Thursday, February 15, 2007

Is Your Medical Information Safe?

Last summer the theft of a laptop containing the personal and medical records of over 24 million veterans caused quite a stir. The theft occurred when a couple of teens broke into the home of a VA employee who had authorization to take the computer home. The incident ended happily for the veterans. The data was recovered and had not been compromised, since the teens were more interested in the computer than in what was stored on it.

Other incidents involving medical record privacy have not turned out so well.

Last summer confidential medical information belonging to hundreds of patients who subscribed to Prudential Financial Insurance was exposed when faxed to the wrong fax number by a third party. This incident was reported in Network World, http://www.networkworld.com/news/2006/02606-data-security.html.

Recently the Akron Children’s Hospital admitted that an intruder had gained access to patient and charitable donor information of over 200,000 patients.

During the past year, computer backup tapes and disks containing records of 365,000 home health patients were stolen from a car in Oregon; a hacker broke into a server and accessed 42,000 patient records in Colorado; and backup tapes containing information on 57,000 enrollees of Blue Cross Blue Shield of Arizona were taken.

The issue is not new. Two years ago the Kaiser Foundation Health Plan was fined by the State of California for unauthorized disclosure of patient health information resident on a web site over a four-year period. This web portal included confidential patient information such as names, addresses, phone numbers and lab results. It was set up and available for public viewing without the prior consent of those affected, in direct violation of state law.

A story on the front page of the Wall Street Journal on December 26, 2006 told of a woman whose discussions with her psychologist were made public to an insurance company when she applied for disability benefits, after her psychologist verbally assured her that their discussions would remain confidential.

In 1996 the United States Congress passed the Health Insurance Portability and Accountability Act, which was amended in 2003 to include the Privacy Rule. This law is intended to guard patient privacy, particularly in situations dealing with emotional and mental health. However, nothing on the books is able to prevent individuals with malicious intent from tampering with digital databases and trying to access confidential information.

As medical institutions, third-party providers and insurers scramble to tighten their security, spending millions of dollars to bring some semblance of reliability to their computer systems, loopholes and limitations in technology and legislation enable unauthorized individuals to seek and peek at your data. For example, HIPAA allows providers to share data with healthcare-related businesses (third-party sources). When you have a consolidated electronic medical record, all sorts of information about you can be out there.

On the other hand, your paper records are not any safer. In April 2005, thousands of hospital bills issued by the Cleveland Clinic fell out of a delivery truck and blew through downtown Cleveland. In every hospital and doctor’s office, any healthcare worker can access a paper record that is lying unprotected on a desk.

There are some things that you can do to protect your medical record, which belongs to you:

o Talk with your providers. Find out where your medical information is kept and how it is stored. Let them know that you expect them to keep your data confidential.

o Become more familiar with privacy laws, which specifically prohibit your providers from disclosing your medical information to anyone, including your employers, without your explicit permission.

o Be aware if your medical information is being posted on a “secure” web portal. Be sure that you have granted permission for that.

o Never assume that an email communication with medical providers is passing through secure channels.
