Many of you have quickly realized that I find it a lot more interesting to write about EMR than I do about HIPAA. Seems like most people prefer to read about EMR than they do HIPAA as well (except for this popular HIPAA Lawsuits post I did eons ago). However, I’m sure that many of you will find this article I found about privacy of medical data quite interesting. Here’s a quote from the beginning of the article which prefaces the health privacy situation quite well.
A pharmaceutical company, Bristol-Myers Squibb Co., sent him an eight-page brochure pitching another medicine, Abilify, used to treat patients “when an antidepressant alone isn’t enough.”
Lexapro was plenty for Spencer, but the mailing stuck in his craw. He has followed the recent debate over the utterly porous privacy of consumer data. But he thought his medical history, at least, was guarded by the special privacy protections of HIPAA, 1996’s Health Insurance Portability and Accountability Act.
Spencer asked a simple question: How did Bristol-Myers Squibb – or the “third-party list company” that the brochure said was the source of his name – know enough to send him that mailing?
The article goes through all the places that had the information that he was on the antidepressant Lexapro: the insurance company, his doctor, the pharmacy. Each of course denied having sold his information. After some digging, Bristol-Myers Squibb gave the actual way they got Spencer’s health information to be able to do a targeted mailing:
Maybe Spencer bought an over-the-counter depression remedy at a store where he has “frequent shopper” card? Maybe he called an 800 number for information? Maybe he answered a survey on health concerns?
I ran all these ideas by Spencer, and he rejected each.
On Friday afternoon, Bristol-Myers Squibb delivered a “gotcha.” Yes, Spencer was the source of his own privacy breach, according to spokeswoman Laura Hortas.
Hortas says Bristol-Myers Squibb bought the list in question from a reliable list broker. “We only work with list vendors that we know commit to observing U.S. privacy law,” she told me.
And how did the list vendor get Spencer’s name? Hortas says Spencer visited a site called www.WinningSurveys.com at 9:25 p.m. on Dec. 14 and replied to a prompt that said: “Please provide relevant information to me on the following ailments.”
“He selected depression,” Hortas says.
Of course, Spencer denies every having visited that site. The problem is that I bet Spencer is like most Americans and doesn’t really know what sites they’re visiting anyway. I’m still surprised how many people I talk to don’t know the difference between going to www.emrandhipaa.com and typing emrandhipaa in Google to find the site. I see the stats on my blog that show how many people don’t know the difference. I wouldn’t be surprised if Spencer is one of these people.
I’m not trying to defend sites like WinningSurveys.com. There’s a lot of JUNK on the internet that is absolutely terrible, deceptive and in many cases dishonest. It’s really easy to trap someone into providing their personal information to you online (although I don’t agree or use these methods). Many times without people even realizing they’ve done it. Is that a breach of someone’s privacy if they were deceived into giving up their information to win an iPad?
I’m also not saying that companies shouldn’t be held responsible for using health information inappropriately. They should be held accountable according to the laws. I just don’t see any violation of HIPAA laws in this case.
I do love the irony that someone so concerned about privacy of his health information now has an article on Philly.com with his name and his health information. That leads me to believe that Spencer isn’t as concerned about the privacy of his information as he puts on. Maybe he’s just mad that he didn’t have a winning survey. I wonder if he’d won an iPad from the survey if he’d be as concerned about the mailings.