HIPAA: Privacy Still at Risk

Most people have been led to believe that HIPAA is to protect your information, especially your health information.  That has never been the case and here is an item that calls this to your attention, even though we have been reporting on this for many years.

It is important to note that the HIPAA privacy rule permits public-health workers to use and disclose individually identifiable health data without patients' authorization. This is a major loophole that allows patients’ personal health information to be shared with many others—without their consent.  (See 45 CFR Subtitle A, Subpart E—Privacy of Individually Identifiable Health Information; section 164.512 “Uses and disclosures for which an authorization or opportunity to agree or object is not required.”)

Further, the information below should be an eye opener. 

Proposed Changes to Privacy Rule Won’t Ensure Privacy

The federal government once again is modifying the HIPAA privacy rule.  This time around it’s modifying the rule to incorporate legal requirements in the economic stimulus law passed in 2009.   But since that law doesnot require consent before health information is shared for most purposes (including treatment, payment, and health-care operations), the modifications will fail to truly protect health privacy rights.  IHF first reported on this in March 2009: http://forhealthfreedom.org/Newsletter/March2009.html#Article2  

IHF noted that while the stimulus law aimed to prohibit the sale of electronic health records, the exceptions are so broad that it fails to meet its purported objective.  In fact, the stimulus law actually permits the selling of Americans’ electronic health records for public-health and research purposes—without patients’ consent.  The stimulus law also limits insurers’ access to health data, but only if patients pay out-of-pocket and forgo insurance reimbursement. 

Additionally, the stimulus law expanded the number of people authorized to access patients’ personal health information without patients’ consent.  Previously HHS estimated that about 600,000 covered entities (and their employees) would have access to patients’ data for many purposes.  However, the stimulus law added some 1.5 million “business associates” who can legally access patients’ health records—without patients’ consent.  Now over 2 million health-related organizations and their business partners will have legal access to patients’ health data without consent in many circumstances (see table below).  

Number of Health-Care Entities and Business Associates With Access to

Patients’ Health Information under HIPAA Privacy Rule

Health-Care Entity	Number
Business Associates* (conduct business on behalf of entities listed below)	1,500,000
Office of MDs, DOs, Mental Health Practitioners, Dentists, PT, OT, ST, Audiologists	419,286
Durable Medical Equipment Suppliers	107,567
Pharmacies	88,396
Nursing Facilities**	34,400
Home Health Service Covered Entities	15,329
Outpatient Care Centers***	13,962
Medical Diagnostic, and Imaging Service Covered Entities	7,879
Other Ambulatory Care Service Covered Entities (Ambulance and Other)	5,879
Hospitals (General Medical and Surgical, Psychiatric, Substance Abuse, Other Specialty)	4,060
Third Party Administrators Working on Behalf of Covered Health Plans	3,522
Health Insurance Carriers	1,045
Total Entities and Business Associates	2,201,325
* According to HHS, examples of business associates include third-party administrators or pharmacy benefit managers for health plans, claims processing or billing companies, transcription companies, and persons who perform legal, actuarial, accounting, management, or administrative services for covered entities and who require access to protected health information.  ** Includes nursing care facilities, residential mental retardation facilities, residential mental health and substance abuse facilities, community care facilities for the elderly, and continuing care retirement communities.  *** Includes family planning centers, outpatient mental health and drug abuse centers, other outpatient health centers, HMO medical centers, kidney dialysis centers, freestanding ambulatory surgical and emergency centers,  and all other outpatient care centers. Source: “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act,” RIN: 0991–AB57, Federal Register, Vol. 75, No. 134, July 14, 2010 (see pages 40872, 40906, 40907, 40911).

Thus, the stimulus law expanded the number of people who can access patients’ health information but stillfailed to give patients the final say in who may—and may not—see their most personal health records. Rather than tinkering around the edges modifying the weak HIPAA privacy rule (as required by the stimulus law), it’s time to call on Congress to change the law to ensure that patient consent is required before personal health information is shared for any purpose, including public health. 

What’s more, although the stimulus law doesn’t give patients the right to control the electronic flow of their health information, it does require the secretary of HHS to post a list of breaches of “unsecured protected” (HHS’s term!) health information affecting 500 or more individuals.  The breaches are posted here:http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html 

Sources:

• “HHS Releases Proposed HIPAA Rule Extending Mandate to Business Associates,” Kendra Casey Plank, BNA’s Health Care Policy Report, July 12, 2010.
• “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act,” RIN: 0991–AB57, Federal Register, Vol. 75, No. 134, July 14, 2010.

