Saturday, January 14, 2012

2011 Closes on a Note of Electronic Medical Record Privacy Breach Shame

At my Oct. 2011 post "Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure" and others in this query link on medical record privacy, I wrote:

"Don't worry, your medical data's safe."

Joseph Conn of apparently disagrees (with my sarcasm, that is) and states the obvious outright. I post his story with few comments and several emphases which are mine:

Year closes on a note of breach shame
Modern Healthcare
Dec. 2012

Three-eighty. Three-eighty. Do I hear four hundred?

With 2011 winding down, there are now 380 major data breaches involving 500 or more patients' records listed on the "wall of shame" website kept by HHS' Office for Civil Rights.

So far, from the first wall postings in September 2009 through the latest on Dec. 8 this year, there have been 18,059,831 "individuals affected," and even that massive number is an undercount of the breach problem.

First, the civil rights office hasn't yet released the records of tens of thousands of breaches it has received under a federal reporting mandate on breaches affecting fewer than 500 patients per incident. I've been asking for electronic copies of those records since June. I hope to hear soon on an appeal of a decision last fall by HHS, claiming that the civil rights office can hide those reports while it "investigates" an estimated 30,000 or more breaches they describe.

Second, even the OCR's posted numbers are low.

A Nov. 4 public notice on a breach reported by the UCLA Health System states that "some personal information on 16,288 patients" was stolen, but the wall of shame lists the "individuals affected" in the UCLA incident as 2,761.

UCLA spokeswoman Dale Tate said in an e-mail that the nearly six-times-larger number in its notice "represents the number of individuals who had some information on the hard drive," while the 2,761 figure sent to the OCR "represents the number of people that met the specific criteria" under the federal breach notification rule.

Under the federal rule, Tate says, "the information for these individuals could possibly cause more than a minimal amount of financial, reputational or other harm." Information on the rest of the individuals, Tate said, did not meet the criteria.

Not to get too harpy, but this breach stuff is long past being ridiculous.

The lawyers are already all over it, and maybe that's what it will take for the industry to finally start addressing the problem. Brian Kabateck, a California lawyer, thinks so.

In the past three months, his Los Angeles law firm has filed a pair class-action breach suits against two of the most highly regarded healthcare systems in the state, University of California, Los Angeles and Stanford, as well as one of the latter's business associates, Multi-Specialty Collection Services.

"I think this is a short blip on the radar," Kabateck said. As the settlement costs pile up, he said, "I think big institutions are going to learnfive years from now, these lawsuits are going to be obsolete."

Class-action lawsuits are needed as much for health IT risk and safety issues causing near-misses, injuries and death as for security breaches, I note.

I think five years is highly overoptimistic as well on the breach issue, considering the degree of "institutional learning" that's occurred on how to do health IT "right" over the past ~ three decades, and considering that the breaches that are increasing, not decreasing, in intensity and severity across all industry sectors. That includes industry sectors far better equipped to manage IT security than hospitals.

Right now, though, Kabateck says, "This is not to the level of being an epidemic, but it's close."

I think it is epidemic.

Rather than being a miracle that will revolutionize medicine, health IT is like any other information and communication technology (ICT): it has unintended consequences (UC's) that can dilute or even negate its advantages. The issue of damaged medical record privacy, confidentiality and security is but one UC of health IT.

-- SS


Steve Lucas said...

I have always found that when the phrase:

“people that met the specific criteria"

is used this is code that someone is gaming the system.

Here and in the previous post we have a large disparity in the number of people put at risk and the cost factors involved.

Sadly, as long as people are paid we will not see a change in the corporate response to these issues. I have been criticized for being overly harsh in wanting felony convictions for the corporate executives involved in these scams. My reality is the only way to change this behavior is for some executives to loose the ability to hold a high paying position in the future.

Steve Lucas

Anonymous said...

One at a time on a daily basis, I receive mewdical records that are sent or faxed in error, from labs, medical offices, and hospitals. The errors are all HIT generated though human error will always be blamed. The increased incidence in these violations patients' civil rights is directly proportional to the square of HIT penetrance.

It is also consistent with the confusiopn created in the users by instruments of care that have no surveillance for defects and human factors.

Afraid said...

You've missed it entirely Scot, HIPAA is efficiently used to protect the hospital.

Just like every other regulation and law, HIPAA has been twisted. It provides a way to stop true reporting of results if the results contradict the PR positioning.

Protect the patient? They obviously don't care about that.

Joe@EMRSoftware said...

Privacy concerns will always be an issue and HIPPA is certainly the most preventative method to protect privacy.

Live IT or live with IT said...

Best to spell the acronym right if you place such reliance upon it.

water testing equipment said...

The primary electronic media sources familiar to the community are better known as video sessions, audio tracks, multi-media demonstrations, fall demonstrations, CD-ROM and online content.