I just returned from the 2nd International Summit on the Future of Health Privacy in Washington, D.C. where the title of this year’s Summit was: “Is there an American Health Privacy Crisis?” The Summit brought together privacy experts, public health officials, lawyers, technology developers, and academics to discuss the importance of privacy protection (as I wrote about last week) as the federal government moves to establish the Nationwide Health Information Network (NwHIN). Security breaches and patient consent were two major themes at the Summit—two issues which I believe are inextricably linked.
My vantage point for thinking about this issue is my home state of New York, where we’re facing a major privacy issue. Over 60,000 providers here have contracted with 12 Regional Health Information Organizations (RHIOs) and have made their patients’ health information available through the RHIOs. Several years ago, New York made a policy decision to “upload” patient information—making it accessible electronically—without patient consent or notification. From a patient privacy perspective, this is a huge mistake. The state maintains that no one can access this patient data without consent, but this isn’t the case.
In fact, there are at least five ways that patient health information can be accessed without consent:
While each of the above disclosures is worthy of its own discussion, I want to focus here on security breaches.
The vast amount of patient data that is now accessible electronically is a treasure trove for identify thieves and perpetrators of fraud—and it’s not a question of preventing security breaches, because bad actors are often one step ahead of those charged with establishing security protocols and breaches are inevitable. It’s a matter of when and how to mitigate such breaches.
Data breaches have increased as the adoption of electronic medical records exchange has increased:
In light of the tremendous risk to privacy posed by ubiquitous security breaches, it is critical that patients have the ability to consent to making their personal health information available electronically. While most agree that enabling providers to easily share information about their patients can improve care, patients must be given the choice whether to take advantage of these benefits in light of the risks involved.
The backlash against the adoption of health information exchange in the event of a security breach could be fatal to the system. Imagine finding out that someone was able to gain access to all of your aggregated medical information from many different providers—information you didn’t even know was made accessible electronically? That’s one reason that it’s so important that patients are given notice—and more importantly, provided with an opportunity to consent—before their information is uploaded to a networked system that makes that information accessible electronically.