E-Health Records, Data Breaches, and Privacy

Rather than re-inventing the wheel today, if you want some past posts I've done on electronic health records (EHR's) and the need for strict privacy safeguards that protect consumers, you can go here, here, or here. Generally speaking, I've made the following arguments: yes, this transition from paper to EHR's is inevitable and necessary; yes, such a transition does offer numerous benefits from cost effectiveness to better care; but, and this is a big but, what remains contentious - and rightly so - is the intrinsic threat a massive electronic database containing our most personal medical records poses to individual privacy and security.

Similarly, I have also documented, one medical records data breach after another, some due to hackers/identity thieves and some as a result of gross hospital incompetence and negligence (and more). In addition, I've detailed how states, like California for instance, are trying to create a set of privacy standards for these records that often means merging state rules and federal ones.

Given the lack of consistency, for instance, between California’s Confidentiality of Medical Information Act (CMIA) and the federal HIPAA (The Health Insurance Portability and Accountability Act), there is no single, comprehensive “rule” for the use and disclosure of health information in our state.

Thus the debate taking place over what kind of privacy standards and protections should apply to EHR’s centers around a few core principles: accountability among parties involved in processing electronic transactions, consumer control over how their information is shared and the availability of access to it, transparency (so anyone who accesses files is recorded and made available to the consumer if desired), and system security to ensure a patients private information is protected from identity thieves, overzealous law enforcement, or unwanted marketers.

Now that I've briefly gone over some of the general fundamentals of this very complex issue, I want to discuss two articles that have come out in the past week or so, one about the UC Regents dragging its feet in the lawsuit against it for a medical records data breach at the UCLA Health System, and the other, a MUST READ from the Los Angeles Times Michael Hiltzik entitled (apt for this blog), "Her case shows why healthcare privacy laws exist."

I want to bring these up because they demonstrate, particularly the Los Angeles Times piece, WHY the work that, in California for instance, CalOHII (State of California Office of Health Information Integrity) is doing to come up with ironclad privacy protections for the state to adopt is so important (full disclosure: I'm on the privacy steering committee).

Let's begin with Hiltzik's piece because it truly blows the mind, and brings home why this MATTERS. He writes:

Of all the personal information that you might want to keep private, your medical records are the most important. That's why federal and state laws carry stiff penalties, up to and including jail time, for healthcare providers who let such data loose into the wild.

So you should be aghast at how free and easy Prime Healthcare Services and two executives at Prime-owned Shasta Regional Medical Center have been with the medical chart of a patient named Darlene Courtois. They showed the entire chart to an editor of her hometown newspaper, and Prime's corporate office divulged some of her medical examination results to me (though I didn't ask for them). They didn't have her permission for those disclosures, her daughter says.

...

Here's what state and federal laws have to say: A hospital can't disclose a patient's medical information publicly, such as to a newspaper, without the patient's written authorization. The authorization has to be very specific, designating exactly which records may be disclosed and to whom.

The applicable laws are the federal Health Insurance Portability and Accountability Act of 1996, which is known as HIPAA, and the 2008 California Confidentiality of Medical Information Act. The covered records include any information about an individual's "past, present or future physical or mental health or condition," and "the provision of health care to the individual." (The language comes from the federal government's published privacy rule summary.)

There are a few limited circumstances in which a healthcare provider doesn't need permission. Chiefly these fall into the categories of "treatment, payment and healthcare operations" — in other words, charts can be seen by doctors treating the patient or insurers paying for care, or in connection with hospital functions such as evaluating doctors' competency — and regulatory activities or subpoenas.

...

Under the law, there's no such thing as an implied authorization by a patient for disclosure of personal records, said Linda Ackerman, a San Francisco expert in privacy law.

The office of civil rights of the U.S. Department of Health and Human Services, which enforces HIPAA, put it this way: "There is no 'waiver' that would apply to the release of a chart or medical record to the media without an individual's written authorization."

Several experts told me it doesn't matter if the hospital was trying to contradict misinformation provided by a patient (even if that's what Courtois did, which is debatable). Under the law, patients themselves can divulge anything they wish about their medical conditions and their treatment by a hospital. But a hospital's obligation is to keep its mouth shut. A desire to deflect bad PR is not an excuse. Even if they think they're in the right, the law says healthcare providers have to suffer in silence, the experts say.

