EHRs: “Legitimate” Privacy Violation
As dialogue surrounding the upcoming mandatory adoption of Electronic Medical Records continues, many health care providers, along with their patients, continue to voice concerns that a system based entirely on electronic records may put patients at a significantly higher risk for having their confidential data stolen or illegally accessed.
While many programmers and physicians alike are searching for ways in to protect data from hacking and other types of malware, it seems that one of the most vulnerable entry points for sensitive data is in fact by way of individuals who have legitimate access to records, or those with access to sensitive information such as a patient’s birth date and social security number.
Recently the FTC has called out a number of health data brokers for their lack of transparency and underhanded dealings in obtaining personal information of patients. These patients are unaware of the data collection process that companies are using to make money.
This problem presents a number of challenges to the physicians concerned with maintaining their patients’ privacy and, while there may be no way of fully eliminating instances of nefarious medical professionals, there may certainly be some ways in which cases of internal violations of HIPAA laws may be lowered.
The Many Access Points to Sensitive Information
While the share-ability of electronic systems certainly offer a number of benefits when it comes to patient safety, this is precisely the aspect of them that poses a potentially greater threat to patient data. What once started as an easy way to obtain one’s medical records, has turned into a number of entities who may now have access to EMRs.
Remote Cloud Storage
Because of the high costs associated with physical storage, many practices are using cloud storage to manage their data, which can certainly be costly. This means that the task of storing important data is placed in the hands of a third party business, who is often based remotely, and may even be based in another country.
A 2012 study showed that as many as 41% of all practices at the time used cloud-based storage, and that number seems to be rising as cloud storage becomes increasingly cost efficient.
There are a number of ways in which physicians choosing a company with which to contract their storage may be able to lower their risk for having information compromised.
One key step is insisting on a contract at the beginning of service, which allows practices to review a number of important points, including:
- Where exactly data is stored, and, if it is stored in another country, what the local laws are surrounding data storage and privacy
- With what frequency back-ups are preformed and where said back-ups are stored
- Exact descriptions of the ways in which doctors may access data and whether there will ever be periods of time during which data is inaccessible
- A detailed breakdown of the ways in which security is assured
- A full understanding of HIPPA Compliant levels and methods of security
- Proper data encryption to avoid a breach
Once a contract has been drawn, it is prudent for all practices to enlist the opinion of an attorney who is very familiar with data storage and data storage privacy laws. Taking these steps may help drastically lower instances of fraudulent or dishonest activity.
Easily Traced User Records
There may be little that can be done to change the fact that human error and intentional dishonesty is unavoidable in small amounts. To this end, the best way to minimize the amount of illegal or abusive use of information is to make certain that all users in any given recording system are given user identification numbers that are unique and can effectively be watermarked on any document that is used by any given user.
This means that all changes made and all documents viewed by a user should be recorded and stored in a permanent log that may be easily accessed in case of a question regarding an employee’s use of records. It is also good practice for regular audits to be done on user activity across the system. Any irregular activity should be investigated immediately.
Certain Conditions Present a Higher Risk For Security Breaches
There are a number of patients who may be at risk for having their private data accessed because of the nature of the condition for which they are being treated. Patients with conditions like HIV/AIDS or those undergoing procedures like abortions may be subject to privacy violations because of the level of controversy surrounding these respective issues.
Individuals seeking treatment or procedures that are particularly controversial should be afforded additional security measures. Mental health records receive a higher level of confidentiality due to the sensitive nature of the contents.
Therefore, EHR systems should make available extra protection for the information that each mental health patient’s record might include. This is to avoid the release of their personal information to companies who might take advantage of a patient.
These measures may including using an alias on all records or assigning account numbers to patients to help maintain their anonymity. This may also apply to patients who are publicly recognizable and are thus at a much higher risk for breaches to security due to gossip or even financial gain in the form of selling private information to news sources or other public forums.
Controversial Government Seizures
It is certainly possible for security breaches or alleged security breaches to be committed by even the entities and put to task with enforcing security and privacy. Government agencies may be just as likely as others with access to abuse their access to private records.
Recently, a class action lawsuit was filed against the IRS when the agency was found to have accessed private and sensitive medical records as part of a tax fraud investigation, despite the fact that they did not have a valid search warrant.
Many legal and civil liberties experts agree that this case represents an important opportunity to set forth presidents that maintain patient privacy in an era where many of their records are stored in one easily accessible place.
The case brought forth an interesting legal question, as to whether it is indeed within an agency like the IRS’s rights to access to a large number of medical records to be “filtered through,” in the process of searching for information that may be accessible under the terms of a search warrant.
It seems likely that as similar legal questions are posed, the medical community may be in a position where it must defend the privacy and security of the patients who have been entrusted in their care.