A REALLY BAD Week for Electronic Health Record Privacy

by Zack Kaldveer, Communications Director, Consumer Federation of California

Let me begin with an obvious caveat: I’m no Luddite and I COMPLETELY understand the logic behind transitioning to an electronic-based health records system.

It was just a few weeks ago that a San Jose Mercury News article sounded a few alarm bells
regarding just how "safe" our personal data will be in the coming
cyber world reality of electronic health records. But after this week, these
privacy concerns have just expanded and metastasized significantly. For those
that don’t know, we (America) are in the midst of the massive transition to e-health records,
a key component of both President Obama’s health care
proposal as well as the stimulus package itself.

Let me again reiterate that just because the three stories I’m
going to share with you today, all from this week, epitomize the concerns
articulated by privacy advocates, that is not to say that we shouldn’t make this transition,
for all the money and even
life-saving reasons everybody has probably heard by now. But what it DOES say
is that STRICT privacy safeguards, at every step of the transition process,
must be implemented…from the beginning, not once the Genie is out of the

And the fact is, as these breaking news stories will make clear, time is
running out, because states across the country, including California, are working to implement such a
system, with consumer privacy perhaps the paramount area of dispute…as I
write this!

As I said, one of the most important challenges for privacy advocates has been
making sure that the transition to electronic medical records includes ironclad
privacy safeguards along with it. We know such a system will save money and
improve health care (though how significant these improvements and savings will
be is still in question), but what remains contentious – and rightly so – is
the intrinsic threat a massive electronic database containing our most personal
medical records poses to individual privacy and security.

When it comes to the issue of e-health records, certainly one question
consumers should ponder is "Where is my data and who has access to it and
for what purposes?" Or perhaps even more importantly, "can my private
data be traced back to me personally and sold to others?"

Before I go on too long, let me get to the three separate
articles…the first entitled "Theft of Digital Health Data More Often Inside Job, Report Finds"
from Bloomberg Business Week.

The article reports:

Electronic health data breaches are increasingly carried out
by ‘knowledgeable insiders’ bent on identity theft or access to prescription drugs,
according to a report from PricewaterhouseCoopers LLP. 

More than 11 million consumers have had medical data stolen or inappropriately
disclosed since September 2009, and the privacy breaches are expected to rise
as more health information is put online, according to the report released
today by the New York-based accounting firm’s health research institute. The
most frequently reported issue was the improper use of protected information by
an ‘internal party,’ the study found. 

The report underscores the need to strengthen privacy and security controls as
health records are more frequently stored online and accessed by portable
devices, said James Koenig, co-lead of PwC’s Health Information Privacy and
Security Practice. Consumer concerns that personal medical information may be
vulnerable to disclosure are likely to increase as the Obama administration
spurs the adoption of digital records.


While the report didn’t specify how many security thefts were carried out by
insiders, 40 percent of surveyed providers reported an incident of improper
internal use of protected health information during the past two years. Over
the past several years, thefts by insiders or disgruntled former employees have
surpassed disclosures by hackers and outsiders, Koenig said.

Read the rest here.

Now, if that wasn’t enough to grab your attention and maybe, for a second at least,
question the "we don’t have time for privacy protection rush" to
implement this system correctly and responsibly, there’s
also an article from Information Week entitled "HHS: Patient Data Breaches Have More Than Doubled"

The article reports:

Health organizations notified approximately 5.4 million
individuals affected by patient health data breaches in 2010, compared to
approximately 2.4 million individuals in 2009. This according to a report
recently sent by the Department of Health and Human Services (HHS) to Congress.
The report comes several months after the HHS office of inspector general published
two audits that highlighted the difficulties healthcare delivery organizations
are facing in their efforts to protect sensitive patient information.

HHS’ latest report to Congress
revealed that in 2010 theft was the most common cause of large breach incidents
that affected 500 or more individuals. Among the 207 breaches that covered
entities such as healthcare providers, health plans, and healthcare
clearinghouses reported last year, 99 incidents involved theft of paper records
or electronic media, combined affecting approximately 3 million individuals. 


