It’s not surprising that hospital employees would be interested in the medical records of celebrities like Maria Shriver, Farrah Fawcett, Britney Spears and George Clooney.
But famous names may not be the only ones whose medical files are being snooped through, according to two medical experts.
Essentially, all medical records — including the average Joe's — are up for sale to large corporations, research facilities and drug companies, said Dr. Deborah Peel, founder and chairwoman of Patient Privacy Rights, a non-profit advocacy group in Austin, Texas.
By signing a Health Insurance Portability and Accountability Act consent form, she said, you not only are giving your doctor and insurance company access to your medical records, but you may be giving them permission to sell your information, as well.
"The privacy rule requires health care providers to give patients a notice of privacy practices to provide them with important information on how their health information may be used and disclosed, as well as what their rights are with respect to their information and how the individual can exercise these rights," says Linda Sanches, senior adviser for HIPAA Privacy Outreach, Office for Civil Rights, U.S. Department of Health and Human Services.
In other words, be sure to read very carefully before you sign on the dotted line.
"HIPAA is both good and bad," said Devon Herrick, a senior fellow and health economist at the National Center for Policy Analysis, a non-profit advocacy group in Dallas, Texas, that researches public policy.
"You want to know your information is protected, but if I’m your doctor and I see another doctor who may know more about your condition, and I want to consult with him on your condition, I can’t do that without your consent."
Herrick also said many drug companies and researchers buy aggregated information so they can figure out which drugs work and which ones do not.
"The other aspect is commercial," he said. "Let’s say AstraZeneca wants to know about heartburn or GERD. They want to know what you are taking, so they can sell you their drug."
Sanches said for a health care provider (including doctors), health care clearinghouse (including public and private third-party billers) or health insurance plan to obtain that kind of information, there must be a signed authorization.
Advocacy groups promoting privacy rights are stepping out in light of recent, highly publicized breaches of confidentiality. On Monday, the media reported that TV newswoman Shriver, who is California’s first lady, was among more than 30 high-profile patients who had their confidential records breached at UCLA Medical Center.
Lawanda J. Jackson, the woman responsible in the Shriver case, is the same employee who sneaked into actress Farrah Fawcett's medical records, officials told the Los Angeles Times on Sunday.
She resigned in May 2007, reportedly before officials could fire her, after UCLA learned of the widespread breaches, but patients were not notified, the hospital said.
In all, the employee improperly looked at 61 patients' medical records in 2006 and 2007, according to state and local medical officials. These included those of Fawcett, Shriver and 31 other politicians, celebrities and well-known people, according to the Los Angeles Times. Names of the other patients were not disclosed.
The head of the UCLA Hospital System, Dr. David Feinberg, apologized for the breaches and said the woman behind them had been a "rogue" employee.
After being informed last week that his wife's medical records had been accessed, Gov. Arnold Schwarzenegger issued a statement saying that "a breach of any patient's medical records is outrageous."
The secretary of the California Health and Human Services Agency, Kim Belshe, said Sunday that her agency is "very concerned about what appears to be a pattern of repeated violations."
The state will be taking action against UCLA, she said.
This is the same facility that fired several employees for looking at Spears’ records when she was hospitalized in January.
In a similar violation, the medical records of Clooney and his girlfriend, Sarah Larson, were exposed to the press in September when the two were in a motorcycle accident in New Jersey. Palisades Medical Center suspended 27 employees in October, about a month after Clooney's accident, for accessing the actor's records, Peel said.
"Nothing is less secure than a big storage room full of paper," Herrick said. "And when I’m in the hospital anyone can see me, or the drugs I’m taking are lying on the cart for anyone to see. These are all things that are privacy issues."
And the issue doesn't get resolved as paper records give way to electronic records, Herrick said, offering the following scenario:
If a patient sees Dr. Brown today and Dr. Black tomorrow, Dr. Black can access the notes Dr. Brown made with the patient's consent.
In this respect, HIPAA is good.
But this also means protocols and restrictions have to be created so that vendors who should not be snooping can’t access those records, he said.
So, what can patients do to protect their medical privacy?
Peel said patients can download a patient privacy toolkit from her organization’s Web site, which includes a list of questions to ask a medical provider, a list of privacy rights and instructions for privacy rights that patients can sign and bring to their medical provider.
Another advocacy group, Health Privacy Project, offers these tips:
— Read notice-of-privacy practices carefully
— Talk about confidentiality concerns with your doctor
— Ask how your medical information is shared in a large health care organization
— Read authorization forms before you sign; edit them to limit the sharing of information
— Request a copy of your medical records and review them
— Be cautious on Web sites that ask you to take surveys
— If you feel you have been violated, register a complaint with your local Office of Civil Rights
Contributing: The Associated Press