Seven years ago, I sat across from Farrah Fawcett in the living room of her Los Angeles, California condo. In what would be her last media interview before she died in 2009, she described her suspicion that an employee at University of California–Los Angeles Medical Center had shared details of her cancer treatment—and the setbacks along the way—with the National Enquirer.
Whenever she sought treatment there, the tabloids were quick with a story, even if it wasn’t right.
“I actually kept saying for months and months and months, ‘This is coming from here,’” Fawcett told me in the summer of 2008. “I was never more sure of anything in my life.”
To prove her theory, Fawcett set up a sting: In May 2007, she withheld news of her cancer’s return from nearly all of her relatives and friends. Within days, the story was in the Enquirer. “I couldn’t believe how fast it came out,” Fawcett said.
In 2008, prompted by Fawcett’s experience and those of other celebrities, California passed a law authorizing fines against hospitals that fail to protect patient privacy. Governor Arnold Schwarzenegger signed it; his then-wife, Maria Shriver, was one of those whose records had been accessed inappropriately at UCLA.
At the time, I thought that this was a problem largely confined to the People magazine world of celebrities and that this law would quash the prurient interest in their medical records.
I was wrong.
After spending the past year reporting on loopholes and lax enforcement of the Health Insurance Portability and Accountability Act, the federal patient-privacy law known as HIPAA, I’ve come to realize that it’s not just celebrity patients who are at risk. We all are.
Over the course of my reporting, I’ve talked to hundreds of people who said their medical records were hacked, snooped in, shared, or stolen. Some were worried about potential consequences for themselves and their families. For others, the impact has been real and devastating, requiring therapy and medication. It has destroyed their faith in the medical establishment.
I spoke to Jacqueline Stokes, a cybersecurity consultant whose story I wrote about in the Washington Post. When she went to what was supposed to be a secure website to check the results of a paternity test she’d purchased at a local pharmacy, she stumbled upon 6,000 other people’s test results. She complained to the federal regulator that enforces HIPAA, but she was told that the lab wasn’t covered by the law—when it was drafted in 1996, its authors probably hadn’t anticipated such things as over-the-counter paternity tests. Stokes gave up when she was told to contact a different agency.
I met Kenneth Chanko, whose dad Mark was rushed to NewYork-Presbyterian Hospital/Weill Cornell Medical Center in 2011 after being struck by a sanitation truck. Unbeknownst to his family, a real-life medical show, NY Med, was filming in the hospital at the time. The following year, Mark Chanko’s widow was watching the show on ABC and realized that the blurred-out man dying on the television screen in her living room was her husband. No one had told the family—or asked for permission. The Chankos filed a lawsuit against the hospital and the TV network, as well as a complaint with the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA. The lawsuit was dismissed and is being appealed to New York’s top court. The complaint with the civil rights office, filed in January 2013, is pending. In the meantime, New York City’s hospitals voluntarily agreed this summer not to allow commercial filming of patients without their permission.
I talked to Edie McGee, a lawyer for a federal agency who lives in Maryland and whose name was leaked to the media in 2003. She had just returned from China after adopting her daughter when she came down with an upper respiratory infection. Doctors suspected she had the SARS virus. Before the lab results even came back ruling out SARS, a Washington Post reporter showed up at her door, and other media outlets wanted interviews too.
And I spoke with a woman named Frances whose diagnosis with a sexually transmitted disease was plastered on Facebook by a former friend who worked at the Indiana hospital where she received treatment. “PLZ HELP EXPOSE THIS HOE!” the public post said. Frances now drives miles out of her way to go grocery shopping so she can avoid people in her town. I was surprised by just how many health workers have leaked details about acquaintances who have STDs.
I’ve written about nursing home workers who posted dehumanizing, explicit photos of residents on Snapchat and about a New Jersey psychology practice that didn’t redact patients’ mental health diagnoses or their treatments as part of legal actions to secure payment of unpaid bills. Even the names and diagnoses of minors were included.
In each story, a common theme emerged: HIPAA wasn’t working the way we expect. And the regulatory agency charged with enforcing it, the HHS Office for Civil Rights, wasn’t taking aggressive action against those who violated the law.
We all know HIPAA, whether we recognize the acronym or not. It’s what requires us to stand behind a line, away from other customers, at the pharmacy counter or when checking in at the doctor’s office. It is the reason we get privacy declaration forms to sign whenever we visit a new medical provider. It is used to scare health-care workers, telling them that if they improperly disclose others’ information, they could pay a steep fine or even go to jail.
But in reality, it is a toothless tiger. Unless you’re famous, most hospitals and clinics don’t keep tabs on who looks at your records if you don’t complain. And even though the civil rights office can impose large fines, it rarely does: It received nearly 18,000 complaints in 2014 but took only six formal actions that year. A recent report from the HHS inspector general said the office wasn’t keeping track of repeat offenders, much less doing anything about them.
Making matters worse, HIPAA does not allow patients to sue health providers for damages if they violate the law. So if the federal government doesn’t enforce the law, there are often no consequences for breaking it, though some patients have found grounds to sue under some states’ laws.
What can be done? For one, the HHS civil rights office could use the tools already at its disposal. When the office imposes fines for HIPAA violations, it gets to keep the money for its own enforcement efforts, rather than hand it over to the treasury. Experts I interviewed said the agency needs to use its authority more and demonstrate that it’s serious about violations, particularly repeat ones. ProPublica recently analyzed data requested under the Freedom of Information Act and found that hundreds of health providers have been cited for violations multiple times. The top offender was the Department of Veterans Affairs, followed by CVS Health.
Moreover, the government still needs to write regulations to implement provisions of a law passed in 2009. One would require health providers to give patients, upon request, a log of everyone who looked at their electronic medical record. Another would give patients whose privacy has been violated a share of the money HHS recovers. Finally, the government has yet to submit to Congress a report due in 2010 with recommendations for how to deal with the privacy of health information not covered by HIPAA.
For our part, we as patients—and loved ones of patients—need to stay vigilant. We need to ask for and keep copies of our medical records. We should look for errors and ask for corrections. Beyond that, we can request a list of who has looked at our electronic records (although providers may not have the ability to generate this or could simply say no). You can ask to speak to your hospital’s or clinic’s privacy or compliance officer with such a request.
After my mom died in 2013, I worried that her death might have been caused by a medical error. In the course of trying to investigate, I asked for a listing of everyone who had looked at her records. It was dozens of pages, and even though I’d been writing about health care for more than 15 years at that point, I couldn’t make much sense of it. I didn’t know who the people were or why they had looked at her records. I’m sure many, if not all, of them had legitimate reasons to do so—to take her blood, process her prescriptions, adjust the settings on her ventilator, etc. That said, now that I know about the steps I can take to protect myself, I’m pretty sure I will take them going forward.
Ultimately, though, privacy boils down to trust. It has to. If we need medical care, we seek it—and whether our records will be kept secure is generally not foremost in our minds.
I’ve thought often this year about how what Fawcett told me years ago foreshadowed a much bigger problem.
“I’m a private person,” she said. "I’m shy about people knowing things. And I’m really shy about my medical” care. “It seems that there are areas that should be off-limits.”