Welcome!

Welcome to my blog, a place to explore and learn about the experience of running a psychiatric practice. I post about things that I find useful to know or think about. So, enjoy, and let me know what you think.



Wednesday, July 6, 2016

Keeping Mum

Hippocrates

This post was prompted by an article written by Ben Goldacre in The Guardian, Care.Data is in Chaos. It Breaks My Heart. The article is about the Health and Social Care Information Centre (HSCIC, in the UK), which, "admitted giving the insurance industry the coded hospital records of millions of patients." These records, according to Goldacre, were line for line, and could be decoded by anyone with an inclination to do so. The purpose of this "gift", by the way, was for the insurance companies' actuaries to figure out premiums, based on likelihood of death (or illness, I assume).

Useless Fun Fact: Years ago, in another professional trajectory, I passed the first of the however many actuarial exams.

Anyway, then the HSCIC said it couldn't share documentation on this release of information, presumably because it's more important to protect insurance company privacy than patient privacy.

Summarily, in Goldacre's words, "...a government body handed over parts of my medical records to people I've never met, outside the NHS and medical research community, but it is refusing to tell me what it handed over, or who it gave it to, and the minister is now incorrectly claiming that it never happened anyway."

So I started to think about patient privacy, including a long-ago post, What, Exactly, Is HIPAA?, where I wrote that I would follow up with more information about privacy, and I never did. Incidentally, I've looked, and I still haven't found any contradictory information about what constitutes a HIPAA covered entity, and I'm still convinced that I'm not one, because I don't bill patients electronically.

So I was wondering, what is the difference between privacy and confidentiality, as they relate to patients? And I found this article (Prater), which was helpful.

Basically, confidentiality is the, "...obligation of professionals who have access to patient records or communication to hold that information in confidence," while privacy is the, "...right of the individual client or patient to be let alone and to make decisions about how personal information is shared."

In other words, confidentiality is my professional, or at least ethical, obligation to my patients, while privacy is a patient right I need to respect. From this I infer that technically, my patients do not have a right to confidentiality, and I don't have an obligation to protect patient privacy.

Here are some more details.

Confidentiality

Confidentiality goes back, at least, to the Hippocratic Oath:

And whatsoever I shall see or hear in the course of my profession, as well as outside my profession in my intercourse with men, if it be what should not be published abroad, I will never divulge, holding such things to be holy secrets.

It is a cornerstone of professional association codes of ethics. The AMA's code of Ethics, Opinion 5.05, states:

The information disclosed to a physician by a patient should be held in confidence. The patient should feel free to make a full disclosure of information to the physician in order that the physician may most effectively provide needed services. The patient should be able to make this disclosure with the knowledge that the physician will respect the confidential nature of the communication. The physician should not reveal confidential information without the express consent of the patient, subject to certain exceptions which are ethically justified because of overriding considerations.

And don't forget about postmortem confidentiality:

All medically related confidences disclosed by a patient to a physician and information contained within a deceased patient’s medical record, including information entered postmortem, should be kept confidential to the greatest possible degree...At their strongest, confidentiality protections after death would be equal to those in force during a patient’s life. Thus, if information about a patient may be ethically disclosed during life, it likewise may be disclosed after the patient has died.

In reading this stuff, I also found that the AMA has a slightly different slant on the definitions of privacy and confidentiality:

In the context of health care, emphasis has been given to confidentiality, which is defined as information told in confidence or imparted in secret. However, physicians also should be mindful of patient privacy, which encompasses information that is concealed from others outside of the patient-physician relationship.
An example of support for the legal status of confidentiality, as the privileged communication between patient and doctor, can be found in Jaffee v. Redmond, where the, "...U.S. Supreme Court upheld a therapist’s refusal to disclose sensitive client information during trial." (Prater)
Effective psychotherapy...depends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories, and fears. Because of the sensitive nature of the problems for which individuals consult psychotherapists, disclosure of confidential communications made during counseling sessions may cause embarrassment or disgrace. For this reason, the mere possibility of disclosure may impede development of the confidential relationship necessary for successful treatment. (p.10, Jaffee v. Redmond)
Privacy

There is no constitutional right to medical privacy. Rather, healthcare privacy rights, "...have been outlined in court decisions, in federal and state statutes, accrediting organization guidelines and professional codes of ethics." (Prater)

The big example is HIPAA. Subject to HIPAA, "Individuals are provided some elements of control, such as the right to access their own health information in most cases and the right to request amendment of inaccurate health information...However, in [the] attempt to strike a balance, the Rule provides numerous exceptions to use and disclosure of protected health information without patient authorization, including for treatment, payment, health organization operations and for certain public health activities..."(Prater)

I've been trying to read through the relevant parts of this ponderous document about HIPAA, and on pages 757 and following, in part §164.512, Uses or Disclosures for which an Authorization or Opportunity to Agree or Object is not Required, I found what appear to be a number of these exceptions to the "privacy" provided by HIPAA. I think. I'm not a lawyer. Such as:

a) required by law
b) public health activities
c) victims of abuse, neglect, or domestic violence
d) health oversight activities
e) judicial and administrative proceedings
f) law enforcement purposes
g) about decedents, i.e. coroners, MEs, funeral directors
h) cadaveric organ, eye, or tissue donation purposes
i) research purposes
j) aversion to serious threat to health or safety
k) specialized government functions
l) worker's compensation

There are many specifics, including disclosing information to a patient's employer, but I'll leave those as an exercise for the reader.

