by Milt Freudenheim • NY Times May 30, 2011
Federal health officials call it the Wall of Shame. It’s a government Web page that lists nearly 300 hospitals, doctors and insurance companies that have reported significant breaches of medical privacy in the last couple of years.
Such lapses, frightening to consumers, could impede the Obama administration’s effort to shift the nation to electronic health care records.
“People need to be assured that their health records are secure and private,” Kathleen Sebelius, secretary of health and human services, said in an interview by phone. “I feel equally strongly that conversion to electronic health records may be one of the most transformative issues in the delivery of health care, lowering medical errors, reducing costs and helping to improve the quality of outcomes.”
So the administration is making new efforts to enforce existing rules about medical privacy and security. But some health care experts wonder if the current rules are enough or whether stronger laws are needed, for example making it a crime for someone to use information obtained improperly.
“The consequences of breaches matter,” conceded Dr. Farzad Mostashari, a former New York public hospitals official who recently became the Obama administration’s national coordinator for health information technology. “People say they are afraid that if their private information becomes known, they may not be able to get health insurance.”
In the last two years, personal medical records of at least 7.8 million people have been improperly exposed, according to the government data. One particularly egregious case involved information about 1.7 million patients, staff members, contractors and suppliers of Bronx hospitals and clinics operated by the Health and Hospitals Corporation, the New York public health agency. Their electronic files were stolen from an unlocked van belonging to a record management company.
The affected patients got the disquieting news that their medical and personal information, like Social Security numbers, had been violated when their health care providers notified them under federal rules.
Showing just how lax security can be, the inspector general of the Department of Health and Human Services said two weeks ago that the agency had found dozens of vulnerabilities in systems to protect records of patients at seven large hospitals in New York, California, Illinois, Texas, Massachusetts, Georgia and Missouri. Auditors cited such problems as personal information that was not encrypted and was stored on computers that could be easily used by unauthorized users.
Auditing teams are now inspecting eight more hospitals, said Lori Pilcher, an assistant inspector general at Health and Human Services. The hospitals are not being identified to avoid alerting hackers, she said.
Another big breach was reported in March on the official Web site by Health Net, a California-based insurance company, which notified 1.9 million health plan members that records with their personal information were missing.
Health Net said I.B.M., which was managing its information system, told the insurer that the records could not be found.
“The health care industry is not as vigilant as they should be about protecting private information in a patient’s medical records,” said Representative Joe L. Barton, a Texas Republican who is co-chairman of the Bipartisan Privacy Caucus in the House.
Mr. Barton knows from personal experience. His own records after a heart attack, along with several thousand others from a research project at the National Institutes of Health, were “on a disk in a laptop in somebody’s trunk that disappeared,” he recalled. “I was stunned.”
The Obama administration has levied a string of stringent penalties for egregious violations of patient rights under the most commonly cited law, the Health Insurance Portability and Accountability Act, or HIPAA, of 1996. Health information is supposed to stay private under those rules, but research has shown that it is not that difficult to connect names and addresses to nominally anonymous data with Internet searches and computerized matchups.
The Office of Civil Rights at Health and Human Services, which took over enforcement of the law, imposed a $1 million fine on Massachusetts General Hospital in March after a hospital employee left paper records of 192 patients on a Boston subway train. The hospital agreed in a settlement, without admitting wrongdoing, to report twice a year on its efforts to tighten patient protections.
Earlier this year, the civil rights office fined a Maryland health plan, Cignet Health, $4.3 million, saying that it had denied patients the right to see their own records in violation of HIPAA provisions. It was the first civil penalty levied under the HIPAA law. “We have ramped up our enforcement,” said Georgina C. Verdugo, director of the civil rights office.
But Dr. David Brailer, a Bush appointee as the first national coordinator of health information technology, is skeptical about whether such efforts will curb security breaches. “We can’t just lock health care data away — because of its role in lifesaving treatment,” Dr. Brailer said.
He said that even with the best technology it would be hard to make health systems secure. “It’s a huge challenge. Break-ins and hacks are unfortunately going to be part of the landscape,” he said.
One protection, he suggested, would be laws to make it illegal for an insurer or employer to discriminate against a person based on information about health conditions like H.I.V./AIDS, cancer and mental health problems.
As a model, he pointed to the antidiscrimination law to prevent the misuse of genetic information that was passed with bipartisan support in the Bush administration. He also said he believed the laws should say “patients own the data, period, and decide what happens to it. The patient should be able to say to Hospital X: ‘send my data to Hospital Y because I’m changing hospitals,’” he said.
Today, the information belongs to whoever possesses it, under ideas inherited from 17th-century English common law, he said. “If it gets into your database, essentially you own it,” he added, “and you can pass it on.”
“Today HIPAA makes no sense,” Dr. Brailer added. “The law didn’t anticipate a world where your data passes through many, many hands.”
Wes Rishel, a longtime health care analyst for Gartner, the technology consulting firm, and an adviser to the national coordinator’s office, has a similar view. “Your ability to control access to your information is a horse that is already out of the stable,” he said. “What is really needed is legislation that controls use of it.”
On that score, researchers at Carnegie Mellon University have shown that at least 30 people and organizations have access to the health data of a typical person with private insurance through an employer. They range from pharmacies and drug companies to an employer’s wellness programs and a spouse’s self-insured employer.
“Only you, your doctor and hundreds of others know,” said Latanya Sweeney, a health privacy expert at Harvard and Carnegie Mellon who is also an adviser to the office headed by Dr. Mostashari.
Since HIPAA was enacted there has been “an explosion in data sharing,” Ms. Sweeney said. “And after electronic records are widely adopted, there will be another big explosion.”