could see that happening for new diseases (like back when HIV was new to the first world) especially. But, as an example, wouldn’t the spread of HIV have slowed considerably if you could check your partner’s status from their last checkup on the 1975 version of Google?
I don’t know why most people care about this, I’m far more concerned with keeping my money safe, but even though my own medical records are growing rapidly there just isn’t anything all that exotic there.
I’ll point out a couple of things, AIDS wasn’t known to exist in 1975, though maybe you meant a later year. There was nothing like Google either, and there wouldn’t have been any effective mechanism at that time to check on other people, and an accurate means of diagnosis wasn’t available for a while either. I think AIDS was spread rapidly among people who were not being cautious about their sexual partners, and making the information public would have stopped people from getting diagnosed and getting treatment, and they wouldn’t have been on any list anyway.
During the late 80s for some reason I was being told by many people how valuable a list of AIDS patients would be, I didn’t want to know why I was being told that, but it seemed obvious that insurance companies wanted to know so they wouldn’t have to cover those costs. That would have resulted in less treatment available and even more reason for people not to get diagnosed.
So all in all I don’t think public information like that would have made much difference. It’s not something I researched at all because it strikes an emotional chord with me because of the loss of a dear friend, so I don’t really want to dig that deep, but your reasoning just doesn’t make a lot of sense. I think fear of AIDS was a major factor in the spread of the disease and your plan would have just increased the level of that fear.
The basic problem is as simple as people can and will use it against individuals in many circumstances without tight controls. It may be people that are out to target a semi-public figure, it could be a distressed ex-lover or it could be a simple busybody. No one has any right to be able to look that stuff up on a type of Google health site. If you doubt the person you are with that much, you don’t need a public search. You either need better judgement or condoms. The bottom line is that it isn’t anyone else’s business according to my life philosophy or the semi-prevailing American one.
Always keep in mind my second point from above. Aggregate data is good in general but it can be quite bad if people with treatable medical conditions are hesitant to get them treated because they believe that their condition can be exposed. It doesn’t have to be AIDS. It could be anything, even something that sounds innocent to others but people value privacy in different ways and the #1 goal of doctors should always be to treat people that need help to the best of their ability and not to serve as informants to the government.
Yes, I rounded my date (I could have gone “Late 70’s” I admit) and then used Google as an illustration (after all as you said, what would they have looked it up in?) of how to use our resources to make this information available.
I agree with the first part of this, that it was sexual behavior that drove the infection rate of HIV. But I’m not convinced the second follows. If you are sick why wouldn’t you go to the doctor to find out why? HIV is a little different, as you get what amounts to a “bad cold” at onset and then have no symptoms for, potentially, years. But other diseases have actual symptoms that you’d get checked for.
This, though, does make sense. I can definitely see insurance companies trying to use that sort of information to avoid paying on “social problems.” Is it possible to mandate around this or would you believe the insurance lobby too powerful?
Please enlighten me on this because it seems disjointed: How did a fear of catching HIV lead to a spread? If anything, from that time period, I think a misunderstanding of the disease caused a lot of its spread. Anecdotally, I heard the phrase “It’s a gay disease. Straights can’t get it.” several times.
According to a study in 2004, one of the largest factors in avoidance is doctor engagement. If your doctor makes you feel like he cares, you’ll seek more medical attention. (Note: Survey of limited sample size.)
So, would you avoid medical treatment if it showed you had something if that information would be made public?
Do you know of any studies that outline the social/cultural avoidance factors for medicine? I have found several studies about psychotherapy avoidance due to culture and mental disease, but none directly addressing this concept.
I didn’t say fear of catching AIDS. The fear was ostracization, that you would lose your job, your friends, your family, your health insurance. All of that even if you didn’t have AIDS, you only had to be suspected of it, or know someone who did. This led people to avoid diagnosis and treatment even without the public disclosure, it would have been worse if there was a ‘list’.
I love electronic medical records. Accessing that information makes my job much easier than if I had to request charts or hunt down elusive docs on the phone.
At the same time, I give no unnecessary information out that could find its way onto those records. Those long survey forms you get at the doc’s office? Forget about it. If it’s not relevant to my complaint, you don’t need to know*, and neither do potential employers/snoops/government agencies (who have trouble enough making sense of the information they already have).
*the alternative option is providing conflicting answers at different places, which will confuse 'em even more. Blood type and severe allergies you’d want to keep straight. Other stuff, keep 'em guessing.