Opinion: Ready or not, here we go: Healthcare privacy and security

Commentary by: Jonathan Leviss, MD,
President Obama has requested (possibly demanded) that the U.S. healthcare system move into the modern information age with broad implementations of health IT (HIT). Our nation’s health system needs HIT to:

• Address the inefficiencies and high costs of our health system;
• Improve the quality and safety of healthcare delivery; and
• Create new delivery models to address health care access challenges.

But are we ready for HIT? Are we ready, as a healthcare delivery system, as consumers and as a society for the possibility that our most private and personal information might be viewed and exchanged by people around the corner and even globally at the click of a button, intentionally, accidentally and even illegally?

As a medical student in the early 1990s (pre-HIPAA), I watched hospital staff post signs in elevators reading:  “Shhh…please don’t discuss patients in elevators and other public areas.” Cartoons often accompanied the text to emphasize the point to providers accustomed to openly discussing their patients with colleagues. 

As providers, we enter into a complex compact with our patients, knowing their private histories and potential risks and complications of current illnesses. In previous years, our patients’ information was mostly stored and shared on paper, note cards or verbally from our memories. We tried to avoid embarrassing our patients and ourselves by not having discussions of patients overheard by passersby, but when we lost or misplaced papers from a chart or other patient records we were more concerned with interruptions or errors in care than any potential breach of privacy or confidentiality.

Occasionally, we learned how an unauthorized release of patient information caused the loss of a job or destroyed a family or relationship. Mostly, our patients understood and accepted that we shared their information with others to provide quality care, learn, teach or pursue medical research. As a society, we understood that some level of health information security breach might be unavoidable, even though laws were passed prohibiting such events. Yet the occurrences seemed infrequent, or at least infrequently reported.

Today, privacy and security breaches illustrate what happens when we do not adequately protect our digital health information:

• March 2010—Shands Healthcare in Florida notifies 12,500 individuals treated in a gastroenterology clinic that a laptop containing their personal and medical information, including social security numbers, was stolen.
• April 2009—A Virginia state website used by pharmacists to track prescription drug abuse was illegally accessed; the violators demanded $10 million in exchange for returning the records of eight million patients. Federal and state authorities began a criminal investigation.
• March 2009—Kaiser Permanente fires and fines employees for illegally accessing the medical records of a mother of octuplets who received much attention in the media.
• October 2008—The pharmacy benefits manager, Express Scripts, received a $1 million demand from hackers under the threat of exposing medical and personal information on millions of Americans.
• May 2006—A U.S. Veterans Health Administration employee reported a stolen laptop which held personal and medical data and social security numbers of 26 million veterans.

How effectively are we protecting personal health information? Have we, as a society of consumers (patients), providers, health systems, and regulators, implicitly agreed upon a new compact to share health information electronically? If yes, then what level of protection of personal health information is expected? In order to reaffirm the patient-provider health information compact, we must all understand the risks and benefits of an HIT-enabled healthcare paradigm.

Benefits:

• Better quality of care (the right diagnosis and/or procedure for the right patient at the right time)
• Improved efficiency of care (reduced duplication of steps, including diagnostic tests that are repeated for new medical consultations or the filling out of insurance forms that need to be completed at every appointment)
• Better access to health care services (improved delivery models for patients to receive needed services sooner or closer to home)

Risks:

• The ability for many inappropriate people to access an individual’s private medical, social, and financial information (causing loss of job, rejection of health insurance, identity theft, or public embarrassment)

The financial services industry offers one approach—protect against the criminal use of information after it has been inappropriately divulged. During the past decade, we have grown accustomed to the trade-off between the benefits of electronic financial information and the risks of privacy breaches.  We demand second-by-second access to our entire financial portfolio 24 hours a day and, in exchange, accept that some will endure identity theft and others will receive 12 months of free credit monitoring in the hopes of averting an identity theft after an information security breach.

Is there a similar model for healthcare? How do we monitor for inappropriate use of health information following a security breach? A maligned credit history after identity theft can be rebuilt, but how do we ‘repair’ the effects of public exposure of your mental health, sexual, or other medical history? If we cannot, what options remain?

First, we must determine whether our hospitals and health care organizations will devote the same level of efforts and resources to information security as our financial institutions. Second, if they do, are the health care information security policies, technologies, and practices sufficiently robust? If not, what needs to be improved? Third, what is an acceptable level of risk for the divulgence of a person’s private health information to justify the benefits, both collective and individual, of HIT? Should the individual victim independently bear the costs of a breach or should it be carried by society as a whole?

The Department of Health and Human Services continues to audit health systems for IT security breaches under HIPAA. The Health Information Technology for Economic and Clinical Health (HITECH) Act includes privacy and security enforcement language that may limit a provider’s or hospital’s access to HIT funding if privacy and safeguards are violated, or even reduce future Medicare funding. However, the Office of the National Coordinator for HIT and the Centers for Medicare & Medicaid Services (CMS) have not settled on final certification criteria for HIT that would help define security standards and detect such a breach.

Questions still remain, including:

• Is it okay for computer screens to openly display lists of a patient’s diagnoses in a hospital hallway, for all passersby to view?
• Should hospitals and healthcare providers be able to monitor who looked at, or shared with others, any information in a patient’s record or should only certain types of information be protected?
• Should patients be able to access reports of who reviewed, copied, or printed a list of their medical diagnoses or medications?
• Should hospitals be required to disclose audit practices that monitor how and which staff access patient information or how hospitals proactively screen for potential security breaches?

President Barack Obama repeatedly reminds us that the influence of the people as an agent of change is more powerful than government actions or decisions. Are the people of the United States aware of the security and privacy risks of HIT? Are our hospitals and health systems ready to sufficiently protect our private health information? If not, we better address these problems fast. Our compact appears to be sealed–we are starting to go, ready or not.

About the author: Jonathan Leviss, MD, is a practicing physician at Thundermist Health Center in West Warwick, R.I., and was the first CMIO at the New York City Health & Hospitals Corporation. He is also vice president, chief medical officer at Sentillion (a Microsoft company), a provider of health care technologies that include identity and access management solutions.