Why you shouldn't process and store medical records online
Posted Aug 05 2010 5:25am
By Cathy Leahy
So the federal government's Department of Health and Human Services (HHS) has decided that their breach notification final rule under the HITECH Act needs further review. Apparently they got an earful from privacy advocates so they decided to scrap it and start over. Here's what was posted on the HHS website on August 2, 2010:
"Breach Notification Final Rule Update
The Interim Final Rule for Breach Notification for Unsecured Protected Health Information, issued pursuant to the Health Information Technology for Economic and Clinical Health (HITECH) Act, was published in the Federal Register on August 24, 2009, and became effective on September 23, 2009.
During the 60-day public comment period on the Interim Final Rule, HHS received approximately 120 comments.
HHS reviewed the public comment on the interim rule and developed a final rule, which was submitted to the Office of Management and Budget for Executive Order 12866 regulatory review on May 14, 2010. At this time, however, HHS is withdrawing the breach notification final rule from OMB review to allow for further consideration, given the Department's experience to date in administering the regulations. This is a complex issue and the Administration is committed to ensuring that individuals' health information is secured to the extent possible to avoid unauthorized uses and disclosures, and that individuals are appropriately notified when incidents do occur. We intend to publish a final rule in the Federal Register in the coming months."
Well, that's clear as mud, isn't it? Who are these people? What are their names? Who can a person call to find out what's up? The question is - what did the 120 comments say? Who submitted them? What is it that you are reviewing and will you be addressing the issue of the high risk of allowing medical records to be processed and reside on the Internet?
The previous "final rule" required breach notification. That means that after the cat is out of the bag and your medical identity has been compromised, you get notified. Gee, how nice of them! What do they expect you to do once that happens? Just sit and fret?
Those in the know realize that stealing medical identity information is far more valuable to identity thieves than just regular ol' identity theft. There is much more information that can be gleaned from it. Not only do they get your name, address, date of birth and social security number, but they also get your health insurance policy number and a list of your ailments. Armed with this information, not only can they ruin your credit and steal your identity, but now they can access medical care under your name and hand you the bill.
They can also blackmail you by threatening to publicize the fact that you had a nervous breakdown or HIV or both, for example.
For the first half of 2010, the U.S. Department of Health and Human Services, Office of Civil Rights has reported 119 instances of medical record breaches which have put at risk some 5 million patients' healthcare information.
The breaches span from coast to coast. Some of the most egregious offenders are health insurance companies and state agencies. But, according to the statistics, private healthcare providers also must take some blame. Of the 119 instances reported (probably the tip of the iceberg), some 71 were due to theft and some 59 involved records stored on some form of electronic device: a network server, a laptop or perhaps what they call a tablet PC. That is an electronic device which your doctor may bring into the examination room with him so that he can key in your information, after which he places it in a base unit so that the information can be uploaded to a central system.
Other breaches include intentional hacking, improper disposal, unauthorized access and phishing.
So what did HHS do about these breaches? Not much. They seemed satisfied that the offenders promised to beef up their security practices. Not good enough, HHS, whoever you are. This is whistling past the graveyard at its finest.
The U.S. government has allocated some 28 million to fund a marketing campaign to promote the widespread implementation of electronic medical records, which leads to a healthcare information exchange that typically must be implemented over the Internet. But experts disagree on whether this is a good idea. The Internet is not the place most folks want their health information to reside.
A case in point is the October 2009 U.K. news piece which reported on a transcription center in India that was selling medical records, sent to it from the U.K., to the highest bidder. It was the manager of the center in India who bragged to the buyer that he was in charge and that all his floor managers were in on the deal. They could supply any kind of record the buyer wanted and they would sell each record for about 4 British pounds. We can thank the widespread use of the Internet to process and store medical records for this revolting event.
So here's my suggestion to those nebulous folks at HHS: Time is of the essence. Quit monkeying around. Do not listen to the lobbyists from companies that offshore our medical records, and clamp down on entities that allow medical records to be processed and stored over the Internet. Before the advent of the Internet, we did not have this problem. Yes, your big push for electronic medical records and health information exchanges may need to be revamped. But isn't our medical privacy worth it?
Cathy Leahy is a CMT and HIT specialist and CEO of Datamed Health Informatics based in Bellingham, Wash.