Medical information can be the most private information about people. There are plenty of situations with obvious stigmas - STDs, abortion, mental health as well as a near infinite list of things which could cause embarrassment or that people would want to keep private, from acne to miscarriage.
The last thing we want is for millions of people to stop going to the doctor because they're scared their classmates, coworkers and neighbors are going to know about their [rash, lump, depression, diarrhea, anxiety, psoriasis, pregnancy, etc].
You make a good point about people not seeking medical attention due to privacy concerns. I certainly don't think medical records should be public. It is the extreme privacy that I take issue with.
I mean, why the hell can't my doctor email me my blood work even if I ask?
Currently the privacy pendulum is all the way in the free-for-all territory.
- Consider that it takes only one breach and all other measures you've ever taken to protect data is wasted.
- Data can be used in the future in unforseen ways, you don't know by whom and what for.
- Most people don't understand how databases work and think in terms of individual data ("who would care about X") and are therefore careless with their data.
It's the term "extreme privacy" that does not make sense in a time where you can't really have "basic privacy" any more.
Got any more insight into that topic? Or maybe do you underestimate the consequences of the ongoing collection and aggregation of data?
Email is not private and not secure. I'm not sure if the law makes exceptions for encrypted emails, but that's a moot point considering most doctors can barely use a computer.
> But it's my privacy and security that's at issue. I don't think it's obvious why I shouldn't be able to waive those concerns.
You could, in theory, consent to a disclosure to of your PHI in insecure form to the doctor's email provider (or maybe to the whole chain between the doctor and you, but i don't think that would be necessary since once its been disclosed under your consent to someone not covered by HIPAA they can do anything they want with the data, including delivering it to you), but doctors would probably to use a method that doesn't require that overhead and not also manage the kind of consent tracking that would be necessary to use unsecure email (and would rather not deal with the PR fallout that would happen when someone who didn't really understand the implications got bit by it.)
The fact that you could, in theory, under the law consent to certain insecure disclosures to third parties doesn't mean that doctors are mandated to maintain the infrastructure to deal with every conceivable way you might want to do that. They are required to provide information to you under certain circumstances, and not to provide it to others except as allowed under the law.
That's one argument; I don't think it's an outstanding one. A sort of "traffic analysis" argument seems somewhat reasonable, too - if the only things kept secret are embarrassing or compromising, then learning of the existence of a secret communication tells you there's something embarrassing or compromising going on.
"Many things that are not embarrassing or compromising (in a negative sense) are rightfully kept secret."
I don't intend any negative sense, just things that you have a particular reason to keep hidden. Allowing additional inference around that by being selective about channels seems like poor privacy practice.
The last thing we want is for millions of people to stop going to the doctor because they're scared their classmates, coworkers and neighbors are going to know about their [rash, lump, depression, diarrhea, anxiety, psoriasis, pregnancy, etc].