The security and privacy arguments about healthcare IT

Over on ZDnet HealthCare, Dana Blankenhorn disagrees with the position of PatientPrivacyRights.org. I, too, disagree with PPR on some issues, but I also disagree with Dana’s proposed “solution” because it does not even begin to address the concerns I have.

For the record, I am a mental health professional. Deborah Peel of PPR is a psychiatrist (not a psychologist as Dana indicates). She and I both are highly sensitized to the importance of confidentiality and security of patient records precisely because we are both in the field of mental health and know that people will neither seek nor obtain treatment if they run the risk of job loss, insurance loss, or social stigma due to a mental health problem.

Speaking of PPR, Dana writes:

They just want informed consent for every release of records.

This sounds fine until you’re faced with your first HIPAA form. You can’t get service without signing the form. So what good is the form?

That’s not true. You certainly can get care. And signing the form does not indicate consent. It merely indicates that you’ve been informed about HIPAA, which does not require your informed consent for sharing your records. In that respect, I think the older system was better. If I wanted to share records with anyone concerning a patient, I sought and obtained a specific release/consent to do so. Despite HIPAA, I continue to do so and tell my patients why.

Far more important than releasing the information is assuring that it’s not misused. But PPA even opposes the use of anonymous data, like Google’s work tracking the flu.

Sadly, Dana seems to be accepting Google’s assertion that the data are anonymous. As I pointed out here, we really do not know that.

[…]

As Peel wrote to The New York Times this week, the bogeyman is the misuse of data in order to limit access to “jobs, credit and opportunities in life.”

And on that point, I disagree with PPR. The bogeyman is that what should be confidential patient information is being shared too broadly and not being adequately secured. Could it be misused to limit jobs, credit, and opportunities in life? Sure. But even if it wasn’t, who among us wants to see our personal health or mental health records smeared all over the internet for the world to read?

Isn’t the real enemy, then, health insurance underwriting, which pushes employers to get around privacy in order to limit risks and costs? Then look at PPA’s board and who do you find — a former Blue Cross lobbyist, Charles E. “Ed” Baxter!

If health coverage is guaranteed, and patient health is not an issue in making employment decisions, then the incentive to get private data on patients is greatly reduced.

Maybe it is, but that wouldn’t stop disgruntled employees or extortionists from threatening to expose deeply personal health records all over the web for the world to see.

Then, too, companies that might want to market to patients would also still have an incentive to collect and use patient data. I wonder if Dana has ever gotten a call from a total stranger saying, “Hi, I know that you have (insert one of your medical conditions here). I want to tell you about….” How many of us feel totally violated by that type of call or communication?

This does get right back into the question of health IT. Because, as Express Scripts has proven, there is no such thing as “ironclad security.”

What an odd statement. It seems to assume that Express Scripts had excellent security and despite everything, experienced a breach. We don’t know the facts about Express Scripts or the reported breach. Was it a disgruntled employee who downloaded the data before leaving? Did an employee accidentally leak the data by having a P2P application on a computer? Was there an attack that might have been prevented by timely patching and updating? Maybe Express Scripts did have good security, I don’t know. I do know that they used social security numbers in their records, which makes absolutely no sense to me in this day and age.

Deal with the underwriting issue and the value of most thefts like that at Express Scripts drops to near zero.

Not at all. Many companies would still pay the extortion demands rather than to publicly admit that they’ve had a breach — as other sources have pointed out for the banking industry.

And as long as such records contain social security numbers that could be used for ID theft purposes, there will continue to be value to them.

Sure, there will be blackmailers, and lawsuits, and incentives for individual people to go after your personal “secrets,” like the fact you were a psychological patient of, say, Dr. Deborah Peel.

But law enforcement can deal with that threat.

No, law enforcement generally cannot deal with that threat in a way that prevents the exposure of millions of medical records. Dealing with something after the cybercrime has occurred does not prevent the exposure of health records.

Security people can deal with most hackers seeking single records.

And where is the evidence to support that? How many hacks go totally undetected or are not discovered until months or even years later?

It can’t deal with the more systemic threat of employers or insurers seeking risk reduction by denying coverage or claims.

Actually, they seem to do a better job with that, as recent fines against some health insurers suggest. That said, I still think that universal health coverage is the way to go as long as we recognize that universal coverage does not deal with the issue that health records are to be kept confidential and secured and electronic records pose a risk of much greater exposure than paper records.

Thus are the problems of health care reform and health IT reform linked tightly together, by politics.

It’s not politics for me. It’s the privacy and confidentiality of health records, which you cannot protect without adequate security and without adequate informed consent.

About the author: Dissent

Comments are closed.