Insurers: Records weren’t lost at health fair

See Story: Insurers: Records weren’t lost at health fair

This story just gets worse, highlighting the poor judgment of the insurance companies. Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan never even considered how sensitive patients are about the privacy of personal health information, from their prescription records to DNA.

Now Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan claim that taking the health records of 285,691 people to community health fairs is a way to “save lives”. That particular argument is often used to make people believe that a decision was made for important and worthwhile, even essential reasons. So let’s take a look and see if the decision to take health records to community health fairs is a good decision or makes sense.

The insurers want their employees to check people’s medical records and decide if a test is needed, like a mammogram, and schedule it—at a health fair. But as a matter of law, ONLY physicians can order tests like mammograms—not insurance company employees. Their employees cannot schedule doctor’s appointments, much less medical tests. Besides, most people are very uncomfortable with strangers, who are not health professionals that treat them, looking at their medical records.

Most people would never want their sensitive health records taken to health fairs in the first place. Obviously, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan did not ask those enrolled for consent to take their records to health fairs, or anywhere outside of their offices where personal records are supposed to be used to ONLY to pay claims.

Most people strongly object to health insurers even having, keeping, or using their sensitive health records. Patients want insurers to have the bare minimum information about them to pay claims. Patients typically do not turn to insurers for advice about their health, about treatment, or to recommend tests.

And the insurers say conflicting things about what kinds of information and how much was on the flash drive. If only recent screenings were on a flash drive, a woman’s last mammogram might not be there. No physician would order a test like a mammogram without knowing the exact date of the last one and the details of her history, like what risks she has for breast cancer. Unnecessary mammograms expose women to radiation.

It appears that this example of helping women at health fairs to get needed mammograms doesn’t make any sense, because the employees of insurance companies cannot order or schedule mammograms—or doctor’s appointments.

The example of saving women from breast cancer at community health fairs is so far-fetched that it may have been fabricated to try and make it seem that the insurers had good reasons to take sensitive health records out of their offices. But it’s hard to judge their reasons and intentions without full disclosure, so we are left with the few things they said and did. They exposed 285,691 people’s sensitive demographic and health information to loss, sale, identity theft, and medical identity theft for reasons that don’t make sense.

Is it responsible to allow insurance employees access to people’s sensitive health records at health fairs and risk the loss or theft of that sensitive data?

If the insurers actually put complete or very detailed health information on enrolled patients on a flash drive that would enable a health professional to know enough to order certain tests, and the stated goal is to increase screening for needed tests, and there are far more effective and privacy-protective ways to do that. They do not have health professional staffing their booths at health fairs. Insurers could contact patients directly by mail or email or phone IF the patient had opted in to receiving advice or reminders from them. Or insurers could contact doctors if they think a test is needed, so doctors can evaluate full records and decide whether tests should be ordered.

Risking the privacy of 285,691 people at a health fair to improve screening for breast cancer or other unnamed conditions is a bad decision—whether they encrypt the data or not. Encrypting the data would have lowered the risk of loss, theft, or sale of the information, but would not solve the problem of using patients’ sensitive health information in ways that they would never want or agree to.

Electronic Health Records wired for abuse

“Oops! They did it to Britney again.” No, it’s not a song parody, but a reflection of the poor state of American health privacy – something Bay Staters should think about as their Legislature considers a bill to mandate Electronic Health Records (EHRs).

Staff members at UCLA’s Medical Center are under investigation over allegations staffers accessed Britney Spears’ medical records earlier this year. Sadly, this is not the first time individuals other than the paparazzi violated Spears’ privacy; staffers also took inappropriate peeks when her first child was born.

Most Americans think the Health Insurance Portability and Accountability Act (HIPAA) protects their privacy and that the HIPAA notice they sign at the doctor’s office lists all of their rights to privacy. In fact, that HIPAA notice lists the vast number of ways their private health information can be used, without asking and over objections.

HIPAA was originally intended to protect privacy. Regulators earlier in this decade rewrote the rule to sanction disclosure of medical information for treatment, payment or health care operations.

“Particularly troubling about HIPAA’s Privacy Rule is the governmental authorization for covered entities to use patients’ confidential information without their consent for health care operations that are unrelated to “payment or treatment,” writes Dr. Richard Sobel, senior research associate in the Program in Psychiatry and the Law at Harvard Medical School. Sobel explains that “health-care operations” can include using information for marketing purposes, which normally would require written consent.

Data-mining firms were given a gift by the rewriting of the HIPAA Privacy Rule. Data-mining firms can obtain information about your prescriptions, treatment for mental health and genetic predisposition to illnesses. That information can be passed on to credit firms, marketing firms and even prospective employers.


Patients need progress and privacy in this digital era. The only way to ensure we get both, and avoid the negative “celebrity treatment” Spears received, is to ensure the health IT bill signed by the governor fully recognizes the right of patient consent.

View the Full Story