By Robert A. Clifford
Most of the major local hospitals in the Chicago area share medical records to improve health care in the community by forming the largest data exchange in the country, the Metropolitan Chicago Healthcare Council (MCHC), announced in April 2011. At first glance, it may appear to be a good thing.
There certainly is something to be said for improving health care and analyzing electronic data perhaps may help the cause. But privacy experts question the real motivations of the hospitals, which might be mining patient data for the purpose of patients increasing the use of their services and equipment.
It was reported by USA Today earlier this year that hospitals are using patients’ demographic and health-care data to send advertising materials targeting those who may need possible services, but also those who do not.
One of the criticisms of hospital information exchanges (HIE), such as the one formed in Chicago last year, is that it could actually be trying to target patients with better private insurance so their services will provide a greater financial return to the health-care provider. The targeting of patients with better insurance also may be a problem. Doug Heller, executive director of Consumer Watchdog in California, called this practice “cherry-picking” for the best-paying patients. And Deven McGraw, director of the health privacy project at the Center for Democracy & Technology in Washington, D.C., told USA Today , “Sometimes this is about generating business for a new piece of equipment that the hospital just bought.”
For example, USA Today reported that over a 10-month period, St. Anthony’s Medical Center in St. Louis sent personalized mailings to 40,000 women for mammogram screenings, to which 1,000 women responded and from which $530,000 in revenue was generated. The mailing cost only $25,000.
The article reported that in 2010, Provena’s hospitals in Illinois sent targeted mailings to 293,000 people that led to 17,000 more patient visits and $595,000 in net revenue. Were all of these tests really needed? Was health care improved? Or were the health-care providers’ bottom lines the real reason?
The real purpose of any one of the HIE will never be known because each agreement allows for the sharing of data as long as there is a “valid reason.”
Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), federal law allows the use of confidential medical records to keep patients informed about services, but also for marketing purposes that allows it to be used for “operations.” As these hospitals gather information regarding the health habits and problems of patients, there is no law preventing them from engaging in proactive direct mail campaigns for services they may or may not need, such as mammograms, cholesterol testing or CT scans. Solicitations for obesity programs, seminars to quit smoking and new asthma medications may be found in your mailbox or e-mail in-box, facilitated by the information easily collected and stored by hospitals.
Entire companies have been created to mine the Internet for data on your habits, interests and health, which amounts to compromising patients’ privacy using their private medical records.
Pam Dixon, executive director of the World Privacy Forum, a public interest advocacy group based in California, said this activity is expected to increase with the use of electronic data that makes it much easier to sort information by gender, age, insurance data and other demographic information.
Although for some potential health-care consumers, hospitals reaching out to them may be a plus because it educates them about possible tests needed.
But privacy concerns remain an issue. Dixon said, “Hospitals can do more to share less information.” She expressed concern that hospitals could use “loopholes” in the law to further their bottom lines.
For example, when a patient signs a HIPAA form at a doctor’s office, does that person really know what he or she is signing? Could there be boxes checked off already that allow for the health-care provider to share that information for marketing purposes or even with nonmedical personnel?
Despite revisions to HIPAA in 2009, the law doesn’t provide for patient protections in this area.
In a 2011 Crain’s article, the cost of building and running the Chicago HIE is unknown because the record keeping and types of information already in the possession of each hospital varies. Rush University Medical Center, University of Illinois at Chicago Medical Center, John H. Stroger Jr. Hospital of Cook County, Loyola University Medical Center and Central DuPage Hospital are among at least 70 founding member hospitals that joined the HIE in April.
Northwestern Memorial Hospital and the University of Chicago Medical Center were reported then to take a wait-and-see attitude.
Although it may seem impossible to remain anonymous in this digital world, everyone still has to work to protect patients’ rights. We are talking about people’s health and privacy, both of which are of utmost importance.