Consumer Federation of California

Most of us have come to the obvious, inevitable realization
that we are going to shift (and in fact are doing so right now) what are
currently called personal health records from a paper system to an electronic
one. Having your medical records computerized and stored electronically
promises to reduce medical errors – including prescribing the wrong
medications. The National Academy of Sciences’ Institute of Medicine
estimates between 44,000 and 98,000 people in the United States die each year because
of errors such as being prescribed medicine to which they are allergic.

These EHR’S offer an easier way to collect, double-check and complement the
information you receive from your physician. At the very least, your records
can help you speed through waiting room forms and prompt important
conversations with your physicians. If your doctor writes a new prescription,
you can use your current medication list to ask about any interactions with the
new drug. Or if your records suggest it’s time for a colonoscopy, you might
make time to discuss the pros and cons of the procedure.

EHR’S can also allow you to access your health information to prepare for
medical appointments. As laid out by Patient Privacy Rights, "It can
enable you to communicate better with your healthcare providers about your
medical needs. People with chronic health conditions may use them to keep track
of such things as how their medications are affecting them, or how they’re
feeling from day to day. People with hypertension might want use it to track
their blood pressure readings."

Transitioning to a health information exchange will create much more patient
data in electronic formats than ever before in history. The privacy threat
posed by the interoperability of a national network is a key concern because in
order for the records to be readily available and accessible they would have to
be linkable and searchable.

If medical records fell into the wrong hands at worst they could be used for a
host of purposes unrelated to improving your health: advertisers might flood
our email inboxes with even more spam and patients may not feel so comfortable
having an honest conversation with their doctor if it could end up for all to
see. This treasure trove of personal information would also be a goldmine for
insurance companies, drug companies, data mining companies, and software
companies.

I give you this backdrop because we are witnessing increasing numbers of data
breaches that are exposing – on a mass level – peoples personal health records.

Before I get to the latest news on partly why these breaches are occurring
(hospitals skimping on their security costs), let me layout some of the data
and its costs we ALREADY knew about:

• More than 11 million consumers have had medical data stolen
  or inappropriately disclosed since September 2009, and the privacy breaches are
  expected to rise as more health information is put online, according to the
  report released today by the New York-based accounting firm’s health research
  institute.
• While the report didn’t specify how many security thefts
  were carried out by insiders, 40 percent of surveyed providers reported an
  incident of improper internal use of protected health information during the
  past two years.
• Health organizations notified approximately 5.4 million
  individuals affected by patient health data breaches in 2010, compared to
  approximately 2.4 million individuals in 2009.
• HHS’ latest
  report to Congress revealed that in 2010 theft was the most common cause of
  large breach incidents that affected 500 or more individuals. Among the 207
  breaches that covered entities such as healthcare providers, health plans, and
  healthcare clearinghouses reported last year, 99 incidents involved theft of
  paper records or electronic media, combined affecting approximately 3 million
  individuals.
• In 2010, the second highest number of data breaches involved
  the loss of electronic media or paper records, with 33 reported cases that
  affected more than 1 million individuals. There were 31 breaches that involved
  unauthorized access to, or uses or disclosures of, protected health information
  that affected approximately 1 million individuals. Other breaches included 19
  incidents resulting from human or technological errors that affected
  approximately 78,663 individuals. Eleven covered entities reported breaches
  caused by the improper disposal of protected health information that affected
  approximately 70,000 individuals.

Now that we’ve
gone over just a few of the reasons why this is all so important, and why
concerns articulated by privacy advocates that STRICT privacy safeguards, at
every step of the transition process must be implemented have been proven true,
lets get to some of the reasons WHY such breaches are occurring.

As
Business Week reported: 

Data breaches at U.S.
health-care providers are increasing as hospitals adopt electronic medical
records and mobile technology without spending enough on security to ensure
patient privacy, a research group said.

The frequency of data breaches at health organizations jumped 32 percent in
2011 from a year earlier, costing the industry an estimated $6.5 billion,
according to a study released today by the Ponemon Institute LLC, a Traverse
City, Michigan-based information-security research group.

Forty-nine percent of health organizations said that lost or stolen devices
were to blame for breaches, according to the institute, which surveyed 72
hospitals and health providers. The study didn’t name the organizations
surveyed.

