Image via Rosefirerising on Flickr, Creative Commons licensed

Unfortunately, the answer to the question in the headline is probably yes. More than half the states release some identifying information about your health records, making it more likely that your privacy can be exploited, according to a report that Bloomberg News ran a few weeks back.

I’ll explain what’s going on in detail in a minute, even though I’m deeply embarrassed as a citizen that I even have to.

When I first read the news article in early June, I said to myself, “well here’s an issue even our do-nothing Congress can actually fix in about 10 minutes.” The information can be sold because the states are exploiting a massive loophole in what used to be known as the Health Insurance Portability and Accountability Act (HIPAA – now HIPAA/HITECH). All it would take to eliminate the problem—and it is a HUGE problem as I will explain—is for Congress to close the loophole. So far (and I’m sure this will hardly come as a shock to anyone), Congress hasn’t done a darn thing.

Okay, here’s what’s going on and why you should be concerned.

Under existing regulations, hospitals can give out information about hospital stays—so that researchers and insurance companies can study what is going on—but that data must be stripped of details such as the patients’ age, zip code and admission and discharge dates. The reason for that is obvious. That information could be used in conjunction with other data to identify a specific person.

The problem? The privacy rules only apply to health care providers, insurers, and billing and claims processors. States, ironically, were exempt because it was expected they would go even further with their restrictions and federal regulators didn’t want to set up a conflict.

Well, not all states did. While some are following strict privacy guidelines, Bloomberg reports at least 26 states release some combination of identifying information that can be linked back to you.

And as the article made clear, it is surprisingly easy to use the information, in combination with other data, to identify who you are.

Using state records of hospital stays, Bloomberg managed to track down an executive addicted to painkillers who was hospitalized for assault; a man hospitalized after a motorcycle accident who was found to be arthritic and severely obese; and a businessman, who had been diagnosed with pancreatic cancer, who ended up in the hospital after a suicide attempt.
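How identifying those four fields are can be measured before a data set is released. The sketch below is an added example, not part of the original article or the Bloomberg report: it counts how many hospital-stay rows are unique on age, zip code, admission date and discharge date, then coarsens the fields and suppresses whatever is still unique. The records are constructed and the field names are assumptions.

```python
from collections import Counter

# Constructed sample of released hospital-stay rows (no real patients).
# Field names are assumptions made for this example.
RECORDS = [
    {"age": 34, "zip": "98101", "admit": "2013-03-04", "discharge": "2013-03-09"},
    {"age": 36, "zip": "98104", "admit": "2013-03-11", "discharge": "2013-03-12"},
    {"age": 31, "zip": "98109", "admit": "2013-03-20", "discharge": "2013-03-28"},
    {"age": 67, "zip": "99201", "admit": "2013-03-02", "discharge": "2013-03-15"},
    {"age": 62, "zip": "99208", "admit": "2013-03-18", "discharge": "2013-03-19"},
    {"age": 45, "zip": "98052", "admit": "2013-04-01", "discharge": "2013-04-03"},
]
QUASI_IDENTIFIERS = ("age", "zip", "admit", "discharge")

def generalize(row):
    """Coarsen each field: 10-year age band, 3-digit zip prefix, month-level dates."""
    low = row["age"] // 10 * 10
    return {
        "age": f"{low}-{low + 9}",
        "zip": row["zip"][:3] + "**",
        "admit": row["admit"][:7],
        "discharge": row["discharge"][:7],
    }

def group_sizes(rows, fields=QUASI_IDENTIFIERS):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[f] for f in fields) for r in rows)

def k_anonymity(rows, fields=QUASI_IDENTIFIERS):
    """Smallest group size; k = 1 means at least one row is unique."""
    return min(group_sizes(rows, fields).values())

def at_risk(rows, k, fields=QUASI_IDENTIFIERS):
    """Rows whose group is smaller than k and so stand out in the release."""
    sizes = group_sizes(rows, fields)
    return [r for r in rows if sizes[tuple(r[f] for f in fields)] < k]

def safe_release(rows, k):
    """Generalize every row, then suppress rows that are still in a group below k."""
    coarse = [generalize(r) for r in rows]
    risky = at_risk(coarse, k)
    return [r for r in coarse if r not in risky]

if __name__ == "__main__":
    print("raw k:", k_anonymity(RECORDS), "unique rows:", len(at_risk(RECORDS, 2)))
    released = safe_release(RECORDS, 2)
    print("released rows:", len(released), "k:", k_anonymity(released))
```

Coarsening alone still leaves one row unique in this sample, which is why the suppression step is needed. The check covers only these four fields and says nothing about other columns in a release.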

What are the problems with this, besides a loss of privacy? Let me rattle off just five:

1) No Health Insurance For You. Insurance companies use complicated algorithms to predict how much it will cost to cover medical expenses of the people they insure. If your entire medical history is revealed through public records, most of that guesswork is suddenly rendered unnecessary. And if they find something they don’t like, insurance carriers can still deny you coverage until the new federal health care regulations take effect.

2) No Job For You. Employers are out to learn all they can about job applicants. Some check credit reports, others scan Facebook and Twitter for anything potentially objectionable. If a data company buys state hospitalization records, combines them with other public and private databases, and sells searches of those databases, then employers can learn such sensitive information as whether applicants suffer depression or a potentially expensive medical condition. And since it’s entirely legal, this could become a backdoor to circumvent current laws barring employers from asking questions about such things during the interview process.

3) Potentially Fatal Medical Complications. State hospitalization records are so cheap the run-of-the-mill identity thief can easily afford to buy them, and use the data to obtain free medical care using your personal data or your insurance. In the process, your medical records could morph — reflecting the co-mingled information of the thief (i.e., your blood type, allergies, or medication), putting your life at risk the next time you seek medical care.

4) Non-Medical Identity Theft. Even if identity thieves don’t use your hospital records to obtain medical services, such data can help them find and exploit other information about you, including financial data.

5) Extortion. If you’re a business owner, imagine what your competitors could do to you if they knew you were addicted to painkillers, suffering terminal cancer, or any number of conditions listed in your medical records. Even if you aren’t an executive, people’s lives could be crushed, their marriages destroyed, and their community networks tarnished if private medical information is made public.

While I believe the phrase “please write to your Congressman and Senator” has become hackneyed, this really is a case where you must stand up and sound the alarm in order to get this loophole closed ASAP.

First published on
