A REALLY BAD Week for Electronic Health Record Privacy
Let me begin with an obvious caveat: I'm no Luddite and I COMPLETELY understand the logic behind transitioning to an electronic based health records system.
It was just a few weeks ago that the San Jose Mercury News sounded a few alarm bells regarding just how "safe" our personal data will be in the coming cyber world reality of electronic health records. But after this week, these privacy concerns have expanded and metastasized significantly. For those that don't know, we (America) are in the midst of the massive transition to e-health records, a key component of both President Obama's health care proposal and the stimulus package itself.
Let me reiterate: the fact that the three stories I'm going to share with you today, all from this week, epitomize the concerns articulated by privacy advocates is not to say that we shouldn't make this transition, for all the money and even life saving reasons everybody has probably heard by now. But what it DOES say is that STRICT privacy safeguards, at every step of the transition process, must be implemented...from the beginning, not once the Genie is out of the bottle.
And the fact is, as these breaking news stories will make clear, time is running out, because states across the country, including California, are working to implement such a system, with consumer privacy perhaps the paramount area of dispute...as I write this!
As I said, one of the most important challenges for privacy advocates has been making sure that the transition to electronic medical records includes ironclad privacy safeguards along with it. We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.
When it comes to e-health records, certainly one question consumers should ponder is "Where is my data, who has access to it, and for what purposes?" Or perhaps even more importantly, "Can my private data be traced back to me personally and sold to others?"
Before I go on too long, let me get to the three separate articles...the first entitled "Theft of Digital Health Data More Often Inside Job, Report Finds" from Bloomberg Business Week.
More than 11 million consumers have had medical data stolen or inappropriately disclosed since September 2009, and the privacy breaches are expected to rise as more health information is put online, according to the report released today by the New York-based accounting firm’s health research institute. The most frequently reported issue was the improper use of protected information by an “internal party,” the study found.
The report underscores the need to strengthen privacy and security controls as health records are more frequently stored online and accessed by portable devices, said James Koenig, co-lead of PwC’s Health Information Privacy and Security Practice. Consumer concerns that personal medical information may be vulnerable to disclosure are likely to increase as the Obama administration spurs the adoption of digital records.
While the report didn’t specify how many security thefts were carried out by insiders, 40 percent of surveyed providers reported an incident of improper internal use of protected health information during the past two years. Over the past several years, thefts by insiders or disgruntled former employees have surpassed disclosures by hackers and outsiders, Koenig said.
Now, if that wasn't enough to grab your attention and maybe, for a second at least, make you question the "we don't have time for privacy protection" rush and instead implement this system correctly and responsibly, there's also an article from Information Week entitled "HHS: Patient Data Breaches Have More Than Doubled".
HHS' latest report to Congress revealed that in 2010 theft was the most common cause of large breach incidents that affected 500 or more individuals. Among the 207 breaches that covered entities such as healthcare providers, health plans, and healthcare clearinghouses reported last year, 99 incidents involved theft of paper records or electronic media, combined affecting approximately 3 million individuals.
In 2010, the second highest number of data breaches involved the loss of electronic media or paper records, with 33 reported cases that affected more than 1 million individuals. There were 31 breaches that involved unauthorized access to, or uses or disclosures of, protected health information that affected approximately 1 million individuals. Other breaches included 19 incidents resulting from human or technological errors that affected approximately 78,663 individuals. Eleven covered entities reported breaches caused by the improper disposal of protected health information that affected approximately 70,000 individuals. In Gallagher's view, the increasing number of incidents could mean that the policies and procedures coming from HHS are encouraging the healthcare industry to do a better job of detecting and reporting breaches.
Read the rest here.
But wait...there's more!! A Reuters article entitled "Health industry lacks patient data safeguards: poll" adds yet another wrinkle, which again validates and reinforces claims by privacy advocates that we must put the privacy of patients ahead of the need to get the system up and running as quickly as possible, no matter the risks.
A vast majority of hospitals, doctors, pharmacies and insurers are eager to adapt to increasingly digital patient data. However, less than half are addressing implications for privacy and security, a survey of healthcare industry executives by PricewaterhouseCoopers LLP found. PwC's Health Research Institute interviewed 600 executives in the spring of this year and also found that less than half of their companies have addressed issues related to the use of mobile devices. Less than a quarter have addressed implications of social media.
U.S. health and drug regulators are expected by the end of the year to finalize their updated rules on patient privacy protection, and they also continue to adapt to new technologies coming to health labs and physicians' offices. Some 74 percent of healthcare organizations were planning to expand the purposes for which they use electronic patient health data, the survey found. For instance, that may mean looking across patients to find better treatments or tracking records of one patient from doctors and pharmacies to analyze medication adherence.
But only 47 percent of the companies have or are addressing related privacy and security issues, the report said. Reports of security breaches, although many not directly related to health IT, are not uncommon in the health industry.
Just over half of surveyed executives said they were aware of some kind of a privacy or security breach at their companies in the past two years, with hospitals being the likelier offenders.
Read the rest of that article here.
But as it stands today, there still aren't uniform standards for electronic medical records. Yes, there are some protections in the Health Insurance Portability and Accountability Act of 1996, as well as some in the stimulus bill. But key protections are still absent.
Similarly, the breach provisions requiring companies to notify patients when electronic medical records are accessed do apply to Google and Microsoft; however, there are safe-harbor provisions that let companies off the hook from the notification requirement if the breach occurred in "good faith."
The federal law on the books only requires that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose.