
The Medical Records Privacy Thread

RedLeader
A Guide to Medical Privacy
Originally Drafted - 8 June 2009

This guide has been created to provide the Bluelight community with information concerning the privacy (or publicity) of one's personal medical records. It was inspired by recent questions on the board, such as (not quoted verbatim):

If I ODed and was hospitalized but not legally charged, could this come back to haunt me later in life? For example, not getting into a career in medicine or therapy?

Can my medical records restrict my ability to get into University?

Are there existing laws which concern the privacy of medical information/data? Can my boss or university dig very deep, if they so desired?

Hopefully this guide will be able to properly answer these questions, as well as give even more information about medical privacy. As many of us wish to balance the risks we take as drug users with our desires to get an education and then eventually work a job, it is very important to not let the former undermine the latter. The information age is very intimidating to pretty much all of us. To help reduce this mysterious and confusing threat, this guide does its best to educate readers on ways to lessen the chance that our experimental youth could undermine our desired future in less-than-obvious ways.

*NOTE: This guide was written by an American (Redleader), and therefore largely concerns American laws and standards. Given that the majority of BLers are American, hopefully this will be of use to a wide range of people. However, to those not in the US, be cautious in how you act on this guide. Laws vary by country, and what works in the US may not work in other countries. E&C strongly encourages non-Americans to contribute any knowledge to this thread which could give analogous information about medical privacy laws in other countries. Also, even though the specifics do not apply directly to a non-American, he or she can use this guide as inspiration for how to go about researching this issue in his or her own country.


MEDICAL RECORDS - What exactly are they?

A medical record, in general, will fall into one of three categories:

  • Those created when one receives treatment from a health professional such as a physician, nurse, dentist, chiropractor, or psychiatrist. Such records may include your medical history, details about your lifestyle (such as smoking or involvement in high-risk sports), and family medical history.
  • Laboratory test results, medications prescribed, and reports that indicate the results of operations and other medical procedures. One's records could also include the results of genetic testing used to predict one's future health. And they might include information about your participation in research projects.
  • Information you provide on applications for disability, life or accidental insurance with private insurers or government programs can also become part of your medical file.

The HIPAA - The biggest medical privacy act

In 2003, the US federal government passed the Health Insurance Portability and Accountability Act (HIPAA). This was largely done as a response to the rapid increase of electronic storage of data within the medical field, and to ensure privacy standards for electronic medical information would exist on a national level. If you want to know exactly what HIPAA states, give it a go on Wikipedia (http://en.wikipedia.org/wiki/HIPAA).

In short, it contains two parts. The first part deals with protection of health insurance in the case of changes or losses of jobs. The second part, which is officially called The Administrative Simplification (AC) Provisions, is designed to help keep medical information private.

The good news is that the AC Provisions do offer a lot of protection, but the bad news is that of course there are loopholes. HIPAA only applies to medical records maintained by health care providers, health plans, and health clearinghouses - and only if the facility maintains and transmits records in electronic form. Any health information held outside of those entities, or held by them in non-electronic form, is not protected by HIPAA.

Given that such external health information frequently does exist, it is important not to develop a false sense of security from HIPAA. Instead, know exactly where this external information would be, and use that knowledge to minimize creating more of it.

THE THREAT - Information not covered by HIPAA

The majority of such information would be contained within one's financial records. In 1999, the federal government passed the Gramm-Leach-Bliley Act (GLB), which gave financial companies (banks, brokerages, insurance agencies, etc.) the ability to operate as independent, single entities. A side-effect of this was that it opened up the door for financial companies to share/sell your information to third-party associates. Now GLB gives you the legal right to insist that your information not be shared/sold if you speak up, but in contrast, it does not insist that you must be notified when such does occur. It's largely left up to you to take the initiative(s) to prevent this from occurring.

For example, your credit card records likely contain information about your healthcare costs. GLB gives the right to your credit card company to share/sell this information, and HIPAA cannot protect this leakage.

There is some good news, though. Especially given the current bad economy, financial institutions will often make privacy promises including, but not limited to, not sharing/selling your personal information to attract clients. Again, it is important to either read or have your attorney read the fine print of contracts, such as those set up with financial companies, to see if these issues are addressed (either way).

Another set of information not covered by HIPAA is that of your education records as a minor, maintained by your school(s). These records contain information about vaccinations, sports drug-testing, guidance counselor visits, reasons for suspensions, etc.

ACCESS - Who can access my medical records?

In general, you are required to give up medical records under the following scenarios:

1) Applying for Insurance - When you apply for insurance, be it health insurance, life insurance, or other types, you typically are expected to give up your medical records in exchange for the chance to be given a policy. The degree to which this is "official" depends on the strength of the insurance (For example, a single 22 year old applying for basic health insurance may just be required to undergo a phone interview "on the merit system," whereas a 40 year old exotic dancer applying for life insurance may be required to sign disclosures, undergo physical examinations, etc.).

What sucks is that under the GLB, insurance companies are considered financial institutions, and therefore have the legal right to share/sell your medical information unless you initiate the instruction for them not to. I know, this is a real 8o for most people. So again, it is very important to know where you stand with regard to the finer details of financial institutions, with which you may contract.

2) The Government - If you're trying to qualify for a government-backed program, such as Medicare or Workers Compensation, you will be asked to submit your medical records.

3) Court Cases - Your records may be subpoenaed if they would be relevant to the given case. To give an extreme example, a man being prosecuted for knowingly engaging in sex after an HIV+ diagnosis may be asked to provide medical records concerning his history of HIV testing. Furthermore, once your medical records are used in court, they will go on public file. You can attempt to ask the judge to make public only the portions of the subpoenaed records relevant to the case, but there's no guarantee that s/he will.

4) The Medical Information Bureau (MIB) - This is a central database of medical information shared by insurance companies. Basically, what happens is that if you apply for health/life insurance and, through the application process, your potential insurer flags you as a "risky" individual, they are free to add your information to the MIB. In such a case, a profile for the individual would be created, and a list of "risky things" would be made. These could range from being HIV+ to smoking cigarettes. There are over 200 different "risky" descriptions that the MIB uses within its coding system. It's estimated that over 10 million Americans have files in the MIB.

Another 8o fact is that the MIB is not subject to the HIPAA. Hence if you are flagged and placed into the MIB, there exist ways for third-parties to obtain knowledge of this. You can determine if you have an MIB file through the MIB's website, and you have the right to work with the MIB if you feel that information in your file is incorrect.

5) Prescription Drug Databases - There exist two main prescription drug databases, IntelliScript and MedPoint. These are used to allow insurance agencies access to a potential candidate's prescription drug history. Details in such databases can go back as far as five years, detailing drugs used as well as dosage and refills. Anybody who gets prescription medicines is subject to being placed into such databases. Anyone can contact either of these companies and request a personal report, so as to either ensure its accuracy or simply for the novelty factor. Like the MIB, such databases are also not subject to the HIPAA. This is certainly unnerving for people who "doctor shop."

6) Employers - Potential employers will often ask you to disclose your medical information to them. In some cases, you have no choice. But in others, you have rights. For an example of the former, adult film stars are required to submit medical records concerning STD-testing. The way that employers go about obtaining the records you disclose varies state-by-state (legally), so some states allow one to hide behind HIPAA (plus state laws) more easily than others with respect to employers keeping one's records private.

In 1990, the federal government passed the well-known Americans with Disabilities Act (ADA). This act initially suggests that employers can only be so nosy, but it's a very loosely written piece of legislation, and allows for a range of discretion to be taken against a candidate.

In short, it states that employers may not ask job applicants about medical information or require a physical examination prior to offering employment. Once employment is offered, an employer can only ask for a medical examination if it is required of all employees holding similar jobs. Furthermore, if one is turned down for work based on the results of a medical examination, the employer must prove that it is physically impossible for one to do the work required.

