Does HIPAA protect you? Why? Why not?

This Saturday, I have the opportunity to bring the patient perspective to a panel at SXSW in Austin, titled "Why HIPAA Won't Save You: Protecting Data Privacy":

I will be joined by a Health Economist, a person from Industry, and a long-time Health Care Communications expert as the moderator.

Here's the session description, to give you a sense of the direction the panel is shooting for:

Every day, people are collecting, sharing and leveraging health information -- sometimes without even realizing it. From fitness tracking tools to info shared through social to online search and purchases made online, a wealth of health-related data is being generated about each of us that, if used wisely, could improve health outcomes. But while much has been said about the opportunities, few people give much thought to the digital footprint they leave behind -- a footprint that includes data and information not necessarily protected under existing regulatory guidance (HIPAA). By bringing together key stakeholders who can talk to the needs of patients, manufacturers and entrepreneurs, we aim to tackle both the promise -- and the risks -- of maximizing the wealth of health information generated online.

I would love to incorporate your thoughts about HIPAA and how you feel it protects you or falls short of doing so.

This is a really important topic. I think most of us believe that our Personal Health Information (PHI) is protected by HIPAA, but HIPAA has very narrow applicability. HIPAA only applies to health care providers, health plans and health care clearinghouses (like EHR centers). It doesn't cover all other kinds of things where PHI can be collected and used adversely against patients. When we take part in social media, whether it be here or on Facebook or wherever, if we reveal our identity and facts about our health, that information can be used against you. It may be used to deny you insurance, target marketing or employed by individuals or businesses in a whole variety of ways that compromise your privacy and lead to negative impacts. Unfortunately, once information leaks into the network we no longer control it. We really need to expand the protections of HIPAA beyond the covered entities.

I worry that sites like TuDiabetes are being farmed for their data. That they are being used to analyze patients for business or investing opportunities. That companies are trying to look up real identities and "connect the dots." I should have a reasonable expectation that information I post not be harvested in a way that compromises my privacy.

And I also think we need to be concerned about how vulnerable our detailed PHI is in all these new EHRs. There are already far too many notices of massive EHR breaches. It does little good to have HIPAA if the company that is supposed to "protect" our PHI doesn't do a good job and it is all hacked. EHR breaches damage us as patients and we should have recourse.

I hope you have a great time at SXSW. Austin is a great place to visit. Try to eat some barbeque for me. I do hope things work out for you to swing by Diabetes Unconference.

I don't feel that HIPAA protects me for two reasons: [1] Very few people actually understand what HIPAA is and how it works, and [2] HIPAA is a convenient excuse used to avoid sharing medical information.

Just last week I experienced the second one again. The pharmacy I go to has changed its receipts. It used to include the name of the patient. Now it doesn't. I'm afraid this is going to make it difficult to get an FSA reimbursement approved. When I asked the head of the pharmacy about this change she cited HIPAA as the reason names no longer appear on the receipt.

Brian, you bring up a very good point about the narrow application of HIPAA. I see this as an issue with privacy in general and not just personal health info. Our laws have not kept up with technology and our judiciary seems to rule on the side of institutions and not the individual.

To be honest, I guess after 31 years of Type 1 and living in a small city where you can't go to a doc appt without running into people you know, I really don't care much about privacy. But I'm not the paranoid type. I can't imagine what anybody would do with my information that would be unsavory.

And HOW are you supposed to take those nameless receipts and use them for FDA reimbursement??? :S

THANKS for the amazing points! These are SUPER-critical points in terms of how patient data could be used in ways that are not known and/or understood. And not everyone reads "How to keep your TuDiabetes contributions Google-safe" although it's in the first email new members get upon joining the community.

P.S. I will be stopping by the Unconference the first evening. So I will see you then/there (right?)

I will be there. I arrive on Thursday night and will be there for the Friday event.

