Ravell Call, Deseret News
University Hospital Dr. Brian Hughes, left, talks with medical students Manuel Zarandona and Scott A. Witt, and Dr. Jeffrey Anderson.

Beth was out of the hospital less than a week after her baby was stillborn when she was bombarded with offers for baby formula, mementos, children's books. The mailings continued for more than two years.

Later she realized someone — possibly her doctor or the local hospital — had provided her name, address and even her due date to a marketing list somewhere.

The result was unintentionally cruel junk mail; for others, lapses in medical privacy have even had life-altering consequences.

Just ask the South Carolina woman who didn't get a job because she was once diagnosed with a seizure disorder. Her current physician doubts she ever had such a disorder.

Americans are divided on many issues — but not on medical privacy.

They believe overwhelmingly that identifiable health information should be confidential, and some go to extraordinary lengths to protect themselves. Some patients doctor-hop and pay cash to keep information out of their medical records. Some lie to their doctors. An estimated 8 percent don't get medical help at all because of privacy concerns.

When the Association of American Physicians and Surgeons surveyed 344 members in July, 87 percent said patients had asked that sensitive information be left out of their medical records; 78 percent of the doctors did omit information in some cases.

The issue has floated to the top of the national agenda, prompted by the recent release of privacy rules mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA privacy rules took effect in April but won't be enforced until April 2003. As the first sweeping federal medical privacy regulation, they are the "floor" on which states may build even tighter rules.

The rules provide civil and criminal penalties for privacy breaches, though no individual federal right to sue.

Utah is among states that have not given patients comprehensive access to their medical records — except those kept in government databases. Even that has exceptions.

Hospitals must let you see your medical record, but your private physician is not required to.

"The physicians own them," said R. Chet Loftis, general counsel for the Utah Medical Association. "They can choose to share them. And they can be compelled."

Reluctant doctors can be compelled by state law that says an attorney who has your written, notarized authorization can examine and get copies of records.

Still, "as a matter of course, we strongly encourage physicians to work with patients in providing access to medical records without the involvement of an attorney," Loftis said. The American Medical Association has said that patients should be able to see their records.

HIPAA gave Congress a drop-dead deadline to pass a health privacy law or the job would go to the U.S. Department of Health and Human Services. HHS wrote the rules during the waning days of Bill Clinton's presidency. George W. Bush's administration accepted them. Considered "final," they're not "finished."

The Bush administration plans to revisit some issues, such as whether a teenager can get contraceptives, an abortion or mental-health services without telling parents in states without a parental consent law. The South Carolina and Louisiana medical associations plan to challenge the privacy rules' constitutionality. Some in the health-care industry want Congress to start over or let the industry prove it can do the job itself. Both seem unlikely, but change is inevitable.

"We have a complete primer on health privacy," said Joanne Hustead of The Health Privacy Project. "The only thing not current is the discussion of HIPAA because that's a story unfolding as we speak. It will be changing for some time to come."

Rumors and horror stories were flying even before the rules were released. For the record, family members and friends can still pick up a prescription for a patient, and doctors will still be able to talk to family members in the hospital waiting room. Hospitals needn't provide private rooms for such consultations.

Yours, mine or ours?

Privacy advocates say the federal rules are a good first step, though not a cure-all. Health-care providers worry that the measure won't change much, except to bury them in paperwork. Critics say it will make things hard for everyone involved — the patient, the doctor called in to consult, the pharmacy, the insurance company.

The heart of the medical privacy issue is this: Who owns identifiable medical records?

"With sensitive information so easily accessible, patients want some control. There's real sensitivity to it being shared with employers, other insurance companies, even among other medical professionals who may or may not have a need to know. Up to now, it has been the viewpoint of doctors that they own the medical records, not the patient," said Steven Lucas, chief privacy officer at the Privacy Council. "This legislation goes a long way to allowing patients access to medical records."

The sharing of personal information is not necessarily bad. It can improve diagnosis and treatment, aid research and curb public health outbreaks. Treatment and provider reimbursement can't occur without exchanging some personal information. But polls show nine out of 10 Americans believe access to medical information has been too easy for people who should not have it.

To prove that, a researcher from Carnegie Mellon University used the then-governor of Massachusetts' birthday and ZIP code to get his health records from a supposedly anonymous database of state employee health insurance claims, then showed she could do the same for 69 percent of the thousands on the voting list in Cambridge, Mass.

Unquestionably, serious privacy lapses have occurred, some malicious. Consider these examples:

  • A Manhattan man sued drugstore CVS for buying his medical records, which showed he had AIDS. He was outraged to find his records in a chain where 100,000 employees and 4,000 stores are linked by computer. They refused to return his records.

  • The Washington Post reported last year that the medical records of a Maryland school board member were sent to school officials as part of a campaign to oust him. He had been treated for depression.

