It’s no secret that privacy these days is an increasingly rare commodity. Cameras in public watch your every move. Even your iPhone is tracking your whereabouts. Now there’s a new frontier of privacy concerns: your protected health information (PHI), the term HIPAA uses for medical data that can be tied to you.
With more than 260 large patient-information breaches reported during the past 18 months, are doctors and hospitals placing financial incentives ahead of patient privacy?
The federal government is offering financial incentives for doctors and hospitals to move medical records into the digital age by installing electronic records systems, and it is creating a potential risk to patients’ privacy in the process.
If they aren’t already, your doctor and hospital will soon be using electronic medical record (EMR) systems and electronic prescribing (eRx). While the move toward electronic medical records is intended to improve the quality of care, particularly in emergencies, this form of record-keeping has downsides.
The unanswered question is: will patients’ personal health information be at risk during the paper-to-digital conversion process, and after it?
This is the third installment of the ten-part series, "The Road to Personalized Medicine." We discuss how each patient's privacy is being put at risk with the federal government’s rush to digitize medical records, and we offer some guidance on what you can do, right now, to protect your health privacy.
Part 1: If your Doctor Doesn't Use Electronic Records, Get One Who Does
Part 2: e-Prescribing Can Save Time, Money and Lives
Part 3: Should Patients Trust Their Doctor's Electronic Record System?
Electronic management of your personal health information
Electronic record-keeping, storage and transmission of your health data will play a major role in transforming healthcare. Your personal health information, stored in EMRs, will eventually contain everything about you, including the habits that affect your health, your health history and your genetic make-up.
So yes, you must protect your PHI not only for yourself, but also for your children, your grandchildren and your great-grandchildren.
Just how safe are EMRs?
The ease with which EMRs let doctors, hospitals, labs and others share information is both their beauty and, it turns out, their danger. So you might well wonder how safe your PHI is once it is stored in an EMR.
- Can EMRs be hacked? Yes
- Can your information be shared with companies and the government without your consent? Yes
- Do you have any way of knowing your health information is protected? No
- What can you do if your PHI falls into the wrong hands? Very little
These are the very questions that the health industry and the government are wrestling with as we move into a new era in medicine.
Negligence or incompetence?
At this point, your health information is not particularly safe. Human mistakes are made all the time. Over 15 months, an average of about 18 reports per month, a little more than one every other day, has appeared on the breach list that the HHS Office for Civil Rights (OCR) is required to publish for breaches affecting 500 or more people.
With more than 260 such breaches already posted, consider the impact of the following patient privacy breaches reported just this year:
- MidState Medical Center loses hard drive containing information on 93,000 patients
- Health Net loses nine server drives filled with information on 2 million people
- Family Planning Council in Philadelphia reports the loss of a USB flash drive containing information on 70,000 patients’ family planning and reproductive health services such as HIV and STD screening, cancer screening and teen pregnancy prevention
This alarming pattern shows a real need to take preventive measures now, before the next incidents put more patients at risk. Notice that none of these three cases involved a hacker: each was storage media that left the organization’s control. The HITECH breach-notification rule requires a report only when the PHI on the lost device is “unsecured”, meaning not encrypted in line with HHS guidance, so an organization that encrypts its drives and portable media turns a lost disk into an inventory loss rather than a reportable breach.
Who has access to your PHI?
It is still unsettled who will have “legitimate” access to your health records, and how that information could be used. Some are asking:
- Can or will the government see your medical records? If so, what will that mean? In the future, might you be taxed if your BMI is too high? Could you be denied services because you smoke?
- Does your employer have the right to know your health information? If so, could you be fired – or never hired - for having a genetic predisposition to a disease – say a certain type of cancer?
- What about your insurance company? If you’re honest about your lifestyle habits and tell your doctor how much alcohol you drink, for example, can your insurance company see that information and hold it against you?
These questions remain unanswered, yet need to be considered by all concerned parties, especially patients.
Privacy and personalized medicine
The field of genomics, the study of an individual’s complete genetic make-up, is advancing daily. Tests that examine your genes are already available for nearly 2,000 diseases. The results can offer insight into how likely you are to develop a disease and which treatments would work best for you.
While this data can be used to provide you with personalized treatment options, this information also affects your children because they inherit your genes.
Individuals who take advantage of these medical advances will have this data woven into their electronic medical records. What would happen if this deeply personal information fell into the wrong hands?
Not only could you be impacted, but your children and your children’s children may also be negatively affected – for life. However, some safeguards do exist.
