July 15, 2011 – Every time I read another story about a messy health care data breach, I first check to see if the breached protected health information included dates of birth and Social Security numbers. That’s my gut-check gauge of just how bad it is, and how painful things will be going forward for the organization that got hit.
The industry wraps layers of technologies and policies around protected health information because (A) it’s a fundamental responsibility of the medical community to keep patient/physician interactions confidential, and (B) it has to, because if it doesn’t follow the rules, you can get in big trouble, and big trouble means lawsuits, heavy fines, public humiliation, and etc. and etc.
But … if I found out my medical chart was breached, I’d feel somewhat violated that someone knew I was being treated for, say, irritable bowel syndrome or had to get some ear wax removed. It would be a feeling akin to my neighbor peeking through the window to see me opening a pickle jar in the nude.
I likely would have a different perspective if I had a serious condition I was trying to keep confidential, but I have yet to hear of anyone using stolen diagnosis codes to blackmail victims with public disclosure. It is a violation, yes, but for the most part it’s the violation you would feel from a voyeur.
But If I found out my Social Security number and other personally identifiable information got loose, I’d be extremely pissed off and worried about identity theft and fraudulent uses of that information that would punish my bank accounts and credit rating. I’d feel the exact same level of fear and anger I would if my credit card issuer got breached (which it has) or some store where I have a loyalty card (again, it's happened to me).
The real threat to confidential medical information, as health care privacy critics like Deborah Peel, M.D., founder of the Patient Privacy Rights Foundation have carped on for years, is the loose regulations and enforcement around disclosing sensitive data.
The truth is, pretty much any entity you don’t want to get that information--your employer or an insurance company or a marketing firm – already can, one way or another, as well as numerous internal personnel at hospitals and other provide sites.
The HIPAA privacy law does require express patient authorization for disclosures beyond treatment, payment, and health care operations. (And will get more stringent pending the finalization of the proposed accounting for disclosures rule). But the legalese that rolls on in authorization forms can be used to get people to sign their lives away, as we’ve probably all learned at some point and time (ever tried to read through your health club contract?). The recent outrage over banks using shopping and personal data to target credit card holders for retailer and insurance marketing is a case in point. The authorization for the use of personal data is buried in the fine print, and in most cases cardholders are automatically enrolled in merchant incentive programs.
And under HIPAA, a covered entity can in fact disclose a patient’s entire medical record with an authorization, even though the guidelines note that signing away disclosure of "all protected health information" might not be sufficiently specific. And there are all kinds of exceptions and broad definitions under the disclosure rules. Did you ever think that fund-raising might fall under the umbrella of health care operations? I, as a patient, certainly wouldn’t think so.
I think when the accounting for disclosures rule is finalized and goes into effect, patients who make the effort to see who has been given their private information are going to be horrified about who has seen it and who is requesting it. This is going to be all the more acute when genomic data starts to be incorporated into therapies and is available via the patient record.
So a lot of organizations are getting publicly beat up for being on the data breach wall of shame maintained by the HHS Office of Civil Rights, and rightfully so. Many of those breaches are the result of fundamentally lax security practices, such as losing track of laptops or tapes with thousands of patient files on them. And you often find yourself reading through a breach report and wondering why someone in an administrative department (clinicians rarely have been responsible for the PHI going missing), would have the authorization and the ability to load thousands of records on a laptop they're taking home with them.
But I worry that the industry has focused so much energy and attention on keeping "unauthorized' clinicians from looking at the results of my last cholesterol test that it’s hard to give it to the people who should see it, but easy for outside organizations and internal personnel that I really don’t want to be rooting around in my personal data to get their hands on it. We’re giving away our privacy--not just in health care, but in the broader consumer landscape – via line by line of fine print while looking over the ramparts for the enemy (which really is, for the most part, the industry stakeholders themselves.)
This article originally appeared on Health Data Management.
Register or login for access to this item and much more
All Information Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access