For the third time in recent months, Tampa Bay citizens have found themselves the unwanted recipients of patients' private medical records. What's more, in two cases, the recipients' efforts to restore patients' privacy were rebuffed, suggesting the federal Health Insurance Portability and Accountability Act (HIPAA) is falling far short of its promise to protect and enforce patient privacy.
For more than half a year, strangers' medical records jammed the home fax machine of Hudson resident Elizabeth Reed. The records described patients' illnesses, lab results and prescription refill requests. The flow of records so disrupted the family's home phone service that they resorted to using cell phones. Reed discovered that an incorrect phone number on a doctor's prescription pad was to blame, but her calls to the doctor's office, pharmacies and the state Department of Health didn't stem the tide.
And for months, strangers' medical records have been delivered in the mail to Elsie Huebner's Safety Harbor home, including details of a woman's visit to a psychiatrist, a man's chest pains, and another man's oxycodone prescription.
Huebner discovered the medical records came from Aetna and UnitedHealth Group insurance companies, which had mistaken her home address for a medical office where 10 doctors worked. She called the doctors and wrote "Return to Sender" on envelopes. She even contacted the federal agency responsible for enforcing HIPAA. But at best, she got only a form letter response — until the St. Petersburg Times wrote about her problem last week. Now both insurance companies have contacted her and are urgently retrieving the misdirected medical records.
Protecting patients' private medical records ought to be a priority of every health care agency, but violations are not uncommon. The Times reported another local example in March, when a St. Petersburg storage facility was preparing to auction the contents of a self-storage unit, including boxed medical records left by a doctor who didn't pay her bill.
It is especially disturbing that the U.S. Department of Health and Human Services, which is responsible for HIPAA enforcement, did not respond to Huebner's complaint. What good is a law when the government won't enforce it?
One of the shortcomings of HIPAA is that it isn't specific enough about how complaints of violations should be handled. HHS's rules should fill that gap. And every medical facility and private company that deals with patient records should train their staffs to respond appropriately to complaints like Huebner's and Reed's. Allowing private medical records to continue to go astray is not just illegal. It is a betrayal of patients' trust.