[LINK] Electronic medical records: why we should seek a second

stephen at melbpc.org.au
Mon Dec 19 21:50:25 AEDT 2011


David writes,

> Nobody denies the risks. Clearly, the powers that be give those risks 
> less weight than the Privacy Foundation would like. I've no doubt that, 
> even with the best intentions, the implementation will be flawed; 
> probably deeply so. That said, the Privacy Foundation probably gives
> the benefits less weight than the powers that be would like. For mine,
> though aware of the risks and not among the disadvantaged, I see enough
> benefits that I'll be willing to participate.


David, I admire your gentle non-rabid discursive style here, and probably 
many might agree with your bring-it-on conclusion re e-medical-recording. 

However, going forward, such medical records will be better than gold to
low-life elements. And as this article in just today's NYTimes concludes,
and in terms of your medical records, "We’re entering a brave new world." 

Let alone simple identity-theft considerations, could linkers imagine the
money that could be made from just the next-of-kin info for anyone dying?
There are dozens of industries that would pay for such info. Think, family pain?

So sure bring-it-on. But, bolt it down much tighter than bank-only money.

Digital Data on Patients Raises Risk of Breaches
By NICOLE PERLROTH, Published: December 18, 2011 

One afternoon last spring, Micky Tripathi received a panicked call from 
an employee. Someone had broken into his car and stolen his briefcase and 
company laptop along with it.

So began a nightmare that cost Mr. Tripathi’s small nonprofit health 
consultancy nearly $300,000 in legal, private investigation, credit 
monitoring and media consultancy fees. Not to mention 600 hours dealing 
with the fallout and the intangible cost of repairing the reputational 
damage that followed. 

Mr. Tripathi’s nonprofit, the Massachusetts eHealth Collaborative in 
Waltham, Mass., works with doctors and hospitals to help digitize their 
patient records. His employee’s stolen laptop contained unencrypted 
records for some 13,687 patients — each record containing some 
combination of a patient’s name, Social Security number, birth date, 
contact information and insurance information — an identity theft gold 
mine. 

His experience was hardly uncommon. 

As part of the 2009 stimulus bill, the federal government provides 
incentive payments to doctors and hospitals to adopt electronic health 
records. Some 57 percent of office-based physicians now use electronic 
health records, a 12 percent jump from last year, according to the 
Centers for Disease Control. 

An unintended consequence is that as patient records have been digitized, 
health data breaches have surged. 

The number of reported breaches is up 32 percent this year from last 
year, according to the Ponemon Institute, a security research group .. 

<www.ponemon.org/blog/post/second-annual-patient-privacy-study-released>

Those breaches cost the industry an estimated $6.5 billion last year. In 
almost half the cases, a lost or stolen phone or personal computer was 
responsible. 

Mr. Tripathi describes the days after the theft as a “vortex.” 

Fresh in his mind was a similar, albeit smaller, breach at Massachusetts 
General Hospital just months earlier in which a hospital employee left 
detailed clinical records for 192 patients on a subway. The breach had 
cost the hospital $1 million in settlement fees. 

“We’re a nonprofit with 35 people on staff,” says Mr. Tripathi. “A 
million-dollar fine would have decimated us.” 

Mr. Tripathi says his nonprofit had just enacted a policy requiring that 
all patient files be encrypted, but had yet to decide on an encryption 
provider. All that stood between a determined computer thief and his 
patient data was a few passwords. 

Mr. Tripathi went to work assembling a crisis team of lawyers and 
customers and a chief security officer. They hired a private investigator 
to scour local pawnshops and Craigslist for the stolen laptop. The 
biggest headache, he says, was deciphering how much about the breach his 
nonprofit needed to disclose. 

Health organizations are required by federal law to report data breaches 
that affect more than 500 people to the Department of Health and Human 
Services. 

The department’s Office of Civil Rights publishes the equivalent of a 
data breach “Wall of Shame” on its Web site — which today includes 380 
breaches affecting more than 18 million people ..

<http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html> 

Mr. Tripathi said he quickly discovered just how many ways there were to 
count to 500. 

The law requires disclosure only in cases that “pose a significant risk 
of financial, reputational or other harm to the individual affected.” 

His team spent hours poring over a backup of the stolen laptop files. Of 
the nearly 14,000 patient records on the stolen laptop, most records did 
not warrant disclosure. In 2,777 cases, for instance, a record listed 
only a patient’s name. 

Complicating matters were liability rules. 

In the eyes of the law, Mr. Tripathi’s nonprofit is a contractor that 
acts on behalf of health providers. The legal burden of protecting 
patient data actually falls on his clients: the physicians and hospitals 
who entrusted his nonprofit with their files. 

“The laws create a perverse outcome,” he says. “It was our fault, but 
from a federal perspective, it wasn’t our breach.” 

Mr. Tripathi narrowed down the group of patients whose data put them at 
serious risk for identity theft to 998 people across seven physician 
practices. 

Only one practice broke the 500-patient threshold requiring disclosure on 
the Department of Health and Human Services Web site. 

His office got to work notifying the affected patients of the data 
breach. They offered free credit monitoring — though less than 10 percent 
took them up on the option — spending a total of $6,000. 

In the aftermath, Mr. Tripathi says his company destroyed all patient 
data on mobile devices and temporarily prohibited employees from removing 
patient data from clients’ offices. 

The company now mandates that all data be encrypted, and employees are 
required to tell health providers what data they will need to access and 
how they plan to use it. 

He never found the stolen laptop, and the incident, all told, cost his 
nonprofit $288,000. 

In many ways, Massachusetts eHealth Collaborative got off easy. 

In October, a desktop computer containing unencrypted records on more 
than four million patients was stolen from Sutter Health, a nonprofit 
health system based in Sacramento. A rock was thrown through a window to 
gain access to the computer. The theft is now the subject of two 
class-action suits, each of which seeks $1,000 for each patient record 
breached. 

“Breaches are going to be one of the big challenges as more physicians 
and hospitals adopt electronic health records,” Mr. Tripathi says. “We’re 
entering a brave new world.” 

<http://www.nytimes.com/2011/12/19/technology/as-patient-records-are-digitized-data-breaches-are-on-the-rise.html?nl=todaysheadlines&emc=tha26>
--

Cheers,
Stephen
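The article's triage step (name-only records set aside, at-risk records counted per practice, practices checked against the 500-record reporting threshold) as an added worked example; this is not code from the article, the nonprofit or the list, and the risk rule, field names and sample counts are constructed assumptions, not the real breach data.

```python
from collections import Counter

# Assumption: a record is an identity-theft risk only if it carries the patient's
# name together with at least one of these identifiers (the article mentions
# Social Security number, birth date and insurance information).
HIGH_RISK_FIELDS = {"ssn", "birth_date", "insurance_id"}
DISCLOSURE_THRESHOLD = 500  # records per covered entity that trigger HHS reporting


def is_at_risk(record):
    """True when the record names the patient AND holds a high-risk identifier."""
    present = {k for k, v in record.items() if v}
    return "name" in present and bool(present & HIGH_RISK_FIELDS)


def triage(records):
    """Count at-risk records per practice and list practices over the threshold."""
    per_practice = Counter()
    for rec in records:
        if is_at_risk(rec):
            per_practice[rec["practice"]] += 1
    over = sorted(p for p, n in per_practice.items() if n > DISCLOSURE_THRESHOLD)
    return per_practice, over


def make_records(practice, n, **fields):
    """Build n identically shaped constructed records for one practice."""
    return [dict(practice=practice, **fields) for _ in range(n)]


# Constructed sample data (placeholder values, not real patients).
SAMPLE = (
    make_records("Practice A", 600, name="pt", ssn="000-00-0000")       # over threshold
    + make_records("Practice B", 120, name="pt", birth_date="1970-01-01")
    + make_records("Practice B", 300, name="pt")                         # name only
    + make_records("Practice C", 50, ssn="000-00-0000")                  # identifier, no name
    + make_records("Practice C", 40, name="pt", insurance_id="INS-PLACEHOLDER")
)

if __name__ == "__main__":
    counts, must_report = triage(SAMPLE)
    print(f"at-risk records per practice: {dict(counts)}")
    print(f"practices over {DISCLOSURE_THRESHOLD}: {must_report}")
```

The same rule applied to the article's backup would reproduce its arithmetic: name-only records drop out, and only the practice whose at-risk count exceeds 500 lands on the HHS list.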


