How Secure Are Your Medical Records?
Eight tips to better protect the privacy of your health information
Caroline Mayer is a consumer reporter who spent 25 years working for The Washington Post. Follow her on Twitter @consumermayer
Still, there are many moments when I’m troubled about technology's potential impact on the privacy of my medical records. I wonder: Who else is reading the emails I send my doctor? Who’s tracking me when I research an ingrown toenail online? Even more disconcerting is my “personal health record” on my health insurer’s website — a list of my prescriptions and ailments based on doctor visits and pharmacy purchases.
And given the shaky start to the Affordable Care Act (aka Obamacare), my concern about computer security has increased even more lately.
Should I be worried? Should you?
What Privacy Experts Say
To find out, I turned to several privacy experts and asked their advice on the best ways to protect our medical records.
“We should all be concerned about medical privacy,” says Adam Levin, chairman of Credit.com and Identity Theft 911. The reason, he explains, is simple: There are a lot of people and companies involved in processing medical payments — doctors, labs, insurers, pharmacists, pharmacy benefit managers (intermediaries between drug stores and insurers), even banks that process credit and debit card payments — and “an awful lot of data is moving back and forth” among them. Many of these transmissions, Levin says, may not be properly encrypted.
It’s not just an idle concern. Levin told me that “breaches upon breaches have occurred in the medical area.”
One way that medical ID theft occurs is when a thief uses your name and perhaps your insurance information or Social Security number to obtain care. Alternatively, a con artist might use your identity to create a phony bill, allowing him to scam money out of others, particularly Medicare or insurers.
The results can be devastating: You could be harassed by debt collectors. You might be turned down for a job or promotion if a false diagnosis, such as depression, appears on your medical record. You could receive an incorrect diagnosis or treatment — for example, if someone swiped your identity and that then changed the blood type and allergies appearing in your records or added a bogus ailment to your charts.
What’s more, phony medical claims could prompt your health insurer to deny future claims, saying you exceeded its plan’s limits.
Less nefarious — although possibly more detrimental — is that your medical records and the health info you share on social media sites or through smartphone apps could be used to deny you insurance or boost your premiums. (That’s why you should think twice before signing up for apps that track weight, blood glucose levels and even your anxiety level.)
Loopholes in a Law
But wait. What about those papers doctors make you sign on your initial visits as a result of the 1996 HIPAA law (Health Insurance Portability and Accountability Act), the ones that say which records can be disclosed and to whom? Aren’t they supposed to protect your privacy?
Actually, that law excludes life insurers, self-help websites, companies collecting health data given voluntarily to surveys or research and firms that conduct medical screenings at pharmacies, shopping centers and other public places.
As a result, “people are frequently targeted with marketing communications based on information obtained outside of HIPAA protections,” says Deven McGraw, director of the Center for Democracy & Technology’s health privacy project.
Also not covered: over-the-counter drugs (use your frequent shopper’s card to buy Preparation H at the drugstore or supermarket and others may ultimately find out).
As a result of all these loopholes, according to the World Privacy Forum, even if you try to keep certain procedures or diagnoses private, it’s almost impossible to do.
Electronic recordkeeping has made patients’ medical information much more accessible, too. “For many years, medical information was trapped in Manila folders” and inaccessible to fraudsters, says Lauren Fifield, government affairs and policy advisor to Practice Fusion, a San Francisco-based firm providing electronic health networks and records to doctors and patients.
With electronic records, she adds, patients “need to take personal responsibility for their information” to make sure it is protected.
8 Tips to Protect Your Medical Privacy
Here are eight tips on how to begin that process:
1. Ask your doctor and other medical practitioners about how they share your medical information and with whom. “Some providers are more sensitive than others, so find one you can trust,” says McGraw.
2. Read your privacy rights. Closely examine the forms you fill out in medical offices. Some provisions vary from doctor to doctor.
3. Don’t readily give out your Social Security number if your doctor’s office asks for it. “Ask why they need it,” says Levin. “If they have your insurance information, they shouldn’t need your Social Security number too.”
Of course, if you’re on Medicare, your SSN is your billing ID number (plus a single letter that follows). In that case, take a precautionary step to reduce the chance of identity theft by making a copy of the card to carry with you and then blacking out your Social Security number in case your wallet is ever stolen.
4. Read your insurance bills carefully, even if no money is due. To make sure no one has stolen your identity, be certain you weren’t charged for office visits you didn’t make or procedures you never received. If you spot any inaccuracies, report them to your insurer immediately.
5. Review your credit report annually. Many medical ID theft victims have discovered they were scammed after spotting a collection notice from a hospital or medical lab in their credit report. If that happens to you, contact the credit bureau immediately to report the identity theft and contest the notice with the collection agency. (You can get a free credit report once a year at Annualcreditreport.com.)
7. Be discreet browsing the Internet. Some search engines, such as Google, track your searches, often to sell to third-party advertising sites. So if you’re browsing something medically sensitive that you don’t want tracked, consider using search engines that refrain from that common practice. Washington, D.C. privacy consultant Robert Gellman likes Startpage.com and Duckduckgo.com.
8. Be cautious about providing personal medical information for surveys and screenings and to health sites and pharmaceutical companies. Ask how the information will be used and who’ll have access to it. If you don’t like what you hear, just say “no.”