VII. Key Issues: Regulation & Reform >> B. Health Care Regulation >> Health Insurance Regulation >> Medical Privacy (last updated 9.12.15)
In part due to the outbreak of AIDS, there has been renewed concern at both the state and federal levels regarding the confidentiality of medical information. Three interests together create a legal and ethical dilemma for policy makers: 1) the rights of individuals with HIV and AIDS; 2) the public interest in controlling and fighting an epidemic; and 3) the interest of employers, insurers, and health officials in providing adequate and affordable medical care (Caldwell 2001).
Laws regulating access to personal medical records vary from state to state, but all states have at least some degree of privacy protection. Two important pieces of federal legislation relate to the privacy of records maintained by insurance carriers. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted in August 1996, but its regulations were not finalized until seven years later. After significant concerns were expressed over the potential cost impact of the privacy regulations originally published on December 28, 2000 (65 FR 82462), the regulations were revised considerably; the final modification was not issued until August 14, 2002, and it became effective on April 14, 2003. Another federal law, the Gramm-Leach-Bliley Act (GLBA), was passed in 1999.
Most states require registration of persons infected with certain contagious diseases (e.g. AIDS, tuberculosis, STDs). However, access to those persons' medical records is usually highly guarded, and cases are usually reported in the strictest confidence. Thus a certain basic level of privacy protection is provided by most states (Caldwell 2001). The federal privacy regulations issued under HIPAA guarantee patients access to their medical records, give them more control over how their protected health information is used and disclosed, and provide a clear avenue of recourse if their medical privacy is compromised.
The Duke Center for Health Policy has developed a draft working paper assessing the costs and benefits of privacy regulations, including HIPAA (1996) and state requirements.
Cybersecurity and Medical Records
- Wall Street Journal reports (2.18.14): “Health-care organizations increasingly are having trouble protecting data because medical equipment, such as dialysis and imaging machines, can be serviced through the Internet. That often is so the machines’ software can be administered or updated remotely. There also are many more entry points where cybercriminals potentially can enter a health-care facility to try to access electronic medical records or billing systems, which have credit-card data. The push to digitize medical records means that a treasure trove of data is online for hackers to target.”
- Wall Street Journal reports (2.18.14): “Medical records sell for about $60 apiece on the black market, while credit-card information typically goes for about $20, said Sam Glines, the CEO of NorseCorp. Medical records are ‘more valuable because you can do more with it, including Medicare fraud and prescription fraud,’ he said.”
- Ponemon Institute. The Institute is a privacy and data-protection research firm.
- SANS Institute. The Institute is a cybersecurity research and educational organization.
Data Breach News
- Partners Data Breach Affects 3,300 Patients. “Hackers may have accessed medical and personal information, including Social Security numbers, about 3,300 patients at Partners HealthCare, the health system said Thursday. The breach happened when some Partners employees responded to phishing e-mails, which allowed unauthorized access to their e-mail accounts. Some of the e-mails contained private patient information, including Social Security numbers, addresses, phone numbers, and information about medical treatments and health insurance.” (The Boston Globe, 4.30.15)
- Oregon Health Insurer’s Data Breach Alert Misfires, Sparks Do-Over. “On Wednesday Sherwood residents Lester and Nora Brock were surprised to learn that personal data entrusted with their health insurer, Oregon’s Health CO-OP, might be compromised. Even more surprising? They learned this not from a letter addressed to them, but from five different letters addressed to other people – each in separate envelopes delivered to the Brocks’ address…The breach comes as bad news for the upstart insurer. It’s operated as a consumer-owned operated nonprofit, one of two set up with the help of federal loans in Oregon in 2013.” (The Oregonian, 4.30.15)
- Privacy Rule. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule
- Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information. This link summarizes the Privacy Rule’s protection of the privacy of individually identifiable health information, the rights granted to individuals, OCR’s enforcement activities, and how to file a complaint with OCR.
- A Fight Over How Drugs Are Pitched (Natasha Singer, NYT, 4.24.11). Three states have enacted laws prohibiting the use of prescription drug data to market to physicians.