This story was first published on Post-Gazette.
After her fiance died suddenly, Patricia Galvin left New York for San Francisco in 1996 and took a job as a tax lawyer for a large law firm. A few years later, she began confiding to a psychologist at Stanford Hospital & Clinics about her relationships with family, friends and co-workers.
Then, in 2001, she was rear-ended at a red light. When she later sought disability benefits for chronic back pain, her insurer turned her down, citing information contained in her psychologist’s notes. The notes, her insurer maintained, showed she wasn’t too injured to work.
Ms. Galvin, 51 years old, was appalled. It wasn’t just that she believed her insurer misinterpreted the notes. Her therapist, she says, had assured her the records from her sessions would remain confidential.
As the health-care industry embraces electronic record-keeping, millions of pages of old documents are being scanned into computers across the country. The goal is to make patient records more complete and readily available for diagnosis, treatment and claims-payment purposes. But the move has kindled patient concern about who might gain access to sensitive medical files — data that now can be transmitted with the click of a computer mouse.
The U.S. Department of Health and Human Services implemented standards in 2003 for guarding patient privacy, supplementing a patchwork of state laws. The federal standards, which grew out of the 1996 Health Insurance Portability and Accountability Act, single out psychotherapy notes for extra protection.
Critics claim that loopholes in the rules have left patient privacy under threat. Ms. Galvin, for example, discovered that when psychotherapy notes are mixed in with general medical records, the federal rules afford them no special protection. That is precisely what happened with her records at Stanford, she says.
“I feel like now I have no privacy,” Ms. Galvin says. “My most private thoughts, my personal tragedies, secrets about other people, are mere data of a transaction, like a grocery receipt.” Ms. Galvin has sued Stanford Hospital and her insurer in California state court for, among other things, violating state medical-privacy laws.
In a written statement, a spokesman for the hospital said: “We believe we acted legally and appropriately.” He declined to comment further due to continuing litigation.
Confidentiality has been integral to the practice of medicine since the Hippocratic oath was drafted some 2,400 years ago. Today, the American Medical Association’s ethical guidelines call on doctors to “safeguard patient confidences and privacy within the constraints of the law.”
Patients tend to be especially sensitive about medical information they believe could stigmatize them in the workplace or among acquaintances, such as records about AIDS, substance abuse and abortion. “What’s sensitive to one person may not be to another,” says Deborah Peel, an Austin, Texas, psychiatrist and head of Patient Privacy Rights, a medical-privacy advocacy group. “How many women want somebody to know whether they are or are not on birth control?”
Mental-health records are generally viewed as worthy of the most stringent safeguards. In recent years, courts and state legislatures have afforded psychotherapy records special protections. All 50 states recognize some form of psychotherapist-patient privilege to limit disclosures in legal proceedings, and a similar federal privilege was established in a landmark 1996 Supreme Court ruling.
Because Ms. Galvin learned of the disclosure and filed a lawsuit, unusual in such cases, her experience offers a look at how increasingly complex confidentiality issues are affecting patients and their insurance coverage.
Ms. Galvin, a former litigator for the Securities and Exchange Commission and for the U.S. Attorney’s office in Manhattan, says she decided to leave her native New York for a fresh start on the West Coast after her fiance committed suicide. She took a job with Heller Ehrman LLP. Eventually, the partner she reported to left the firm, and she clashed repeatedly with a supervisor, she says. In a later lawsuit in California state court against the firm related to her employment, she called the supervisor’s conduct abusive. The supervisor has since died. (Terms of the lawsuit’s resolution bar both Ms. Galvin and the firm from commenting on the allegations.)
In 2000, she sought help for sleeping problems at a sleep-disorder center at Stanford Hospital. She began psychotherapy sessions with clinical psychologist Rachel Manber, director of the center. The sessions, she says, delved into her problems at work, as well as deeply personal matters such as her fiance’s death. “I would never have engaged in psychotherapy with her if she did not promise me those notes were under lock and key,” Ms. Galvin says.
On a rainy morning in February 2001, Ms. Galvin was rear-ended at a red light in Palo Alto and suffered four herniated discs. She returned to work, but over time her back problems worsened, she says. Her doctor eventually diagnosed an unusual connective-tissue disorder that made healing difficult, she says. Two years after the accident, she applied for long-term disability leave. “My body just started breaking down,” she says.
Her employer’s carrier, UnumProvident Corp., asked her to sign a broad release covering her medical records. Without it, the insurer said, it would deny her claim. Ms. Galvin signed, she says, only after receiving assurances from Dr. Manber that the therapy records wouldn’t be turned over without additional authorization. Ms. Galvin says she figured the newly adopted federal privacy rules that grew out of the Health Insurance Portability and Accountability Act, or HIPAA, would give her another layer of protection.
HIPPA’s principal goal was to ensure that people could change jobs without losing insurance coverage for pre-existing medical conditions. When employers and insurers complained about the added cost, the federal government pledged to make it easier for medical providers, insurers and others to swap medical information electronically, potentially saving as much as $30 billion over a decade.
To assuage concerns of privacy advocates, Congress authorized the Department of Health and Human Services to draft privacy regulations. The final rules allow health insurers and medical providers — including doctors, pharmacies and hospitals — to disclose medical information for “treatment, payment and health-care operations,” among other situations, without specific patient permission. But they aren’t supposed to send any more records than necessary for nontreatment purposes.
Dawn Ross, a 37-year-old Los Angeles hairstylist, says she was startled to discover how much a bill collector knew about her. Federal rules permit the release of medical records in connection with “payment.” Soon after Ms. Ross returned home from an uninsured hospital stay, the hospital’s collection agency began dunning her for $8,600. When she disputed the bill, she learned that the agency had detailed records about her miscarriage and the treatment she received for it.
