Monday, August 22, 2011

Another Massive E-Health Record Data "Spill"

A story in the San Jose Mercury News today sounded a few alarm bells regarding just how "safe" our personal data will be in the coming cyber world reality of electronic health records. As many know, the massive transition to e-health records was a key component of both President Obama's health care proposal as well as the stimulus package itself. 

Currently, states across the country, including California, are working to implement such a system, with consumer privacy perhaps the paramount area of dispute.

One of the most important challenges for privacy advocates has been making sure that the transition to electronic medical records includes ironclad data safeguards along with it. We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

When it comes to the issue of e-health records certainly one question the consumers should ponder is "Where is my data and who has access to it?" Or perhaps even more importantly, "can my private data be traced back to me personally and sold to others?"

We all consider our healthcare information to be extremely personal and expect the government to protect it from falling into the wrong hands. Granted, regulations alone will never be the end all solution when it comes to privacy in the information must be coupled with public awareness and the pressure that consumer choice can put on industry. 

But as it stands today, there still aren't uniform standards for electronic medical records. Yes, there are some protections in the Health Insurance Portability and Accountability Act of 1996, as well as some in the stimulus bill. But key protections are still absent. 

The prohibition on the sale of medical records is weak and full of loopholes, nor does it apply to vendors like Microsoft or Google. Both companies have agreed to contracts that say they won't release your information, but there is no law mandating that they don't sell the information. If we've learned anything about corporate behavior in recent years, it’s that without ironclad, legal requirements, we shouldn't expect them to behave the way we'd expect from say, a human being.

Similarly, the breach provisions requiring companies to notify patients when electronic medical records are accessed does apply to Google and Microsoft, however, there are safe-harbor provisions that let companies off the hook from the notification requirement if the breach occurred in "good faith."

The federal law on the books only requires that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose.

In other words, there's a lot of work still to be done on this issue. Now let's get to the latest breach of very private, personal medical information. The San Jose Mercury News reports:

Until recently, medical files belonging to nearly 300,000 Californians sat unsecured on the Internet for the entire world to see. There were insurance forms, Social Security numbers and doctors' notes. Among the files were summaries that spelled out, in painstaking detail, a trucker's crushed fingers, a maintenance worker's broken ribs and one man's bout with sexual dysfunction.

At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American's sensitive medical information will be digitized. 


"When things go wrong, they can really go wrong," says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches. "Even the most well-designed systems are not safe. ... This case is a good example of how the human element is the weakest link."

Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers' compensation, put the records on a website that it believed only employees could use, owner Joel Hecht says.

When mistakes occur, the fallout can be more severe than the typical breach of email addresses or credit card numbers.

In the wrong hands, health records can be used for blackmail and public humiliation. The information can also be used by insurance companies to inflate rates, or by employers to deny job applicants.

Usually when personal data are exposed, it's the result of a network break-in by a hacker or a theft of computer equipment. Sometimes, it can be a simple case of someone mishandling the information. Leaks are more likely the more data are passed around within the health industry's increasingly interconnected networks.

Dozens of companies can be authorized to handle a single person's medical records. The further away from the health care provider the records get, the flimsier the enforcement mechanisms for ensuring the data are protected. 


The latest incident is "an eye-opener, and we're going to get eye-opener after eye-opener," says Jim Dempsey, a security and public policy expert at the Center for Democracy & Technology.

As instances of data mishandling become more commonplace, government officials may seek greater control over security policies of companies with access to health care records that aren't currently regulated.

"It should be yet another warning bell for companies: You've got your reputation on the line, and you're also facing enforcement action if you don't pay attention to the security of the data you collect and process," Dempsey says.

In fact, a recent study by Patients Privacy Rights further validated privacy advocates concernsGoogle's scores of a D and F and systems offered by employers and insurers also receiving an F. These are two HUGE providers of what will be the electronic health record "industry" that are still failing us. The group notes:

"The bad news is other companies do not allow patients to control their PHRs. That is a scary thing when you consider that PHRs can store sensitive health information as well as lifestyle habits such as what you eat, how much you drink, and how often you exercise. This information can easily get into the wrong hands, especially if your PHR is offered by an employer or insurer. All PHRs claim to be “patient-centric” and claim that “privacy is important”, but it’s simply not true.

What grades did the PHRs earn?

CapMed’s ICE PHR: C

Google Health: D – Platform F - Partners

Microsoft HealthVault: B – Platform F - Programs

NoMoreClipboard: A

WebMDs: C

PHRs offered by Employers/Insurers: F


1) Know that if your PHR is sponsored by your employer or insurer, the odds are VERY GOOD that they have access to all your information. This was quite clear after reviewing a form privacy policy for employer/insurer sponsored PHRs. Sure, not every company is out there to take advantage but personal health information can be used to discriminate, damage reputations and harm opportunities.

2) Every company and product has their own privacy policy. Even if you feel comfortable with a PHRs policy and website, click on a link and leave the site, all bets are off. Any third party that touches your data may not be held to the same standard. This is a key lesson for the Google and Microsoft tools.


So what can be done?

1) The public needs to wake up and pay attention. Our personal health information is everywhere and being passed from one company to the next, without our permission or knowledge. If we don’t demand control, we will lose it forever.

2) We need federal laws that make Fair Information Practices the rule for all health information, including PHRs. Data shared for one purpose should be used solely for that purpose unless the patient gives consent for any new use. No single piece of data should be allowed to go to an employer, insurer or other entity without patient permission.

Click here to read the article in its entirety.
Pam Dixon of the World Privacy Forum not too long ago broke some of the challenges we face down, stating "Much of the discussion around PHRs has been oriented toward how they benefit consumers, with almost no meaningful or detailed discussion of the privacy risks. As a result, few consumers have the ability to make genuinely informed decisions about these tools. For example, many consumers assume that because a PHR involves health-related information, that special privacy protections must apply. However, there are different varieties of PHRs and PHR companies, some of which do not fall under the federal privacy rules that are usually applied to health information." 

"Many consumers have this deeply held belief that their health information, no matter where it travels, is protected in the same way as when you have a doctor/patient relationship," Dixon said. In reality, consenting to have data transmitted to a non-covered system likely would be viewed as an indication that you had waived your privacy privilege, she added.

Health information stored in commercial PHR systems is also less protected against subpoenas than it otherwise would be, Dixon asserted. Under HIPAA, if someone seeks to subpoena medical records about an individual from a covered entity, the patient has to be informed first. But that protection doesn't apply to PHRs in all instances, she said.

Even more worrisome to Dixon, though, is the potential for protected medical information stored in PHRs to be used for marketing purposes. HIPAA explicitly prohibits such uses, but the terms under which many PHR systems are operated could enable their owners to sell personal health data to marketers, she said. 

People should be aware of such issues when choosing whether to use PHR systems, Dixon said. She added that the operators of PHR systems should be required to clearly disclose whether they are covered under HIPAA and what sort of privacy protections they offer.

As we see the continuing consolidation of, and even the possible monopolization of information technologies, the concern and fear that forces beyond our control have access to EVERYTHING we've nearly ever done will only will the likelihood that this "power" will be our expense.

The fact that the health-care and drug-industry lobbies are spending so much effort to weaken privacy standards does not bode well either.

This is an issue I'll be following more on this blog in the coming weeks and months now that California is in the midst of establishing its own e-health record privacy regulations.

No comments: