Len’s Lens: Privacy and Personal Health Information – What patient consent really looks like

Med Page Today – by J. Leonard Lichtenfeld MD, MACP

So you are a health professional or knowledgeable consumer and think you understand the issues surrounding privacy and exchange of personal health information? So did I, until I recently became a patient and had the temerity (or is that foolishness and patience?) to actually read the consent when I went to the outpatient surgical center for a cancer screening procedure.

And what I read was — to say the least — disturbing. When it came to sharing my health information, there were no middle options: either it could be shared with other exchanges, vendors, consultants, and others nationwide, or I wouldn’t be able to get access when I really needed it — especially in an emergency situation.  

Let’s just say that wasn’t what I was expecting. No “opt in,” no limitation to just those who needed the information to provide me medical care, just “all or none.”

I don’t know if this is typical of similar releases in other healthcare facilities (and I have been advised it is not), but it certainly raises a question about how much we as patients and professionals truly appreciate how much control (or lack thereof) we have over what some consider very private information.

What is so awkward about this situation is that I have been a proponent of having medical information available at appropriate points of care, and for consumers to have access to their medical records. For patients — especially cancer patients — transporting records from place to place or having them available to multiple hospitals and medical consultants can certainly make their lives a little easier and may even save a life in an emergency situation.

Let’s set the scene:

I went to the hospital outpatient department for a screening colonoscopy (Oh, that prep!!!!). When I arrived, a very pleasant lady asked me to read and sign the six pages of consents. OK, no problem there, since I have seen it all before including the fact that medicine is not a science, that I have to pay my bill and so forth.

Then I came across the section that discussed health information exchange, which dictates what personal health information I give the hospital permission to share with others. I almost fell out of my chair. The section was about a page in length, so allow me to share some of it with you:

“I consent to (the hospital) and its employees, volunteers, vendors and medical staff sharing Patient’s medical record and personal (e.g. social security number, date of birth, contact information), payment, and insurance information through any local, regional, state or national Health Information Exchanges/Networks (HIEs) in which (the hospital) participates and through any HIEs in which (the hospital) participates, unless Patient or legal representative has signed an HIE Opt-Out Form. I understand Patient’s medical information, including sensitive data, will likely be shared through HIEs, unless Patient…signs the Opt-out Form.” (Emphasis theirs).

Well, folks, my information is now out of the box — all of it, everywhere they want to send it. And what the heck may I ask does a volunteer have any business having access to share any of this? They are very nice people, and do good things, but my personal health information? My social security number and birthdate? Anything that could be used to create my personal identity? I don’t think so.

And it goes on:

“I delegate (the hospital’s) employees/independent contractors/agents; the employees/independent contractors/agents of affiliated healthcare providers; the HIEs; and any authorized users of the HIEs (including all health care professionals/insurance companies) as authorized users and recipients of Patient protected health information (and also their employees or business associates and the health care providers to whom the Patient’s health care providers refer Patient to care or consultation), and I consent to the use, disclosure, and re-disclosure in those listed in this paragraph without further consent of all Patient health/personal information through regional, state and national HIEs, including the following information:”

By the way, all of the underlining and parentheses are in the original. And I have little doubt that even though a cursory definition of HIE is offered, 99% of the people reading this or signing it don’t have a clue what HIE means or what information/rights/redress they are signing away.

So what information can they broadcast over this very wide net whenever they want to broadcast it by whoever wants to broadcast it, including people I have never met and will never know such as some contractor or consultant hired by the hospital or by someone who participates as a business associate in another exchange somewhere in the country of which I have no clue?

Here are some examples of what information is included in the consent:

• Genetic testing, such as laboratory tests of my DNA or chromosomes conducted in an attempt to discover diseases or illnesses of which Patient is not showing symptoms at the time of the test (Think: BRCA)
• Information showing whether I have been diagnosed as having AIDS, whether I am being treated for AIDS, if I am at risk of AIDS, if I had a test and if so what the result was
• Whether I have a mental illness or developmental disability (By the way, I wondered what I should respond when asked on the admission exam whether I ever had anxiety. Is that a mental illness?)
• Information concerning pregnancy, prevention of pregnancy, child birth and abortions (guess I don’t have to worry about that one!)
• Information regarding diagnosis, treatment, detoxification or rehabilitation for alcohol or drug use or abuse

Then the document concludes with this paragraph (bolding is theirs):

“I consent to the above uses, disclosures, and re-disclosures to and by users of the HIEs with the full understanding that (the hospital) will have no control over the non-(hospital)-owned HIE users or their data practices and that Patient can and should opt of the HIEs if Patient is concerned about sensitive information being used, disclosed, and or re-disclosed.”

