New Threats to Medical Privacy: The Challenge of Securing Electronic Health Records
TWillcutts - 01/09/2010
The Obama administration's new standards for electronic health record (EHR) technology promise a quantum leap in administrative efficiency and patient care, but many worry the new paradigm could expose patients to identity theft and other privacy breaches. One of the goals of the American Recovery and Reinvestment Act (ARRA) of 2009 is to get electronic medical records on file for every American by 2014, effectively amassing a database of every American's most sensitive personal information. The benefits are considerable: an ability to quickly cross-check a medical condition with potentially dangerous drug interactions, for example, and to mine other medical data that busy doctors might otherwise overlook. But according to a recent article in InformationWeek, the new database may also increase the risk of marketers using patient data to promote sales of medical products -- and of criminals stealing patients' insurance information in order to obtain medical treatments. ARRA does include strong provisions intended to protect patient privacy, but will they be enough?
Balancing the promise of quality health care with the ongoing need to protect patient privacy is a delicate act, according to John Halamka, CIO of Harvard Medical School and Beth Israel Deaconess Medical Center in Boston. "If you come to the emergency department in a coma," Halamka says, "and you have a record that includes psychiatric treatment, HIV, drug abuse, and other information, would you share part of it or all of it? My preference would be all of it, with the hope that emergency workers would use it discreetly, to save my life," InformationWeek reports. ARRA provides powerful financial and legal incentives to ensure such discretion is used. Every doctor in America whose implementation of EHR meets federal privacy, security, and other standards, between 2011 and 2015, can claim $44,000. Hospitals could claim $2 million. Organizations that fail to meet the privacy standards laid out by ARRA would receive nothing, and individual privacy breaches could result in criminal charges and fines. Authorized professionals who access medical data inappropriately would have to be terminated, and providers would have to notify prominent media when more than 500 medical records are compromised. "Of course I respect federal law," Halamka says, "but I'm more afraid of the Boston Globe and New York Times because if I lose the trust of my patients, I'm not going to be given a second chance."
As stringent as these safeguards may seem, many professionals remain skeptical that they will be sufficient to protect a database that is at once accessible to thousands of employees and, in many cases, full of valuable, marketable information. Deborah Peel, founder and chair of the political group Patient Privacy Rights, notes that hospital employees sometimes can't resist peeking into certain patients' medical records, as happened last March when fifteen hospital workers were fired from Kaiser Permanente Bellflower Medical Center for accessing the records of the so-called "Octomom," the briefly famous octuplet mother Nadya Suleman. Employees at UCLA Medical Center also accessed Farrah Fawcett's medical records, after she went there for cancer treatments, and leaked the story to the press before Fawcett had the chance to inform her family of the diagnosis. Britney Spears' medical records have also been inappropriately accessed at UCLA Medical Center.
But celebrities aren't the only ones vulnerable to such invasions of privacy. Peel suggests some other possible scenarios. "Suppose a woman's partner is an abuser," she says, "she's left him, she goes to the hospital for treatment. If the abuser is an employee of the hospital, how is her privacy going to be protected?" Disciplinary consequences aside, often the only technical barrier blocking an employee's access to EHR is a pop-up warning, and while doctors and nurses may be the only ones allowed to see certain data, it is clear that clerks and office workers have found their way into patients' files in the past and are likely to do so again in the future. The increasing use and availability of EHR has also enabled a new form of crime, medical identity theft. Criminals pose as another patient and obtain medical treatments using the person's insurance information. As a consequence, not only are insurance companies forced to pay for someone else's procedure, but the original patient's medical records are also updated with incorrect information, potentially endangering their health by distorting the kind of care the patient receives in the future.
Other recent privacy breaches and near-breaches include a threat made by a medical transcriptionist in Pakistan in 2003 to post patient records from the University of California San Francisco Medical Center on the internet if she was not paid for her work at a transcription service company hired by the university. This dispute was resolved. More recently, two computers containing the medical records of almost 200,000 patients of a medical group in San Jose, California were posted for sale on Craigslist.org, according to a 2006 report in the HIPAA bulletin. The FBI recovered the medical data.
Responding punitively to known privacy breaches is crucial, but identifying when and where a privacy breach has taken place is a much more complicated matter. Developers are working on software that can identify instances when healthcare workers access medical records of patients with the same last names or patients with addresses near the home of the healthcare worker conducting the search. Locating patterns like these may expose employees who are snooping on friends or family members, but it might not account for every conceivable scenario.
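The two heuristics described above, applied to a record-access log, as an added example that is not part of the original article or of any vendor's product. The record layout, names, geocoded coordinates and the 0.5 km radius are constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Person:
    pid: str
    last_name: str
    lat: float  # geocoded home address (constructed values)
    lon: float

def km_between(a, b):
    """Great-circle (haversine) distance in km between two home addresses."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def flag_accesses(log, staff, patients, radius_km=0.5):
    """Return (employee_id, patient_id, reasons) for accesses matching either heuristic."""
    alerts = []
    for emp_id, pat_id in log:
        emp, pat = staff[emp_id], patients[pat_id]
        reasons = []
        # Heuristic 1: worker and patient share a last name (case/space-insensitive).
        if emp.last_name.strip().casefold() == pat.last_name.strip().casefold():
            reasons.append("same_last_name")
        # Heuristic 2: patient lives within radius_km of the worker's home.
        if km_between(emp, pat) <= radius_km:
            reasons.append("nearby_address")
        if reasons:
            alerts.append((emp_id, pat_id, reasons))
    return alerts

# Constructed sample data: staff directory, patient directory, access log.
STAFF = {"E1": Person("E1", "Rivera", 34.0500, -118.2500),
         "E2": Person("E2", "Chen", 34.1000, -118.3000)}
PATIENTS = {"P1": Person("P1", "rivera ", 34.2000, -118.4000),  # same surname, far away
            "P2": Person("P2", "Okafor", 34.1010, -118.3005),   # about 0.12 km from E2
            "P3": Person("P3", "Smith", 33.9000, -118.1000)}    # unrelated to both
LOG = [("E1", "P1"), ("E2", "P2"), ("E1", "P3"), ("E2", "P3")]

if __name__ == "__main__":
    for alert in flag_accesses(LOG, STAFF, PATIENTS):
        print(alert)
```

Matches are candidates for human review rather than proof of snooping: common surnames and dense neighborhoods produce false positives, and an access with no name or address link passes unflagged.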
A key issue in the debate over patient privacy is patients' consent to release health records. "In the paper world, you were told by your doctor's office every time he got a request to release information," Peel says, "You were asked to sign off on that. But in the electronic world, your ability to do that has been taken away. This is very important, because once health information is out there, you can't put it back in the bottle." Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS), argues that patients still do have the right to control the release of their health records but that exercising this right demands very proactive engagement. "Consent puts most of the burden on the patient," she says, "The patient has to be involved in every transaction, and the patient needs to be knowledgeable enough to make the consent, and aware that they're not leaving out things through inaction that might hurt them later on . . . In my view, Congress weeded out consent as a solution to the privacy problem."
Under the new EHR infrastructure, patients will have other rights they can invoke to help safeguard their medical privacy. Providers and other health businesses will have to maintain records of everyone who has access to a medical file. Patients will have the right to know who saw their file, who accessed it, and why. The Office of Civil Rights will enforce standards and the Federal Trade Commission will have the authority to process consumer complaints. ARRA also enables states' attorneys general to prosecute HIPAA violations.
Still, given the amount of information involved and the novelty of EHR technology, can we expect patients to devote the time and energy required to hold healthcare professionals accountable? Or will the complexity of the issues lead most patients to simply trust their doctors' discretion -- not to mention the discretion of other hospital staff? On the other hand, will doctors and other providers feel compelled to hire outside consultants to assist in the enforcement of privacy standards? We will have to see. In any case, when it comes to ensuring medical privacy in the years ahead, both patients and providers will have their work cut out for them.