In 2010, the second highest number of data breaches involved the loss of
electronic media or paper records, with 33 reported cases that affected more
than 1 million individuals. There were 31 breaches that involved unauthorized
access to, or uses or disclosures of, protected health information that
affected approximately 1 million individuals.

Other breaches included 19
incidents resulting from human or technological errors that affected
approximately 78,663 individuals. Eleven covered entities reported breaches
caused by the improper disposal of protected health information that affected
approximately 70,000 individuals. In Gallagher’s
view, the increasing number of incidents could mean that the policies and
procedures coming from HHS are encouraging the healthcare industry to do a
better job of detecting and reporting breaches. 

Read the rest here.

But wait…there’s more!! A Reuters
article entitled "industry lacks patient data safeguards: pol" adds yet another
wrinkle, which again, totally and completely validates and reinforces claims by
privacy advocates that we must put the privacy of patients ahead of the need to
get the system up and running as quickly as possible no matter the risks.

The article reports:

A vast majority of hospitals, doctors, pharmacies and insurers are eager to
adapt to increasingly digital patient data. However, less than half are
addressing implications for privacy and security, a survey of healthcare
industry executives by PricewaterhouseCoopers LLP found. PwC’s Health Research Institute interviewed 600
executives in the spring of this year and also found that less than half of
their companies have addressed issues related to the use of mobile devices.
Less than a quarter have addressed implications of social media.

U.S. health and drug regulators are expected by the end of the year to finalize
their updated rules on patient privacy protection, and they also continue to
adapt to new technologies coming to health labs and physicians’ offices. Some 74 percent of healthcare
organizations were planning to expand the purposes for which they use
electronic patient health data, the survey found. For instance, that may mean looking
across patients to find better treatments or tracking records of one patient
from doctors and pharmacies to analyze medication adherence.

But only 47 percent of the companies have or are addressing related privacy and
security issues, the report said. Reports of security breaches, although many not
directly related to health IT, are not uncommon in the health industry.

Just over half of surveyed executives said they were aware of some kind of a
privacy or security breach at their companies in the past two years, with
hospitals being the likelier offenders. 

Read the rest of that article here.

As I have written here before on this issue, we all consider
our healthcare information to be extremely personal and expect the government
to protect it from falling into the wrong hands. Granted, regulations alone
(nor even technical safeguards perhaps) will never be the end-all solution when
it comes to privacy in the information age…it must be coupled with public
awareness and the pressure that consumer choice can put on industry.

But as it stands today, there still aren’t
uniform standards for electronic medical records. Yes, there are some
protections in the Health Insurance Portability and Accountability Act of 1996,
as well as some in the stimulus bill. But key protections are still

The prohibition on the sale of medical records is weak and
full of loopholes, nor does it apply to vendors like Microsoft or Google. Both
companies have agreed to contracts that say they won’t
release your information, but there is no law mandating that they don’t sell the information. If we’ve
learned anything about corporate behavior in recent years, it’s that without
ironclad, legal requirements, we shouldn’t
expect them to behave the way we’d
expect from say, a human being.

Similarly, the breach provisions requiring companies to notify patients when
electronic medical records are accessed do apply to Google and Microsoft;
however, there are safe-harbor provisions that let companies off the hook from
the notification requirement if the breach occurred in "good faith."

The federal law on the books only requires that patients are notified when
their information was disclosed in the course of treatment but not how it was
used. As a result, the patient will not know which hospital personnel looked at
the information or for what purpose.

Look, I don’t yet consider myself an expert on this issue; for that, go to World Privacy Forum
and read some of the work and research done by Pam Dixon on electronic health record privacy.

Clearly, if today’s
list of articles, and last month’s piece in the San Jose Mercury News, tells us
anything, it’s that we need MORE attention paid to privacy, not less…and that
means taking a bit more time to get this new system up and running…and more
care given to the rights of patients…not hospitals, not suppliers, not the
government, and not any other interest looking to profit off this transition.
We can have BOTH privacy and a more efficient medical records system...there’s no need to sacrifice one for the other.