…

Fifty-three percent of the organizations surveyed said that inadequate funding
was the biggest barrier to preventing data breaches, according to the study.

U.S.
data-breach notification laws for health organizations are making providers
more aware of their security vulnerabilities, Ponemon said. Data breaches
affecting more than 500 people must be reported to the Health and Human
Services Department, which posts a list of incidents on its website.

Health providers, insurers and their business partners reported 373 breaches
affecting almost 18 million individuals between September 2009 and October of
this year, according to the list, which is tended by the Health and Human
Services Department’s Office of Civil Rights.

In  fact, the Privacy Rights Clearinghouse listed the now notorious Sutter
Health data breach as one of the largest of the year. Amber Yoo, the
organization’s Communications
Director, recently
wrote in the California Progress Report:

 "Sutter Physicians Services
(SPS) and Sutter Medical Foundation (SMF) (Nov. 16) – A company-issued desktop
computer was stolen from SMF’s
administrative offices in Sacramento,
California, during the weekend of
October 15th. Although the data was password protected, it was not encrypted.
Approximately 3.3 million patients whose health care provider is supported by
SPS had their names, addresses, dates of birth, phone numbers, email addresses,
medical record numbers and health insurance plan name exposed. An additional
934,000 SMF patients had dates of services and description of medical diagnoses
and/or procedures used for business operations, bringing the total to 4.2
million patients. At least two lawsuits have been filed against Sutter Health.
One class-action suit alleges that Sutter Health was negligent in safeguarding
its computers and data, and then did not notify the millions of patients whose
data went missing within the time required by state law….The security lapse
occurred on two levels: both the data itself (being unencrypted) and the
physical location (stored in an unsecure location). Although no Social Security
numbers or financial information were apparently exposed, all the data elements
needed for medical identity theft were included in the stolen records."

In addition,
Amber points out another massive breach, writing, "Nine data servers
containing sensitive health information went missing from Health Net’s data center in Rancho Cordova, California.
The servers contained the personal information of 1.9 million current and
former policyholders, compromising their names, addresses, health information,
Social Security numbers and financial information. Not only was Health Net the
first massive medical breach of the year, but the company waited three months
before notifying affected individuals. The servers were discovered missing in
January, but policyholders were not notified until March. The breach highlights
the importance of timely notification."

The good news, as if there is any in all this, is that California recently
implemented one of the strongest data breach notification laws in the country –
one we here at the
Consumer Federation of California worked hard to pass the legislature and
convince Governor Brown to sign. Now, thanks to the law, any breached entity
must submit their notice letters to the California Attorney General. The AG’s office will then post the letters on its website.
In addition, the notifications sent to individual who’s
private information was breached will be clearer, more detailed, with specific
recommendations for what to do no next, including who to call.

As for the larger issue of electronic health records, as these breaking news
stories make clear, time is running out, because states across the country,
including California, are working to implement such a system, with consumer
privacy perhaps the paramount area of dispute.

We know such a system will save money and improve health care (though how
significant these improvements and savings will be is still in question), but
what remains contentious – and rightly so – is the intrinsic threat a massive
electronic database containing our most personal medical records poses to
individual privacy and security.

When it comes to the issue of e-health records certainly one question the
consumers should ponder is "Where is my data and who has access to it and
for what purposes?" Or perhaps even more importantly, "can my private
data be traced back to me personally and sold to others?"

But as it stands today, there still aren’t
uniform standards for electronic medical records. Yes, there are some
protections in the Health Insurance Portability and Accountability Act of 1996,
as well as some in the stimulus bill. But key protections are still absent, and
state laws often conflict with federal ones.

For instance, the federal law on the books only require that patients are
notified when their information was disclosed in the course of treatment but
not how it was used. As a result, the patient will not know which hospital
personnel looked at the information or for what purpose.

Clearly, what is MORE than clear now is that we need MORE attention paid to
privacy, not less…and that means taking a bit more time to get this new
system up and running…and more care given to the rights of patients…not
hospitals, not suppliers, not the government, and not any other interest
looking to profit off this transition. We can have BOTH privacy and a more
efficient medical records system…there’s
no need to sacrifice one for the other.