It happened to Target and recently we learned it happened to UPS stores, too. It went on for a year at the Montana Health Department and it happened to millions of customers of Kaiser Permanente Northern California. It's the theft of customer or patient data, and it can take place in many ways – a laptop goes missing, an employee downloads malware to an internal computer, someone on the inside intentionally leaks the data.
When this happens at a retail outlet like Target, customers can lose their credit card information, leading to a lengthy process of sorting out with the credit card company what you did and didn't authorize. When this happens with a healthcare organization, the consequence can be the loss of your privacy, maybe even a social security number that links you with your identity in ways that are terribly difficult to disentangle.
In late July, Becker's Hospital CIO published an article describing 7 HIPAA myths that hospitals, clinics, and other healthcare organizations need to keep in mind when trying to stay on the right side of privacy concerns. But there are things patients can do to safeguard their data, too. One of these things is simply knowing what healthcare organizations are and are not required to do to keep your data safe. Unfortunately, there’s HIPAA and then there’s what people think is true about HIPAA.
Following are 5 myths that I hear from patients with respect to their privacy. Of course many if not most healthcare settings, absolutely including my addiction treatment facility, have set their own best practices to answer these concerns. We go far above and beyond HIPAA requirements. But it's still best to know what healthcare facilities have to do and what they choose to do with patient data. Knowing your rights can keep you safe. Be sure to ask your doctor, hospital, or addiction treatment center what they do to go beyond HIPAA's basic privacy requirements.
1. HIPAA Requires a Consent Form before Treatment or Billing
Not only can a healthcare facility treat or bill you without a signed consent form, but it can pass along your information to another healthcare provider without signed consent so that you can be treated and billed. When you move between healthcare institutions or even between some departments within an institution, another medical record may be created. The same is true of billing. Make sure you trust the clinic you are referred to as much as you trust the data security at the hospital where you started.
2. Healthcare Providers Can't Tell Your Family about Your Medical Treatment
Believe me, I see this all the time; there is some information you might want to withhold from your family. But when it is in the "best interest" of the patient, healthcare providers are allowed under HIPAA to share your medical information. It's even easier to share information with a family member whom a patient has identified as a caregiver.
3. The Fact of Your Admission Is Confidential
This depends on the treatment facility. At my facility and most addiction centers, the fact of admission is confidential. But many hospitals list patients in an online directory, and anyone who calls may be given your phone and room numbers. In most healthcare facilities, if you want your stay to be confidential, you have to request it specifically.
4. Your Sensitive Medical Information Won't Be Emailed
What sits on the top of a fax machine tray may not stay on the top of a fax machine tray. And unless you have expressly stated how you prefer to be contacted, your healthcare provider can use email or even text. Most doctors and mental health providers are careful to include disclaimers of non-confidentiality on all emails. Still, it's easy to overlook what is and what is not secure.
5. Healthcare Providers Can't Leave Messages on Answering Machines
In this day of personal smartphones, perhaps there's less chance that an unsuspecting spouse or child will listen to the message describing the prescription that is ready for you at the pharmacy. Sure, providers are discouraged from leaving the specifics of medical information, but I'm sure you can imagine many cases in which a message leaving the provider's name and the request to call back could raise privacy concerns. And providers are certainly within their rights to do so.
I don't mean to sound like a conspiracy theorist. In most cases, healthcare providers will use your information to provide the best possible care – and this information will stay within the walls, or at least within the database, of your treatment provider. And again, most healthcare providers have internal policies that go above and beyond the bare-bones requirements of HIPAA. But it's worth knowing your privacy rights – not just guessing that your information will be kept safe. At least if you know enough to be uncomfortable with the way your records have been handled, you will be able to request they be handled in a more secure way.
Richard Taite is founder and CEO of Cliffside Malibu, offering evidence-based, individualized addiction treatment based on the Stages of Change model. He is also co-author with Constance Scharff of the book Ending Addiction for Good.