Privacy Issues with the Affordable Care Act
People were shocked and outraged to learn their government has been collecting phone records, accessing Facebook and checking out Internet access searches without their knowledge. What will they say when they learn hitherto private information including medical histories will be exposed and vulnerable under the Affordable Care Act (ACA) now that it’s beginning its full implementation.
A provision under the stimulus bill passed in 2008 called for all medical providers to switch to computer generated electronic medical records (EMR) to document all patient health care events. This change from paper based systems would permit all the medical providers of any one person easy access to that individual’s medical history, past and current medications, and whose care they were under now. The change to electronic records makes good sense. However, medical records, even millions of them, in an electronic data format are very portable, easily copied, and can be carried off in someone’s pocket or transported over the ether to other computers in minutes. These are records that would include potentially embarrassing conditions, alcoholism, mental illness, family histories of disease, bouts with cancer, and increasingly now, DNA results. Unfortunately, means to stop this from happening are not part of the ACA.
Medical providers, clinics, hospitals and doctors have until 2015 to implement electronic systems or face reduced Medicaid and Medicare reimbursements. The increased rate of compliance, now at 55%, has been matched by increasing incidences of lost and stolen medical records.
At Howard University Hospital in Washington D.C., a medical technician had, over a 17 month period, sold the personal information and medical history of hospital patients to identity thieves. Earlier, at the same facility, 34,000 patients had to be notified that their medical records had been compromised when an IT contractor’s laptop containing the records had been stolen.
Then in Utah, Eastern European hackers broke into the servers at the Department of Health and stole the personal medical information of 800,000 people. That’s 1 of every 4 people in the state! The most egregious incident yet took place at the Department of Veteran Affairs (VA) facility when a laptop with 26.5 million service men’s electronic records was stolen. These are but a few of the tens of thousands of security breaches involving medical records reported since EMRs began to take over paper records.
A new medical coding system, ICD-10 has been mandated by the ACA that will make even more of our medical history accessible. It increases the level of detail medical providers must include in each patient’s diagnosis and treatment, requiring 8 times the number of codes previously called for. Under the previous system, an angioplasty was represented by one code. Now, under ICD-10, an angioplasty must be represented with one of 854 codes! Medical providers have until Oct 1, 2014 to begin identifying all their diagnosis and procedures with this vastly expanded system.
Because of the additional time required to look up and enter all these new codes, busy medical providers will hand off the work of interpreting and entering these codes to clerical help including contractors who can work at home. Medical records will be exposed to still more people who have nothing to do with a patient’s healthcare.
In fact, our medical records, once within the province of highly trained medical professionals, are increasingly accessed by all manner of individuals uninvolved in our medical treatment and largely unsupervised. Once a person’s personal information is entered into a facility’s data system, there’s little control over who can access it. Celebrities like Britney Spears and George Clooney can speak to this. Their medical histories were recently stolen and sold to gossip magazines.
Theoretically, our medical history, is strictly protected by law: The Health Insurance Portability and Accountability Act of 1996 (HIPAA). Moreover, under the law, the Department of Health and Human Services (HHS) has the authority to prosecute any medical facility that does not take measures to protect patient information. Despite the 22,000 reported instances where medical records were lost and stolen between 2003 and 2011, HHS has issued only 1 monetary penalty and just 2 subpoenas.
Now, HHS has just issued a 253 page ruling under the ACA freeing all government agencies to make available, without patients’ pre-approval, the health information of anyone applying for government assistance through the new health insurance exchanges. Analysts will review this information to determine how much health insurance and government assistance is warranted. It looks like when you ask the government for help, you lose all the rights guaranteed by law.
For all of us, the government is requiring our very personal medical information to be detailed and available in a more accessible, more vulnerable format without building in any new safeguards or even acting on existing safeguards. Who is protecting our 4th Amendment Constitutionally guaranteed right to privacy?