No. Because for many things that matter we are essentially strong-armed into granting prying eyes access to our medical records anyway. Examples-- insurance policies for medical and particularly life insurance (makes sense, fair enough). Regulatory bodies for professional licensing (can be an outrageous process). Even potential employers can demand you grant access to medical records. Unfortunately doctor/patient confidentiality is a lovely historical concept that doesn't exist in reality in our world today. In today's world it just means the medical professionals don't make fun of your problems to other people. I am more concerned about these aspects than the digital data aspects you mention.

The concern I see is if the ACA is gutted and once again people with diabetes need to worry about insurance coverage. If we return to a time where pre-existing conditions are an absolute or financial exclusion then sharing health information would be a greater concern.

Very good point! (sadly)

That's the single most popular aspect of the ACA, it would be political suicide to disrupt that piece of it. A lot of the rest of it will be subject to debate for a long time though.

I don't think HIPAA protects you. In many ways, it leaves you exposed to rapacious medical providers while insurers jack around with alleged due diligence, e.g. "letters of medical necessity", etc. I wish I had saved the BG log I had kept to get a pump as it was a hoot, scribbled numbers and annotations, blood stains, the whole 9 yards. It was copied and sent to Blue Cross but I can't imagine that it had any actual medical value although, using it and whatever else they used, my doc got within .025U/hr of my "normal" basal rate and very close on the C/I ratios to boot.

Manny, I feel strongly that the ACA is one of the most important pieces of legislation in history. But if the ACA is important it is only possible as a result of HIPAA. Let's take for instance health care portability. Folks tend to forget that prior to HIPAA health insurance following marriage, separation or on the birth of the child was not required regardless of health issue if the employer offered health insurance.

Let's also recall that without HIPAA discrimination in the workplace for medical insurance was not prohibited. True, the data itself is only as secure as the footprint offered. But let's understand that HIPAA is bigger than just information sharing.

Too many times we focus only on information sharing as regards HIPAA, but security is also access to health care. If we contemplate only information, we sell HIPAA short of its complete impact.

I am woefully ignorant about how HIPAA works. My ideal vision about personal data, including medical data, is that ultimate ownership resides with the person. That person is the "author" of that data and nothing short of explicit written consent should allow anyone to even view the data. No viewing secondary party, like a doctor or insurance company, should be able to pass that data on to any third party without the express written approval of the data author. And anyone's personal data should not be able to be sold without the entire dollar value flowing to the author. No one and no company should be allowed to profit using anyone's personal data.

I know this is not how the world works. The credit reporting agencies all act like your financial data is theirs! They even make you jump through hoops to view your data.

It's a complicated world we live in and the most influential parties are those with wealth, corporate power, and government connections. The ideal of our US system, with the citizen as the ultimate source of power, falls far short when it comes to actual real world expression.

Good luck with the SXSW conference. I'll be in Las Vegas, perhaps we can finally meet. I'll be the guy with the Yellow Labrador Retriever.

I don’t think that’s true if you need something from the third party. The medical records justify the drugs, or the settlement or whatever so if an insurer wants to review old records, get another opinion on the records they have or have somebody new check under your hood, they will do it.

I understand. I'm expressing ideal values, not reality. 8-/

See you Friday!

Absolutely! I can't really talk about work; however, what I see there makes me question the value of HIPAA to anyone, including business and whatever medical providers are.

I'd definitely reach out to Erin Gilmer, who knows her stuff in this area as she's a HIPAA attorney who happens to be living with T1D.

This has been a big issue we've been discussing locally in regard to diabetes camp -- some are concerned about the risk, and allowing this to exist when there's such a risk of info leaking and endangering privacy. Interesting topic.

Thanks for putting up this link, Manny!

I always believed that having my name associated with my posts would send a subtle message that I am willing to stand behind my comments and not hide behind a pseudonym. However, I also tried to make sure that I didn't reveal too much about my medical details, TDD, A1C, etc, because I am worried that this data will be mined as outlined by Brian, above.

Today, I am closing the gate after the horse has left the barn, and I am changing my screen name to YogaO, an acronym for, "You Only Go Around Once".