Maybe you should read that one again: someone else can do whatever they want with your data and it isn’t the hospital’s fault — even if they slyly violate privacy rules or even see how far they can bend them. That’s anyone who gets the data: any contractor, any affiliate, anyone anywhere in the nation who may be on someone’s data feed. I dare someone to find a data breach somewhere out on the far tiny branches of that tree.

The consent to all of this closes with the note that once the information is sent to the HIE it cannot be undone if I decide at a later time to stop sharing information. Once it goes, it’s gone.

Wow. That’s comforting, isn’t it?

Most of you reading this are health professionals. You have faith in our system, at least the system that is taking care of you or the one you work in. How much faith do you now have that your information is safe once it gets beyond that system of care or where it may be needed somewhere for a medical emergency? Do you trust the insurers? Do you trust the consultants? Do you trust the independent contractors? Do you trust a nationwide HIE that has your information available to someone somewhere who you don’t know and won’t tell you when, where, and why your information is accessed? Do you want your genetic code available to someone who can get access to your data? Do you take comfort that they take no responsibility for the misuse of your information or whether it is sent somewhere that doesn’t have particularly good computer security? Or maybe you don’t mind getting a season’s greeting card from some company that provided the hardware or machine used in your recent surgery thanking you for using their product (that would be the “vendor” on the list annotated above)? (I know that’s an outrageous and unlikely event, but sometimes you need to exaggerate a point to make a point. This consent allows the exchange of your information with the vendor.)

So there I sat, wondering how far this could go, not to mention my concern that I ran the risk of being labeled a “problem patient” if I didn’t consent.

What did I do? I drew a thick black line through the entire thing and wrote “DECLINE” with my initials.

Can you appreciate how difficult that was for me to do? I am someone who wants my information to be available to my healthcare team. I am someone who wants my information available in an emergency. I am someone who believes in this process. And, quite honestly, I don’t have anything that I think I need to hide — except maybe that anxiety thing, my date of birth, my social security number, my email address, and maybe my mother’s maiden name.

But I am not everyone. I could be someone who may not want the world to know that I have a drug problem or an alcohol problem that was successfully treated many years ago. I could be someone who doesn’t want their genetic code floating around the country unless I specifically say that is OK and I know the researchers who are using the information and why they are using it. I could be someone who doesn’t want an insurer or prospective employer to know (and it doesn’t limit to “health insurer” by the way, for which there are specific protections — unlike life and disability insurers) that I have a particular genetic abnormality that may substantially increase my risk of cancer

As we have moved into the internet age we are learning that what goes on the internet stays on the internet. This particular consent gives a huge carte blanche to the hospital to send my information to anyone on the exchange or who has some business relationship with the hospital or anyone on any other exchange where they can share the information with no restraint whatsoever, except within the scope of HIPAA. And those folks can then send it to whomever they want who is also on the unnamed exchange(s). And on and on and on.

Given the breadth of this release, I had to face the fact that I had zero confidence that my information, even though protected by HIPAA, would not end up at some time now or in the future being used in a way that I would not approve. And I would never know.

Oh, and then there was the final scene in this short event: the same very pleasant (and by now probably befuddled) clerk came to the holding area to get me to sign another paper before they gave me any premedication. This consent form asked me to confirm that I declined permission to put my information into the HIE and advised me that if I end up in an emergency department somewhere I understand my hospital won’t share my information with the other hospital. None of that other nasty stuff about sending it around the country. Just that if I really need the information to save my life they won’t provide it.

I guess that’s the quid pro quo: I might die from an allergic antibiotic reaction because I don’t want my genetic code floating around the internet universe.

Somehow that is an incredibly bizarre and ludicrous choice/threat: give us what we want, or you can’t have what you need. I signed the paper declining participation. Now I can pray that one day someone won’t give me vancomycin or a cephalosporin, both of which have caused me life threatening reactions.

We have to make a lot of choices when it comes to our medical care. Choosing between a reasonable expectation of privacy and saving our lives shouldn’t be one of those choices. Something is seriously wrong here.

J. Leonard “Len” Lichtenfeld, MD, is deputy chief medical officer of the American Cancer Society in Atlanta. In his capacity as a spokesperson for the ACS, he has become a prolific writer, addressing all aspects of cancer research and care. In this monthly guest blog for MedPage Today, he shares insights gained from the perspective of a cancer specialist, researcher, and advocate.

http://www.medpagetoday.com/Blogs/ThroughLensLens/55194