With the push to move Electronic Health Records (EHR) "into the cloud," and my recent article about "the cloud" being vulnerable, I was curious as to what extent the Health Insurance Portability and Accountability Act (HIPAA) protects our privacy.
To start, I thought it best to define what is considered sensitive health-care information. According to the Health and Human Services (HHS) Department:
"Individually identifiable health information" is information, including demographic data, that relates to:
- The individual's past, present, or future physical and mental health or condition.
- The provision of health care to the individual.
- The past, present, or future payment for the provision of health care to the individual.
[A]nd that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social-Security Number).
I see all sorts of scenarios where well-meaning and not-so-well-meaning individuals would love to get their hands on this kind of information. For example, would not an advertising network, after learning I had an embarrassing itch, be more than willing to send me targeted pharmaceutical ads describing the perfect antidote?
Or, what if an enterprising blackmailer stumbled upon a document stating I failed a drug test? Whether my binge-eating poppy-seed muffins the morning of the test was the reason or not, I'd still have some explaining to do in order to retain my security clearances.
What are the chances?
A colleague told me I was "over the top" paranoid. I didn't think so. But I needed proof to convince him. And I found my proof at the Privacy Rights Clearinghouse (PRC) website. PRC offers:
A referral service for journalists and policymakers who are seeking victims of privacy abuses who have indicated a willingness to talk with the media and/or testify in legislative and regulatory agency hearings.
The non-profit's website has a search feature, and I configured a search using the following settings.
Here are the results.
221 breaches in 2012 alone, and those were just the reported breaches. The search results also provide a detailed listing of each breach. I was surprised; one after another reported stolen medical records as well as other sensitive data like Social Security numbers. Here is one example:
A handheld electronic device used by XXXXXX pharmacists was discovered missing on October 5. The device was not encrypted and contained patient names, addresses, diagnoses, medications, and health insurance identification numbers. Some health insurance identification numbers were Social Security numbers or contained Social Security numbers.
So there is a problem. Yet, in every one of the 221 cases, there was little if anything we as individuals could have done to prevent the theft of medical data.
HIPAA is supposed to help
HIPAA was created in 1996. It consists of Title 1, which focuses on preserving health insurance coverage if a person loses their job. Title 2 creates standards for electronic healthcare records and addresses the security and privacy concerns surrounding healthcare data.
To that end, Title 2 incorporates the following rules:
- Privacy Rule: Protects the privacy of individually identifiable health information.
- Security Rule: Sets national standards for the security of electronic protected health information.
- Patient Safety Rule: Protects identifiable information being used to analyze patient safety events and improve patient safety.
This HHS website goes into more detail about each of the rules, methods used by the Office of Civil Rights to enforce the rules, and how individuals can file a complaint.
What HIPAA does not protect
With HIPAA in place there are laws, and a way to enforce them. As to its effectiveness, I'll let you decide. I'm more concerned about what I hinted at in the Takeaway -- medical-record usage that HIPAA seemingly ignores.
As I was scanning through the PRC website, I came across two webpages that delineated what was covered by HIPAA and what was not. First the Medical Privacy FAQ webpage -- PRC wanted to clear the air right away:
Does HIPAA guarantee privacy for my medical information?
No. This is a major misconception about privacy in general. There is no universal privacy rule, even for sensitive medical information. Any privacy you do have depends on a number of things, primarily who has your information.
HIPAA provides some limited privacy protections. But HIPAA only applies to covered entities, that is, health-care providers, health plans, and what HIPAA calls "health-care clearinghouses", that is, those that transmit payment information electronically.
Next PRC introduces a term I was not aware of: Medical Information Bureau (MIB). It appears the MIB:
[G]athers information about individuals' health history and issues reports to insurance companies when you apply for private health, life or disability insurance.
Is MIB covered by HIPAA?
No. MIB is a consumer-reporting agency that falls under the Fair Credit Reporting Act (FCRA) and triggers certain consumer rights.
Update: A representative of Medical Information Bureau took issue with the statement by Privacy Rights Clearinghouse, claiming that MIB is required to follow HIPAA:
Under HIPAA, MIB is a business associate of its members engaged in the business of certain types of health insurance and, accordingly, MIB has certain privacy and security obligations and restrictions regarding protected health information. Under the Health Information Technology for Economic and Clinical Health Act, MIB must have administrative, physical, and technical safeguards that meet the requirements of the HIPAA Security Rule, as well as written policies and procedures that meet the requirements of both the Privacy Rule and the Security Rule.
For further information about MIB, please visit their website.
Can I find out who has accessed my health records?
Yes, for the most part. A listing of disclosures of your health information is required by HIPAA. You can find out who has accessed your health records for the prior six years, although there are several exceptions to the disclosure requirement.
For example, a listing is not required when records are disclosed to the many individuals who see your records for treatment, payment, and health care operations (TPO). Those involved in TPO do not need to be listed in the disclosure log. Incidental disclosures permitted under HIPAA also do not have to be accounted for.
The Medical Privacy FAQ webpage provides more information than I covered as well as links to sites providing additional help. Next, the most important question of all was on the Medical Records Privacy web page.
What medical information is not covered by HIPAA?
- Financial records: Your credit card account and checking transactions are likely to include information about where you go for health care. Insurance applications and medical claims also contain health-related information. So it is possible for such medical information to be shared among affiliates of financial institutions. Such information is not protected by HIPAA.
- Education records: Those maintained by your child's school contain vaccination histories, information about physical examinations for sports, counseling for behavioral problems, and records of visits to the school nurse. These records are not covered by HIPAA.
- Employment records: Employment and medical information may be mingled in situations not covered by HIPAA.
Again, I barely touched all the questions on the web page. If you have any concerns, please visit the website, as the answers are more detailed, and include references to organizations related to each type of record.
Our sensitive medical records are under attack from two fronts -- outright theft and gaping loopholes. I try to have some kind of solution, temporary or otherwise, but not this time. I'm at a loss. My only hope for this article is that you walk away with a better understanding of the current situation.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.