I just returned from the 2nd International Summit on the Future of Health Privacy in Washington, D.C. where the title of this year’s Summit was: “Is there an American Health Privacy Crisis?” The Summit brought together privacy experts, public health officials, lawyers, technology developers, and academics to discuss the importance of privacy protection (as I wrote about last week) as the federal government moves to establish the Nationwide Health Information Network (NwHIN). Security breaches and patient consent were two major themes at the Summit—two issues which I believe are inextricably linked.
My vantage point for thinking about this issue is my home state of New York, where we’re facing a major privacy issue. Over 60,000 providers here have contracted with 12 Regional Health Information Organizations (RHIOs) and have made their patients’ health information available through the RHIOs. Several years ago, New York made a policy decision to “upload” patient information—making it accessible electronically—without patient consent or notification. From a patient privacy perspective, this is a huge mistake. The state maintains that no one can access this patient data without consent, but this isn’t the case.
In fact, there are at least five ways that patient health information can be accessed without consent:
1. Through the state’s Break the Glass policy, which allows a provider to “break the glass” to access patient health information through a RHIO in an emergency situation when a patient is unable to provide consent for such disclosure;
2. For public health surveillance purposes, because the state’s department of health has argued that it has the legal authority to access identifiable patient health information in order to track trends that may indicate a public health epidemic (a questionable legal proposition);
3. By those in charge of auditing, maintaining, and performing other technical functions at the facility or RHIO-level;
4. By health care professionals who do not have patient consent but nevertheless access the system through unauthorized disclosures; and
5. Through security breaches.
While each of the above disclosures is worthy of its own discussion, I want to focus here on security breaches.
The vast amount of patient data that is now accessible electronically is a treasure trove for identity thieves and perpetrators of fraud—and it’s not a question of preventing security breaches, because bad actors are often one step ahead of those charged with establishing security protocols and breaches are inevitable. It’s a matter of when and how to mitigate such breaches.
Data breaches have increased as the adoption of electronic medical records exchange has increased:
• A December 2011 report from the Ponemon Institute noted that the number of reported breaches increased by 32 percent between 2010 and 2011.
• The New York Times has reported on a number of these breaches, including one involving “the theft of a laptop computer from an employee of the Massachusetts eHealth Collaborative which potentially exposed over 13,500 patients’ private data—an ‘identity theft gold mine.’”
• In another story, the Times reported that the medical records of close to 20,000 patients were posted online for nearly a year because the hospital’s billing contractor’s marketing agent used an electronic spreadsheet with patient data as part of a skills test for a job applicant, who then posted the data on a public website. The marketing agent explained the breach as “a chain of mistakes which are far too easy to make when handling electronic data.”
In light of the tremendous risk to privacy posed by ubiquitous security breaches, it is critical that patients have the ability to consent to making their personal health information available electronically. While most agree that enabling providers to easily share information about their patients can improve care, patients must be given the choice whether to take advantage of these benefits in light of the risks involved.
The backlash against the adoption of health information exchange in the event of a security breach could be fatal to the system. Imagine finding out that someone was able to gain access to all of your aggregated medical information from many different providers—information you didn’t even know was made accessible electronically? That’s one reason that it’s so important that patients are given notice—and more importantly, provided with an opportunity to consent—before their information is uploaded to a networked system that makes that information accessible electronically.