It’s a truism to state that your medical records are extremely sensitive. Health care files could include details of treatment for a sexually transmitted disease, depression, or drug addiction – not to mention any number of more mundane treatments. And because these records contain such intimate data, we should be able to control how they’re used.
Physicians have long recognized the sensitivity of health information. That’s one reason why nearly every physician practicing medicine has sworn to uphold the 2,500-year-old Hippocratic Oath. Among other provisions, a physician taking the oath makes the following pledge:
“I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”
However, in the United States, this aspect of the Hippocratic Oath is at best aspirational these days. Because when it comes to your medical records, very little privacy exists.
It wasn’t supposed to be this way. In 1996, Congress enacted what was purported to be an omnibus medical privacy statute, the Health Insurance Portability and Accountability Act (HIPAA).
In 2001, the Department of Health and Human Services issued preliminary regulations under HIPAA requiring patient consent for third-party use of “protected health information,” including its use for such common activities as treatment, billing, and “other healthcare operations.”
But starting in 2003, changes made to HIPAA eliminated your right to control the disclosure of your own medical records. The phrase “patient permission” was changed to “regulatory permission.” This one rule change means your medical records can now be disclosed to any “covered entity,” including data clearinghouses, accounting firms, law firms, and banks without your permission. In certain circumstances, your employer can obtain “regulatory permission” to view your medical records.
Your medical records can even be released to marketing companies if what they’re selling is related to your condition or how it’s treated; the management or coordination of your care; or involves alternative treatments, therapies, health care providers, or other care settings.
What’s more, a federal rule that went into effect in 2006 allows lenders to obtain or use medical information for determining if you qualify for credit. They can’t do it directly, but if they gain access to your medical records, they can legally share it with their “affiliates.” This magically converts the data into credit information, not medical data.
Indeed, your “protected health information” can be disclosed without your authorization in 12 different scenarios. Consider this diagram from thedatamap.org showing where the data of “You, the Patient” is shared.
Thus, when you visit a physician or health care facility in the United States, never assume that what you disclose to them will remain private. And the “HIPAA Notice” almost every medical facility requires you to sign as a condition of treatment virtually guarantees your medical records will be used, disclosed, and disseminated without your consent.
You can, of course, request that your physician or other health care provider restrict disclosure of your personal medical data. But they are under no legal obligation to comply. Nor do they have to state a reason for denying your request, or for that matter, respond to it at all. And even if they agree to a restriction, in some cases, they might be prohibited from honoring it.
What can you do to take back your right to medical privacy? One suggestion that once was feasible was to seek out medical care in a fake name and pay cash for it. That’s increasingly difficult today. Most health care providers now require you to present a photo ID to obtain service, purportedly to prevent “medical ID theft.”
This strategy is also risky because if you need a prescription and are asked for ID (as may be required for some medications, particularly those that are frequently abused), you might not be able to pick it up.
However, you have a legally enforceable right to insist that a health care provider not disclose your medical information if you pay for your own care in full, or if someone else pays for it in full. The only exceptions are if the payment pertains solely to medical care or if disclosure is required by law (e.g., if you’re diagnosed as being HIV-positive).
But it’s hard to meet all the required qualifications for these restrictions to apply. You must pay for every aspect of your treatment in full and notify every service provider involved in it along the way of your insistence not to disclose details of it. For instance, if you pay a physician in cash but let your insurer pay for blood tests, you aren’t exclusively paying for your treatment. As well, some insurance companies (including Medicare in certain cases) don’t permit patients to pay their physicians directly.
Plus, you might find that if you want to pay cash, you’ll pay more. That’s because you won’t qualify for the negotiated lower prices that insurance companies receive.
However, some physicians will accept payment directly from their patients without involvement of insurance companies or the government. There’s a list at this link. Another good resource is Medibid.com, which offers a forum for physicians and health care facilities to list their prices in advance.
Finally, you can opt for private treatment in another country. Indeed, “medical tourism” is booming, although it’s been hobbled by the border closings put in place to fight the COVID pandemic.
One popular destination for medical tourism, though, remains open to Americans – Mexico. No border restrictions are in place for visitors from the United States entering Mexico, and it remains a popular choice for private – and lower-cost – medical services.
The threats to the privacy of your health data aren’t going away. Indeed, it’s likely they’ll get worse as the relentless rise in the cost of medical care forces employers and insurance companies to develop new tools to control expenses. But by taking these precautions, you can reduce the likelihood that your data will be used against you.