The rules also do not require patient permission for the release of records for “health-care operations,” a broadly defined category that includes some marketing, data warehouses and fund-raisers. John Metz, chairman of JustHealth, a consumer health-care advocacy group in California, says he has encountered patients who were diagnosed with borderline diabetes — then inundated with marketing materials for diabetes services and supplies from their medical providers.
The federal rules allow patients to ask doctors, other medical providers and insurers not to share records with certain people, groups or companies. But medical professionals and insurers can ignore such requests.
Kaiser Permanente, the big Oakland, Calif.-based managed-care organization, informs its 6.2 million members in California in a privacy notice that “you may request that we limit our uses and disclosures of your” personal health information, but that “it is our policy to not agree to requests for restrictions.” Scott Morgan, Kaiser’s national privacy and security compliance officer, says that because patient records often reside in many locations, it would be too difficult logistically to accommodate special privacy requests. Furthermore, some requests would have to be reviewed by lawyers, driving up costs.
Complaints of privacy violations have been piling up at the Department of Health and Human Services. Between April 2003 and Nov. 30, the agency fielded 23,896 complaints related to medical-privacy rules, but it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations. A spokesman for the agency says it has closed three-quarters of the complaints, typically because it found no violation or after it provided informal guidance to the parties involved.
“We’re three years into the enforcement of the rule, and they haven’t brought their first enforcement initiative,” says Peter Swire, a law professor at Ohio State University who helped write the regulations. “It sends the signal that the health system can ignore this issue.”
The agency’s spokesman maintains that it is “very serious about compliance and enforcement, and we take complaints very seriously.”
Mr. Swire says the drafters of the regulations intended to give special protection to psychotherapy notes by requiring patient consent before they are released. But the rule drafters didn’t want to get bogged down coming up with a precise definition for such notes, he recalls. Because the drafters understood that such notes were typically kept separate from other medical records, they made that a criterion for the extra protection.
In mid-2003, three months after Ms. Galvin signed UnumProvident’s release for her medical records, the Chattanooga, Tenn.-based insurer denied her long-term disability coverage. In a letter explaining its decision, UnumProvident cited notes taken by Ms. Galvin’s psychologist about her “working on a case” and about a job interview in New York. “(Y)ou continued to actively seek a new position and actively interviewing for positions, including traveling to New York,” the letter said. “There is also some indication that you were working on a case … after you left work.” The medical information in her file, the letter said, did not support her claim.
Ms. Galvin disputed UnumProvident’s decision. She said that the notes about the job interview referred to the psychologist’s suggestion during one session that she find another job, and that the reference to “working on a case” referred to her pursuit of a claim against the driver who rear-ended her. She says she showed UnumProvident telephone and bank records and they prove she wasn’t in New York when the insurer said she was. UnumProvident stuck to its decision.
Jim Sabourin, a spokesman for UnumProvident, says the contents of Dr. Manber’s notes were one reason it denied her claim. He says the company obtained the records appropriately, using the authorization form signed by Ms. Galvin for the release of her general medical records. If she thought there were errors in her record, he says, she should have asked Stanford to correct them. Mr. Sabourin says the insurer has extended the time for Ms. Galvin to appeal its denial.
Ms. Galvin says she complained to her therapist, Dr. Manber, and to others at Stanford Hospital that she hadn’t given permission for her psychotherapy records to be released — and that Stanford should have made sure her insurer obtained permission. In 2004, she sued Dr. Manber, the hospital and her insurer, accusing them of violating their professional obligations, malpractice and invasion of privacy, among other things.
In a written statement, Lee Wills, Stanford hospital’s chief marketing and communications officer, denied that any records had been sent improperly. He declined to comment further. A Unum spokesman said: “We believe that for our part, the proper procedures were followed, and that Ms. Galvin’s lawsuit is without merit.”
A year after she sued, says Ms. Galvin, she learned from a lawyer representing Stanford that the hospital had scanned at least some of Dr. Manber’s notes about her into its computer records system, effectively making them part of her basic medical record. Stanford then had sent this file to her insurer and to the lawyer for the driver who hit her car. Later, UnumProvident sent Ms. Galvin’s records to a lawyer for an auto club that insured Ms. Galvin against uninsured motorists. Unum says it did nothing improper.
In court papers, Stanford said that “psychotherapy notes that are kept together with the patient’s other medical records are not defined as ‘psychotherapy notes’ under HIPAA.” The hospital is not required to keep them separate, the court papers said, and it would be “impracticable” to do so. In a separate filing, Dr. Manber asserted that the notes “do not constitute psychotherapy notes” as defined by the federal rules and that it was appropriate for her to send them to Stanford’s medical-records department. Dr. Manber declined to comment, as did a lawyer representing her and Stanford.
The U.S. Department of Health and Human Services last summer rejected an administrative complaint by Ms. Galvin against Stanford, saying the hospital hadn’t broken any rules because it “did not separate Ms. Galvin’s Sleep Center Records from her general medical records.”
Ms. Galvin says she has acted as her own lawyer because she has had trouble finding a California attorney with privacy experience, although one has recently begun to assist her. She says she has asked Stanford to separate her therapist’s notes from other medical records the hospital can disseminate without her permission. Stanford told her it wouldn’t do that, she says. A spokesman for Stanford declined to comment.
She continues to worry, she says, that “any time anybody asks for my medical records, my psychotherapy notes are going to be turned over.” In therapy, she adds, “all kinds of things come up — they want you to go into detail about your feelings about your mother and your father and your sister and your brother and your dead fiance and how all of that affects you.”