Wednesday, April 1, 2009

The Challenge of Keeping Medical Records Private in the Electronic Age

While there's little real debate that moving to digitized medical records will save money and improve health care (that much is close to certain, though the size of the gains is still in question), what remains contentious, and rightly so, is the intrinsic threat that a massive electronic database holding all of our most personal medical records poses to our privacy.

The fact is there are benefits and pitfalls to such a plan. And because this digital transition is a key component of both President Obama's health plan (and budget) AND his economic stimulus package, the question has just been pushed to the forefront of the ongoing privacy debate.

For instance, as the New York Times recently pointed out:

"with paper records the opportunities for breaches are limited to over-the-shoulder glimpses or the occasional lost or stolen files. But when records are kept and transferred electronically, the potential for abuse can become as vast as the Internet.

Employers who obtain medical records inappropriately might reject a job candidate who looks expensive to insure. Drug companies with access to pharmaceutical records might try to pressure patients to switch to their products. Data brokers might buy medical and pharmaceutical records and sell them to marketers.

Unscrupulous employees with access to electronic records might snoop on the health of their colleagues or neighbors....It should be possible through implementing regulations to fine-tune the privacy requirements so that they do not disrupt patient care. Congress must make every effort to ensure that patients’ privacy is protected."

According to the health-care and drug-industry lobbies, they don't do anything nefarious with our medical records...Scout's honor! That claim is hard to square with the fact that literal armies of their high-priced lobbyists have been descending - even on SUBCOMMITTEE hearings - that were held to determine what kind of privacy protections should apply to our electronic medical records.

One aspect of this privacy debate centers on an issue we at CFC know very well: the selling of prescription records to third-party marketers. In fact, we helped torpedo legislation last year that would have made this insidious practice legal in California. But I'll get to that a little later.

For today, I've got a couple of articles that deal with this issue: first, a New York Times piece laying out what consumers can do to protect their private medical records, and second, an interview with Consumer Watchdog's Jamie Court in the Cleveland Plain Dealer.

First, here's the complete article from the New York Times:

Medical histories are among the most sensitive of our sensitive personal information. And our details have been spread from here to, well, all over the place — doctors’ offices, hospital archives, pharmacies, labs, billing companies and insurers’ computer networks.

Today, the World Privacy Forum has released a plain-spoken online guide that can help people regain some control and a measure of privacy over their health records.

The guide, a year in the making, takes on the less-than-fun challenge of dissecting complicated privacy rules created by the Health Insurance Portability and Accountability Act, or HIPAA, a 1996 federal statute that set data-privacy and security rules for key players in the American health care system. The new guide explains patient rights and provides practical advice about how to defend those rights using the law as well as basic social skills and common sense.

Especially useful are sections on how to retrieve medical records from the vortex that is our health system and request fixes if there are errors — vital stuff for anyone with a serious health condition or, for that matter, who’s moving to a new state, changing doctors, seeking a second opinion, considering a malpractice suit or concerned about false entries due to medical identity theft.

There’s also important information for people with ailments they prefer not to disclose to family members, friends or employers. Yes, you can ask the doctor’s office that’s treating you for a venereal disease to call you only on your cellphone and put any mail in plain sealed envelopes, and they should comply. But note that if you are hospitalized, for example, it will be harder to keep relatives and friends in the dark. You can make a formal request for confidentiality, but it probably won’t work. The better route is an informal appeal to your caregivers, W.P.F. says.

The guide also maps out how to seek redress if your rights have been violated, starting with contacting the chief privacy officer at the institution you’re having a problem with. If that fails, complain to the secretary of Health and Human Services via the Office of Civil Rights and perhaps also to your state’s health or insurance department. You can also go public, contacting any relevant licensing boards, writing bad reviews on the Web or, say, reaching out to a reporter.

As I wrote in a previous post here, the Rose Foundation of Oakland, California, citing growing concern over Google's increasingly adversarial relationship with privacy advocates and privacy issues, awarded Consumer Watchdog - a California consumer rights group - significant funding to independently monitor Google's activities in Washington.

In fact, the past six months of Consumer Watchdog's "monitoring" of Google so antagonized the company that Bob Boorstin, Google's Director of Corporate and Policy Communications, recently urged the Rose Foundation to consider pulling the group's funding. Needless to say, there's quite a backdrop to this story, which led to a blistering response from Consumer Watchdog, including a letter to Google CEO Eric Schmidt, and an eventual "apology" from Google.

So with that, here are some highlights from the Cleveland Plain Dealer's interview with Consumer Watchdog:

How private are electronic medical records, especially those provided by companies like Google and Microsoft?

If they are at your doctor's office or a hospital, these are all systems that are pretty protected. There's always the risk of theft, but that's a remote risk. But what worries us is if you put your medical records on a Google server and you agree to share it with the wrong person, like the wrong vendor, then you're in trouble. Most people probably don't realize it's dangerous. You just don't want medical information floating out there on a cloud.

Are there uniform standards or minimum standards for electronic medical records?

There are some protections in the Health Insurance Portability and Accountability Act of 1996, or HIPAA, and there are some in the new stimulus bill. But several key protections are still missing:

The prohibition on the sale of medical records is weak and full of loopholes. It also doesn't apply to vendors, such as Microsoft or Google. Both companies have agreed to contracts that say they won't release your information, but there is no law mandating that they don't sell the information.

The breach provisions requiring companies to notify patients when electronic medical records are accessed do apply to Google and Microsoft. However, there are safe-harbor provisions that let companies off the hook from the notification requirement if the breach occurred in "good faith."

The federal law on the books only requires that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose -- so you won't know if a nurse reviewed your file to look up drug allergies or whether the hospital's fund-raising office reviewed the record for the purpose of requesting a donation.