In 2008, Congress passed the Genetic Information Nondiscrimination Act (GINA), which makes it illegal for employers to use genetic information in hiring or firing decisions and for health insurers to use it to set eligibility or premiums. GINA’s reach is limited, however: it does not cover life, disability or long-term-care insurance.
Medical identity theft
Medical identity theft, in which someone uses your name and insurance details to obtain care or drugs, is likely to increase, and it is costly to remedy. The crime is generally committed by someone who has no insurance or can’t pay for health care.
Resolving medical identity theft costs the victim more than $20,000 on average and takes several months of effort. Beyond the money, the thief’s diagnoses and treatments end up in your record, and you could lose your insurance plan, face higher premiums or see your credit score fall.
But the costs reach beyond the individual. According to a study by the non-profit Ponemon Institute, data leaks cost U.S. hospitals $6 billion a year. The financial impact of a data breach averages $1 million per hospital per year. These costs are then passed down to the patient in the form of increased service costs.
Inadequate privacy laws
While some laws are in place to protect your privacy, those regulations don’t address all of the issues in the emerging eHealth world. The most far-reaching law currently on the books is HIPAA, the Health Insurance Portability and Accountability Act of 1996. Two of the rules issued under it matter here:
- The Privacy Rule sets rules and limits on who can look at and receive your health information
- The Security Rule protects health information in electronic form, establishing national standards for the confidentiality, integrity and availability of electronic PHI
While HIPAA provides a framework for protecting your privacy, it doesn’t guarantee PHI security. Much of the Security Rule is “addressable” rather than required: encryption of stored and transmitted PHI, for example, is an addressable specification, so a covered entity may document why it considers encryption unnecessary instead of implementing it.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, extends HIPAA’s security requirements directly to the business associates that handle PHI on a provider’s behalf and adds the breach-notification duty behind the OCR list described above. But these regulations reach only HIPAA covered entities and their business associates; a consumer health website or app that is neither falls outside them.
Penalties for security breaches
The Department of Health & Human Services (HHS) is starting to penalize sloppy organizations:
- HHS reached a $1 million settlement with Massachusetts General Hospital after a hospital employee left protected health information about 192 patients on a subway train
- HHS imposed a $4.3 million civil money penalty on Maryland’s Cignet Health for denying 41 patients access to their medical records and then failing to cooperate with OCR’s investigation
New laws being written
Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) have introduced a new privacy bill to protect consumers against the unauthorized collection, use and distribution of their personal information.
While the bill mentions personal health information, it’s not clear how it would affect the transmission of health data.
The Commercial Privacy Bill of Rights Act of 2011 "does not allow for the collection and sharing of private data by businesses that have no relationship to the consumer for purposes other than advertising and marketing," McCain said in a statement.
The legislation requires those collecting the data to:
- Notify individuals that their data is being collected and explain why
- Give consumers a way to opt out of this data collection, in most cases
- Create a system whereby consumers give their permission (opt in) for "sensitive personally identifiable information" including personal health information, to be included in a database
Various consumer advocacy groups said they would not endorse the bill because the legislation would take away consumers' right to sue over privacy violations.
Certain states, such as Texas and Maine, have introduced patient privacy legislation. Two bills recently introduced in Texas – HB 300 and SB 622 – are designed to boost privacy protection by a number of means, such as:
- Improving training of staff using EMRs
- Creating a consumer website and complaint process
- Enabling patients to know who has access to their information and consent to that access
- Increasing penalties for entities that knowingly or unknowingly violate patient privacy
So what’s a patient to do?
While policies and new laws are being formulated, health privacy advocates say patients can protect themselves by asking their doctor the right questions:
- Which third-party certification body has certified your doctor’s EMR and ePrescribing systems? Bear in mind that certification covers what the software can do, not how the office has configured or secured it.
- When were the computers your doctor uses last patched or replaced, and is the data on them encrypted?
- Who has verified the security of the office’s external connections, including whether records sent over the Internet are encrypted in transit?
- Has your doctor’s office staff been trained in the current privacy policies and procedures?
- Who in your doctor’s office is operationally responsible and financially accountable for protecting your medical information?
Moving into the future
EMR and eRx systems are here to stay. They are now a key part of the federal healthcare reform initiative. So the train has left the station whether or not you, your doctor or your hospital like it.
In our first two Special Reports, we recommended finding a doctor who is using EMR and eRx systems. These electronic systems will save you time and money and help you live life to the fullest.
And in this third Special Report, we suggest that patients make sure their doctors and their office staff are using these electronic systems appropriately, and protecting your personal health information.