Early bird tickets for Baltimore’s BEST party on sale now!

Access to medical records brings security concerns


Patients of the land, unite! You have nothing to lose but your privacy.

There's a growing national effort to bring medical records into the 21st century by converting the paper records scattered in doctors' file cabinets to electronic records by 2014. It's a grand idea - in many ways.

If medical records were electronic, prescriptions would be more legible and pharmacists could fill them more accurately. Scientists would have access to a gold mine of data about diseases. Public health officials could spot disease outbreaks quickly and track their spread.

Doctors could speedily check a patient's record, avoid wasteful, repetitive tests, minimize harmful drug interactions and otherwise eliminate errors that kill an estimated 98,000 people a year in the United States.

There could be other direct benefits, too. If I had a car accident in San Francisco, an emergency room doctor there could check my records in Boston to treat me correctly.

Well, call me paranoid. Call me old fashioned. Call me an electronic dummy. But the whole thing scares me - and not just me.

"I have spent 30 years seeing nothing but how people are harmed [in their] reputation or livelihoods when sensitive medical records are seen by anyone ... outside of the few people you trust to actually take care of you," said Dr. Deborah Peel, a Freudian psychoanalyst in Austin, Texas, and founder of the nonprofit Patient Privacy Rights Foundation (patientprivacyrights.org).

"If privacy is not fully protected, we won't be building anything except the most valuable mother lode of information for data mining on Earth," she said.

To be sure, paper records aren't all that secure, either. In some places, just about anyone in a white coat can peruse paper records and no one would ever know. Electronic records can, at least, leave audit trails to show who has peeked at what.

Still, do we really want to make it easier for more people to see sensitive medical data? We know today that personal electronic information on 26.5 million military veterans, including their Social Security numbers and birth dates - and in some cases, disability codes - was stolen from the residence of a Department of Veterans Affairs employee who had taken the data home without authorization.

In another example of the vulnerability of electronic records, we know that the National Security Agency has secretly been collecting the phone records of tens of millions of Americans. And we know that credit card information is vulnerable to hacking and accidental release.

"If the Veterans Administration can't prevent the theft of 26 million names and Social Security numbers from an electronic file, why would any patient believe their personal, sensitive health data is safe online?" Peel asked.

Already, about 150 people, from nursing staff to X-ray technicians to billing clerks, have access to at least part of a patient's records during a hospitalization, according to the U.S. Department of Health and Human Services. And 600,000 payers, providers and other entities that convert providers' raw data into billing data have some access, too.

The national Health Information Technology effort, authorized by the Bush administration in 2004, is being hammered out by four groups working through HHS.

One group is standardizing the way records are kept - nitty-gritty stuff such as whether the patient's name or something else comes first on forms, said Dr. John Halamka, chief information officer for Harvard Medical School and chairman of the group, called the Health Information Technology Standards Panel.

Another group is working on the "architecture" of the system - deciding who gets to see which pieces of data and how the data can be secured.

A third is working on privacy policy, sorting through privacy regulations from all 50 states, whose laws often provide better privacy protection than HIPPA, an acronym for the complex set of federal rules in effect since 2003. The Washington Post recently reported that the federal government has been fairly lax in enforcing HIPAA, receiving nearly 20,000 allegations of privacy violations, but imposing no fines and prosecuting only two criminal cases.

The fourth group is working on certification - to ensure that electronic record-keeping products offered by vendors have all the features they are supposed to have.

At first glance, all this sounds reassuring. But there is only one consumer representative on the advisory panel, called the American Health Information Community, that oversees the other four working groups. The other 16 members come from federal agencies, hospital or doctor groups, the technology industry (Intel), an employer (Pepsi) and a state Health Department (Indiana).

And while part of the health information community's stated mission is "consumer empowerment" even in this effort, most of the members of the consumer work group are not explicitly patient advocates.

To ensure that patients have adequate privacy and control over their own records, "more could be done to increase consumer participation in the e-health records process," said privacy advocate Ray Campbell, executive director of the Massachusetts Health Data Consortium, a nonprofit group that uses information technology to improve health care. The Massachusetts group is working with the privacy committee of the health information community.

One issue is how centralized health information data banks should be.

What has worked well so far, said Halamka of Harvard, is a "very decentralized approach," such as the one he has put in place at Beth Israel Deaconess Medical Center in Boston.

"The data live in the doctor's office or in the hospital. It never gets put into any central data base where it could be hacked. I would be worried if there were a central data base in the basement of the White House that could be hacked, but we are not building that."

Stephanie Reel, chief information officer for Johns Hopkins Medicine, said she has confidence in the privacy efforts of top-notch hospitals, but worries about sharing information across a larger audience.

"Our hospitals do a good job of protecting patient information," she said, "but people's concerns are legitimate when you are sharing information across a larger audience."

How well privacy can be safeguarded in a national, electronic system is "the $64,000 question," said Carole Klove, chief compliance and privacy officer for UCLA Medical Sciences.

It was valuable during Hurricane Katrina that New Orleans pharmacies had electronic records so patients could still get prescriptions filled, she said. "But certainly there are risks in having all your records electronic. Risks can result in inappropriate access."

The good news is that the push to make medical records electronic is still a work in progress. It's not too late for more consumer voices.

If you are concerned, you can monitor the workings of the Health Information Technology effort at hhs.gov/healthit/ahic.html.

Send your questions to foreman@baltsun.com.

Copyright © 2019, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad