How Private Are Electronic Health Care Records?
There are many arguments in favor of electronic health care records, including fewer medical errors and reduced costs, not to mention the sheer amount of paper saved. Unfortunately, such electronic records are not nearly as secure as we would like, especially considering the highly personal information in medical records, from Social Security numbers to mention of pre-existing conditions to notation of what medications you are taking. Recently the likes of Lockheed Martin, PBS and Sony have all had their websites hacked and, as it turns out, electronic health care records are just as vulnerable.
The US government’s Office of Civil Rights has a website dubbed the “wall of shame” on which are listed some 300 hospitals, doctors and insurance companies who have reported significant breaches of medical privacy in the past few years. A quick skim through the list reveals that huge HMOs such as Kaiser Permanente Medical Care Program, New York Presbyterian Hospital and Columbia University Medical Center have all suffered security breaches of medical records. These have occurred through the loss or theft of a laptop or other portable electronic device (an employee of Massachusetts General Hospital left the paper records of 192 patients on a Boston subway train in March); improper disposal of records; hacking and the unauthorized accessing of computer records.
According to the New York Times, personal medical records of at least 7.8 million people have been improperly exposed in the past two years.
The Health Insurance Portability and Accountability Act, or HIPAA, of 1996 (HIPAA) is supposed to protect patients against such revelations of their personal data. Under HIPAA, health information is supposed to stay private and the Obama administration has “levied a string of stringent penalties for egregious violations of patient rights.” But it is still not too difficult to “connect names and addresses to nominally anonymous data with Internet searches and computerized matchups.”
Dr. David Brailer, who was appointed by former President Bush as the first national coordinator of health information technology, is “skeptical” about using HIPAA and such measures to limit security breaches and argues that what’s needed are laws that state that patients themselves own their medical data:
(Yes, you don’t actually own your own medical data.)
Says Dr. Brailer:
“It’s a huge challenge. Break-ins and hacks are unfortunately going to be part of the landscape,” he said.
One protection, he suggested, would be laws to make it illegal for an insurer or employer to discriminate against a person based on information about health conditions like H.I.V./AIDS, cancer and mental health problems.
As a model, he pointed to the antidiscrimination law to prevent the misuse of genetic information that was passed with bipartisan support in the Bush administration. He also said he believed the laws should say “patients own the data, period, and decide what happens to it. The patient should be able to say to Hospital X: ‘send my data to Hospital Y because I’m changing hospitals,’” he said.
Today, the information belongs to whoever possesses it, under ideas inherited from 17th-century English common law, he said. “If it gets into your database, essentially you own it,” he added, “and you can pass it on.”
“Today HIPAA makes no sense,” Dr. Brailer added. “The law didn’t anticipate a world where your data passes through many, many hands.”
My family has moved several times in the past decade-plus and it’s not been easy to make sure our medical records, especially those of my son, are passed one from doctor’s office to doctor’s office. Again and again we have had to request and pay to get copies of Charlie’s medical records, information that is certainly crucial as doctors address his neurological issues, his history of medications and behaviors, and much much more.
With the current digitalization of seemingly every shred of information in our society, electronic health records seem inevitable. The benefits are apparnet. But the security breaches of medical records are troubling and we should try to use such lapses as grist for improving the software and protocols for what are, indeed, records that are all about ourselves.
Photo of a nurse accessing electronic medical records by MC4 Army.