I just returned from the 2nd International Summit on the Future of Health Privacy in Washington, D.C. where the title of this year’s Summit was: “Is there an American Health Privacy Crisis?” The Summit brought together privacy experts, public health officials, lawyers, technology developers, and academics to discuss the importance of privacy protection (as I wrote about last week) as the federal government moves to establish the Nationwide Health Information Network (NwHIN). Security breaches and patient consent were two major themes at the Summit—two issues which I believe are inextricably linked.
My vantage point for thinking about this issue is my home state of New York, where we’re facing a major privacy issue. Over 60,000 providers here have contracted with 12 Regional Health Information Organizations (RHIOs) and have made their patients’ health information available through the RHIOs. Several years ago, New York made a policy decision to “upload” patient information—making it accessible electronically—without patient consent or notification. From a patient privacy perspective, this is a huge mistake. The state maintains that no one can access this patient data without consent, but this isn’t the case.
In fact, there are at least five ways that patient health information can be accessed without consent:
1. Through the state’s Break the Glass policy, which allows a provider to “break the glass” to access patient health information through a RHIO in an emergency situation when a patient is unable to provide consent for such disclosure;
2. For public health surveillance purposes, because the state’s department of health has argued that it has the legal authority to access identifiable patient health information in order to track trends that may indicate a public health epidemic (a questionable legal proposition);
3. By those in charge of auditing, maintaining, and performing other technical functions at the facility or RHIO-level;
4. By health care professionals who do not have patient consent but nevertheless access the system through unauthorized disclosures; and
5. Through security breaches.
While each of the above disclosures is worthy of its own discussion, I want to focus here on security breaches.
The vast amount of patient data that is now accessible electronically is a treasure trove for identify thieves and perpetrators of fraud—and it’s not a question of preventing security breaches, because bad actors are often one step ahead of those charged with establishing security protocols and breaches are inevitable. It’s a matter of when and how to mitigate such breaches.
Data breaches have increased as the adoption of electronic medical records exchange has increased:
• A December 2011 report from the Ponemon Institute noted that the number of reported breaches has increased by 32 percent between 2010 and 2011.
• The New York Times has reported on a number of these breaches, including one involving “the theft of a laptop computer from an employee of the Massachusetts eHealth Collaborative which potentially exposed over 13,500 patients’ private data—an ‘identity theft gold mine.’”
• In another story, the Times reported that the medical records of close to 20,000 patients were posted online for nearly a year because the hospital’s billing contractor’s marketing agent used an electronic spreadsheet with patient data as part of a skills test for a job applicant, who then posted the data on a public website. The marketing agent explained the breach as “a chain of mistakes which are far too easy to make when handling electronic data.”
In light of the tremendous risk to privacy posed by ubiquitous security breaches, it is critical that patients have the ability to consent to making their personal health information available electronically. While most agree that enabling providers to easily share information about their patients can improve care, patients must be given the choice whether to take advantage of these benefits in light of the risks involved.
The backlash against the adoption of health information exchange in the event of a security breach could be fatal to the system. Imagine finding out that someone was able to gain access to all of your aggregated medical information from many different providers—information you didn’t even know was made accessible electronically? That’s one reason that it’s so important that patients are given notice—and more importantly, provided with an opportunity to consent—before their information is uploaded to a networked system that makes that information accessible electronically.