Junkfood Science: Medical record privacy update

December 28, 2006

Medical record privacy update

Health Care Renewal just reported on “Another Electronic Medical Record Horror Story.”

According to a Wall Street Journal article, medical information about her psychotherapy that patient, Patricia Galvin thought was confidential was released to an insurance company. Health Care Renewal writes:

[C]omplaints to HHS about breaches of medical privacy have exceeded 23,000 [and] HHS presently receives about 700 new complaints monthly, while enforcement of "guarantees" such as in the HIPAA act are basically non-existent. I'd bet a large proportion of these breaches were facilitated by electronic legerdemain.


Ms. Galvin’s fears that her most private thoughts and secrets are “mere data of a transaction, like a grocery receipt” are well-founded and truly give life to an observation I made several years ago while leading electronic medical records (EMR) implementation at a large hospital....Unfortunately, as Ms. Galvin discovered to her horror, good things do not come from treating twenty-first century medical “transactions” as nineteenth century accounting data.


We’re not alone in the United States. In the UK, the ambitious Connecting for Health national EMR project and plans for a central clinical database have been met with stiff resistance from patient advocacy groups. Plans to upload medical records onto the central clinical database will put patient confidentiality at risk, the UK program has been told by its own consultants....


A similar advocacy movement is needed in the U.S., for there has been an idealistic and almost reckless push in the US to put any and all healthcare information into EMR’s and other electronic databases, even when the financial and clinical benefits are unproven....


In a decade when conflict of interest and mismanagement in healthcare is common, break-ins to supposedly secure databases appear in the news almost weekly, and dominant computer operating systems are barely able to keep ahead of hackers’ attempts to circumvent security, the dream of patient confidentiality is increasingly utopian. The reality is that the HIPAA act lacks teeth, enforcement initiatives non-existent (as the Journal reports), and stated exceptions to the HIPAA rules are prone to misuse by the powerful and those with financial incentives. These factors make it likely that the HIPAA “guarantees” are not worth the weight of the paper they’re written on.


In reality, if you want to keep information secure, don’t put it on a computer; and if you have to put it on a computer, and the computer is to be put on a network, then the information by definition is no longer secure.


These harsh realities call for a critical rethinking of the types of clinical data that should be put into electronic databases, and on governance of privacy, security and confidentiality....

Healthcare professionals quickly come to know that patients’ records are not really confidential, but when they become electronic, the numbers of people and interests with potential access explodes. The public would be astounded to learn that HIPAA gives virtually anyone remotely connected to their healthcare, third-party reimbursement or regulatory surveillance, access to their most private information, as explained by Patient Privacy Rights Foundation (and was recently written about here).

Given the unsoundness, conflicts of interest and potential for misuse of employer, government and health insurer clinical guidelines, health screenings, “health risk assessments” and “wellness” programs (as written here), the public would be wise to avoid volunteering information about their private lives to their employer or insurer. But many do, lulled perhaps by assurances the information they provide is “confidential” and will help them, and that their privacy is protected under HIPAA.


In a related story, the Chicago Sun Times just reported on an online Personal Health Records database being created by one of the country’s largest health management companies, Blue Cross and Blue Shield Association, which has partnered with America’s Health Insurance Plans, the main lobbying organization for 1,300 health insurance companies. The newspaper reports:

The two groups have developed and pilot tested standards on what should be included in the records and that make them portable, enabling consumers to transfer the records when they change insurers or doctors.

The groups, whose members cover more than 200 million people, said the goal is to have insurers include in every personal health record core data such as records of visits to doctors' offices and hospitals; medical conditions and illnesses; treatment plans, including medications; immunizations; allergies; health risks, and health insurance information....

An estimated 70 million people have personal health records through their health insurers, and millions more are scheduled for the service next year, the groups note. But, until now, the information contained in them has been inconsistent. Physician groups have urged the industry to work to standardize the information....

Association spokesman John Parker, said, "There could be many different bells and whistles to distinguish [the records] in a unique way, but core elements would be shared."


Patient Privacy Rights, a national consumer watchdog organization based in Austin, Texas, denounced this plan. “This is a wolf in sheep’s clothing,” said Deborah Peel, MD, founder and chair of Patient Privacy Rights. “Insurer-provided electronic personal health records held in a data bank that the insurers control will be used primarily to benefit insurers, not patients.” Her organization reports that insurers will get:

· An immensely lucrative database they control completely.

· A rich compilation of patient data with no state or federal laws to prevent them from using the information any way they please.

· The opportunity to data mine the new information consumers add to their PHRs for medical underwriting.

· A great new business opportunity they can sell the PHR data of millions of enrollees to employers, drug companies, and data brokers.

“The last place on Earth where patients want to keep their complete medical records is in the hands of their insurers. But that is exactly what AHIP and BCBSA are proposing. By giving plan enrollees a Personal Health Record and asking them to fill in the blanks, we’re basically being asked to spy on ourselves for the financial benefit of the insurance industry,” said Dr. Peel. “Will these companies guarantee that patients’ personal health information will never be used against them or disclosed without informed consent?”

In a press release, Patient Privacy Rights described the research showing consumers do not want their insurers to have their complete electronic medical records and feel the privacy risks outweight any benefits. They “strongly advise all Americans not to participate in any personal health record databases or data banks until Congress passes a law saying that consumers own their health records and gives them the right to control who can access their health records.”


Also in electronic medical record news, National Business Group on Health founding board member, Thomson Medstat, was just awarded a three-year $14.9 million contract to build and support the Healthcare Cost and Utilization Project (HCUP) databases of patient- healthcare information (written about here). It will be the largest and most complex electronic database to date. The contract is from the Agency for Healthcare Quality and Research under the U.S. Department of Health and Human Services. Medstat is part of Thomson Corporation, which provides electronic software and applications, including business intelligence and decision solutions, “to help employers, government agencies, health plans, hospitals and pharmaceutical companies manage the cost and quality of healthcare,” according to their press release.

Bookmark and Share