Protecting your privacy
You have the power to control what aspects of your medical history may be shared, and with whom. Learn what the laws are and how to protect yourself.
by Beth Adelman
Imagine discovering that a confidential fax about your medical treatment that you had sent to your doctor had been discussed at an office party, and again at a private birthday party, without your or your doctor’s knowledge. That’s what happened to Elizabeth Carlson, an MS activist who was diagnosed in 2002. “I felt completely humiliated,” says the New Brighton, Minnesota, resident, who learned about the privacy breach through mutual acquaintances she and the doctor shared. “It was a painful thing, feeling I was fodder for gossip.”
While this type of incident is rare, it can happen under certain circumstances. In this case, the medical facility where Carlson received her treatment simply had not been careful enough to protect its patients’ privacy—a lapse that, as it turns out, is not legal under the Health Insurance Portability and Accountability Act, or HIPAA, a set of laws passed by Congress in 1996, in part to protect people’s medical privacy.
After learning what happened, Carlson decided to speak with a patient advocate at the facility in question. Afterward, the facility enacted much more stringent rules and policies to protect patients’ privacy, and implemented staff training.
This experience crystallized for Carlson the importance of self-advocacy. She says all people with multiple sclerosis could benefit from knowing more about HIPAA and how it protects their rights. “Having a chronic illness can be exhausting, but it’s important to be very present and aware during appointments,” she says. “You need to be your own best patient advocate.”
What is HIPAA?
HIPAA contains rules about medical privacy, as well as provisions that regulate health insurance coverage for people with pre-existing conditions. With the implementation of aspects of the Affordable Care Act (ACA) in 2014, the pre-existing condition provisions are not as critical. However, HIPAA’s privacy rules have become more important than ever with the advent of private health exchanges and electronic medical records, and their scope was even extended in 2013. These rules apply to most health plans, including employer-provided group plans, individual policies, Medicare and Medicaid.
Here are some key points of HIPAA’s privacy rules:
- Healthcare facilities nationwide, and many of the companies they do business with, must have formal safeguards, including clear policies and electronic file security, to protect private health information, and must train all their staff about privacy concerns and practices. They must also have a designated privacy officer.
- A healthcare facility must provide a notice to its patients detailing its privacy practices, how patients’ medical information is used and disclosed, and how patients can contact the facility’s privacy officer.
- Patients have the right to see and obtain copies of their medical records.
- Patients can specify that their information be shared with healthcare providers, family members and anyone else they designate; they can also place restrictions on how information is shared and with whom.
- Patients can specify how and where healthcare providers may communicate with them, such as whether to call them at home or work, or whether it’s permissible to leave a message on an answering device.
- Information about genetic tests cannot be used by or shared with insurance companies in determining coverage.
- If patients pay out of pocket for any services or drugs, they can instruct healthcare providers not to share this information with insurance companies.
- Personal information cannot be shared for marketing purposes with third parties, such as pharmaceutical companies, without the patient’s consent.
If, as in Carlson’s case, you believe any of these rights have been breached, you can file a complaint with your healthcare provider and with the Office of Civil Rights at the Department of Health and Human Services. (See “Where can you learn more?” below.)
Who has access
The most frequent question that the National MS Society’s MS Navigators field about medical privacy is whether employers can get access to a person’s health information through insurance or benefits paperwork. The answer is no. Neither your healthcare provider nor your health insurance company may disclose any personal health information to your employer without your authorization. However, HIPAA applies to health records only. It doesn’t apply to employment or school records, even if they contain health information. And HIPAA can’t stop your employer from asking for a doctor’s note for sick leave.
In 2013, HIPAA privacy rules were extended to companies that do business with healthcare and health insurance companies—consulting firms, medical billing services, auditors, legal advisers and many others. This has closed an important loophole, says Pamela Schafer Rayne, associate senior counsel in the legal department at the Johns Hopkins Health System in Baltimore. “A lot of breaches seemed to happen on the vendor side. Previously, [vendors] were not directly regulated and so they sometimes were not properly trained,” she says. “Now that the rules, and the liability, have been extended, they have an incentive to comply.”
Another frequent concern is that people may have trouble getting copies of their own medical records. The HIPAA rules make it mandatory for healthcare facilities to provide copies of medical records, if requested, and in most cases they should comply within 30 days, even if someone hasn’t paid his or her medical bills. People may be charged for copies and mailing, but there are limits on the fees.
Allies in health
Yet another concern is when you want to include a close friend or family member in your healthcare decisions. In such cases, you need to “provide guidance beforehand,” advises Dr. Scott Newsome, director of neurology outpatient services at Johns Hopkins Hospital, where he sees many people with MS. No matter what your current age or medical condition, Dr. Newsome says it’s best to put your wishes in writing “before you need help with your medical care.” Ask the medical facility for a form that authorizes your healthcare professional to discuss your condition with someone else, and make sure the staff keeps it on file. Have your trusted ally keep a copy, as well.
Privacy paperwork may vary in format from facility to facility, as there is no standard form, but in every case, it will include information about who will have access to your private health information, Dr. Newsome says. “Make sure whoever has access is supposed to be involved with your care. Make active decisions about who you want to see your information.” He points out that you can also specify which friends or family members may not receive information about your medical care.
Carlson emphasizes that there is much that people with MS can and should do to protect their privacy. “Sometimes you are so concerned about the outcome [of a doctor visit] that you forget to look at the environment,” she says. For instance, is check-in set up so other people can’t hear your private information? Is your doctor speaking to you in the hallway or in the waiting room? Notice who is around you, and ask to be in a more private setting if you feel others are listening in.
Carlson also suggests keeping records of whom you see and speak with, and when—not just at the doctor’s office, but also during phone calls to your insurance company or anyone else involved with your healthcare. And she recommends saving privacy notification forms you sign and any patient bill of rights or similar documents to refer to in case you have any questions about privacy rights. (See “Organize your medical records.”)
Rayne recommends treating after-visit summaries—a form a doctor might give you at the end of a visit summarizing what you discussed—like other confidential documents, and either filing them someplace safe or shredding them.
Rayne warns that if you want to communicate with your doctor by email, you should remember that it is not necessarily secure. Carlson adds that social media like Facebook and Twitter are not appropriate places to share health news. Even if you restrict access to your Facebook friends, your posts are still not fully private. While your medical privacy at the doctor’s office is protected under HIPAA, you are your own best advocate for privacy when it comes to ensuring those rules are followed—both inside and outside of the office.