Healthcare ePrivacy

The move towards inter-connected electronic health records in the United States and other countries increases access not only by medical professionals but by those associated with them (covered entities such as insurance companies). A delicate balance needs to be struck between safeguarding patient privacy and necessary access to medical record information. There are a host of inter-twined technological and social issues that have yet to be resolved. For example, medical billing is an inaccurate source from which to derive a patient record, yet medical insurance coverage decisions are often based on such data. Most patients and lawmakers are unaware of the ramifications of inter-operable electronic health records. Health information privacy has not been adequately addressed by most healthcare organizations. There will likely be a role for regulation and oversight of EHRs, at least in the US. (link) Many interesting questions are raised when a Personal Health Record can be legally searched to find candidates for a clinical trial. (link) Privacy has to be balanced with accessibility, although the two are inter-twined. While privacy rules have increased the privacy of your medical records, those same rules may make it more difficult to get your data. A CNN article addresses patient frustration when their healthcare providers block access to their own data. (link)

Latest in Healthcare Privacy

Privacy versus Efficiency. The Chief Privacy Officer of IBM believes that what it takes is building public trust in the electronic health network, with transparency being an important part of that. (link) It seems that the two are at odds with each other.

Certification. How does one build trust? Certification of Electronic Health Records is one way. There is an attempt to build certification requirements in the United States through the Department of Commerce/NIST. Booz Allen Hamilton was awarded a $400,000 contract to develop a framework for electronic health record certification.

Visibility. The US Health and Human Services Department has a new website listing breaches of medical privacy. However, the information is quite limited, and if your records are compromised you must rely upon the breached healthcare organization to notify you; you won't be able to tell from the database. (link)

  • Theft of Protected Health Information

Over 275,000 cases of medical information theft were reported in the US during 2009. (link) The latest reported incident involved a laptop stolen from John Muir's perinatal clinic in Walnut Creek. (link) The data was unencrypted, but at least the file was password protected.

Thieves are stealing identities to get access to healthcare. (link) In a case of unintended disclosure, Affinity Health had to notify 409,262 patients that their information had been found on the hard drive of a retired photocopier. (link)

  • Safeguards for Protected Health Information

HIT Auditing. EMRs and their associated infrastructure can be audited using Healthcare IT (HIT) audit principles. One such service is the FairWarning Patient Privacy Framework, intended for hospital CIOs, IT managers, and other employees responsible for PHI. The framework consists of three documents that address auditing, breach detection, remediation, and breach prevention. (link)

Health Information Exchange (HIE) Accreditation Program. The Electronic Healthcare Network Accreditation Commission (EHNAC), a non-profit standards development organization and accrediting body, has an effort under way to develop accreditation criteria. The first phase addressed privacy and security, technical performance, business practices and organizational resources. The second phase addresses HIE-specific policies. (link)

Interesting Facts

  • Thirty-five percent of Fortune 500 companies admitted to looking at employees' health records before making hiring and promotion decisions (65 Fed. Reg. 82,467). (link)

  • Prescriptions NOT Private (NY Times): Drug, dosage, doctor, SSN, address commonly sold for marketing purposes (link)

  • Sales Force Effectiveness: tools provide real-time information about doctor prescribing habits to drug representatives (link)

  • Prescribing Data Restriction Program (PDRP): Only 25% of surveyed physicians are even aware that the program exists (early 2007) (link)

  • E-prescribing benefits rely upon sharing of secondary information (link)

  • Dr. Westin 2007 Survey: 58% of respondents agreed that "The privacy of personal medical records and health information is not protected well enough today by federal and state laws and organizational practices.” (link)

  • Survey of Healthcare IT security professionals: 80% of respondents (healthcare organizations) had at least one incident of lost or stolen healthcare information (link)

  • Lax Privacy in Hospitals: 80% of respondents had at least one incident of lost or stolen healthcare information (link)

  • Personal Health Records - Private?: Patient Privacy Rights Report Card Suggests NOT (link)

  • Digital Security: Only half of US hospitals use encryption (link)

  • Digital Security: Health 'data spill' more damaging than BP's oil spill (link)

  • Tools for monitoring your websites: 15 Best Free Syslog Servers for Linux and Windows, provided by Jeff Grant (Comparitech)