Patient Privacy Protections Fall Short


TwitterFacebookCopy LinkPrintEmail

I would like to thank the CT Examiner for their informative article on Connie, the nonprofit managing Connecticut’s new health information exchange for medical records.

I sit on the state’s Health Information Technology Advisory Council (HITAC), which in 2020 was tasked by the legislature with providing oversight of Connie and the state’s health information technology.

The legislature created Connie in the first place and continues to pass laws on the handling of your health records, but it seems that the only way that there will be true patient privacy, beyond just citing HIPAA, is for the public to demand it. Unfortunately, HIPAA does not provide privacy but confidentiality at best.

Connie could move into the forefront of patient privacy protection with additional consent provisions and by offering patients the ability to suppress selected intimate information from the rest of the record. To be transparent, Connie needs to inform the public of the providers, companies and researchers who will see their medical data without their consent, beyond having agreed to treatment.

Instead, patients have no say over which of their providers may see which data. This means that rather than seeing only the parts of your medical record needed by them, all providers including your podiatrist, optometrist, etc. may see your whole record, including a full genetic profile if done. In fact, Connie may be expanding the types of entities which will have access to your records by including dentists, social workers, community-based workers, pharmacists, insurers and their vendors who also could see your reproductive, behavioral health or other intimate information. But before providers were mandated to send records to Connie, they were able to request your specific permission to share your records, if they were not part of a large electronic health care system such as Epic. By the time the wider public is aware that they can opt-out of Connie, their providers might already have sent in their records.

If you take the time to review the FAQ at, you will notice that your insurer will have access to your entire medical record when you are insured by the company. There is no indication that the insurers will receive only some parts of the medical record. It seems Connie will give more information to the insurers than normally they would need to receive to pay a particular claim. For example, why would your health insurer need to see your reproductive history to pay an orthopedic claim? Or if you have paid out of pocket for behavioral health treatment, why should an insurer be given that information? And is it believable that insurers will ignore medical information, including a full DNA profile if done, when determining benefits and eligibility?

The tricky part about the health insurers is that they are allowed by HIPAA to handle Protected Health Information (PHI) which is identified patient information. However, where in the law does it say that providers must share the whole medical record with them which Connie plans to do? Connie denies that it will sell Protected Health Information, but insurers will be paying to join Connie to see their patients’ fuller medical records.

Connie promises to follow state and federal laws and HIPAA rules but does not spell out that as such it can sell fully de-identified data to anyone. The problem is that even Health and Human Services said that 0.4% of patients (1400 people in CT) could be re-identified and this was before so much is available online. One example, is that Facebook bought de-identified data from hospitals and then re-identified it by cross referencing with its customer postings.

There is nothing the public can see in Connie’s documents which assures that only aggregated data would be given out or (sold) to academic and other researchers and commercial enterprises. In fact, Connie can share partially identified records which, even if receivers sign not to re-identify them, are easily re-identifiable by cross referencing with in-house hospital or other online data bases, such as voter registration rolls. Dr. Latanya Sweeney of Harvard showed that with one’s date of birth, gender and zip code, 87% of patients can be re-identified. And Connie also could include the providers’ names, treatment diagnoses and places of service which would further enable re-identification (HIPAA Limited Data Sets).

Additionally, the public needs to understand what is involved in Connie’s supporting “clinical decision-making.” Would that entail your health insurer seeing more of your medical record in order to decide with providers what your treatment plan will be? If Connie is engaging in defining quality care and setting treatment practices, there should be a more open public discussion and involvement with this.

Further, there are several bills being considered now to expand behavioral health services to children and families, where the use of Connie to share records may occur. The plan is to increase school-based counseling and behavioral health services and to follow children over time. These are needed and important goals. But since HIPAA is only relatively protective of privacy, the bills must also address and improve the safety of how student data will be shared, stored and moved. Parents need to know that the intimate personal and family information their children will tell the school counselors, behavioral health and medical providers will be subject to more protections than are medical records and with additional consent provisions. They need to know who all will see these school/medical records and how they will be handled because as above, once something is typed into an electronic record, many people can have authorized access to it.

It could be argued that the legislature put our medical privacy at risk by depending on HIPAA, when voting to send our insurance claims data (largely whole medical history) from the APCD (All Payer Claims Database) to the hospitals and their contractors in PA 22-58, Section 50, f. This claims data would be released in the partially identified form of Limited Data Sets as above, which are easy to re-identify by cross referencing online data bases. It could even happen inadvertently, particularly if you are a patient in the hospital’s system. The hospitals need to demonstrate that it is possible study a patient’s ongoing medical care by mixing their claims and electronic medical records if needed, without re-identification. This will be hard to do given all of the patient health care topics which the hospitals are required to study and report on. 

For completeness about problems with patient privacy across the board in CT, it should be noted that the Prescription Drug Monitoring Program (PDMP) which was designed to stop abusers and overdoses, also compromises the psychiatric and behavioral health privacy of responsible patients. Since the PDMP is for all controlled substances, besides the opioids, it includes stimulant medications prescribed for attention deficit disorder and anti-anxiety medications prescribed for depression, bipolar disorder, panic disorder, etc. It includes the name of the psychiatrists and the dates of prescription history. Others, besides your direct provider, have access to this information. In certain circumstances of being personally known, this can be embarrassing when you seek medical care. More importantly, others who see these identified behavioral health data are the company which processes the prescription data from the pharmacies, the provider’s and pharmacist’s staff, law enforcement and other states. 

Susan Israel, MD

Israel sits on the state’s Health Information Technology Advisory Council which oversees Connie