Monday, April 30, 2007

Medical Privacy: Americans Have Justifiable Reason to Be Concerned

As my friends, relatives and blog readers know, I believe strongly that medical privacy is an important but overlooked issue today. New York City is currently seizing the results of hemoglobin A1C tests (largely, although not exclusively, given to patients with diabetes) without even disclosing that the results are being taken, is providing no means for patients to opt out of the registry itself, and has refused to disclose how (if at all) it would deal with a breach of patient privacy should that ever occur. Although the registry applies largely to people who live in New York City, the fact is that anyone from the suburbs who has labwork done in New York City or sees a physician in the city may also find themselves on the registry.

In April 2004, President George W. Bush called for the Department of Health and Human Services (HHS) to develop and implement a "strategic plan" to guide the nationwide implementation of health information technology (IT). The plan was to recommend methods to ensure the privacy of electronic health information. The U.S. Government Accountability Office (GAO) was asked to summarize its report which describes the different steps that HHS is (and is not) taking to ensure privacy protection as part of its national health IT strategy and identifies challenges associated with protecting electronic health information exchanged within a nationwide health information network.

According to a study released in late 2006, most Americans want electronic health data, but they fear for privacy. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 provides broad exemptions for "covered entities" to have unlimited access to our medical data, and according to the Patient Privacy Rights Foundation, an Austin, TX-based patient advocacy organization, there are well over 6,000 organizations that are considered "covered entities" which are exempt from HIPAA privacy rules. As some of my first posts of this year suggested, Americans have good reason to be concerned about the privacy of their medical information. Unlike the laws governing maintenance of our financial records (such as our credit reports), which are tightly controlled and have specific rules governing dispute resolution, no such rights currently exist for our medical records. If someone steals our medical information to obtain surgery, for example, the record-keepers are really under no legal obligation to resolve our complaints, and may take years to address them even if they do act in good faith to resolve the issues.

In February 2007, the GAO released its report which showed that overall, the Department of HHS was only in preliminary stages of protecting patient privacy, and has not yet defined an overall approach for integrating its various privacy-related initiatives and addressing key privacy principles, nor has it defined milestones for integrating the results of these activities. The GAO identified a number of key challenges associated with protecting electronic personal health information.

Specifically, they defined the key challenges as understanding and resolving legal and policy issues, such as those related to variations in states' privacy laws; ensuring that only the minimum amount of information necessary is disclosed to only those entities authorized to receive the information; ensuring individuals' rights to request access and amendments to their own health information; and implementing adequate security measures for protecting health information. As of today, few (if any) of these issues have been addressed by Congress.

Even more troubling was that I have learned that the so-called advisory panel of "experts" on patient privacy no longer exists -- all of the members apparently resigned (I would guess in disgust) at the lack of progress being made by HHS. These issues will only receive attention if we bring them to our legislators' attention! If you fail to express your concerns, you'll have no one to blame but yourselves if your medical records end up posted on the Internet because a billing and coding person in Pakistan has decided to use you as a pawn to get better pay unless you urge your legislators to act in your interests!

By the way, a postscript is in order here. Today, The Wall Street Journal's Health Blog featured a posting on the subject of how few doctors' offices have made their health records electronic, but a San Francisco-based company called Practice Fusion is offering doctors a free, web-based electronic medical records system with a few strings attached, the most notable being that the records will be open to data miners, presumably without the patients' consent. Not sure that looks like the best way to go!


Anil said...

Interesting topic.
The way I see it, there is never ever going to be a guarantee of privacy. It is impossible to give in the age of the internet.
There has never been privacy ever. Most of the information was available to steal earlier too.
The problem these days is the aggregators of data. These folks need to know clearly that they are not allowed to sell medical information and then we define what medical means.

If we want to have some ease of moving between doctors and be able to have the history be transferred, we will have to settle on some sort of data storage. There will be some risk of this data being stolen, but I feel that we have to move forward.

I wonder who would want to steal my medical information?

Scott S said...

I suspect that is true to some extent, but we still need procedures for getting disputes resolved (including processes and timeframes). Right now, consumers can dispute errors on their credit report, but not with medical records. Think about the implications if your medical ID is stolen to obtain medical services and you happen to need treatment at a later date and the doctors say that your medical record indicates you have some ailment you do not, you could be improperly medicated for the thief's medical conditions and not your own -- a scary thought!!

Scott K. Johnson said...

That is a very scary thought!

I think it was you who talked about a lady who had an amputation in her record and had to walk in and throw her leg on the desk to prove it was still attached!!!

The data mining scares me silly too.

Scott S said...

Yes, Scott ... that was in my January 2, 2007 post. You have a good memory!