Betcha Thought Big Brother Was the Gov’t — But You Thought Wrong

It turns out that a bigger threat to your privacy may not be the government (though they should certainly be high on the list).  Believe it or not, the bigger threat may be the remarkably potent combo of your health insurance company and your pharmacy.

What??  Your little ol’ pharmacy down at your grocery store, or your local drugstore? 

Yes, indeed, the very ones.

Turns out that the companies operating those pharmacies in your grocery store or drugstore often sell your prescription information to third parties called Pharmacy Benefit Managers. 

The Pharmacy Benefit Managers in turn sell your prescription information to two other companies: MedPoint and Intelliscript.

Here’s how it works: you apply for health coverage with any of a number of insurance companies, including Blue Cross/Blue Shield, Humana, UnitedHealth Group, Aetna, and others.  Generally you sign a release giving your authorization for the insurance company to obtain your previous medical history. 

Then, for a measly $15 a pop, MedPoint and/or Intelliscript sell your pharmaceutical “profile” to health insurance companies.

Here’s the problem: you may have signed a release for the insurance company to obtain your medical history, but you never gave your authorization for your pharmacy to sell your protected health information to MedPoint or IntelliScript.

Your pharmacy profile includes all the medications you’ve taken, along with a sweet little number that clues the insurance company in on how much they might have to pay out on you in the future.

Taking anything “off-label”?  Problem.  Taking any mental health meds?  Oops.  You might very easily be denied coverage.

Those who are particularly vulnerable are those who are self-insured, but even those trying to obtain insurance through their employers can be denied.

For the whole story, read the following:

Then, contact your Congressional Representative and your state’s Senators.  (I know, I know, but it’s a start.)  You can also file a privacy complaint with Health & Human Services.

Got a problem with the privacy of your health information?  Yes?  Did you read and understand the Notice of Privacy Practices your new provider gave you?  No?  Want more information about how to protect your health information?  Leave a comment, or send me an email at  And hey, tell your friends about this blog — bet they could use some help with their health privacy, too.


Should You Bother Getting a Copy of Your Medical Records?

Why yes, you should.

I manage the HIPAA program at a large medical center in the South. About 70-75% of the complaints I receive are about the accuracy of the patient’s medical record. That’s a lot of complaints.

Sometimes the patients want changes made to their records that are just outright fraud. For example, there was the patient last year who wanted me to make his provider add a diagnosis of bi-polar disorder, so that he, the patient, could get more government benefits. Never mind that the patient didn’t have bi-polar disorder, or any other diagnosed mental disorder; he just wanted the extra money from the benefits.

More often, though, the patients who contact me have legitimate concerns about the information that has been recorded in their medical records. Right now I’ve got a patient whose provider erroneously copied and pasted another patient’s post-surgical notes into his online medical record. The patient is post-op hip replacement. The other patient is post-op removal of a possible cancerous mole. Aside from the obvious problems associated with this kind of mix-up, there are significant potential patient safety issues, as well.

I could give you many more examples of mistakes that have been made in medical records. The point is that you really should request a copy of your medical records from each of your providers. You need to read the records and see what’s in them.

Here are a few things to keep in mind: you have a statutory (legal) right to a copy of your medical records as long as they have not been sequestered as part of a medical-legal action, and you cannot obtain a copy of handwritten notes that are maintained by a mental health provider. Other than that — you have an absolute right to a copy of your records.

Second, keep in mind that your medical records are about you, but they do not belong to you. So the idea that you should be able to get your medical records because “they’re yours” is not true. You are entitled only to a copy of them.

Third, you may get a copy of the medical records of a family member if you have written authorization from the family member to obtain a copy. Parents, you generally don’t need an authorization from your (minor, unemancipated) children in order to get a copy of their records; obtaining copies of medical records for teens, in which there are questions regarding birth control and certain procedures, is dependent on the laws of the state in which you reside.

Most important, your request must be in writing. Your provider has up to 60 days to provide you with the copy of your records, and your provider may charge you a reasonable copying fee.

Had trouble getting a copy of your medical records? Contact me privately at I would be happy to help. And yes, I expect to launch a website within the next 30-60 days. In the meantime, I’m glad to help you with any questions you may have about your medical privacy.

Is your health information a little safer today?

Are your medical records a little safer today?

Maybe.  But probably not.

After five years and tens of thousands of complaints, Health & Human Services finally put some teeth into their HIPAA Privacy rule, and two weeks ago fined a hospital system in Seattle $100,000 for HIPAA privacy and security violations.

$100,000?  That’s more than a fine.  That’s a statement.

But is it enough?

Let’s see, the HIPAA privacy rules went into effect in April, 2003.  There have been dozens and dozens of privacy breaches since then.  A few prosecutions.  And one fine.

In just the past couple of days:

—  There were as many as 500 victims of a privacy breach that occurred in Ft Bend County, TX, at the local Kelsey Seybold Clinic.

—  An unknown number of medical records were stolen at Grady Memorial Hospital in Atlanta, GA.

—  A potential database intrusion is alleged to have occurred at Saint Mary’s Regional Medical Center in Reno, NV, with as many as 128,000 records breached.

And only one fine.

And you know, that fine was for events that occurred in 2005 and 2006.  Why does it take HHS two years to investigate and levy fines against a hospital system in which several laptops were stolen, which compromised more than 350,000 medical records?

The maximum civil fine that HHS can levy is $250,000.  One would think that the theft of 350,000 records would merit more than a $100,000 fine.  But it’s a start.

Have a problem getting copies of your or your family’s medical records?  Concerned that maybe your medical records aren’t as secure as they could be?  Let me know.  Post a comment.  I can help.

Hello everyone!

Welcome to hipaadiva at wordpress. I’m delighted that you’re here. Got a question about the privacy of your or your family’s medical records? Is HIPAA kind of a 4-letter word for you, that’s thrown in your face every time you try to get any information from your healthcare provider? Let me know what’s going on — I’m here to help.