This story was co-published with the Washington Post.
Seven years ago, I sat across from Farrah Fawcett in the living room of her Los Angeles condo. In what would be her last media interview before she died in 2009, she described her suspicion that an employee at UCLA Medical Center had shared details of her cancer treatment — and the setbacks along the way — with the National Enquirer.
Whenever she sought treatment there, the tabloids were quick with a story, even if it wasn’t right.
“I actually kept saying for months and months and months, ‘This is coming from here,’ ” Fawcett told me in the summer of 2008. “I was never more sure of anything in my life.”
To prove her theory, Fawcett set up a sting: In May 2007, she withheld news of her cancer’s return from nearly all of her relatives and friends. Within days, the story was in the Enquirer. “I couldn’t believe how fast it came out,” Fawcett said.
A UCLA employee was caught and charged with selling information to the tabloid. She pleaded guilty, but died before she was sentenced.
In 2008, prompted by Fawcett’s experience and those of other celebrities, California passed a law authorizing fines against hospitals that fail to protect patient privacy. Gov. Arnold Schwarzenegger signed it; his then-wife, Maria Shriver, was one of those whose records had been accessed inappropriately at UCLA.
At the time, I thought that this was a problem largely confined to the People magazine world of celebrities and that this law would quash the prurient interest in their medical records.
I was wrong.
After spending the past year reporting on loopholes and lax enforcement of the Health Insurance Portability and Accountability Act, the federal patient-privacy law known as HIPAA, I’ve come to realize that it’s not just celebrity patients who are at risk. We all are.
Over the course of my reporting, I’ve talked to hundreds of people who said their medical records were hacked, snooped in, shared or stolen. Some were worried about potential consequences for themselves and their families. For others, the impact has been real and devastating, requiring therapy and medication. It has destroyed their faith in the medical establishment.
I spoke to Jacqueline Stokes, a cybersecurity consultant whose story I wrote about in The Washington Post. When she went to what was supposed to be a secure website to check the results of a paternity test she’d purchased at a local pharmacy, she stumbled upon 6,000 other people’s test results. She complained to the federal regulator that enforces HIPAA, but she was told that the lab wasn’t covered by the law — when it was drafted in 1996, its authors probably hadn’t anticipated such things as over-the-counter paternity tests. Stokes gave up when she was told to contact a different agency.
What You Need to Know About HIPAA
Q. Remind me again, what’s HIPAA?
A. HIPAA is an acronym for the Health Insurance Portability and Accountability Act, a law passed by Congress in 1996 and signed by President Bill Clinton.
Q. What does it do?
A. HIPAA is a broad law that does many things, such as setting standards for electronic health care transactions and making it easier for workers to keep health insurance if they lose their jobs. But it is now best known for its privacy and security protections. The federal government has put in place detailed regulations governing who can use and release your health records and requiring safeguards to protect the privacy of this information.
HIPAA also gives you the right to get a copy of your health records and have corrections added, to receive a notice that tells you how your health information may be used and shared, and to file a complaint if you believe your privacy was violated.
Q. Does HIPAA apply to all health providers?
A. No. It applies to health plans, health data clearinghouses and those health providers that conduct certain transactions electronically, such as electronically billing your health insurer. It also applies to outside contractors, subcontractors or other outsiders that work with entities covered by the law.
But if your doctor or clinic doesn’t take insurance, HIPAA may not apply. HIPAA also doesn’t apply to life insurers, employers, workers’ compensation carriers, most schools and school districts, state agencies like child protective service agencies, most law enforcement agencies or media organizations.
Q. Can my health information be shared without my permission?
A. Health providers are allowed to share your information with those treating you, to pay doctors and hospitals for your health care, to help run their businesses and to oversee the quality of care delivered to you. They also may be required to report certain illnesses (like sexually transmitted diseases) to public health agencies and to alert the police to crimes.
Q. Who enforces HIPAA?
A. A small office within the U.S. Department of Health and Human Services called the Office for Civil Rights.
Q. What does it mean to “violate HIPAA”?
A. Violations can take many forms, both inadvertent and deliberate. They may include failing to give patients copies of their records, mailing a patient’s confidential information to the wrong address, and sharing details with a patient’s family or friends without permission. They may also include cyberattacks that expose millions of records, failing to encrypt data on laptops that are subsequently stolen, and snooping in someone’s medical records out of spite, jealousy or even curiosity.
Q. Are there penalties for breaking the law?
A. Yes, the Office for Civil Rights can impose monetary penalties (up to $50,000 per violation, or $1.5 million per year) or even seek criminal charges for deliberate violations. These rarely happen. Nearly all violations are resolved with warnings, reminders, corrective actions and pledges to do better next time.
Q. What should I do if I believe my privacy has been violated?
A. You can try to resolve it directly with your health provider or file a complaint with the Office for Civil Rights using its online portal. Complaining to the government doesn’t guarantee an investigation, though. Most complaints are resolved informally.
Q. Can I sue if my privacy is violated?
A. That’s a tricky question. HIPAA does not allow for a private right of action. What that means is that it doesn’t let people sue for damages for violations of the law. Some people have gotten around that by suing in state court, alleging medical malpractice, negligence or other claims. State courts vary widely in whether they allow such suits to go forward.
