Privacy Malpractice

The online Internet exchanges created by the Affordable Care Act are up and running.

OK, they’re up. Uhh, OK, some of them are sort of up.

It has been almost a week since last Tuesday’s initial launch, and there have been more than a few problems.

Website crashes, excessive response times and other problems have plagued the exchanges. The government assures us the problems are temporary and “all new technology has a few glitches.”

But the technology used to operate the exchanges is not new. Google, Amazon, and eBay each serve millions of people every day using Internet tools that have been under development for two decades. Each of these Internet vendors has gained people’s trust because their systems provide secure platforms and protect personal and financial information.

A federal Health and Human Services Department audit of the exchange development process raised significant questions about the exchanges’ capacity to protect sensitive personal information, including medical records. To date, those questions have not been answered publicly.

Anecdotal evidence, however, suggests personal information will be at risk of inappropriate disclosure. For example, known data “leaks” included disclosure of unencrypted medical information on 2,400 Minnesota residents to an insurance broker. Who was behind this blunder? A health care exchange employee.

So this is a good time to consider what steps you can take to protect your medical records and associated personal information that you normally give to your doctor.

As we shall see, some threats originate through the hacking or misuse of database files. Others originate through the use of considerably lower-technology tools… like phone surveys. But more on that in a moment.

What comprises your medical records and why should you take steps to protect yourself when it comes to the use and distribution of such information?

Your medical records include information about treatment received, diagnostic testing results, drugs prescribed and reports on chronic conditions or medical procedures. They might include family medical history and information about lifestyle choices (like smoking).

They likely also include material you gave to insurance providers as well as personal financial information regarding your credit and banking. Your medical records also might include information collected by schools (vaccination records, behavioral issues), employers (employee health plan records, injury records), and marketing companies (Internet use histories and surveys; phone surveys; and data purchased from information brokers, insurance companies, and other sources).

People are generally surprised to find out that most health-related information is not covered by federal privacy laws. The federal Health Insurance Portability and Accountability Act (HIPAA) only applies to medical records kept by health care providers, health plans and certain medical information data collectors where the information is transmitted electronically. Thus, it is vital to understand how and why your information is distributed and what control you have personally in the process.

Most disclosures are “voluntary.” For example, when you apply for insurance, most insurance companies require you to disclose your personal medical information. Similarly, the government requires disclosure when you seek benefits. Employers often request disclosure of health-related information of employees.

Self-imposed disclosures based on Internet interaction with marketers, health-related websites, and other Web-based activities are common, as are responses to telephone and personal surveys and questions.

So how do you protect the privacy of your medical records?

First, be aware of what disclosures you have made in the past. Your physician will provide you with a copy of your medical record upon request.

Similarly, request copies of your medical record files from the Medical Information Bureau (MIB), IntelliScript, and MedPoint and check them for accuracy. Each of these companies maintains databases of health-related information that they share with insurance companies.

Second, before using Web-based health-related sites or participating in marketing surveys or health screenings, think about what information you want to disclose. Presume that the information you disclose will become public, and act accordingly.

Third, talk to your physician and employer about the health-related information they collect about you. If you have concerns about potential disclosure, make it clear in writing that you expect certain information to be maintained in confidence.

Finally, with the implementation of Obamacare, remember that the exchanges are potentially ill-designed to maintain your privacy. Be cautious about what you disclose in your interaction with any exchange.

Similarly, given the technical problems experienced to date, be very cautious with any disclosures to purported “navigators” or third-party providers like insurance brokers. States like Colorado and Oregon are requesting that individuals wishing to sign up for Obamacare seek out help from “navigators” or other third parties.

We have little assurance that the information provided to such third parties will be properly secured given the state of affairs today.

For example, as one blogger recently asked:

“There are enough glaring issues with this complete lack of privacy to get the wheels of any self-respecting conspiracy theorist turning. Here are a few scenarios that explain why this privacy breach could be an incredibly big deal.

“Think about some of the ramifications of having your private information in this large electronic network. How easy would it be for algorithms to be run to pinpoint “threats” to any given agenda?

Don’t believe in vaccinating your kids? It’s in the database.

Don’t believe in taking psychiatric medication? It’s in the database.

Refuse to get ‘the chip’ at some point in the future? It’s in the database.

Decline the flu shot? It’s in the database.

Did you tell the doctor that, yes, you do have guns in your home? It’s in the database.

Decline answering the physician’s intrusive questions about firearms in your home? It’s in the database.”

As more and more data becomes available because of the commingling and coordination of databases throughout society, it falls to you, the individual, to make certain that the personal information floating in the cloud is correct and legally disclosed.

Please be careful out there!


Mike Leahy

Privacy and Security Expert, Spy Briefing Club
