The Devil Is In the Details: How Patients’ Mental Health Data Is At Risk

As medical records go electronic and employers offer staff “wellness incentives,” the privacy of our mental health data is at risk — with potentially devastating consequences.

Secure Medical Records
Secure Medical Records Photo: Micah Young/Getty Images

When Julie (who requested that her last name not be used for reasons that will become obvious) went for a routine doctor visit in 2009, she found a nervous resident filling in for her regular physician, who was on maternity leave. He quickly told her that he’d read her psychiatric records, even though she wasn’t coming in for mental health issues, and that he wanted her to see a therapist. Immediately. In the aftermath of the visit, she discovered exactly what he’d been reading — “Uncovering past trauma. Sexual abuse by boy in preschool…. Patient is looking to change her job; problems with family continue. She and her mother are not talking….She has defaulted on student loans and has begun to deal with this including consulting an attorney.” In all, there were 200 pages of details from her therapy sessions, including issues that had taken years for her to disclose even to a professional.

Julie has bipolar disorder, which she and her doctors have managed successfully for two decades. She has a graduate degree, a good job and a child. But she didn’t have a true picture of what would happen to her mental health records as her provider, Partners HealthCare, transitioned to electronic medical records (EMRs). She had been seeing a primary care doctor, gynecologist and psychiatrist in the practice for many years. But, she says, “I thought I’d have to give permission for my regular doctors to see my psychiatry records.”

Nope. It turns out that all doctors in the practice could see all of her records when they logged in to the new system. Her primary care doctor regularly refilled her prescription for bipolar medication, something she’d expected during this visit, though it wasn’t her reason for coming. The substitute doctor refused at first, then agreed, but only after adding a note to her permanent medical record saying, “I counseled patient that she needs to see a psychologist immediately.” Julie was aghast. “The next time I have any kind of appointment that’s what they’re going see first.” Then she sighs, “I talked to him after. He was a resident. He wanted to do a good job, and he was trying to be diligent in reading all my records. It kind of backfired.”

If the effort to blend the efficiency of technology with patients’ privacy needs has backfired in general health care (see “Medical Privacy Under Threat”), it is causing particular emotional and financial wounds in the world of mental health, where even a well-managed diagnosis can become a job-threatening stigma. HIPAA laws, long assumed by patients to protect their privacy, only apply in certain circumstances to certain entities. There’s a raging debate over how to regulate the new privacy issues around employee assistance plans and workplace wellness incentives. And the issue of how and when to track mental health patients has even become an issue at the U.S.-Canada border. Citing the high numbers of Americans who have experienced sexual abuse, major depression, or substance abuse, Dr. Deborah Peel, a psychiatrist who founded Patient Privacy Rights, a research and advocacy group, says, “You cannot force people to cough up information when it’s not private. They will hide it. How can we accept an electronic records system that drives people away from being open and honest?”

Peel was also an expert in a case involving the Employee Assistance Program at a Fortune 500 company. “The person had a great track record but didn’t do well with the next boss,” she says. “She had some problems with substance abuse but had treated it. But there was information in the EAP about it, which was paid for by the company.” The information leaked to her boss — and the person was fired.

Privacy experts also worry about workplace wellness programs, which offer employees financial incentives in return for behavioral changes such as quitting smoking or walking 10,000 steps a day. The Equal Opportunity Employment Commission (EEOC) is seeking to allow employers greater latitude in asking for medical data in exchange for these incentives. Their proposal is intended to be in line with the Obama administration’s focus on wellness and fitness, but some advocates from the civil rights, women’s rights, and medical rights communities argue the cost is too high. Jennifer Mathis, director of programs at the Bazelon Center for Mental Health Law, suggests that what the rule change describes as voluntary could seem coercive to employees living with mental or physical disabilities, in violation of the Americans with Disabilities Act.

