Thursday, September 22, 2011

A REALLY BAD Week for Electronic Health Record Privacy

Let me begin with an obvious caveat: I'm no Luddite and I COMPLETELY understand the logic behind transitioning to an electronic based health records system. 

It was just a few weeks ago that a San Jose Mercury News sounded a few alarm bells regarding just how "safe" our personal data will be in the coming cyber world reality of electronic health records. But after this week, these privacy concerns have just expanded and metastasized significantly. For those that don't know, we (America) are in the midst the massive transition to e-health records, a key component of both President Obama's health care proposal as well as the stimulus package itself.

Let me again reiterate that because the three stories I'm going to share with you today, all from this week, epitomize the concerns articulated by privacy advocates is not to say that we shouldn't make this transition, for all the money and even life saving reasons everybody has probably heard by now. But what it DOES say is that STRICT privacy safeguards, at every step of the transition process, must be implemented...from the beginning, not once the Genie is out of the bottle.

And the fact is, as these breaking news stories will make clear, time is running out, because states across the country, including California, are working to implement such a system, with consumer privacy perhaps the paramount area of I write this!

AS I said, one of the most important challenges for privacy advocates has been making sure that the transition to electronic medical records includes ironclad privacy safeguards along with it. We know such a system will save money and improve health care (though how significant these improvements and savings will be is still in question), but what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

When it comes to the issue of e-health records certainly one question the consumers should ponder is "Where is my data and who has access to it and for what purposes?" Or perhaps even more importantly, "can my private data be traced back to me personally and sold to others?"

Before I go on too long, let me get to the three separate articles...the first entitled "Theft of Digital Health Data More Often Inside Job, Report Finds" from Bloomberg Business Week.

The article reports:

Electronic health data breaches are increasingly carried out by “knowledgeable insiders” bent on identity theft or access to prescription drugs, according to a report from PricewaterhouseCoopers LLP. 

More than 11 million consumers have had medical data stolen or inappropriately disclosed since September 2009, and the privacy breaches are expected to rise as more health information is put online, according to the report released today by the New York-based accounting firm’s health research institute. The most frequently reported issue was the improper use of protected information by an “internal party,” the study found. 

The report underscores the need to strengthen privacy and security controls as health records are more frequently stored online and accessed by portable devices, said James Koenig, co- lead of PwC’s Health Information Privacy and Security Practice. Consumer concerns that personal medical information may be vulnerable to disclosure are likely to increase as the Obama administration spurs the adoption of digital records.


While the report didn’t specify how many security thefts were carried out by insiders, 40 percent of surveyed providers reported an incident of improper internal use of protected health information during the past two years. Over the past several years, thefts by insiders or disgruntled former employees have surpassed disclosures by hackers and outsiders, Koenig said.

Read the rest here.

Now, if that wasn't enough to get grab your attention and maybe, for a second at least, question the "we don't have time for privacy protection rush" to implement this system correctly and responsibly, there's also an article from Information Week entitled "HHS: Patient Data Breaches Have More Than Doubled".

The article reports:
Health organizations notified approximately 5.4 million individuals affected by patient health data breaches in 2010, compared to approximately 2.4 million individuals in 2009. This according to a report recently sent by the Department of Health and Human Services (HHS) to Congress. The report comes several months after the HHS office of inspector general published two audits that highlighted the difficulties healthcare deliveryorganizations are facing in their efforts to protect sensitive patient information.

HHS' latest report to Congress revealed that in 2010 theft was the most common cause of large breach incidents that affected 500 or more individuals. Among the 207 breaches that covered entities such as healthcare providers, health plans, and healthcare clearinghouses reported last year, 99 incidents involved theft of paper records or electronic media, combined affecting approximately 3 million individuals. 


In 2010, the second highest number of data breaches involved the loss of electronic media or paper records, with 33 reported cases that affected more than 1 million individuals. There were 31 breaches that involved unauthorized access to, or uses or disclosures of, protected health information that affected approximately 1 million individuals. Other breaches included 19 incidents resulting from human or technological errors that affected approximately 78,663 individuals. Eleven covered entities reported breaches caused by the improper disposal of protected health information that affected approximately 70,000 individuals. In Gallagher's view, the increasing number of incidents could mean that the policies and procedures coming from HHS are encouraging the healthcare industry to do a better job of detecting and reporting breaches. 

Read the rest here.

But wait...there's more!! A Reuters article entitled "Health industry lacks patient data safeguards: poll" adds yet another wrinkle, which again, totally and completely validates and reinforces claims by privacy advocates that we must put the privacy of patients ahead of the need to get the system up and running as quickly as possible no matter the risks.

The article reports: 

A vast majority of hospitals, doctors, pharmacies and insurers are eager to adapt to increasingly digital patient data. However, less than half are addressing implications for privacy and security, a survey of healthcare industry executives by PricewaterhouseCoopers LLP found. PwC's Health Research Institute interviewed 600 executives in the spring of this year and also found that less than half of their companies have addressed issues related to the use of mobile devices. Less than a quarter have addressed implications of social media.


U.S. health and drug regulators are expected by the end of the year to finalize their updated rules on patient privacy protection, and they also continue to adapt to new technologies coming to health labs and physicians' offices. Some 74 percent of healthcare organizations were planning to expand the purposes for which they use electronic patient health data, the survey found. For instance, that may mean looking across patients to find better treatments or tracking records of one patient from doctors and pharmacies to analyze medication adherence. 

But only 47 percent of the companies have or are addressing related privacy and security issues, the report said.Reports of security breaches, although many not directly related to health IT, are not uncommon in the health industry. 

Just over half of surveyed executives said they were aware of some kind of a privacy or security breach at their companies in the past two years, with hospitals being the likelier offenders. 

Read the rest of that article here.

As I have written here before on this issue, we all consider our healthcare information to be extremely personal and expect the government to protect it from falling into the wrong hands. Granted, regulations alone (nor even technical safeguard perhaps) will never be the end all solution when it comes to privacy in the information must be coupled with public awareness and the pressure that consumer choice can put on industry. 

But as it stands today, there still aren't uniform standards for electronic medical records. Yes, there are some protections in the Health Insurance Portability and Accountability Act of 1996, as well as some in the stimulus bill. But key protections are still absent. 

The prohibition on the sale of medical records is weak and full of loopholes, nor does it apply to vendors like Microsoft or Google. Both companies have agreed to contracts that say they won't release your information, but there is no law mandating that they don't sell the information. If we've learned anything about corporate behavior in recent years, it’s that without ironclad, legal requirements, we shouldn't expect them to behave the way we'd expect from say, a human being.

Similarly, the breach provisions requiring companies to notify patients when electronic medical records are accessed does apply to Google and Microsoft, however, there are safe-harbor provisions that let companies off the hook from the notification requirement if the breach occurred in "good faith."

The federal law on the books only requires that patients are notified when their information was disclosed in the course of treatment but not how it was used. As a result, the patient will not know which hospital personnel looked at the information or for what purpose.

Look, I don't yet consider myself an expert on this issue, for that, go to World Privacy Forum and read some of the work and research done by Pam Dixon on electronic health record privacy.

Clearly, if today's list of articles, and last months piece in the San Jose Mercury News, tells us anything its that we need MORE attention paid to privacy, not less...and that means taking a bit more time to get this new system up and running...and more care given to the rights of patients...not hospitals, not suppliers, not the government, and not any other interest looking to profit off this transition. We can have BOTH privacy and a more efficient medical records system...there's no need to sacrifice one for the other.

No comments: