[LINK] Electronic medical records: why we should seek a second
stephen at melbpc.org.au
Mon Dec 19 21:50:25 AEDT 2011
David writes,
> Nobody denies the risks. Clearly, the powers that be give those risks
> less weight than the Privacy Foundation would like. I've no doubt that,
> even with the best intentions, the implementation will be flawed;
> probably deeply so. That said, the Privacy Foundation probably gives
> the benefits less weight than the powers that be would like. For mine;
> though aware of the risks and not among the disadvantaged, I see enough
> benefits that I'll be willing to participate.
David, I admire your gentle non-rabid discursive style here, and probably
many might agree with your bring-it-on conclusion re e-medical-recording.
However, going forward, such medical records will be better than gold to
low-life elements. And as this article in just today's NYTimes concludes,
and in terms of your medical records, "We're entering a brave new world."
Let alone simple identity-theft considerations, could linkers imagine the
money that could be made from just the next-of-kin info for anyone dying?
There are dozens of industries that'd pay for such info. Think, family pain?
So sure, bring it on. But bolt it down much tighter than bank-only money.
Digital Data on Patients Raises Risk of Breaches
By NICOLE PERLROTH, Published: December 18, 2011
One afternoon last spring, Micky Tripathi received a panicked call from
an employee. Someone had broken into his car and stolen his briefcase and
company laptop along with it.
So began a nightmare that cost Mr. Tripathi's small nonprofit health
consultancy nearly $300,000 in legal, private investigation, credit
monitoring and media consultancy fees. Not to mention 600 hours dealing
with the fallout and the intangible cost of repairing the reputational
damage that followed.
Mr. Tripathi's nonprofit, the Massachusetts eHealth Collaborative in
Waltham, Mass., works with doctors and hospitals to help digitize their
patient records. His employee's stolen laptop contained unencrypted
records for some 13,687 patients, each record containing some
combination of a patient's name, Social Security number, birth date,
contact information and insurance information, an identity theft gold
mine.
His experience was hardly uncommon.
As part of the 2009 stimulus bill, the federal government provides
incentive payments to doctors and hospitals to adopt electronic health
records. Some 57 percent of office-based physicians now use electronic
health records, a 12 percent jump from last year, according to the
Centers for Disease Control.
An unintended consequence is that as patient records have been digitized,
health data breaches have surged.
The number of reported breaches is up 32 percent this year from last
year, according to the Ponemon Institute, a security research group ..
<www.ponemon.org/blog/post/second-annual-patient-privacy-study-released>
Those breaches cost the industry an estimated $6.5 billion last year. In
almost half the cases, a lost or stolen phone or personal computer was
responsible.
Mr. Tripathi describes the days after the theft as "a vortex."
Fresh in his mind was a similar, albeit smaller, breach at Massachusetts
General Hospital just months earlier in which a hospital employee left
detailed clinical records for 192 patients on a subway. The breach had
cost the hospital $1 million in settlement fees.
"We're a nonprofit with 35 people on staff," says Mr. Tripathi. "A
million-dollar fine would have decimated us."
Mr. Tripathi says his nonprofit had just enacted a policy requiring that
all patient files be encrypted, but had yet to decide on an encryption
provider. All that stood between a determined computer thief and his
patient data was a few passwords.
Mr. Tripathi went to work assembling a crisis team of lawyers and
customers and a chief security officer. They hired a private investigator
to scour local pawnshops and Craigslist for the stolen laptop. The
biggest headache, he says, was deciphering how much about the breach his
nonprofit needed to disclose.
Health organizations are required by federal law to report data breaches
that affect more than 500 people to the Department of Health and Human
Services.
The department's Office of Civil Rights publishes the equivalent of a
data breach "Wall of Shame" on its Web site, which today includes 380
breaches affecting more than 18 million people ..
<http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html>
Mr. Tripathi said he quickly discovered just how many ways there were to
"count to 500."
The law requires disclosure only in cases that pose "a significant risk
of financial, reputational or other harm to the individual affected."
His team spent hours poring over a backup of the stolen laptop files. Of
the nearly 14,000 patient records on the stolen laptop, most records did
not warrant disclosure. In 2,777 cases, for instance, a record listed
only a patient's name.
Complicating matters were liability rules.
In the eyes of the law, Mr. Tripathi's nonprofit is a contractor that
acts on behalf of health providers. The legal burden of protecting
patient data actually falls on his clients: the physicians and hospitals
who entrusted his nonprofit with their files.
"The laws create a perverse outcome," he says. "It was our fault, but
from a federal perspective, it wasn't our breach."
Mr. Tripathi narrowed down the group of patients whose data put them at
serious risk for identity theft to 998 people across seven physician
practices.
Only one practice broke the 500-patient threshold requiring disclosure on
the Department of Health and Human Services Web site.
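As an added example (not from the article, and not code from Mr. Tripathi's team), here is a small Python triage routine for the counting problem described above: it applies a constructed, hypothetical "significant risk" rule to the records found on a lost device, counts at-risk patients per practice, and flags which practices cross the 500-patient HHS threshold. The field names, the risk rule and the sample data are all assumptions made for this example.

```python
# Added example: breach triage for "how many ways to count to 500".
# Classify each record on a lost device, count distinct at-risk patients
# per covered entity (physician practice), and flag practices over the
# HHS notification threshold. The risk rule is a constructed policy,
# not HIPAA text; field names are assumptions for this example.
from collections import defaultdict

HHS_THRESHOLD = 500  # breaches affecting more than 500 people go to HHS

# Hypothetical identifying fields beyond the name.
IDENTITY_THEFT_FIELDS = {"ssn", "dob", "insurance_id", "address"}

def is_significant_risk(fields):
    """Hypothetical rule: significant risk if the record carries a Social
    Security number, or a name plus at least two other identifying fields.
    A record listing only a name (as 2,777 did in the article) is not."""
    present = set(fields)
    if "ssn" in present:
        return True
    return "name" in present and len(present & IDENTITY_THEFT_FIELDS) >= 2

def triage(records, threshold=HHS_THRESHOLD):
    """records: iterable of (practice, patient_id, fields_present).
    Returns (at_risk_count_per_practice, practices_requiring_hhs_report).
    Patients are de-duplicated per practice so repeat rows don't inflate
    the count, which is the wrong way to cross the threshold."""
    at_risk = defaultdict(set)
    for practice, patient_id, fields in records:
        if is_significant_risk(fields):
            at_risk[practice].add(patient_id)
    counts = {p: len(ids) for p, ids in at_risk.items()}
    report = sorted(p for p, n in counts.items() if n > threshold)
    return counts, report

def sample_records():
    """Constructed sample: practice A has 600 full records (crosses the
    threshold), practice B has 200 full records plus 300 name-only records
    (does not), practice C has a single SSN-only record."""
    rows = []
    for i in range(600):
        rows.append(("A", f"A{i}", ["name", "ssn", "dob", "insurance_id"]))
    for i in range(200):
        rows.append(("B", f"B{i}", ["name", "dob", "address"]))
    for i in range(300):
        rows.append(("B", f"B-name-{i}", ["name"]))
    rows.append(("C", "C0", ["ssn"]))
    rows.append(("A", "A0", ["name", "ssn"]))  # duplicate row for patient A0
    return rows

if __name__ == "__main__":
    counts, report = triage(sample_records())
    print(counts, "report to HHS:", report)  # {'A': 600, 'B': 200, 'C': 1} report to HHS: ['A']
```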
His office got to work notifying the affected patients of the data
breach. They offered free credit monitoring, though less than 10 percent
took them up on the option, spending a total of $6,000.
In the aftermath, Mr. Tripathi says his company destroyed all patient
data on mobile devices and temporarily prohibited employees from removing
patient data from clients' offices.
The company now mandates that all data be encrypted, and employees are
required to tell health providers what data they will need to access and
how they plan to use it.
He never found the stolen laptop, and the incident, all told, cost his
nonprofit $288,000.
In many ways, Massachusetts eHealth Collaborative got off easy.
In October, a desktop computer containing unencrypted records on more
than four million patients was stolen from Sutter Health, a nonprofit
health system based in Sacramento. A rock was thrown through a window to
gain access to the computer. The theft is now the subject of two
class-action suits, each of which seeks $1,000 for each patient record
breached.
"Breaches are going to be one of the big challenges as more physicians
and hospitals adopt electronic health records," Mr. Tripathi says. "We're
entering a brave new world."
<http://www.nytimes.com/2011/12/19/technology/as-patient-records-are-digitized-data-breaches-are-on-the-rise.html?nl=todaysheadlines&emc=tha26>
--
Cheers,
Stephen