“How the Economic Stimulus Law Affects Your Health Privacy Rights,” Health Freedom Watch newsletter published by the Institute for Health Freedom, March 2009:http://forhealthfreedom.org/Newsletter/March2009.html#Article2

Real Age? Real Cagey...

Oprah's doctors, Oz and Roizen, are linked to RealAge, an on-line actuarial questionnaire that evaluates your lifestyle to give you an age that reflects how healthy your choices are. You may end up older or younger than your chronological age as a result of their quiz.

I took it once when they first published it and came out about 20 years younger than my chronological age.

Then along came one of their daily facts I disagreed with, and so did the science.

Do you think they would correct the error of their ways? No way, Jose!

Now it appears - according to some data dug up by Public Citizen, that the folks who bring you the RealAge questionnaire also sell your info and email to pharmaceutical companies.

Website Collects Medical Data and Uses That Data for Drug Company Solicitations

Online Age Quiz Is a Window for Drug Makers

A word to the wise: You'd better skip this test.

Health Care Industry already sharing health records

Worth reading, especially the comments.

If you find a health provider willing to take cash then you have more control over your own records. Just get your files compiled and carry them with you.

Hospital Workers Sharing Music? They May Also Be Sharing Your Medical Records
Health care workers using Gnutella or other peer-to-peer (P2P) networks to share music and video, may be putting you at risk for medical identity theft, Dartmouth researchers find.

Much Ado About Merck Marketing

I'd suggest the money spent on this fiasco be put to nutrition education in an effort to prevent and reverse diabetes rather than promote drug sales.

A group of labor unions is launching a campaign that accuses CVS Caremark Corp. of violating patient privacy and improperly pushing doctors to prescribe a costly prescription drug.

Change to Win, a group of unions that represents about six million workers, said CVS's pharmacy benefits management business has been urging doctors via a letter to add Merck & Co. diabetes drug Januvia to specific patients' treatments. The letter, obtained by the union group, said CVS identified the diabetes patients through a review of prescription-drug claims processed by its Caremark unit.

A line at the bottom of the letter says Merck paid for the mailing. Neither Merck nor CVS would say how much Merck paid, and the drug maker also declined to say whether the mailing boosted Januvia sales.

CVS said the union group's actions are rooted in a dispute about workplace rules. The unions represent several thousand CVS workers. The Woonsocket, R.I., company said the unions have been attacking CVS for more than a year, including objecting to two recent acquisitions.

Januvia is as much as eight times more expensive than many other diabetes treatments, according to a recent study. Some medical experts say patients may not need the drug and may respond just as well to older, cheaper treatments.

The CVS letter was previously reported by Phoenix Business Journal.

Change to Win says the Januvia letter is an example of CVS putting its interests ahead of the businesses that pay it to manage employee prescription-drug benefits. CVS became a big player in the pharmacy-benefits business when it acquired Caremark, then the nation's second-largest PBM, for about $27 billion in 2007.

A Merck spokeswoman said the Whitehouse Station, N.J., company paid for the mailing "to help inform physicians about additional treatment options." She added that "no personal information about patient participants in the plan are provided to Merck." The letters were sent by CVS Caremark, not Merck.

CVS said it does not improperly try to switch patients to more expensive drugs and protects the privacy of plan participants' health information. As for the Januvia mailing, CVS said it was part of a program to provide information to physicians and that doctors make the ultimate decision about prescribing a drug.

Employers and insurers hire PBMs with the goal of keeping costs low while providing access to a wide range of treatments.

In recent years, PBMs have been accused of favoring drugs that generate rebates and high profit margins. Six years ago, some patients complained about a letter from Longs Drug Stores urging the patients to switch to a new version of the osteoporosis treatment Fosamax. That mailing also was paid for by Merck.

The union campaign, set to be announced Friday, comes as CVS's PBM business has struggled. In its most recent quarterly earnings report, announced last month, revenue in the PBM unit fell about 1% to $10.6 billion.

Change to Win's executive director, Chris Chafe, said the goal of the CVS campaign is to change state laws to force PBMs to disclose to customers all payments or rebates they receive from drug companies; limit the amount of patient information the PBMs can disclose; and require that any switching of drugs results in lower costs for PBM customers.

Mr. Chafe said CVS was targeted because of its large role in the retail drug business and the PBM industry, and because the company manages prescription benefits of many union members. Change to Win's members include the Teamsters and the Service Employees International Union.

Write to David Armstrong at david.armstrong@wsj.com
http://online.wsj.com/article/SB122663485690627711.html?mod=todays_us_marketplace