Authorized Personnel Only!
by Nathan Johnson
A bank turns down a loan after looking at the applicant's medical
record. An employer doesn't make a hire because of something
they spotted in a medical file. Hundreds of medical records
are accidentally posted on the web for anybody to see. These
are all reasons the federal government is stepping in to regulate
the privacy of medical information online.
Imagine you are suffering from a condition that requires you to take
a prescription. One day you receive a magazine in the mail,
designed specifically to give you information and news about
your ailment. Where did these people get your name and how
did they know about your problem? And who else has access
to this information? You may not realize it, but you yourself
may have inadvertently authorized the release of your sensitive
medical information.
There are currently no federal laws protecting your medical record.
True, certain laws protect certain information that may be
on your record - things like AIDS testing and the results
- but, overall, the amount of protected information is spotty
at best and, at the moment, is left up to each state's discretion.
Legislation vs. Industry Self-Regulation
In the face of growing consumer concern over privacy on the Internet,
the government and the private business sector have been going
head to head. The battle has escalated as it has become increasingly
clear that the medical industry is having difficulties regulating
itself. As a result, privacy advocacy groups have been calling
on the government, more urgently than ever over the last year,
to introduce legislation protecting the privacy of individual
medical records. Congress did impose an August 21, 1999 deadline
on itself to pass medical record privacy laws, but after the
deadline passed with no action on its part, the responsibility
went to the Department of Health and Human Services to propose
standardized rules, which it released in November of last
year.
Those rules have prompted major debates between privacy advocacy
groups and health care professionals. Consumer advocates argue
that even the new rules allow too many parties to access your
information. "The scope just isn't large enough," says Deborah
Pierce, staff attorney for the Electronic Frontier Foundation,
a non-profit organization involved in freedom of expression
and privacy on the Internet. "I would like to see federal
legislation," she adds.
As the rules stand, only health care providers, health plans
and health clearinghouses are restricted; none of the entities
connected with these three groups, such as workers' compensation
plans, employers, or life insurance carriers, are restricted
by the rules. (HHS did try to extend the rules to cover those
entities by referring to them as "business partners" and requiring
they be contractually bound to adhere to the same principles
as the organizations covered by the rules.)
On the other hand, health care organizations argue that limiting
the amount of information transmitted between health professionals
will only hurt the patient by reducing the quality of care.
There are also mixed opinions among health care professionals.
Some health care web sites have accepted the inevitability
of government intervention and have tried to get ahead of
the game by complying with the rules, even before they take
effect. "We delayed our launch date so that we could deal
with issues of privacy and security," says Durjoy "Ace" Bhattacharjya,
co-founder of medicalrecords.com. And Stephen N. Malik, founder
and CEO of VirtualMedicalGroup.com, adds, "anything the government
does regarding privacy is positive."
Other health care organizations believe that while the proposed
rules are a good starting point, the amount of time it will
take to implement them is a hindrance to their effectiveness.
They advocate enhanced industry regulation as a way to ensure
consumer confidence.
Privacy Seals
One privacy measure currently employed in the health care industry
involves the use of privacy seals. These seals are an indication
that a company's privacy policy passes a certain set of standardized
rules. The company that issues a particular seal supposedly
regulates its member companies. However, the seals are not a guarantee
of security or enforcement, and civil rights groups have argued
that only the force of the law can give consumers the feeling
of security they need to feel comfortable utilizing health
information web sites. So far, no member companies have ever
been referred to the Federal Trade Commission for investigation.
Furthermore, the companies that issue the seals are oftentimes sponsored
and funded by some of the same businesses that display the
logo. Could these business interests influence the standards?
Protect Yourself
What can you do to protect your medical information? Only
a few options exist and they are not foolproof. If you are
keeping your own personal medical record online, carefully
check the host health web site's privacy policy. If it displays
a privacy seal, then you know the privacy policy had to pass
standardized rules. A couple of reliable seals are TRUSTe
and BBBonline. While it's not a guarantee of privacy, your
information may be better protected than in the absence of
a seal.
According to Privacy Rights Clearinghouse, a San Diego-based civil rights
advocacy group, the following are a few of the actions you
can take to protect your medical records:
When you visit your doctor make sure not to sign a blanket
waiver authorizing the practice to release your record. Instead,
edit the waiver to limit the amount of information released
- only authorize the release of the part of your medical record
pertaining to the date of treatment and the condition treated.
If you want a specific condition kept confidential,
bring a written request revoking your consent for the release
of your record for that particular visit. In this instance
you will have to pay for the visit yourself. You may even
want to see a different physician in order to be completely
sure of confidentiality.
Ask your doctor about his or her policy on the use of faxes
and cordless and cellular phones when transmitting medical
information. Wireless transmissions are less secure and can
be easily overheard on electronic devices. Faxes are an even
bigger problem. Many people in the office may have access
to the transmissions and precautions should be taken when
sending and receiving medical information.
While none of these options will ensure total privacy, they are
a place to start. And until the government gets its act together,
we'll have to hope the industry can give us something to believe
in.