Privacy advocate talks about who, what has access to your medical information

8:20 PM, May 22, 2013

In the digital age, more and more private information is becoming less private.

The Health Insurance Portability and Accountability Act (HIPAA), signed into law in 1996, is designed to protect people's health data. However, weak barriers in HIPAA are making your private health information public to debt collectors, lawmakers, attorneys, the company you work for, etc.


News10 anchor Cristina Mendonsa talked to Privacy Rights Clearinghouse Research Director Tena Friery about health privacy and who has access to your information in the following Q&A:


First on the Medical Adherence Score:  Can consumers safeguard their prescription information from FICO at all?  Would using a smaller pharmacy help or is the information obtained from insurance companies? Does the scoring take into account a person's employment (unemployed/can't afford meds)? Are the actual medications in the data given to FICO or only the record of filling/renewing prescriptions? Who do consumers write if they don't like FICO having access to this information?

The FICO Adherence Score was in the news a couple years ago, but I've not heard much about it lately. As I understand it, the score is not computed based on actual prescription or other medical information identifiable to any individual or that individual's past behavior, e.g. taking his or her medication or not. Rather, this score is based on a person's likelihood of taking their medication based on certain data, e.g. age, employment or housing stability, marital status, gender. Here's FICO's description of the score. It is, they say, useful for healthcare providers to use as a reminder to patients who have a high score to take their meds. Not taking meds results in higher health costs. FICO says it will not be used for insurance underwriting, but only for health workers to encourage patients to take medications. But, who knows how it will be used in the future? From a privacy standpoint, there are certainly concerns about this kind of predictive behavioral scoring. Here's one story where I expressed concerns.

To my knowledge, we've not had consumers contact the PRC about this score. I suspect few people have even heard of or recognize that the score may have prompted a call from their pharmacy--even when they are taking their medicine as prescribed.

As for what consumers can do, I believe the market for various scores, even those based on actual consumer behavior, is one that should be more transparent. Regulators and lawmakers should start by giving consumers the right to any score and scoring model that allows businesses to make judgments about them. A first step would be free credit scores. If consumers want to voice an opinion, they should contact the Federal Trade Commission and/or their representatives in Congress. I believe the FTC did touch on predictive scoring in a report to Congress about privacy. I'd have to look into that further if you'd like more information.

On MIB: I know this database has been around for a while, how do you know if there is a file kept on you? What kinds of things are in the file and who has access? How can you affect what is in your personal MIB file?

MIB is a central database used by member insurance companies for underwriting individual health, life or disability insurance. MIB essentially functions like the credit bureaus, that is, member insurance companies furnish information to MIB and MIB may, in turn, issue reports to other member companies when someone applies for private insurance coverage. MIB, like the credit bureaus, is subject to the federal Fair Credit Reporting Act. The FCRA, among other things, gives individuals the right to a copy of their information and the right to dispute erroneous information. MIB is also what's called a "business associate" of member insurance companies that are subject to HIPAA. Under the Health Information Technology for Economic Health Act (HITECH) and recent Department of Health and Human Services Rules, business associates are subject to most of the privacy, data security, and penalties that apply to doctors, hospitals, and other HIPAA "covered entities." Consumers may order their MIB Report, or find out if MIB has a file, through this website: The PRC website includes further information about MIB:

On HIPAA:  Why can bill collectors get access to your medical records? Can those records ever be "sealed" or shielded legally from agencies? 

Keep in mind, health care is a business like any other. And, overdue or unpaid medical bills, like any other debt, can end up as a negative item on a credit report. Health care providers are allowed, under HIPAA, to report certain information to credit bureaus. If an unpaid medical bill is not paid, after time a provider may employ a debt collector. Third-party debt collectors are business associates and also subject to HIPAA. As for the information that can be disclosed, HIPAA has what is called a "minimum necessary" rule, which means disclosure should be limited to the amount necessary to accomplish the purpose of disclosure.

Who is likely to want to look at your medical records? 

Obviously, anyone involved in a patient's care would want to look at medical records. That could include doctors, nurses, receptionists, therapists, laboratory and radiology workers. It could be many more for people who are hospitalized. Add to that health insurance companies and companies, called clearinghouses, that process insurance payments also have access to medical data. Business associates may also have access. This would include billing services, attorneys, auditors, accountants, debt collectors, storage facilities--just to name a few. In addition, although HIPAA is a "privacy rule," it does recognize numerous interests other than those of the patient. This could include, to name a few, public safety officials, law enforcement, courts. There's quite a list, which we include in Part 5 of our HIPAA Fact Sheet 8a: (NOTE: The posted version of Fact Sheet 8a does not include the most recent amendments to HIPAA Privacy, Security and Enforcement Rules required by HITECH. I'm working on it.)

Can potential employers access your medical records? 

Ordinarily, a patient's authorization is required before a doctor, for example, can release information to an employer. See the following HHS publication on health information and the workplace: As this says, HIPAA does not apply to employers or employment records. Employers may have access to health information in other situations such as workplace drug testing, employer-sponsored wellness programs, workplace safety issues, or pre-employment physicals where HIPAA would not apply.

Do you think knowledge of medical data stored on consumers makes people feel less likely to seek certain kinds of care (mental health for example)?

Maybe, for some people. There is a new right given to consumers under HITECH that allows a patient who pays for treatment out of pocket to request that information not be shared with a health insurer. Hopefully, this will encourage people to seek needed treatment without fear of having their insurance company know about it.

PRC's goal is to raise awareness about various privacy issues and to provide information needed to control the use of personal information. For more information about PRC, check out their website.



