How Private Are Electronic Health Care Records?

There are many arguments in favor of electronic health care records, including fewer medical errors and reduced costs, not to mention the sheer amount of paper saved. Unfortunately, such electronic records are not nearly as secure as we would like, especially considering the highly personal information in medical records, from Social Security numbers to mention of pre-existing conditions to notation of what medications you are taking. Recently the likes of Lockheed Martin, PBS and Sony have all had their websites hacked and, as it turns out, electronic health care records are just as vulnerable. 

The US government’s Office of Civil Rights has a website dubbed the “wall of shame” on which are listed some 300 hospitals, doctors and insurance companies who have reported significant breaches of medical privacy in the past few years. A quick skim through the list reveals that huge HMOs such as Kaiser Permanente Medical Care Program, New York Presbyterian Hospital and Columbia University Medical Center have all suffered security breaches of medical records. These have occurred through the loss or theft of a laptop or other portable electronic device (an employee of Massachusetts General Hospital left the paper records of 192 patients on a Boston subway train in March); improper disposal of records; hacking and the unauthorized accessing of computer records.

According to the New York Times, personal medical records of at least 7.8 million people have been improperly exposed in the past two years.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is supposed to protect patients against such revelations of their personal data. Under HIPAA, health information is supposed to stay private, and the Obama administration has “levied a string of stringent penalties for egregious violations of patient rights.” But it is still not too difficult to “connect names and addresses to nominally anonymous data with Internet searches and computerized matchups.”

Dr. David Brailer, who was appointed by former President Bush as the first national coordinator of health information technology, is “skeptical” about using HIPAA and such measures to limit security breaches and argues that what’s needed are laws that state that patients themselves own their medical data.

(Yes, you don’t actually own your own medical data.)

Says Dr. Brailer:

“It’s a huge challenge. Break-ins and hacks are unfortunately going to be part of the landscape,” he said.

One protection, he suggested, would be laws to make it illegal for an insurer or employer to discriminate against a person based on information about health conditions like H.I.V./AIDS, cancer and mental health problems.

As a model, he pointed to the antidiscrimination law to prevent the misuse of genetic information that was passed with bipartisan support in the Bush administration. He also said he believed the laws should say “patients own the data, period, and decide what happens to it. The patient should be able to say to Hospital X: ‘send my data to Hospital Y because I’m changing hospitals,’” he said.

Today, the information belongs to whoever possesses it, under ideas inherited from 17th-century English common law, he said. “If it gets into your database, essentially you own it,” he added, “and you can pass it on.”

“Today HIPAA makes no sense,” Dr. Brailer added. “The law didn’t anticipate a world where your data passes through many, many hands.”

My family has moved several times in the past decade-plus and it’s not been easy to make sure our medical records, especially those of my son, are passed on from doctor’s office to doctor’s office. Again and again we have had to request and pay to get copies of Charlie’s medical records, information that is certainly crucial as doctors address his neurological issues, his history of medications and behaviors, and much, much more.

With the current digitalization of seemingly every shred of information in our society, electronic health records seem inevitable. The benefits are apparent. But the security breaches of medical records are troubling and we should try to use such lapses as grist for improving the software and protocols for what are, indeed, records that are all about ourselves.


Photo of a nurse accessing electronic medical records by MC4 Army.



jane richmond, 4 years ago

Not very. Too many eyes and machines have access to the files.

Grace Adams, 4 years ago

The sooner health insurance companies are reduced to claims handling, the less motive they will have to pry into patients' health care records. It will probably take an industry-wide shared reserve fund to get insurance companies to stop trying to cherry pick insureds. The whole industry should need only one shared actuarial department. There should be no underwriting. Sales should be a matter of taking orders for insurance through the state or regional health insurance exchange. In Connecticut, insurance companies have a right to review the medical records of their insureds. Once they have no choice who to insure, they won't need to review medical records.

KrassiAWAY B.
Krasimira B., 4 years ago

I don't trust electronic files.

lyn L.
l L., 4 years ago

Veronica c may 30 2011 8:12 pm-- I agree with you wholeheartedly. How do you get a second opinion that is not tainted with the first? And a misdiagnosis follows you forever. And-- no one cares until it happens to someone important enough to listen to-- I believe. I also don't like what certain dems are trying to push for results-oriented pay for medical providers, when dealing with Medicare patients. I believe drs should be paid for their services and that idea is unfair to the patients and the doctors. For one with food borne infections outbreaks after the fact and our populations being experimented on, there are no conclusive healings and cures. Some things we manage and live within the boundaries of its limitations. I don't agree with being locked in a health facility until a cure is reference vs repeat admissions for whatever reasons. That is just like a lobbyist deciding who is a good teacher when they can control the results of societal ills and instantly produce geniuses. We see where that took us. Tens of thousands of people being put out of work and the who that replaced them were solely required to show passion and no results and less pay. The same thing with the health field. I was looking for somewhere to make this point, is why I added it. I think it is a way for both client and service provider to be cheated out of their just due. When drs are under that kind of system, nothing valid will follow. They may instantly claim you are cured to get paid.

lyn L.
l L., 4 years ago

You all make good valid points. And-- if they can hack the systems they can alter info. And-- did you know in way of privacy, that when you see one service provider and they have affiliates, that the affiliates are entitled to the same info? It is the same way with banks. You can read it in their brochures. And-- when you go to dentists, eye doctors, these days they write down everything you say whether it has anything to do with the service and put it on their trusty computer or laptop. I guess it is a global effort to coin the client and profile them for their files by saying they said this and that. That is if they are writing what actually happened and what actually was said. How I long for the times we were truly free. And all this info gets shared and hacked about all of us, when it does. And-- I saw where college grad students, I believe, help the state department collect information about sites around the world who have experienced certain things for record keeping and reference. I wonder what else is going on. And-- these are the days of our lives.

Liz T., 4 years ago

Had concerns about these security issues as well. Hard to trust anything on the web. Found a digital medical record service thru my insurance company- our information is not online. Family now uses an mDoc card and that seems to be working well. Has our information on the card and is password-protected. The thought of someone tracking our habits & targeting us based on our health information really scares me :(

Marie W., 4 years ago

Nothing is private and electronic stuff least of all.

Amanda M., 4 years ago

I do NOT trust electronic files. I'm not even crazy about direct deposit for paychecks-how do I know who's got their fingers in our financial pie?

Marilyn L., 4 years ago

We need to start demanding from the computer industry that making sites secure be their number one priority. We have enough gadgets for now, let's work on security.

Nance N., 4 years ago

As a retired medical record health professional I have very mixed emotions on the electronic records. They have both good and bad points.