Insurers: Records weren’t lost at health fair

See Story: Insurers: Records weren’t lost at health fair

This story just gets worse, highlighting the poor judgment of the insurance companies. Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan never even considered how sensitive patients are about the privacy of personal health information, from their prescription records to DNA.

Now Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan claim that taking the health records of 285,691 people to community health fairs is a way to “save lives”. That particular argument is often used to make people believe that a decision was made for important and worthwhile, even essential reasons. So let’s take a look and see if the decision to take health records to community health fairs is a good decision or makes sense.

The insurers want their employees to check people’s medical records and decide if a test is needed, like a mammogram, and schedule it—at a health fair. But as a matter of law, ONLY physicians can order tests like mammograms—not insurance company employees. Their employees cannot schedule doctor’s appointments, much less medical tests. Besides, most people are very uncomfortable with strangers, who are not health professionals that treat them, looking at their medical records.

Most people would never want their sensitive health records taken to health fairs in the first place. Obviously, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan did not ask those enrolled for consent to take their records to health fairs, or anywhere outside of their offices where personal records are supposed to be used to ONLY to pay claims.

Most people strongly object to health insurers even having, keeping, or using their sensitive health records. Patients want insurers to have the bare minimum information about them to pay claims. Patients typically do not turn to insurers for advice about their health, about treatment, or to recommend tests.

And the insurers say conflicting things about what kinds of information and how much was on the flash drive. If only recent screenings were on a flash drive, a woman’s last mammogram might not be there. No physician would order a test like a mammogram without knowing the exact date of the last one and the details of her history, like what risks she has for breast cancer. Unnecessary mammograms expose women to radiation.

It appears that this example of helping women at health fairs to get needed mammograms doesn’t make any sense, because the employees of insurance companies cannot order or schedule mammograms—or doctor’s appointments.

The example of saving women from breast cancer at community health fairs is so far-fetched that it may have been fabricated to try and make it seem that the insurers had good reasons to take sensitive health records out of their offices. But it’s hard to judge their reasons and intentions without full disclosure, so we are left with the few things they said and did. They exposed 285,691 people’s sensitive demographic and health information to loss, sale, identity theft, and medical identity theft for reasons that don’t make sense.

Is it responsible to allow insurance employees access to people’s sensitive health records at health fairs and risk the loss or theft of that sensitive data?

If the insurers actually put complete or very detailed health information on enrolled patients on a flash drive that would enable a health professional to know enough to order certain tests, and the stated goal is to increase screening for needed tests, and there are far more effective and privacy-protective ways to do that. They do not have health professional staffing their booths at health fairs. Insurers could contact patients directly by mail or email or phone IF the patient had opted in to receiving advice or reminders from them. Or insurers could contact doctors if they think a test is needed, so doctors can evaluate full records and decide whether tests should be ordered.

Risking the privacy of 285,691 people at a health fair to improve screening for breast cancer or other unnamed conditions is a bad decision—whether they encrypt the data or not. Encrypting the data would have lowered the risk of loss, theft, or sale of the information, but would not solve the problem of using patients’ sensitive health information in ways that they would never want or agree to.

PPR on article: What ‘Patient-Centered’ Should Mean…

It is extremely helpful that the nominee to head of one of the largest federal agencies, the Centers for Medicare and Medicaid (CMS), stated he believes medical records should belong to patients.

You will be intrigued by Don Berwick’s terrific and very personal article titled “What ‘Patient-Centered’ Should Mean: Confessions Of An Extremist, A seasoned clinician and expert fears the loss of his humanity if he should become a patient.” He is a highly respected physician and scholar. Key quotes:

  • “Medical records would belong to patients. Clinicians, rather than patients, would need to have permission to gain access to them.”
  • “My proposed definition of “patient-centered care” is this: The experience (to the extent the informed, individual patient desires it) of transparency, individualization, recognition, respect, dignity, and choice in all matters, without exception, related to one’s person, circumstances, and relationships in health care . . .”

Interviews

Visit our Interview Page to see an archive of interviews Patient Privacy Rights took part in. Here are just a few:

Charting a New Course, September 13, 2009
CBS Sunday Morning covers electronic medical records, and Ashley Katz reminds all that privacy is a must.
Read more and Watch Video

Pushing E-Health Records, April 22, 2009
In this On Point Interview with Tom Ashbrook, Deborah Peel, MD explains that with the benefits of EHRs come the privacy risks.
Read more and listen to this interview

Hospitals consider paper-free records, April 10, 2009
Ashley Katz, in an interview with Marketplace, weighs the efficiency and easy of medical records against the real privacy concerns that lead to discrimination based on health.
Listen to this interview
Read this interview

See more

Re-Identification. From Netflix to Health Records.

Today’s NY Times story points out the FACT that is very easy to re-identify supposedly “de-identified” information. Singer starts with how the Netflix “de-identified” data base was proven to be re-identifiable and moves on to describe Latanya Sweeney’s famous re-identification of the medical records of Gov Weld.

See the NY Times Article: When 2+2 Equals a Privacy Question

Healthcare moving to Cloud Computing

Joe Conn looks more deeply into the problems of ‘cloud’ computing for the storage, exchange, and analysis of health data. See his article in Modern Healthcare: ‘Healthcare is slow to change’ to cloud environment

Today there is not yet a trusted organization to certify the privacy of electronic health records systems, whether on servers or in clouds.

Until the privacy of health data can be assured first with trusted security certification and then with a separate stringent privacy certification (proving that patients control the use and disclosure of their sensitive records) Americans will not trust that their data is safe.

Proof that consumers control personal data in clouds will be essential for trust in health IT.

So far all we have are promises of security and privacy. We won’t trust without verification .

Electronic Health Records wired for abuse

“Oops! They did it to Britney again.” No, it’s not a song parody, but a reflection of the poor state of American health privacy – something Bay Staters should think about as their Legislature considers a bill to mandate Electronic Health Records (EHRs).

Staff members at UCLA’s Medical Center are under investigation over allegations staffers accessed Britney Spears’ medical records earlier this year. Sadly, this is not the first time individuals other than the paparazzi violated Spears’ privacy; staffers also took inappropriate peeks when her first child was born.

Most Americans think the Health Insurance Portability and Accountability Act (HIPAA) protects their privacy and that the HIPAA notice they sign at the doctor’s office lists all of their rights to privacy. In fact, that HIPAA notice lists the vast number of ways their private health information can be used, without asking and over objections.

HIPAA was originally intended to protect privacy. Regulators earlier in this decade rewrote the rule to sanction disclosure of medical information for treatment, payment or health care operations.

“Particularly troubling about HIPAA’s Privacy Rule is the governmental authorization for covered entities to use patients’ confidential information without their consent for health care operations that are unrelated to “payment or treatment,” writes Dr. Richard Sobel, senior research associate in the Program in Psychiatry and the Law at Harvard Medical School. Sobel explains that “health-care operations” can include using information for marketing purposes, which normally would require written consent.

Data-mining firms were given a gift by the rewriting of the HIPAA Privacy Rule. Data-mining firms can obtain information about your prescriptions, treatment for mental health and genetic predisposition to illnesses. That information can be passed on to credit firms, marketing firms and even prospective employers.


Patients need progress and privacy in this digital era. The only way to ensure we get both, and avoid the negative “celebrity treatment” Spears received, is to ensure the health IT bill signed by the governor fully recognizes the right of patient consent.

View the Full Story