Electronic Records, Private Lives
Data for Sale?
If you are one of those people who worry that health-care providers will be
tempted to sell your private medical information to the highest bidder, you
should know that hospitals have an even more powerful incentive to keep that
information under electronic lockdown. That incentive is called HIPAA, for the
bipartisan Health Insurance Portability and Accountability Act, also known as
the Kennedy-Kassebaum Act of 1996.
The act is designed to encourage the use of electronic transactions in
health care while safeguarding the security and confidentiality of health
information. According to the U.S. Department of Health and Human Services,
most health insurers, pharmacies, doctors, and other health-care providers are
required to comply with the standards.
Among other things, the HIPAA rules are supposed to guarantee:
- Patient access to copies of their medical records within 30 days of request
for identification of errors and mistakes in the records.
- Notification of how personal health information may be used, and the right
to restrict how that information is used, as well as limits imposed on
providers. Under the rules, patients need to grant specific authorization for
release of records to outside entities such as life insurers, banks, marketing
firms, or other businesses.
- Prohibition on sharing of patient information by pharmacies, health plans,
and others with marketing firms without the express consent of the
To put some teeth into the measure, Congress provided civil and criminal
penalties for individuals or groups that misuse personal health information.
Violations of patient civil rights are subject to penalties of up to $100 per
violation for a maximum of $25,000 per year.
"Criminal penalties apply for certain actions such as knowingly
obtaining protected health information in violation of the law. Criminal
penalties can range up to $50,000 and one year in prison for certain offenses;
up to $100,000 and up to five years in prison if the offenses are committed
under 'false pretenses'; and up to $250,000 and up to 10 years in prison if the
offenses are committed with the intent to sell, transfer or use protected
health information for commercial advantage, personal gain or malicious
harm," according to a fact sheet published by the HHS Office of Civil
Will all of these measures protect patient privacy? Maybe. But in any case,
privacy has long been an uncertain commodity in American life. As Irish
playwright and author George Bernard Shaw told a New York audience in 1933,
long before the Internet was even dreamed of, "an American has no sense of
privacy. He does not know what it means to. There is no such thing in the
Originally Published: September 2003