This is very vague, and it does not take a wild imagination to see how employers can dance around this. Also, note that it only concerns them directly asking you about your medical records, but says nothing about them using background-checking techniques to obtain such information. A point of note, medical information is one of the forefront topics common to a typical "background check."

This is not a complete list of the ways that your medical information can be obtained, but it covers the dominating cases.

SECURITY - How to keep private

Phrases like "background checks" can be and are quite intimidating. Given the above information in this guide, the intimidation is quite justifiable. In short, what can one do to ensure one's records are kept as private as possible? First, one must swallow the hard truth that what the information age has already dragged out IS out and WILL remain out, barring future legislation. But one can look forward, and do one's best to minimize the negative impact of one's medical records. Here are some tips for protecting one's records:

1) The obvious first piece of advice is to educate oneself on HIPAA and its details.

2) If you are asked to sign a waiver for the release of your medical records, attempt to compromise with the asker; don't sign a blanket waiver if you're really only being investigated about a given condition (for example, an adult film star could talk a blanket waiver down to a specific one for STD-testing).

3) If you are going to a doctor for private reasons, suck it up and pay for it out of pocket, instead of using your insurance. By doing this (paying out of pocket), you then have the legal right to ask your doctor to sign a document (drafted by you or your attorney) which insists that he not disclose any of the information to anybody else (including your health insurance company) about the visit. For example, if you believe you might have HIV and want your doctor to test you, this would be the wise decision. The downside of this is that the HIPAA fires back and gives your doctor the right to refuse such a visit altogether. Hence in cases like this, finding a different, more willing doctor may be necessary.

4) Use common sense when you do give up medical information. For example, if you are willing to submit some medical records to an employer, ask your doctor to only photocopy the appropriate sections of your records, and not print out your entire life story.

5) If you are insured through your employer, be observant of any claims you file under such, as they will go into the data of your company. Ask politely that the HR department of your company allow you to see what such files appear like (if you can, produce copies for personal storage), and also ask for your information to not be shared externally (although you have no guarantee).

6) Do not fill out marketing-type questionnaires which ask you to give up information about your medical history or medical conditions. As soon as the asker gets that information, it's public. It's not worth the one in a million shot that you'll win a trip to Hawaii! Same goes for public health screenings. If, for example, the Red Cross sets up at your local Starbucks doing free health screenings, ensure that they will not give out such results before you agree to such tests.

7) Use discretion on the internet. If you become a member of a health-related website or forum, try to remain anonymous. If you must give personal information, read the fine print of the site first, concerning its privacy regulations. For example, if the web company becomes defunct, might its databases be auctioned off, or used as collateral?

8) Keep track of your medical history. Keep track of all of the doctors you go to, for example. If a doctor's office you've used in the past plans to close, be ready to ask them what they'll be doing with your records.

EMPLOYMENT - More Details

The topics of medical records being ascertained by a potential employer, either directly or through a background check, have been covered elsewhere in this guide. Here, issues specific to an established work environment will be discussed. If you have a job and health insurance, you will fall into one of three categories:

1) You have health insurance independent of your employer. In this case, your only concern becomes information-age monitoring that your employer may be doing on you (like a continuous background check).

2) You are part of a group health insurance plan sponsored by your work. Group health plans are covered by HIPAA as long as the plan has 50 or more people being covered. If you are a member of a group health plan, your employer pays a premium to the health plan organization to cover potential costs. The health care plan assumes the risk of paying for health care expenses covered by the plan. The HIPAA Privacy Rule applies to the plan itself, but not your employer. Hence your employer is free to use whatever medical information he or she obtains in any otherwise legal fashion (but, as contrasted to the next case, your employer would not be directly privy to your claims and such). However, the HIPAA allows for a basic summary of your claims to be given to explain away adjustments in premiums - what can be contained in this summary is a gray area (and there are laws that tradeoff the depth of the summary and the extent to which your employer must keep the information private).

