Data breachesData breaches compromise nearly 8 million medical records
The revelation that millions of people have had their personal medical records stolen could slow the Obama administration’s efforts to digitize the nation’s health care records; in the last two years alone nearly eight million people have had their medical records stolen or compromised; 1.7 million patients, staff members, contractors, and suppliers at several New York hospitals had their information stolen when thieves removed them from an unlocked van; to ensure that medical records are safe, HHS has begun imposing penalties on health care providers who compromise their patient’s records; but some health care experts wonder if enforcing HIPAA alone will be enough to address the problem
The revelation that millions of people have had their personal medical records stolen could slow the Obama administration’s efforts to digitize the nation’s health care records.
In the last two years alone nearly eight million people have had their medical records stolen or compromised. In one instance, 1.7 million patients, staff members, contractors, and suppliers at several New York hospitals had their information stolen when thieves removed them from an unlocked van that belonged to the record management company.
Representative Joe L. Barton (R – Texas), the co-chairman of the Bipartisan Privacy Caucus in the House, said, “The health care industry is not as vigilant as they should be about protecting private information in a patient’s medical records.”
For example, last March, Health Net, a California based insurance company, notified nearly 2 million of its customers that their personal information had gone missing. According to Health Net, IBM, which manages the company’s data system, could not locate the records.
In addition, Representative Barton himself has had his own medical records compromised along with thousands of others when a “disk in a laptop in somebody’s trunk had disappeared,” he said.
The HHS Inspector General recently examined the security measures in place at health care facilities across the United States and found glaring vulnerabilities in systems that house patient records. At seven large hospitals in New York, California, Massachusetts, Missouri, Georgia, Illinois, and Texas, HHS investigators found that unencrypted personal data was kept on computers that were easily accessed by unauthorized users.
Dr. Farzad Mostashari, who recently became President Obama’s national coordinator for health information technology, said, “The consequences of breaches matter.”
“People say they are afraid that if their private information becomes known, they may not be able to get health insurance,” he said.
To ensure that medical records are safe, HHS has begun imposing penalties on health care providers who compromise their patient’s records under the Health Insurance Portability and Accountability Act (HIPAA), passed in 1996.
“People need to be assured that their health records are secure and private,” said HHS Secretary Kathleen Sebelius.
She went on to say that guaranteeing the privacy of patients’ medical records was critical step before the government could move forward with its plans to digitize health care records.
“I feel equally strongly that conversion to electronic health records may be one of the most transformative issues in the delivery of health care, lowering medical errors, reducing costs and helping to improve the quality of outcomes,” she said.
In March, HHS fined Massachusetts General Hospital $1 million after an employee left the paper records of 192 employees on a Boston subway train. But some health care experts wonder if enforcing HIPAA alone will be enough to address the problem.
Dr. David Brailer, the first national coordinator of health information technology under President George W. Bush, said, “We can’t just lock health care data away — because of its role in lifesaving treatment.”
He added that it is unrealistic to believe that the government can design a system that prevents all medical records from being compromised.
“It’s a huge challenge. Break-ins and hacks are unfortunately going to be part of the landscape,” he said.
Instead, Dr. Brailer suggested that Congress should enact laws that make it illegal for insurance companies or employers to discriminate against individuals based on medical conditions like cancer, mental health problems, or HIV.
Dr. Brailer explained, “Today HIPAA makes no sense. The law didn’t anticipate a world where your data passes through many, many hands.”
A recent Carnegie Mellon University study found that at least thirty people or organizations have access to an average individual’s health care records. Those with access include pharmacies, drug companies that participate in an employer’s wellness program, and a spouse’s self-insured employer.
“Your ability to control access to your information is a horse that is already out of the stable,” he said. “What is really needed is legislation that controls use of it.”