When Julie (who requested that her last name not be used for reasons that will become obvious) went for a routine doctor visit in 2009, she found a nervous resident filling in for her regular physician, who was on maternity leave. He quickly told her that he’d read her psychiatric records, even though she wasn’t coming in for mental health issues, and that he wanted her to see a therapist. Immediately. In the aftermath of the visit, she discovered exactly what he’d been reading — “Uncovering past trauma. Sexual abuse by boy in preschool…. Patient is looking to change her job; problems with family continue. She and her mother are not talking….She has defaulted on student loans and has begun to deal with this including consulting an attorney.” In all, there were 200 pages of details from her therapy sessions, including issues that had taken years for her to disclose even to a professional.

Julie has bipolar disorder, which she and her doctors have managed successfully for two decades. She has a graduate degree, a good job and a child. But she didn’t have a true picture of what would happen to her mental health records as her provider, Partners HealthCare, transitioned to electronic medical records (EMRs). She had been seeing a primary care doctor, gynecologist and psychiatrist in the practice for many years. But, she says, “I thought I’d have to give permission for my regular doctors to see my psychiatry records.”

Nope. It turns out that all doctors in the practice could see all of her records when they logged in to the new system. Her primary care doctor regularly refilled her prescription for bipolar medication, something she’d expected during this visit, though it wasn’t her reason for coming. The substitute doctor refused at first, then agreed, but only after adding a note to her permanent medical record saying, “I counseled patient that she needs to see a psychologist immediately.” Julie was aghast. “The next time I have any kind of appointment that’s what they’re going see first.” Then she sighs, “I talked to him after. He was a resident. He wanted to do a good job, and he was trying to be diligent in reading all my records. It kind of backfired.”

If the effort to blend the efficiency of technology with patients’ privacy needs has backfired in general health care (see “Medical Privacy Under Threat”), it is causing particular emotional and financial wounds in the world of mental health, where even a well-managed diagnosis can become a job-threatening stigma. HIPAA laws, long assumed by patients to protect their privacy, only apply in certain circumstances to certain entities. There’s a raging debate over how to regulate the new privacy issues around employee assistance plans and workplace wellness incentives. And the issue of how and when to track mental health patients has even become an issue at the U.S.-Canada border. Citing the high numbers of Americans who have experienced sexual abuse, major depression, or substance abuse, Dr. Deborah Peel, a psychiatrist who founded Patient Privacy Rights, a research and advocacy group, says, “You cannot force people to cough up information when it’s not private. They will hide it. How can we accept an electronic records system that drives people away from being open and honest?”

Peel was also an expert in a case involving the Employee Assistance Program at a Fortune 500 company. “The person had a great track record but didn’t do well with the next boss,” she says. “She had some problems with substance abuse but had treated it. But there was information in the EAP about it, which was paid for by the company.” The information leaked to her boss — and the person was fired.

Privacy experts also worry about workplace wellness programs, which offer employees financial incentives in return for behavioral changes such as quitting smoking or walking 10,000 steps a day. The Equal Opportunity Employment Commission (EEOC) is seeking to allow employers greater latitude in asking for medical data in exchange for these incentives. Their proposal is intended to be in line with the Obama administration’s focus on wellness and fitness, but some advocates from the civil rights, women’s rights, and medical rights communities argue the cost is too high. Jennifer Mathis, director of programs at the Bazelon Center for Mental Health Law, suggests that what the rule change describes as voluntary could seem coercive to employees living with mental or physical disabilities, in violation of the Americans with Disabilities Act.

Mathis tells me that the proposal is “alarming,” noting, “It’s unrealistic to think that charging people thousands of dollars if they decline to answer questions about their medical status or mental health status could be done and still safeguard people’s privacy interests.” Not all employers are covered by HIPAA, only ones that “self-insure,” generally large companies that run their own plans, and in addition to internal data leaks, Mathis cites the rise of hacks and data breaches. She notes that at a recent briefing, Anthem was among speakers assuring the audience that health privacy would not be at risk in workplace wellness programs. Anthem, she pointed out, had one of the worst privacy breaches in recent years.

The issues around mental health records don’t stop at the U.S. border. Just this week, the Toronto Police Service announced it had curbed its information sharing about suicide attempts with a national database, CPIC, which in turn shares data with the U.S. Department of Homeland Security. Why? For years, Canadians with a documented history of suicide attempts or mental health hospitalizations have been complaining that they were being turned away from the U.S. border.