This story just gets worse, highlighting the poor judgment of the insurance companies. Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan never even considered how sensitive patients are about the privacy of personal health information, from their prescription records to DNA.
Now Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan claim that taking the health records of 285,691 people to community health fairs is a way to “save lives”. That particular argument is often used to make people believe that a decision was made for important and worthwhile, even essential reasons. So let’s take a look and see if the decision to take health records to community health fairs is a good decision or makes sense.
The insurers want their employees to check people’s medical records and decide if a test is needed, like a mammogram, and schedule it—at a health fair. But as a matter of law, ONLY physicians can order tests like mammograms—not insurance company employees. Their employees cannot schedule doctor’s appointments, much less medical tests. Besides, most people are very uncomfortable with strangers, who are not health professionals that treat them, looking at their medical records.
Most people would never want their sensitive health records taken to health fairs in the first place. Obviously, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan did not ask those enrolled for consent to take their records to health fairs, or anywhere outside of their offices where personal records are supposed to be used to ONLY to pay claims.
Most people strongly object to health insurers even having, keeping, or using their sensitive health records. Patients want insurers to have the bare minimum information about them to pay claims. Patients typically do not turn to insurers for advice about their health, about treatment, or to recommend tests.
And the insurers say conflicting things about what kinds of information and how much was on the flash drive. If only recent screenings were on a flash drive, a woman’s last mammogram might not be there. No physician would order a test like a mammogram without knowing the exact date of the last one and the details of her history, like what risks she has for breast cancer. Unnecessary mammograms expose women to radiation.
It appears that this example of helping women at health fairs to get needed mammograms doesn’t make any sense, because the employees of insurance companies cannot order or schedule mammograms—or doctor’s appointments.
The example of saving women from breast cancer at community health fairs is so far-fetched that it may have been fabricated to try and make it seem that the insurers had good reasons to take sensitive health records out of their offices. But it’s hard to judge their reasons and intentions without full disclosure, so we are left with the few things they said and did. They exposed 285,691 people’s sensitive demographic and health information to loss, sale, identity theft, and medical identity theft for reasons that don’t make sense.
Is it responsible to allow insurance employees access to people’s sensitive health records at health fairs and risk the loss or theft of that sensitive data?
If the insurers actually put complete or very detailed health information on enrolled patients on a flash drive that would enable a health professional to know enough to order certain tests, and the stated goal is to increase screening for needed tests, and there are far more effective and privacy-protective ways to do that. They do not have health professional staffing their booths at health fairs. Insurers could contact patients directly by mail or email or phone IF the patient had opted in to receiving advice or reminders from them. Or insurers could contact doctors if they think a test is needed, so doctors can evaluate full records and decide whether tests should be ordered.
Risking the privacy of 285,691 people at a health fair to improve screening for breast cancer or other unnamed conditions is a bad decision—whether they encrypt the data or not. Encrypting the data would have lowered the risk of loss, theft, or sale of the information, but would not solve the problem of using patients’ sensitive health information in ways that they would never want or agree to.