Point being, HIPAA does little to protect patient privacy. I think the value of HIPAA is that it attempts to delineate what patient privacy rights are, and that it has succeeded in making people aware that the privacy of their medical information is vulnerable. It does not solve this difficulty, which becomes hugely magnified by the use of electronic health records. This leads to consideration of one more important term, security, or the means by which patient information is protected, such as a locked filing cabinet, or encrypted data.

What I glean from all this is that there is at least a notion of a patient's right to privacy, which I should try to respect. But that my standards for protecting patient information are much higher than anything HIPAA has to say.

Sunday, March 22, 2015

Limits of Technology

The other day, I went to see a new physiatrist for my chronic back problems. She came highly recommended by my former physiatrist, who retired. I found her (the new one) to be lovely and helpful, as was her staff. No problem with the people.

The technology was concerning, though.

Some things they got right. The doctor typed on a computer while we talked, but she had the monitor and keyboard raised and next to the examining table, so that she wasn't constantly looking down or away. I didn't find that off-putting at all, surprisingly. And when I first registered, the receptionist asked for my email address. I declined, because I don't want to be spammed by the hospital she's affiliated with. The receptionist told me that it's for something called "My Charts", where I can look up my results and summaries of my visits, and where I can easily communicate with my doctor. I still declined.

Later, the physiatrist encouraged me to sign up for My Charts. She didn't know I had refused. She obviously uses it regularly, so I decided to do it, and I sheepishly told the receptionist that the doctor had convinced me, and gave her my email.

What I didn't like about the technological aspect was the initial forms. Well, "forms". I was handed a tablet, and asked to fill out privacy and insurance forms that way.

Problem 1: The thing is a fomite. There are typical hospital-type signs in the office about properly wiping down all shared equipment with cleaning products, but you can't really do that with a tablet, and dude, this thing was not clean.

Problem 2: The user interface was crappy, but that's no surprise.

Problem 3: The software was less sophisticated than paper forms. When you're handed a paper HIPAA form, you can decline to sign it, and the doctor simply has to document that she made a good faith effort to give you the forms. Your lack of signature does not in any way prevent the sharing of information that HIPAA allows. In other words, your information can get tossed around publicly, whether you agree to it or not. If you don't believe me, see my post, What, Exactly, Is HIPAA?

The electronic version had no option for not signing. With paper forms, I generally refuse, because even if I have no say in what happens to my information, I don't have to jump on board that bandwagon by obsequiously signing. But I couldn't finish the electronic form without signing.

There were 4 different documents I had to sign. One said that if I didn't agree to the terms, I wouldn't be treated. At least I think that's what it said. The lack of clarity is another problem.

A second form was a standard "I agree to share this info with my insurance," which I know I have to sign if I want coverage. And I was pleased that this doctor, who came so highly recommended, happened to be in my network. This is part of the upside of technology, which, if done well, can make it possible to manage a high-volume practice that takes insurance but still makes money, and also treats patients well. And this practice, unlike my own, is high volume.

Another form gave me two final options. I could either agree to share all information with other providers, or I could refuse to share any information with other providers, including in an emergency. It specified that part. Then there was a line below the options that said if I didn't choose one or the other, it would be assumed that I wanted to share no information, except in an emergency. I thought, "Oh, good. I won't choose." Naturally, the software wouldn't let me do that. So I refused the sharing of any information, on the assumption that in an actual emergency, any intelligent doctor would just go ahead and get the necessary history.

There was one other form, and I can't remember what it did.

Like I said, paper forms would have made more sense. It was galling that there was a big sign in the office touting the use of these tablet forms, and how they would allow for better patient care.


I'm not comfortable having my health information readily available to pretty much everyone. In an article in yesterday's NY Times, Why Health Care Tech Is Still So Bad, Robert Wachter describes a lot of what I just did, but with the hope that today's tech is really version 1.0, and that it'll get better. He points out that the flight industry wouldn't dream of using new software until it was tested extensively by pilots in simulation. Not so in health care. Go figure. And the Apple interface, especially with iPhones and iPads, is a pleasure in large part because Steve Jobs was a tyrant who wouldn't market a product until it worked the way he wanted it to. Not so in health care. Maybe we need a Steve Jobs.

But the line that struck me from the Wachter piece was, "Big-data techniques will guide the treatment of individual patients, as well as the best ways to organize our systems of care. (Of course, we need to keep such data out of the hands of hackers, a problem that we have clearly not yet licked.)"

Personally, I'm far less concerned about hackers getting my health information than about insurance companies and the government getting my health information. Who else would hackers sell it to?



Tuesday, January 7, 2014

Practice Fuse-Up?

There was an anonymous comment on my post, E-Rx Update and Review (thanks, BTW), that linked to a concerning article in Forbes about Practice Fusion.

