Last December, someone smashed the window of a car belonging to an employee of Providence Health System in Oregon and stole
computer backup tapes and disks containing records of 365,000 home health patients.
In an age when organized crime traffics in pilfered Social Security numbers, incidents like this put a chill on the growing
movement to computerize patient data. The same technology that can save lives and money can also create opportunities for
privacy violations on a massive scale. After all, it's hard to imagine identity thieves finding 365,000 paper charts in somebody's
car.
Jumbo breaches in computer security also plague the rest of society, but when the wrong eyes are looking at your medical history
as well as your Social Security number, there's even more cause for angst. And healthcare IT has had plenty of scary mishaps
besides the one in Oregon over the last 12 months:
- Wilcox Memorial Hospital in Lihue, HI, lost a thumb-sized data drive with information on 130,000 former and current patients.
- Backup tapes containing information on 57,000 enrollees of Blue Cross Blue Shield of Arizona were stolen in a burglary of
a managed care company that worked for the insurer.
- A hacker broke into a server and nabbed 42,000 patient records at the health center of Colorado University in Boulder.
- Kaiser Foundation Health Plan was fined $200,000 by the state of California for posting information on approximately 150
patients—without their permission—on a public website.
No one knows the extent to which all this footloose data translated into typical identity theft, but such security failures
are still troubling, especially since they also support the growing criminal specialty of medical identity theft—using someone else's insurance information to receive care.
"The medical community is leaping into this technology without doing its homework," says Pam Dixon, executive director of
the nonprofit World Privacy Forum in Cardiff by the Sea, CA. "We can't guarantee 100 percent privacy, but we better do this
thing right."
And maintaining the privacy of electronic patient data isn't just a challenge for doctors and hospitals. An article in Consumer Reports noted that HIPAA allows providers to share data with healthcare-related businesses, which could misuse this confidential
information, or let it slip into the wrong hands.
Although surveys show most Americans believe that EHRs will improve medical care, they also worry about showing up in the
next stolen laptop. According to a Harris Interactive survey, while 48 percent said the expected benefits of EHRs outweigh
the privacy risks, 47 percent said the opposite.
These are sobering numbers for the healthcare industry as well as for the Bush administration, which envisions a national
health information network, or NHIN, that connects doctors, hospitals, and patients. For all the fear of identity theft, though,
a society that loves ATM machines and online shopping isn't likely to return to paper records.
So the challenge will be to reduce privacy risks to an acceptable level. Penalties like the one levied against Kaiser will
pressure healthcare organizations to clean up their data act. So will lawsuits filed by identity theft victims and recent
state legislation that mandates more safeguards for consumer information. Two proposed federal bills are also under consideration.
Healthcare IT safeguards are a work in progress
An hysterical attitude toward the vulnerabilities of electronic patient data doesn't help matters, though. After all, dramatic
privacy lapses also occur in the paper world. In April 2005, for example, thousands of Cleveland Clinic hospital bills blew
through downtown Cleveland after they fell out of a delivery truck.