<P>We are all increasingly inured to the daily assaults various institutions make on our rights and privacy through the sneakwrap terms in their forms, mail stuffers, warranties, monthly statements, etc. But some medical patients in one metropolis that will remain nameless are just a little safer today from such outrages because of one reader who read the fine print, took the time to think about it, and then said no.
<P>Like many of us of a certain age, the reader had been told by his doctor that a colonoscopy was in order. “Included with my preparation information was a one-page form from a genetics institute that I’d never heard of asking for my family’s medical regarding several types of cancer,” the reader wrote. “OK, even as a layman, I can understand how such information might be pertinent to this procedure. The form also asked for my name, date of birth, address, phone number, and Social Security number. Then near the bottom it said: By submitting this form to your physician … you agree to the possibility that you may be contacted to discuss the opportunity for a clinical consultation at (the genetics institute).”
<P>This legalese suggesting he was entering some kind of contract involving very sensitive personal information – not just of his own but of his entire family – brought the reader up short. “Wait a minute — by submitting medical information that the doctor apparently requires, I have to agree to enter a relationship with some organization I don’t know? 
At the very least, I need to understand what they are going to be doing with this information and what their privacy practices are. Now, I might be perfectly willing to participate in medical research if that’s what this is. But I would like to be asked, not tricked into it by some shrinkwrap-like agreement. I’m disappointed that the medical profession is apparently stooping to the level of the software industry.”
<P>The more the reader thought about the form (along with all the worries and stresses of prepping for a colonoscopy), the less he liked it. “Why would they need my Social Security number?” he wondered. “Is this a genuine request for medical information or some kind of marketing thing or even an identity theft scam? To have my SSN, date of birth and all this other information on a form that will be passed from hand to hand around a hospital and who knows what other organizations is VERY questionable.”
<P>The reader decided not to submit the form. “Thankfully, there was no grief about not returning the form — nobody at the hospital even asked about it,” the reader wrote. “The hospital experience itself was actually better than I could have hoped for, and the results look good. After I got home, I did a little checking and discovered that the genetics center is indeed connected to the hospital, so I decided to write them a letter explaining my concerns about their form.”
<P>For his trouble, the reader got a rather sanctimonious response. “Out of the ~4000 forms we have received back, you are the first to raise these questions,” the genetics institute wrote him back, saying the purpose of the form was to screen for genetic counseling, not for research as the reader had guessed. “For people who provide a family history suggestive of a hereditary cancer syndrome, a letter is sent directly to the individual and referring physician … suggesting a referral to us. 
The reason we ask for DOB and SSN is that there are a number of patients who have the same name and DOB, which means the only other discriminator between two people would be SSN (we do not rely on address or phone numbers as people move all the time). The reason we have the wording at the bottom is due to HIPAA issues. Since we have no relationship to the person filling out the form, we need to make sure that (s)he agrees to have us contact them if needed.”
<P>HIPAA, one of the few federal privacy laws we have with real teeth, does indeed put some restrictions on how patient information is handled. But there are no provisions in it mandating that patients be kept in the dark as to who their information is being given to and for what purposes. If anything, the real HIPAA issues with a form like this would be whether the hospital fulfilled its legal obligations to inform the reader why he was being asked for this information, or to make it clear that it was not mandatory he provide it.
<P>“Of the approximately 4,000 responses that you have received, how many people genuinely knew that, simply by giving the form to their doctor, they were agreeing to your contact?” the reader wrote back to the genetics center. “The form is provided to patients in a potentially extremely stressful situation, and its inclusion with the instructions implies that it is a REQUIREMENT of the procedure. The form should state clearly at its top that it is an invitation to participate, and that it is NOT required for the patient’s colonoscopy. The form should NOT include information other than name, address and telephone number. You chose to use the Social Security Number as a convenient mechanism to uniquely identify a participant — but there are other ways to do so. You could, for example, sequentially number the forms before they are sent.”
<P>To a degree, at least, that seems to have done the trick. 
“My second letter to the hospital where my colonoscopy was done got results,” the reader wrote me a few days later after getting a second response from the genetic counseling center. “It sounds like they will incorporate what I considered to be my most salient concerns by making the voluntary nature of the form clear and only using the last four digits of the Social Security number. Still, I wonder how many people at the hospital, the genetics institute, and maybe elsewhere can see the information on those forms? How is it stored and how is it protected? To me, this just serves as a warning that we all need to be extremely vigilant in all facets of our lives.”
<P>Indeed. When I decided not to identify the hospital — my own form of medical privacy policy, I guess — I googled the sneakwrap language in their genetic center’s form to make sure it wouldn’t be too easy to figure out who they were that way. No chance — the by-submitting-this-form-you-agree kind of wording is to be found in all manner of medical documents all over the place. Hopefully the context isn’t always quite as scary as with this example, but a little more vigilance from all of us is just what the doctor ordered.
<P>Post your comments about this story on my website or write Ed Foster at Foster@gripe2ed.com.