  • New York Congresswoman Nydia Velazquez's medical records, which revealed a bout with depression and a suicide attempt, were faxed from a hospital to the media on the eve of her primary. She won and testified about it before the Senate Judiciary Committee.

  • At least 141 employees at Kaiser Permanente Northwest, a hospital in Oregon, looked at skater Tonya Harding's medical file when she sought treatment for a sprained wrist.

  • A hospital employee's daughter got a list of patients' names and phone numbers while visiting her mother at work, then called them and told them they had HIV. She thought it was funny. One attempted suicide.

  • A Tampa public health worker stole a computer disk with names of 4,000 people who had HIV and sent them to two newspapers.

  • A banker who served on his county health board compared his customers' accounts with medical information and called in mortgages of anyone who had cancer.

  • A pharmaceutical manufacturer accidentally revealed 600 patient e-mail addresses when it sent a message to everyone registered to receive reminders about taking an anti-depressant.

  • A hacker downloaded medical records and Social Security numbers of more than 5,000 patients at the University of Washington Medical Center.

  • Thousands of medical records on their way to be destroyed fell out of a vehicle and were blown across Arizona.

  • A Michigan-based health system inadvertently posted medical records of thousands of patients on the Web.

  • A family practice in South Carolina sold its medical records to a speculator for $4,000, who then tried to sell some of them back to the patients.

Privacy 'simplified'

The federal medical privacy rule governs how "covered entities," including some health-care providers, HMOs and health-care clearinghouses, disclose personal medical information, whether on paper, orally or in electronic databases. The latter, particularly the Internet, has linked data and broadened who might be able to access information.

Privacy Council's Lucas notes that medical privacy only existed when files were on paper in a doctor's file cabinet.

Now they're everywhere.

The complicated rules took up 32 pages in the Federal Register (the preamble was 337 pages, much of it comments HHS had received). The "clarification" is more than 50 pages, with more to come.

Basically, they allow patients to review and copy their records, ask who has seen them and how the information was used. They can request corrections.

Health-care providers must get written authorization to share information for treatment, billing or other purposes. If a patient refuses, treatment can be denied.

"It hinges on how the authorization is written," notes Chip Yost, chief of staff for Sen. Robert F. Bennett, R-Utah. "The authorization can give away the moon."

The rule bars employers from using medical records to make employment decisions. How much access an employer has to personal medical information varies. Companies that self-insure have more access than those that don't. If an employee seeks help through an employee assistance program or an on-site clinic, the information can still go straight to the boss — something many workers don't realize.

"Covered entities" cannot sell personal data to marketers. But they can use it to promote their own health services. And there's nothing to stop marketers from hiring doctors or hospitals to send special offers to selected patients for them, though patients must be able to get off the mailing list.

Hospitals and other covered entities must have "business associates" sign contracts that say they will live by the privacy protections, which greatly expand who is covered by the rule. That's a big undertaking, said Dr. Brent James of Intermountain Health Care. IHC, for instance, has more than 8,000 doctors and contractors.

IHC boasts a long history of such privacy protections. While it "fully supports the concepts" of the federal rule, James said, "our patients gain nothing for privacy, and it does add administrative hassles."

Other hospitals agree.

"We have an obligation to patients that when they are seen here, their medical information is kept secure," said Dr. Pierre Pincetl, chief information officer for the University of Utah Health Sciences Center. "So we have a longtime practice of having employees sign a patient-confidentiality agreement."

So does the Huntsman Cancer Institute. Violating a patient's confidence, said executive director Dr. Stephen M. Prescott, is a foolproof way to get yourself fired.

Many hospitals monitored the audit trail on electronic records systems to see who looked at information long before the privacy rules required it. That just shows who called up the record, though, not whether they told someone else, who might have told someone else.

What James calls the privacy rules' "hassles" are expected to be costly. The U.S. government said the rules will save money over time but predicts the implementation cost at $17.2 billion over 10 years. First Consulting Group says it will cost $22 billion over five years to implement just three of 15 elements.

Free-flowing information

Even consumer advocates who like the new rules say they don't address all privacy concerns. And they caution people not to think they now control their personal medical information. They have more control, but that's all.

Law enforcement can use medical information for specific purposes, without patient consent, though only what's relevant to an investigation and as little of that as is necessary.

States can still demand identifiable information, including sexually transmitted diseases, for public health surveillance. What gets reported varies from state to state.

Even foreign governments can get information deemed necessary for "public health" without the patient knowing.

Researchers are supposed to get permission to use identifiable information, but an Institutional Review Board can waive that requirement, something the National Institute for Health Freedom decries. Researchers say it's absolutely essential that privacy not hinder research.

Privacy — or lack of it — can't hinder the practice of medicine, either.

"Providers have to be able to do their jobs and get paid for it," said IHC's James. "But patients have to have confidence in the health-care system. If they don't feel they can be honest, none of it works."


E-mail: lois@desnews.com