Story URL: http://news.medill.northwestern.edu/chicago/news.aspx?id=87383
Story Retrieval Date: 4/24/2014 2:02:26 PM CST

Privacy, shmivacy: How many people can see your medical records?

by Erica Peterson
April 29, 2008


Hospital or first-time doctor visits all start with the same clipboard. Use it to fill out sensitive personal information and scrawl a signature on the dotted line after several pages of legal jargon.

That information may not be securely stored away, however.

Recent scandals reveal security breaches in the medical records of celebrities such as Britney Spears, George Clooney and Farrah Fawcett.

So what about us non-celebrities? How secure is our personal information? “Not very” may be the answer, experts say. They cite information leaks, relaxed federal controls and medical records programs operating over the Internet as potential culprits.

Between 2006 and 2007, hospital data breaches exposed more than 1.5 million names attached to personal health information. That is according to a patient data security study undertaken jointly by Kroll’s Fraud Solutions in Nashville and the Healthcare Information and Management Systems Society, with offices in Chicago, Ann Arbor and Washington, D.C.

These numbers include everything from inadvertent access by hospital employees to more malevolent activities, according to the study.

Hospital data is very susceptible to identity theft, more so than other types of information, said Brian Lapidus, chief operating officer of Kroll’s, during a webcast discussing the results of the study.

Name, social security number and date of birth are the “holy trinity,” Lapidus said. With the addition of patient health and billing information, usually found in medical records, “that trinity is on steroids.”

But local hospitals asserted that they keep information secure. Electronic records, stored on closed networks, are protected by passwords, firewalls and encryption, said Anne Herman, privacy and compliance officer at Adventist Midwest Health, with hospitals throughout the Chicago area.

Though electronic records may be more vulnerable to data breaches, digital files can also help catch and track information leaks. “We have a very good ability, far more than when we had paper records, to manage and track employee access to records,” Herman said.

A privacy expert said that, while personal information is at risk of theft or misuse by industry employees, there are also legal ways that patient data is being manipulated and shared.

The year 2002 marked the dissolution of privacy rights, says Dr. Deborah Peel, the founder of Patient Privacy Rights, a medical privacy watchdog organization based in Austin, Texas.

The Health Insurance Portability and Accountability Act, signed into law in 1996, addressed the security and privacy of electronic health data. However, HIPAA has undergone changes in recent years, and some argue the law now does the opposite of what was originally intended.

In 2001, President Bush implemented a rule requiring an individual’s consent for the disclosure of health information. But, in 2002, Congress amended the law to allow the medical and insurance industries “to use and disclose protected health information for treatment, payment [and] healthcare operations.”

By doing so, Congress “essentially blessed the theft of medical records,” Peel said.

Private patient health information can be sent to any number of outside organizations, including data clearinghouses, banks, health insurance companies, pharmacy chains and credit brokers, according to Patient Privacy Rights.

Ironically, the parties who don’t automatically have access to a patient’s medical records include those who may need the information the most -- family members or referred doctors. Specific patient consent is needed to share this information, though parents can access the medical records of their minor children.

These relaxed privacy laws, combined with electronic medical records, make health records ripe for security breaches. “The federal government turned privacy rules into the data miner’s dream,” Peel said.

Despite the 2002 “gutting” of HIPAA, as Peel called it, patient privacy still has champions in Congress. On Feb. 14, the “Trust Act Bill” was introduced in the U.S. House of Representatives, but no action on it has been taken since. The bill, designed to ensure health privacy, security and confidentiality, is co-sponsored by Illinois Rep. Rahm Emanuel (D-5th).

To fill that privacy void in the meantime, software giants Microsoft and Google have begun launching sites for individuals to store and organize their personal medical information.

Microsoft’s HealthVault was launched in October 2007 and is in beta testing while Google Health has yet to be released. Both sites are geared toward providing a free Web-based platform for individuals to personally enter their medical records. Users can then choose to share the information with family members or health care providers.

“People’s health information is decentralized and isolated, existing only in filing cabinets and a multitude of disconnected servers,” a Microsoft representative stated in an e-mail. “It is difficult for individuals and their families to manage and share health information productively, or to navigate online and offline health resources efficiently and accurately.”

However convenient online medical record portals may be, industry experts question the security of such personal data when put on the Internet by a commercial entity.

“They have clearly business motives. The technology is figured out and the health care system is the next gravy train,” Peel said. “This is a massive business opportunity for every technology vendor.”

Microsoft said that extra precautions are taken with the data recorded on the Web site. Traffic is isolated onto a virtually separate network and located on Microsoft’s servers in separate, locked cages. All data moving among the systems are encrypted, but the services will not fall under HIPAA’s jurisdiction.

“Microsoft is committed that it will not share any information from HealthVault to advertisers and the default setting for privacy settings allows users to have opted out of the sharing of any information,” according to Microsoft. “And they have to opt in if they want their data used for any commercial uses.”

Besides judiciously choosing where to store health information, right now there’s little individuals can do to protect their privacy, Peel said.

“Once the records are out, you can never make them private again,” she said.