Mathis tells me that the proposal is “alarming,” noting, “It’s unrealistic to think that charging people thousands of dollars if they decline to answer questions about their medical status or mental health status could be done and still safeguard people’s privacy interests.” Not all employers are covered by HIPAA, only ones that “self-insure,” generally large companies that run their own plans, and in addition to internal data leaks, Mathis cites the rise of hacks and data breaches. She notes that at a recent briefing, Anthem was among speakers assuring the audience that health privacy would not be at risk in workplace wellness programs. Anthem, she pointed out, had one of the worst privacy breaches in recent years.

The issues around mental health records don’t stop at the U.S. border. Just this week, the Toronto Police Service announced it had curbed its information sharing about suicide attempts with a national database, CPIC, which in turn shares data with the U.S. Department of Homeland Security. Why? For years, Canadians with a documented history of suicide attempts or mental health hospitalizations have been complaining that they were being turned away from the U.S. border.


Lois Kamenitz, denied entry to the U.S. because of a previous suicide attempt

In 2010, for instance, Lois Kamenitz, then 64, was traveling from Toronto to Los Angeles to visit family when the U.S. Customs and Border Protection pulled her aside for what she thought was a random search. But the officer told her it was because, as she recalls his words, “police had attended my home in 2006.” That’s when she had attempted suicide, using pills. While she was unconscious, her partner had called 911. The officer told her she could not enter the country because she had “done violence to self, other or property.”

After being photographed and fingerprinted like “a criminal,” Kamenitz says, she was told she could travel only after laborious paperwork to share her medical records with a doctor who charged her $250 to process them for DHS. What were they looking for? Well, they asked not only about her mental health, but whether she had STDs, AIDS, or tuberculosis, among many other questions. She signed paperwork saying her medical records would be the permanent property of the United States. “Someone asked, why would you sign it?” Kamenitz recalls. “I would not be allowed into the U.S., nor would I be allowed into U.S. airspace if I didn’t.” (A representative from U.S. Customs and Border Protection emailed to say the agency could not comment on any specific cases but that a section of the Immigration and Nationality Act allows officers to turn away non-citizens with a history of “physical or mental disorder” whose “behavior has posed a threat to the property, safety, or welfare of the alien or others.”)

After protests by Ontario’s then-information and privacy officer, Dr. Ann Cavoukian, the service will now share with the Canadian national database (and the U.S.) only those incidents in which suicide attempts involved violence or harm to others, or seemed to be attempts at provoking “suicide by cop.” Under the new review policy, says Cavoukian, 64 percent of existing suicide attempts uploaded to the database were removed. “We were in effect branding individuals for life because of a mental health mistake they made — a cry for help,” says Cavoukian, now the executive director of the Privacy and Big Data Institute at Ryerson University. Canadian lawyer Ryan Fritsch, who started hearing about the border cases when he was counsel for the Ontario Psychiatric Patient Office, offers some caveats. “I think we’ve made a lot of progress in principle. Practically speaking, there’s a long way to go. There’s still no absolute prohibition on how all non-criminal mental health-related information is collected, used and disclosed.” 


Canadian privacy expert Dr. Ann Cavoukian

Individuals with psychiatric disabilities often discuss a movement toward self-disclosure — one that comes with high risks and possibly high rewards. Jennifer Mathis of the Bazelon Center says, “You can take the LGBT world as a parallel. Seeing the transformation of the ‘coming out’ movement, the mental health movement has wanted to learn and incorporate some of those lessons, but you might get hurt in the process and lose a job. With all disabilities, some people think, ‘you’re not capable.’ And with psychiatric issues there’s also, ‘you’re scary.’ It’s been a challenge for folks to be open.”

Julie, who knows these challenges firsthand, says, “Electronic health records save lives, but [proponents don’t] give information about whose lives have been hurt.” After many questions, her longtime doctor eventually sent her a letter that read in part, “After a discussion with our medical director … and with our HIPAA compliance advisor, I was informed that we cannot restrict anyone from your records and we need to continue to record your information in an electronic medical record.” (Partners HealthCare said it would not comment on the case.) Julie contacted the Office of Civil Rights about the detailed information in her file, but the hospital told them that these weren’t psychotherapy notes so they weren’t protected by HIPAA. “That’s why I decided to come forward,” she says. “If I don’t say anything, nothing is going to change.”



Join The Conversation