3) You are self-insured by your employer as a benefit of your job. In this case, the employer bears all financial risk of your health. Here, it acts as its own insurance company, and how it handles claims and maintains records is completely up to the employer. The efforts can be outsourced, etc. In this case, HIPAA states that the portion of the company that acts as the insurance company must effectively blackbox itself from the rest of the company. But HIPAA does NOT say anything about how that firewalled section of the company handles the job, which basically undermines the entire blackboxing rule. Be very cautious if you choose this option!


ADDITIONAL INFORMATION

1) You have the right to obtain your medical records from any healthcare provider, as per HIPAA (and this act stipulates the records must be in your hands in under a month's time). The only time you would be denied a request would be in the case where the provider believed that after obtaining such records, one could become a physical threat to oneself or to others. Note that you might have to pay fees in order to obtain such. Also, it is a good idea to ask said healthcare provider how they plan to copy your records - in some cases they are legally allowed to, for example, walk into a copy shop and have it done. This is borderline paranoia, but it is another exposed area.

2) Many states do have state laws which add to the protection of the federal HIPAA. Read up on your state's legislation, as you may have more rights than you originally thought. Also, Worker's Compensation varies state-by-state, so when disclosing information for such, it is important to know how your state's laws apply to this situation.

3) As alluded to in 1), your healthcare provider uses what are known as "business associates" for various tasks, such as accounting, consulting, data aggregation, etc. Kinko's, for example, could count as a "business associate." Your healthcare provider will have a written agreement with all business associates about privacy. But under HIPAA, your consent is NOT required if your provider takes action which could expose your medical records to business associates. This can be dangerous, especially if outsourcing is involved. You are fully entitled to ask your provider about their business associates.

4) Under HIPAA, you have the right to not only obtain your own medical records (as mentioned above), but also to obtain a list of every case of your records being accessed in the past 6 years.

5) Another 8o fact. Under HIPAA, you do not have the right to sue for violations of said act. All you can do is file a complaint. If your complaint is taken seriously, an investigation will be undertaken, and the guilty party will either be fined or criminally investigated.

6) Under HIPAA, you have the choice as to whether you want to be added to a hospital’s database or not. This was done basically to give people who do not want others to know that they are currently hospitalized that option. For example, victims of domestic violence who do not want their attackers to be able to locate them.

Again, though, don't think that choosing to remain anonymous in a hospital's directory will help you in a situation such as a drug overdose. Unless you're willing to cover your expenses out of pocket, you will likely have to turn to your health insurance company. This then could be the incident that pushes you past the proverbial line, and adds you to the MIB (along with the reasons why you're on the MIB, including the overdose).

ADVICE - Students

Do not stress about your medical history precluding you from being accepted into an academic program. There are plenty of discrimination laws, which do not allow schools to openly discriminate against you based on medical conditions (now what goes on behind closed doors, well that's a different story). Does Harvard run background checks? I think that's still a conspiracy theory.

Again, as long as you have no criminal charges linked to such medical circumstances, don't fret. There could be side-effects, though. For example, if you've destroyed your credit rating through bankrolling your own shady medical expenses or have collection agencies coming after you for unpaid medical bills, this could make a school wonder about your ability to pay tuition.

ADVICE - Employees

In the information age, it's best to think about minimizing the leakage of personal information rather than assuming that one can always take measures to completely eliminate all potential leaks. Know the laws and know your rights, both under HIPAA and your state. Following the suggestions above is very important, given that background checks and information freeflow are both becoming more common with each passing day. The sad truth is that a solid background check can often uncover things such as hospitalizations for ODs. All the more need for harm reduction education!

--

In conclusion, E&C asks anyone with questions about medical privacy not covered in the above text to post them in this thread. We cannot promise you answers, but we will do our best to try and assist you. Further, as stated up top, we encourage anyone with additional useful information (especially about these themes in countries other than America) to contribute to this thread.