For those who haven't been following, Practice Fusion is a free electronic medical record system. I signed up for it because it allows me to e-prescribe, which I and every other doctor in the country will be required to do starting in March of 2015, and I don't want a last-minute scramble; the I-STOP deadline had to be postponed because many prescribers didn't have an HCS account, although I'm not sure how they were getting their rx pads before that. I don't use Practice Fusion for patient records, mainly because the data is stored in the cloud and it's not clear who owns it.

However, the Forbes article is not about storage of patient data, or even security of patient data. At least, not through the health record maintained by the doctor. According to the article, Practice Fusion has set up a Yelp-like site, Patient Fusion, where patients can have access to their health records, if they agree to this with their doctors. They can also schedule appointments, and read and write reviews about doctors. Writing reviews is where the problem came in.

Apparently, patients were writing reviews and including personal information about themselves, sometimes very intimate information (the article calls them "'Burning Sensation [Down There]' Reviews"). And these patients were not aware that their comments, and sometimes names, would be posted publicly.

This is a screenshot of what I could find of the review page:



It's not clear to me if this is the same form that these patients filled out, or if it's been revised since the company realized personal information was being presented publicly. The fine print under "please leave a review for your provider" reads: for your protection, do not include any personal information.

And the fine print under "Patient Authorization" reads:

I authorize my provider and Practice Fusion, Inc. to publish my review on the Practice Fusion website, together with my first name (subject to my unchecking of the "Keep this Review Anonymous" box above). The purpose of publishing my review is to make it available to patients and prospective patients of my provider, and other members of the public. I understand that my provider and Practice fusion will not publish any personal information about me, except my first name (subject to my unchecking of the "Keep this Review...

That's where the screenshot ends. I tried to find myself as a provider so I could set up a Patient Fusion account and get more information, but I wasn't listed. I guess I have to fill out or set up something special to be listed as a doctor.

Here's the thing. Practice Fusion clearly needs to take some responsibility in this. There should be a popup window with a reminder: Please be sure not to include personal information. Or something like that.

But in the age of Facebook, and the era of complete absence of privacy that it ushered in, don't the people who wrote the reviews need to have some responsibility? Everything was filled out online, so you can't say they're not tech-savvy at all. Do people really not know what it means to write a review? Don't people buy stuff from Amazon?

I don't mean to "blame the victim" here. And the Forbes article was waving around some sensationalism to get read. But I'm very uncomfortable with the whole paternalistic approach, like where government tries to dictate how much soda a person can drink, or how much salt a chef can cook with (this was proposed but thank goodness shot down several years ago).

Maybe the whole idea is that people want to believe a greater power or authority figure is taking care of them and making decisions for them, so they don't need to think and feel responsible, and so they can feel protected. And maybe the price of this protection is privacy. If you want mommy and daddy to make sure you're safe, then they have to know everything you're up to.

Is that a good thing?
Thursday, June 13, 2013

What, Exactly, Is HIPAA?

The term, "HIPAA" gets thrown around in relation to patient confidentiality, so I thought it might be useful to clarify exactly what HIPAA is.

My understanding of a HIPAA-covered entity, at least for private practice, has been that you're a HIPAA Covered Entity if you bill electronically. End of story. Here's a government chart to corroborate my opinion.

Specifically:
I don't bill electronically, therefore, I am not a HIPAA Covered Entity.

Now, if you do bill electronically, or work with a billing service, then you are a HIPAA Covered Entity. But again, you are restricted in terms of the billing, not other areas.

This is a link to a useful fact sheet from HHS. Some key points:

Health Insurance Portability and Accountability Act (HIPAA) does not require patients to sign consent forms before doctors, hospitals, or ambulances can share information for treatment purposes.

So you can share patient information with other health care providers without the patient's consent.

I think it's still a nice idea to get consent, anyway, but you are not in violation of HIPAA if you don't have it.

HIPAA does not cut off all communications between providers and the families and friends of patients.

You can share needed information with family, friends, or caregivers, as long as the patient doesn't object. And if the patient is unable to indicate a preference, you can do what you think is best.

So let's get something straight once and for all. HIPAA is not a catchall term that describes all legal issues surrounding patient privacy and confidentiality. It's about billing electronically.

The next time you hear someone try to reassure you by saying he or she is restricted from revealing patient information because of HIPAA: Uh-uh.

If you're a HIPAA covered-entity, you need to give your patients forms indicating how their information may be used. And you need to make a good faith effort to get them to sign a form acknowledging receipt of these forms. What you don't need to do is get the patient to consent to the release of information. And in fact, these forms are more about the ways in which the patient's information lacks privacy.

The sample Patient Privacy Notice from NYU Langone includes the following ways a patient's health information may be used, without consent:

Treatment
Payment
Business Operations
Appointment Reminders
Fundraising
Education
Business Associates
Electronic Communications
Research
Public Need

Doesn't sound all that private, to me.

There are non-HIPAA laws regarding patient privacy, doctor-patient privilege, and confidentiality, and these vary by state. I'll go into more detail in a future post.

But for now, PLEASE read Shrink Rap's post on KevinMD for a description of what can happen to privacy under the auspices of "HIPAA".