I met Kenneth Chanko, whose dad Mark was rushed to NewYork-Presbyterian Hospital/Weill Cornell Medical Center in 2011 after being struck by a sanitation truck. Unbeknownst to his family, a real-life medical show, “NY Med,” was filming in the hospital at the time. The following year, Mark Chanko’s widow was watching the show on ABC and realized that the blurred-out man dying on the TV screen in her living room was her husband. No one had told the family — or asked for permission. The Chankos filed a lawsuit against the hospital and the TV network, as well as a complaint with the Department of Health and Human Services’s Office for Civil Rights, which enforces HIPAA. The lawsuit was dismissed and is being appealed to New York’s top court. The complaint with the civil rights office, filed in January 2013, is pending. In the meantime, New York City’s hospitals voluntarily agreed this summer not to allow commercial filming of patients without their permission.
I talked to Edie McGee, a lawyer for a federal agency who lives in Maryland and whose name was leaked to the media in 2003. She had just returned from China after adopting her daughter when she came down with an upper respiratory infection. Doctors suspected she had the SARS virus. Before the lab results even came back ruling out SARS, a Washington Post reporter showed up at her door, and other media outlets wanted interviews, too.
And I spoke with a woman named Frances whose diagnosis with a sexually transmitted disease was plastered on Facebook by a former friend who worked at the Indiana hospital where she received treatment. “PLZ HELP EXPOSE THIS HOE!” the public post said. Frances now drives miles out of her way to go grocery shopping so she can avoid people in her town. I was surprised by just how many health workers have leaked details about acquaintances who have STDs.
I’ve written about nursing home workers who posted dehumanizing, explicit photos of residents on Snapchat and about a New Jersey psychology practice that didn’t redact patients’ mental health diagnoses or their treatments as part of legal actions to secure payment of unpaid bills. Even the names and diagnoses of minors were included.
In each story, a common theme emerged: HIPAA wasn’t working the way we expect. And the regulatory agency charged with enforcing it, the HHS Office for Civil Rights, wasn’t taking aggressive action against those who violated the law.
We all know HIPAA, whether we recognize the acronym or not. It’s what requires us to stand behind a line, away from other customers, at the pharmacy counter or when checking in at the doctor’s office. It is the reason we get privacy declaration forms to sign whenever we visit a new medical provider. It is used to scare health-care workers, telling them that if they improperly disclose others’ information, they could pay a steep fine or even go to jail.
But in reality, it is a toothless tiger. Unless you’re famous, most hospitals and clinics don’t keep tabs on who looks at your records if you don’t complain. And even though the civil rights office can impose large fines, it rarely does: It received nearly 18,000 complaints in 2014 but took only six formal actions that year. A recent report from the HHS inspector general said the office wasn’t keeping track of repeat offenders, much less doing anything about them.
Making matters worse, HIPAA does not allow patients to sue health providers for damages if they violate the law. So if the federal government doesn’t enforce the law, there are often no consequences for breaking it, though some patients have found grounds to sue under some states’ laws.
What can be done? For one, the HHS civil rights office could use the tools already at its disposal. When the office imposes fines for HIPAA violations, it gets to keep the money for its own enforcement efforts, rather than hand it over to the treasury. Experts I interviewed said the agency needs to use its authority more and demonstrate that it’s serious about violations, particularly repeat ones. ProPublica recently analyzed data requested under the Freedom of Information Act and found that hundreds of health providers have been cited for violations multiple times. The top offender was the U.S. Department of Veterans Affairs, followed by CVS Health.
Moreover, the government still needs to write regulations to implement provisions of a law passed in 2009. One would require health providers to give patients, upon request, a log of everyone who looked at their electronic medical record. Another would give patients whose privacy has been violated a share of the money HHS recovers. Finally, the government has yet to submit to Congress a report due in 2010 with recommendations for how to deal with the privacy of health information not covered by HIPAA.
For our part, we as patients — and loved ones of patients — need to stay vigilant. We need to ask for and keep copies of our medical records. We should look for errors and ask for corrections. Beyond that, we can request a list of who has looked at our electronic records (although providers may not have the ability to generate this or could simply say no). You can ask to speak to your hospital’s or clinic’s privacy or compliance officer with such a request.
After my mom died in 2013, I worried that her death might have been caused by a medical error. In the course of trying to investigate, I asked for a listing of everyone who had looked at her records. It was dozens of pages, and even though I’d been writing about health care for more than 15 years at that point, I couldn’t make much sense of it. I didn’t know who the people were or why they had looked at her records. I’m sure many, if not all, of them had legitimate reasons to do so — to take her blood, process her prescriptions, adjust the settings on her ventilator, etc. That said, now that I know about the steps I can take to protect myself, I’m pretty sure I will take them going forward.
Ultimately, though, privacy boils down to trust. It has to. If we need medical care, we seek it — and whether our records will be kept secure is generally not foremost in our minds.
I’ve thought often this year about how what Fawcett told me years ago foreshadowed a much bigger problem.
“I’m a private person,” she said. "I’m shy about people knowing things. And I’m really shy about my medical” care.
“It seems that there are areas that should be off-limits.”
Ornstein interviewed Fawcett while he was a reporter at the Los Angeles Times. Has your medical privacy been compromised? Help ProPublica investigate by filling out a short questionnaire. You can also read other stories in ourPolicing Patient Privacy series.