Friday, September 14, 2012

A Good Reason to Refuse Use of Today's EHR's in Your Health Care, and Demand Paper

I've written before that health IT, including the technology and the social infrastructure in which it resides, is not ready for widespread diffusion.  Its widespread dissemination (on largely economic grounds) at this point in its development is premature, and is destructive.

So much, in fact, that I am considering demanding that any physician I see or hospital I visit use paper records, not any EHR they have available.

Think that extreme?  In the real world as it exists today, perhaps the notion that one should freely spill one's deepest confidences into an insecure EHR system is the extreme view.

The reason (aside from the risk today's clinical information technology presents):  yet another addition to my series of posts on health IT privacy breaches at this query link, this time from ABC News:

Your Medical Records May Not Be Private: ABC News Investigation


Sept. 13, 2012

Psychiatric Therapy Notes Get Shared Within One Health Care System; and Other Info Spreads on a Black Market

You walk into the doctor's office. They lead you to a private room and shut the door. The nurse enters, writes on a chart (or maybe an iPad) and shuts the door. A doctor enters and shuts the door.

It all screams of privacy -- privacy you expect.

But what if you were to find out those medical records containing your private history, family history and medication history weren't so private after all?

Considering electronic breaches in other sectors, and the fact that hospitals' core competencies do not include computing or computer security, why would anyone expect privacy?

Julie, a lawyer from Boston, discovered that her sensitive health information was available to anyone who worked at the hospital.  (See video of Julie at this link).

For an attorney who might be involved in nasty litigation, that is not a career-enhancing prospect.

"My expectation was that my records were going to be private, especially my therapy records," Julie said. "And if another doctor wanted to see my records, they'd ask me and then I'd give my authorization for them to view my records if they needed to see them."

In an ideal world not pervaded by inappropriate leadership of health IT and incompetence, perhaps.

Julie, who requested her last name not be used, was diagnosed with in her late teens and began seeing a psychiatrist in 2002 after speaking with her primary care physician.

She, like millions of Americans, thought her conversations with her psychiatrist were confidential.

"I thought I had protection under HIPAA (the Health Insurance Portability and Accountability Act) for my psychotherapy notes to be private and I thought only my psychiatrist could see those," the 42-year-old said, adding that she noticed over the years her physician started entering them electronically.

A law is only as good as the technology and the people behind it, and the technology and the people may not be so good:

According to the HHS Health Information Privacy Tool, there were at least 78 breaches so far this year affecting 500 or more individuals, many affecting thousands, some tens of thousands.

Known to those in the health IT world as the "Wall of Shame," the HHS site lists more than 21 million individuals who have been victims to date.

The Privacy Rights Clearinghouse found more than 130 breaches so far in 2012 -- breaches affecting any number of individuals.

Try that with paper: how many 18-wheel trucks would it take to haul 21 million charts?

What she didn't realize was that her physician's notes could be accessed by doctors and other health-care providers who worked in the same health-care system (6,000 doctors and nine affiliated hospitals) -- information she learned after going to see an on-call physician for a stomach issue and realizing he knew about intimate relationship information only disclosed to her psychiatrist.

Concerned, she requested a copy of her medical records from the health care system.

Within those records she saw every note, every meeting, every conversation she had with her psychiatrist.

"It was pretty traumatic because I felt that, you know, this man read without -- against my wishes -- without my consent," Julie said. "He read private information that I disclosed to a therapist that I didn't even tell my best friends about."

There are supposed to be multiple levels of access security in EHR's, but those have to 1) work properly out of the box, 2) be implemented properly, and 3) be enforced.  That's three very large assumptions...
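What "multiple levels of access security" would look like if they were actually enforced, as an added illustration that is not code from the post or from any vendor's EHR: a clinical note carries a sensitivity label, a reader needs both a clinical role and a current treatment relationship, and a psychotherapy note additionally needs the authoring clinician, a patient-granted consent, or an explicit break-glass with a recorded reason. Every decision, allowed or denied, lands in an audit trail. The `unrestricted` switch models the "we do not restrict access to clinical information from any department or physician" stance the hospital in the article took. User names, roles and the consent/relationship tables are constructed assumptions.

```python
"""Need-to-know authorization for clinical notes (added example; the
Policy, Note, user names and roles are illustrative assumptions, not a
real EHR's API)."""
from dataclasses import dataclass, field

ROUTINE, PSYCHOTHERAPY = "routine", "psychotherapy"   # sensitivity labels
CLINICAL_ROLES = {"physician", "nurse", "psychiatrist"}


@dataclass
class Note:
    patient: str
    author: str
    sensitivity: str


@dataclass
class Policy:
    # True reproduces "every clinician can see every note"; False is least privilege.
    unrestricted: bool = False
    # patient -> users the patient has authorized to read psychotherapy notes
    consents: dict = field(default_factory=dict)
    # user -> patients with whom the user has an active treatment relationship
    relationships: dict = field(default_factory=dict)
    # (user, patient, sensitivity, decision, reason) per access attempt
    audit: list = field(default_factory=list)

    def can_read(self, user, role, note, break_glass_reason=None):
        decision, why = self._decide(user, role, note, break_glass_reason)
        self.audit.append((user, note.patient, note.sensitivity, decision, why))
        return decision

    def _decide(self, user, role, note, reason):
        if role not in CLINICAL_ROLES:
            return False, "non-clinical role"
        if self.unrestricted:
            return True, "policy: unrestricted"
        treating = note.patient in self.relationships.get(user, set())
        if not treating and not reason:
            return False, "no treatment relationship"
        if note.sensitivity != PSYCHOTHERAPY:
            return True, "treating clinician" if treating else f"break-glass: {reason}"
        # Psychotherapy notes: a treatment relationship alone is not enough.
        if user == note.author:
            return True, "author"
        if user in self.consents.get(note.patient, set()):
            return True, "patient consent"
        if reason:
            return True, f"break-glass: {reason}"
        return False, "psychotherapy note: no consent"


def demo():
    """The article's scenario with constructed data: an on-call physician
    treating a stomach complaint tries to read the psychiatrist's note."""
    psych_note = Note(patient="julie", author="dr_psych", sensitivity=PSYCHOTHERAPY)
    gi_note = Note(patient="julie", author="dr_oncall", sensitivity=ROUTINE)
    p = Policy(relationships={"dr_oncall": {"julie"}, "dr_psych": {"julie"}})
    return {
        "oncall_sees_psych_note": p.can_read("dr_oncall", "physician", psych_note),
        "oncall_sees_routine_note": p.can_read("dr_oncall", "physician", gi_note),
        "author_sees_own_note": p.can_read("dr_psych", "psychiatrist", psych_note),
        "break_glass_allowed": p.can_read("dr_oncall", "physician", psych_note,
                                          break_glass_reason="unresponsive; med reconciliation"),
        "billing_clerk_denied": p.can_read("clerk1", "billing", psych_note),
        "unrestricted_policy": Policy(unrestricted=True).can_read(
            "dr_oncall", "physician", psych_note),
        "audit_entries": len(p.audit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the break-glass path is not that it blocks the on-call physician, but that it forces a reason onto the audit record, which is what the later insider cases on this page turn on: access that was technically permitted but never justified or reviewed.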

And while most hospitals have rules about who may access medical records, compliance for the most part is not strictly regulated.


In fact, an ABC News investigation found that often medical information is so unprotected, millions of records can be bought online. Because so many people have access, the entire system is vulnerable to theft, experts told ABC News.

These are, on their face, reasons to refuse entry of your data in EMR systems.

To see exactly how easy it was to find medical records online, ABC News enlisted the help of IT specialist Greg Porter, a consultant with Allegheny Digital.

"This isn't very sophisticated," Porter said. "If you can use a Web browser and you can search, you can begin to try and obtain some of this information."

With two clicks of a mouse, Porter found somebody willing to sell a data dump of diabetic patients with information including their names, birth dates and who their insurance provider was, among other details. Another seller offered 100,000 records of customers who purchased health insurance in the last three to 12 months.

"Typically, what we find are things like first name, last name, address, medical condition, whether they were a smoker, diabetic patient, perhaps even as intensive as, or invasive as whether they are HIV-positive or not," Porter said. "Some of the most intimate information about all of us potentially could be revealed if appropriate safeguards aren't put in place.

Putting appropriate "safeguards" into place hurts healthcare organizations' bottom lines.

Security professionals are seeing an increase in theft via the "insider threat," Porter said.

"It's a depressed global economy," Porter added. Thieves might approach medical staff and offer upward of $500 per week for providing 20 to 25 insurance claim forms, medical records or health financing records, Porter said. Those documents fall under HIPAA security rules and are considered protected health information.

Could never happen, right?

In June, a hospital medical technician at Howard University pleaded guilty to selling patient information, including names, birth dates and Medicare numbers, for $500 to $800 per transaction for more than a year.

In August, a hospital employee at Florida Hospital Celebration was arrested for accessing more than 700,000 patient records in two years.

According to the FBI, Dale Munroe accessed car accident victims' data and sold it to someone who passed it on to chiropractors and attorneys.

And this week, the University of Miami Health System said that two workers had "inappropriately" accessed patient data and "may have sold the information to a third party."

On the black market, "health information is far more valuable than Social Security numbers," said Dr. Deborah Peel, founder and chairwoman of Patient Privacy Rights.

I stand corrected.
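The insider cases above (a technician selling records for over a year; an employee reading 700,000 patient records in two years) are exactly what a routine review of EHR access-audit logs is supposed to surface. As an added example, not from the post, ABC News or any hospital's monitoring: two simple rules run over constructed audit lines. One flags a user who touched far more distinct patients in a day than their peers; the other flags a user most of whose accessed patients never had an encounter with them. The log format, the roster of encounters and the user names are assumptions made for the illustration.

```python
"""Two insider-threat rules over EHR access-audit logs (added example;
log format, roster and thresholds are illustrative assumptions)."""
import re
from collections import defaultdict
from statistics import median

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=view")


def _lines(user, patients, day="2012-08-15"):
    """Build constructed audit lines for one user on one day."""
    return [f"{day}T{8 + i // 10:02d}:{(i * 7) % 60:02d}:00 user={user} patient={p} action=view"
            for i, p in enumerate(patients)]


# Constructed data: which patients each user actually has an encounter with.
ROSTER = {
    "nurse_a": {f"P{n:03d}" for n in range(1, 7)},
    "dr_b": {f"P{n:03d}" for n in range(7, 13)},
    "tech_d": {"P101", "P102", "P103"},
}

# Constructed sample log: two clinicians doing normal work, one technician
# walking through 45 ER records, only 3 of which are his own patients.
SAMPLE_LOG = "\n".join(
    _lines("nurse_a", sorted(ROSTER["nurse_a"]))
    + _lines("dr_b", sorted(ROSTER["dr_b"]))
    + _lines("nurse_a", ["P003", "P004"])                      # re-reads, same patients
    + _lines("tech_d", [f"P{n:03d}" for n in range(101, 146)])  # 45 distinct patients
)


def detect(log_text, roster, abs_floor=20, peer_mult=4.0, stranger_frac=0.5):
    """Return {user: [reasons]} for user-days that trip either rule.

    Rule 1 (volume): distinct patients in a day exceeds both an absolute
    floor and peer_mult times the median over all user-days.
    Rule 2 (no encounter): more than stranger_frac of the patients accessed
    have no encounter with that user on the roster.
    """
    seen = defaultdict(set)  # (user, day) -> distinct patients viewed
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skipped here, would be counted in a real pipeline
        seen[(m["user"], m["ts"][:10])].add(m["patient"])

    counts = {key: len(pats) for key, pats in seen.items()}
    peer = median(counts.values()) if counts else 0
    alerts = defaultdict(list)
    for (user, day), patients in seen.items():
        n = len(patients)
        if n > max(abs_floor, peer_mult * peer):
            alerts[user].append(f"{day}: {n} distinct patients vs peer median {peer:g}")
        strangers = patients - roster.get(user, set())
        if n and len(strangers) / n > stranger_frac:
            alerts[user].append(f"{day}: {len(strangers)}/{n} patients with no encounter")
    return dict(alerts)


if __name__ == "__main__":
    for user, reasons in detect(SAMPLE_LOG, ROSTER).items():
        print(user, *reasons, sep="\n  ")
```

Neither rule needs anything the EHR does not already record; the Munroe-style case fails because nobody ran them. The peer-relative threshold matters: an ER registration clerk legitimately sees many patients a day, so a fixed count alone would drown the reviewer in false positives, while the no-encounter rule still separates "registered them" from "browsed them".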

ABC News' searches found one seller offering database dumps for $14 to $25 per person. After a quick email inquiry into the sale of records, ABC News was sent, unsolicited, 40 individuals' private health information, including their names, addresses and body mass index.

Another inquiry yielded an offer of more than 100 records that, if purchased, would have included everything from Social Security numbers to whether someone suffered from anxiety or hypertension, or even their HIV status.

ABC News contacted patients from one of the lists to see if they knew their information was being sold over the Internet and if they had consented.

One victim named Rafael said he had not "recalled" giving anyone permission to sell his information.

"I'm appalled, I'm disgusted and I'm very much concerned," Rafael said. "Who's giving out my personal information like that? I thought there were security and safeguards for these things. I thought … your medical records are confidential."

So, in addition to the risks to good care posed by today's EHRs, now one has to be concerned about risks to one's privacy, damage to one's career, and to one's financial health as well.

... [Privacy advocate Dr. Deborah] Peel believes ways to fix the privacy vulnerabilities are available. "Technologies exist today to allow you to selectively share parts of your record that are relevant on a need-to-know basis with your other physicians and no one else, but we don't have those technologies in wide use," she said.

Not in the short term, unfortunately.

For Julie, privacy is a battle she continues to fight.

"I asked … please restrict the records and of course they said 'No,'" she said.

Great.  How reassuring.

"Let me also assure you that our physicians and other staff access information on a strictly 'need to know' basis and as such, we do not restrict access to clinical information from any department or physician," the hospital told her. "I take your concerns very seriously and understand your need for privacy with your psychiatric records. Sometimes it can be a challenge to balance access to records for patient care purposes with the need for privacy."

Bullsh*t, I say, having led EMR implementations at large hospitals where these exact issues were considered.

Since discovering her records were available to the whole health system, Julie has stopped seeking care out of concerns for her privacy.

That, of course, destroys the whole purpose of electronic records to "improve access" to "accurate medical information."

... In sharing her story, Julie wanted to come forward for those who couldn't.

"The difference in this situation is I actually chose to come here and I actually chose what I'm gonna say and what I'm not gonna say; but when my medical information is available to everybody, I don't have that decision," she said. "Somebody else is making that decision for me and that really makes me feel violated. So that's why I'm here: Because I think it's a really big problem and I wanted to do something about it. "

The people who in essence are "making that decision for me" are technologists, or technology hyper-enthusiasts, who ignore technology's downsides and ethical considerations.  I defined that defective character type at this post.

The systemic technological and attitudinal problems (further) exposed by this ABC investigation cannot reasonably be expected to be fixed, and probably cannot be fixed, in a short time frame.

Thus, I suggest patients who do not desire to be guinea pigs on health information security, privacy and confidentiality consider refusing use of EHR's to record and diffuse their confidential medical information. A person should not be coerced to risk their privacy and financial security while the health IT industry "gets its act together."

On a pragmatic basis alone in 2012, the risk-to-benefit ratio may simply be too high.  For instance, what are the odds that you'll be found unconscious and without contact information in some distant land, vs. privacy breach or ID theft from an EHR?

Further, there is no legal requirement that electronic records be used for rendering of medical care.  There is also no legal requirement that live patients consent to be used as test subjects for hospitals and software companies in refining their IT systems ("beta testing") to make them secure.

If a physician or hospital refuses to honor the request, and/or refuses to provide care, litigation should be pursued.

-- SS


Anonymous said...


Now that we're all into "patient-centered care," this seems like a completely reasonable request.

Keep pushing this: it's the only way to slow down this madness.

InformaticsMD said...

Anonymous September 14, 2012 12:03:00 PM EDT writes:

It's the only way to slow down this madness.

It's not madness to the profiteers.

-- SS

Anonymous said...

Can you imagine telling the university medical center emergency room, upon registration (if you are able to), that you forbid them from putting any of your information in a computer? I wonder if they will turn you away, and if so, what could you do about it?

InformaticsMD said...

Anonymous September 14, 2012 7:23:00 PM EDT wrote:

Can you imagine telling the university medical center emergency room, upon registration (if you are able to), that you forbid them from putting any of your information in a computer? I wonder if they will turn you away, and if so, what could you do about it?

They could conceivably try to turn such patients away, and get themselves embroiled in huge liabilities, since there is no law that states an EHR must be used by clinicians or hospitals.

-- SS