What You Need to Know About Health Privacy
HIPAA was meant to shield medical records from prying eyes.
But frustration with the law is widespread.
By Mark Solheim
Your privacy is protected.
The Health Insurance Portability and Accountability Act (HIPAA) was intended to define your rights and protect your privacy as health records went electronic. The law also created a firewall between employees who handle health-care management and those who make employment decisions.
But five years after the law took effect, gaps and unintended consequences have cropped up. Sometimes called the Huge Increase in Paperwork and Aggravation Act, HIPAA has been blamed, not always justifiably, for everything from stymied medical research to the killings at Virginia Tech last year.
And also overprotected.
One father who tried to pay a gynecologist's bill for his 16-year-old daughter was told the billing office would not take his insurance information without the daughter's written permission. Hospitals have refused to divulge an unconscious patient's room number to distraught relatives.
Parents have been unable to find out whether a child has been hospitalized, and adult children have been denied details on the condition of an elderly parent.
Few people understand the law.
"The number-one problem with HIPAA may be that people misunderstand the rule and what it allows," says Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology, an advocacy group in Washington, D.C.
You don't have to sign a form at the doctor's office to receive treatment. HIPAA requires only that health-care providers make an effort to get you to read the form and understand your rights. But the disclosures are written in language "way beyond the average reading level of people in this country," says McGraw.
And now the loopholes.
Your medical information can be shared without your authorization with, say, pharmaceutical and medical-device companies to market products and services. Some disclosures may be made to law-enforcement agencies without a warrant or court order. Plus, you have no right to sue for violations; only the Department of Health and Human Services or the Justice Department can file an action.
But despite thousands of complaints and well-documented abuses by health-care providers, the feds have never imposed a monetary penalty. "That sends a message to the industry that they don't have to work very hard to comply with the law because they won't ever have to pay," says McGraw.
Your personal record could still be at risk.
The law doesn't cover personal health records, or PHRs: patient-controlled electronic medical histories gaining popularity with employers and insurers. PHRs are often stored on the Web, so you can keep tabs on your information and share it with doctors.
But privacy advocates worry that when companies outside the health system, such as Microsoft and Google, store your information, it could leak to marketers or data brokers or be more easily subpoenaed than records protected by HIPAA.
Sometimes HIPAA works.
When Britney Spears was hospitalized for psychiatric evaluation, a slew of hospital workers were caught snooping into her electronic records. Thirteen of them were fired.