Anthony Wright, executive director of the statewide patient advocacy group Health Access California, also mentioned the "chilling precedent" of a hospital company exposing a patient's personal information just because she criticized the company in public. Indeed, the lesson of the Courtois case is clear: Give an interview about your experience at a Prime-owned hospital, and don't be surprised if the hospital responds by exposing the most private details of your medical history to the world. 

Click here for more.

I would have to say, in addition to the blatant disregard for the privacy, and the RIGHTS of Darlene Courtois demonstrated by Prime, I find Anthony Wright's point on this serving as a "chilling effect" against patients who may speak out, to be of particular concern. I say this because all too often, as a consumer advocate, industry's from chemical to big pharma to big oil, and on down the line, we see intimidation, obfuscation, and in fact, a factoring in of the damage they cause people and the planet into their business model. I would HATE to think that EHR's could serve as yet one more tool to protect these kinds of corporate interests from proper justice and accountability.

My sense is, that in the case of Prime, its so egregious, there will be accountability, and this chilling effect will not take root. But, that is why I brought up the issue of factoring in the cost of the damage these corporate interests do into their business model: will the damages Prime faces outweigh the benefits, they, and other vultures like them, feel they might get from such intimidation?

This also is why, as Hiltzik rightly states in the articles title, "Her case shows why health care privacy laws exist", and why, INCREASED privacy protections, and increased accountability and enforcement, are also necessary...and must also exist.

On a similar note, let's look at the case of the UCLA Health System data breach and the lawsuit against it (remember, as I pointed out in a recent post, hospitals are NOT doing their job, and spending the required resources to protect these EHR's to date). As the Daily Bruin reports:

The UCLA Health System reported in November 2011 that a hard drive containing more than 16,000 patients’ information had been stolen from the home of a UCLA physician on Sept. 6, 2011.

Social Security numbers and financial information were not among the documents stolen, but they did include first and last names and may have contained birth dates, medical record numbers, addresses and medical record information, according to the Health System’s statement.

The lawsuit claims the September incident was a violation of the California Confidentiality of Medical Information Act, in place to protect the privacy of patients’ personal histories and information. The suit is calling for $1,000 in damages for each patient on the hard drive. The total cost of the suit for the Health System could amount to as much as $16 million, including the legal fees associated with the case.

...

While storing information online is an increasingly common practice, and can certainly coexist with patient privacy rights, the potential for data breach is significantly higher than a paper-based system, said Tena Friery, research director at the Privacy Rights Clearinghouse, a national nonprofit organization focused on consumer privacy protection.

She also cited a 2011 study revealing that 71 percent of health care organizations had suffered a data breach in the last year.

Kabateck was also involved in a case concerning similar violations against Stanford University’s Hospital and Clinics late last year, filed on behalf of 20,000 patients whose information was released onto a public website through a third party. 

Click here to read more.

Obviously, this brings me back to the same key points at the article before it...how do we prevent this MASS amounts, in some cases (as in Prime), intentional, data breaches from occurring? This, my friends, is serious business. And, as such, I would urge we seek and demand adequate penalties against those responsible for such breaches to ensure they don't keep happening going forward. This means BOTH privacy standards AND enforcement/security/accountability.

As I wrote in past posts, "If medical records fell into the wrong hands at worst they could be used for a host of purposes unrelated to improving your health: advertisers might flood our email inboxes with even more spam and patients may not feel so comfortable having an honest conversation with their doctor if it could end up for all to see. This treasure trove of personal information would also be a goldmine for insurance companies, drug companies, data mining companies, and software companies....


When it comes to the issue of e-health records certainly one question the consumers should ponder is "Where is my data and who has access to it and for what purposes?" Or perhaps even more importantly, "can my private data be traced back to me personally and sold to others?"...Clearly, what is MORE than clear now is that we need MORE attention paid to privacy, not less...and that means taking a bit more time to get this new system up and running...and more care given to the rights of patients...not hospitals, not suppliers, not the government, and not any other interest looking to profit off this transition. We can have BOTH privacy and a more efficient medical records system...there's no need to sacrifice one for the other.