For Sale: Your Medical Records?

In a quiet data warehouse, somewhere on the Internet:

“Step right up for our big clearance sale! Today only, we have billions of medical records. Pharmaceutical companies, learn what doctors are prescribing. It’s the best way to convince them to switch from your competitor’s brand! We also have deals on using patient information from pharmacies to pitch advertisements directly to the consumer. We can even help you outsource to companies not covered by health privacy laws!”

Wait a minute, that doesn’t sound right. Isn’t my medical information private? You’re not talking about medical records about me, right?

Actually we are. Calling the federal medical “privacy” laws riddled with more holes than Swiss cheese is an insult to Swiss cheese. Privacy rules (formally known as the Health Insurance Portability and Accountability Act, or HIPAA) supposedly prohibit health care providers from disclosing medical information — but these rules apply only to doctors, hospitals, insurers and other covered entities. Once they are shared with “business associates” (which can happen for any reason), these associates are not bound by HIPAA and can resell the information at will.

This leads to the resale and repackaging of patients’ records and personally identifiably information from non-covered entities to other corporations, including employers, insurance companies, for-profit and not-for-profit researchers, and pharmaceutical companies. Due to this loophole, a multibillion dollar industry has sprung up, trafficking in prescriptions, personal health information and other coverage information.

But there are good reasons why you don’t know what’s happening with your medical records. Seemingly the only person who doesn’t have access to them is you. You have almost no ability to see who has looked at your record, limit where it gets sent or control access to it. Providers are not required to tell you when your information is lost or stolen.

Fortunately, that sorry situation has just gotten a little bit better. Included in the mammoth stimulus legislation that President Obama signed earlier this week was a section encouraging doctors and hospitals to move toward the use of electronic medical records. And it included important language plugging some holes and improving some privacy protections for both electronic medical records and medical records in general.

However, much will depend on how the law is implemented, especially the regulations that will now be created to implement the new law. Those regulations could mean the difference between significant new protections that go a long way toward protecting the privacy of American patients, and yet another set of loopholes that leave Americans’ medical lives out in the open.

Hopefully in the future when you head back to the data warehouse you’ll hear something different, perhaps: “Sorry folks, no medical data for sale here, we’ve been shut down!”

Here is our more formal analysis.