Wednesday, February 21, 2007

Is Congress Doing Enough to Ensure Electronic Medical Records are Kept Private?

On January 2, 2007, I wrote about the growing danger of medical identity theft and how current laws do not offer the same protection as the Fair Credit Reporting Act does for your credit reports and financial records. (In addition, the laws related to disclosure of data breaches apply only to financial records, so medical records are often excluded in many states that have such laws.) Today, an article in The New York Times highlighted this issue. The seriousness of the whole issue of medical privacy and medical identity theft was perhaps best outlined in a BusinessWeek article about a woman from Florida who apparently had her medical identity stolen by a poorly-controlled patient with type 2 diabetes who had his or her leg amputated. When the victim of the medical identity theft went in for surgery related to her own health issues a few years later, she discovered that her own medical records had been mixed up with the thief's records, and as a result, the hospital staff tried to force her to take diabetes pills and blood pressure medication that she did not need and that could have been harmful.

Patients with diabetes in the New York City area have already become unwilling participants in a registry for the first non-communicable disease anywhere in the U.S. and cannot opt out of having their glycosylated hemoglobin (better known as hemoglobin A1c) test results included in the registry (they can, however, opt out of receiving communications from the Health Department). While many people assume the registry applies only to residents of the five boroughs, the reality is that suburban residents who have lab work drawn in the city or see a physician in the city are likely having their test results seized as well. I highlighted some background information on this topic a year ago (my previous post can be viewed here).

But beyond that, a very recent study by the U.S. Government Accountability Office (G.A.O.), an investigative arm of Congress, ordered by Hawaii Senator Daniel K. Akaka, revealed that in the push by legislators and the Bush administration to make medical records electronic, the government has no clear strategy to protect the privacy of patients, even as it promotes the use of electronic medical records throughout the nation's health care system. Most notably, in the report released in late January 2007, the G.A.O. also noted that the Bush administration had taken only rudimentary steps to safeguard sensitive personal data that would be exchanged over the network.

Although HIPAA provides some privacy protections, as The Washington Post reported last year, the Bush administration had received thousands of complaints alleging HIPAA violations but had not imposed a single civil fine and prosecuted only two criminal cases as of last June.

In response to the recent G.A.O. report, Senator Akaka said that it showed that "the Bush administration is not doing enough to protect the privacy of confidential health information." As a result, Mr. Akaka said, "more and more companies, health care providers and carriers are moving forward with health information technology without the necessary protections."

Legislation to encourage the use of health information technology seems to enjoy broad bipartisan support, but died in Congress last year partly because of disagreements over privacy protections. Under Mr. Bush's proposal, lawmakers claim that it's unclear how much control people would have over their electronic medical records.

As people with chronic medical conditions, diabetes patients generally make more frequent doctor's visits and have more routine lab work done than most other people. Therefore, we have much more at stake and more to risk in the event of medical identity theft. Patients with diabetes should be legitimately concerned about any pending legislation to expedite implementation of a nationwide system for electronic medical records until more serious attention has been paid to the issues of patient privacy and protection of electronic medical records.

Some relevant background reading:

1 comment:

Scott K. Johnson said...

Still a very scary issue.