Spotlight on your private medical records

September 27th, 2011 by Amy. Categories: health care, school district

At least two national media outlets are concerned enough to report that Obamacare allows the federal Department of Health and Human Services (HHS) access to everyone’s private medical records. According to the Washington Examiner:

America is learning about the federal government’s plan to collect and aggregate confidential patient records for every one of us.

In a proposed rule from Secretary Kathleen Sebelius and the Department of Health and Human Services (HHS), the federal government is demanding insurance companies submit detailed health care information about their patients.

Government-mandated collection of your private medical records should not be news to Coloradans. In 2010, the state legislature passed HB 1330, the Health Care Cost Transparency Act, which Linda Gorman of the Independence Institute called the “transparency trojan horse.” The legislation established an All Payer Claims Database (APCD). Ms. Gorman wrote critically of the Colorado bill:

It will make your most personal actions transparent to government officials, officials who have no business keeping track of what kind of health care you buy or what you pay for it.

The bill authorizes the state to collect information on every health care transaction in the state, including information from private medical records, insurer files, and hospitals.

People who refuse to comply can be fined. There is no limit to the fines that may be assessed.

The data that can be requisitioned and stored include individual information on physical functioning, medical treatment, supposed mental stability, marital problems, family structure, sexual habits, addictions, adherence to government health recommendations, and individual financial arrangements. If your teenager filled out the kind of questionnaire that is standard in pediatric practices, it may also contain information on whether you own a firearm, your household’s illegal drug use, how well your child does in school, and whether your child or his friends have ever broken the law.

Since no one can opt out of the database the bill creates, any information in it could potentially be used against anyone who decides to run for office, get a professional license, apply for a security clearance, or make trouble for state government.

The development of the database is to be financed by gifts, grants, and donations from unknown sources with unknown agendas. The design of the database is controlled by an unknown ‘Administrator’ who will decide who your data will be shared with and the form it will take.

We now know who that “Administrator” will be. In Colorado, it is the non-profit Center for Improving Value in Health Care (CIVHC), a spin-off of the Colorado Department of Health Care Policy and Financing (HCPF). Because it is a non-profit, it is not subject to Colorado Open Records Act (CORA) requests. So much for transparency.

I recently sent a list of questions to CIVHC director Phil Kalin. One in particular concerned the budget for the APCD. Mr. Kalin responded:

As you are no doubt aware, CIVHC is no longer an entity of state government, having been spun off as an independent 501(c)(3) in May. As I’m sure you also realize, the legislation that created the APCD included no general fund dollars. Thus, CIVHC is raising the funds to implement and operate the database. Our board is currently reviewing the APCD budget so it is not yet final. When it is, we do not intend to distribute a detailed budget publicly, as we will be negotiating and working with vendors and want to ensure that we obtain the best pricing possible.

Translation: CIVHC is a non-profit and doesn’t intend to make information available about who funds the database that houses all private medical information or how CIVHC spends the money.

Another question regarded privacy and security. Mr. Kalin’s response:

As APCD Administrator, CIVHC must comply with all aspects of the federal Health Information Portability and Accountability Act (HIPAA). At all times, data will be transmitted and stored in a secure and fully-encrypted manner. We have not yet chosen a prime vendor. However, one of our top criteria for choosing a database vendor is their extensive experience with privacy and security and demonstrated ability to comply with all aspects of HIPAA.

There is no such thing as a secure facility, as Wikileaks has proven. University of Colorado law professor Paul Ohm, who specializes in internet privacy, issued this warning in a recent Coloradan Magazine article:

while blacking out social security numbers might once have been enough to protect anonymity, that is no longer the case. Thanks to lightning-fast computers and an ever-growing web of databases that hold different pieces of the jigsaw puzzle, we can figure out who people are, he says.

“If I know a 23-year-old living in a ranch house in Boulder has been diagnosed with cancer, I can without a lot of computing time or expertise find a short list of 23-year-olds who live in ranch houses in Boulder,” he says. “It’s a lot easier than we used to think it was.”

According to one study, 87 percent of the population can be uniquely identified with just three pieces of information — zip code, birthday and gender.

The state-sanctioned, unaccountable non-profit CIVHC will have access to a lot more than three simple pieces of your personal medical information. Under the FAQ section of the CIVHC Web site, the following “data elements” will be included in the state’s health care database:

What information is typically included in an APCD?

  • Encrypted social security number
  • Type of product (HMO, POS, Indemnity, etc.)
  • Type of contract (single person, family, etc.)
  • Patient demographics (date of birth, gender, residence, relationship to subscriber)
  • Diagnosis codes (including E-codes)
  • Procedure codes (ICD, CPT, HCPC, CDT)
  • NDC codes/generic indicator
  • Revenue codes
  • Service dates
  • Service provider
  • Prescribing physician
  • Plan payments
  • Member payment responsibility (co-pay, coinsurance, deductible)
  • Date of payment
  • Type of bill
  • Facility type
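
An added illustration, not part of the original post or of CIVHC's materials: the Python sketch below measures how many records in a release are unique on ZIP code, date of birth and gender (the three fields named in the study quoted above, all of which fall under "Patient demographics" in this list), and how generalizing those fields and suppressing small groups changes the result. The rows, the field layout and every function name are constructed for the example.

```python
from collections import Counter

# Constructed rows, one per member, shaped like the data elements listed above:
# (encrypted_ssn_token, zip, date_of_birth, gender, diagnosis). All values invented.
MEMBERS = [
    ("t01", "80301", "1988-03-14", "F", "dx-a"),
    ("t02", "80301", "1988-07-02", "F", "dx-b"),
    ("t03", "80302", "1988-11-30", "F", "dx-a"),
    ("t04", "80304", "1988-01-09", "F", "dx-c"),
    ("t05", "80301", "1961-05-21", "M", "dx-b"),
    ("t06", "80303", "1961-09-17", "M", "dx-a"),
    ("t07", "80305", "1961-12-03", "M", "dx-d"),
    ("t08", "80401", "1975-06-06", "M", "dx-b"),
]

def exact_qi(row):
    """Quasi-identifiers as stored: ZIP code, full date of birth, gender."""
    _, zip_code, dob, gender, _ = row
    return (zip_code, dob, gender)

def coarse_qi(row):
    """Generalized form: 3-digit ZIP prefix, birth year only, gender."""
    _, zip_code, dob, gender, _ = row
    return (zip_code[:3], dob[:4], gender)

def class_sizes(rows, qi):
    """Number of members sharing each quasi-identifier combination."""
    return Counter(qi(r) for r in rows)

def unique_fraction(rows, qi):
    """Share of members who are the only person with their combination."""
    sizes = class_sizes(rows, qi)
    return sum(1 for r in rows if sizes[qi(r)] == 1) / len(rows)

def k_anonymity(rows, qi):
    """Size of the smallest group; k = 1 means someone stands alone."""
    return min(class_sizes(rows, qi).values())

def suppress_below(rows, qi, k):
    """Withhold members whose group is smaller than k before release."""
    sizes = class_sizes(rows, qi)
    return [r for r in rows if sizes[qi(r)] >= k]

if __name__ == "__main__":
    print("exact :", unique_fraction(MEMBERS, exact_qi), k_anonymity(MEMBERS, exact_qi))
    print("coarse:", unique_fraction(MEMBERS, coarse_qi), k_anonymity(MEMBERS, coarse_qi))
    released = suppress_below(MEMBERS, coarse_qi, 3)
    print("after suppression:", len(released), "rows, k =", k_anonymity(released, coarse_qi))
```

The encrypted social security number never enters the calculation: in the constructed rows every member is unique on demographics alone, which is why encrypting that one field does not by itself make a record anonymous.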

Colorado’s APCD is a disaster waiting to happen and makes a mockery of transparency, which is intended for citizens to watch government, not the other way around. Among civil libertarians, the Independence Institute was the lone defender of your medical privacy.

Fortunately for Coloradans, the database is behind schedule. It was supposed to be operational by summer 2011. That has been delayed until December 2011. Enjoy your medical privacy while it lasts. As supporters claim, they cannot “manage” your health care, unless they can “measure” it.

Feel better knowing government has its eye on you? Neither do we.
