
Healthcare workers don't like to talk about this. Our Electronic Health Record System is not very secure. Most of us don't think about it much. Who wants to know about our personal health record? We all get sick. Many healthcare workers are diligent and don't break the rules. This isn't about them. The health record security system banks on people not really trying to pry into them, but if we really face up to it, we know our medical records aren't all that private.

How do you balance medical error prevention with privacy? What happens when the patient is a celebrity? What happens when the patient's condition is newsworthy? The sad truth is for the patient with the one off situation, they have less privacy; reporters demand their readers/viewers have a right to know. If you are a professional athlete or CEO of a large company, you have no medical privacy. If you are a corporate or political inconvenience, your medical records are a great way to start a whisper campaign that can lead to public embarrassment, loss of credibility, loss of promotions, fewer raises and possible job loss (even if that "public" is confined to the 30 people within your department and the management team).

The main reason our health records aren't very private is because most of us like to judge our friends, family and celebrity health habits. We like to be concern trolls for each other. "Oh, you have PTSD? Tell me, what happens when you wig out?" (That's a pretty ignorant question I heard asked a PTSD patient. Many PTSD patients are unidentifiable to the casual observer. They don't, by definition, "wig out".) Look at Chris Christie, how many people feel totally entitled to look over his shoulder when he steps on the scale? Why do people think it's appropriate to ask the obese or anorexics about their medical condition?

Is it any wonder we like to keep our health issues private?

Health care privacy vs. quality of care has hard edges. If you go to doctors within a specific hospital system, it's nice that the doctor you see today knows you are up to date on your immunizations, screenings, recent imaging studies and the drugs you take for chronic conditions. If you are the average anonymous person, this sharing doesn't bother you. The benefits of this sharing are profound. It keeps medical expenditures lower. It improves quality of care. It more readily identifies contraindications. It prevents medical errors. It's also open for every member physician and their staff within the same system to peruse your files. It can be disconcerting if you aren't prepared for it.

What can go wrong? Lots. Our healthcare records won't be secure until we render serious consequences for breaches and it isn't the NSA you should be primarily worried about. To understand that, you need to stroll down Wonky Lane, but I get it if you read wonkiness as blah, blah, blah. So, I placed headings and summary lines along the trail to let you skip through the sections (skim reading) until you see "Practical Matters" in a heading. You can't skim anecdotes and you can always go back and read the whole thing if you need more background.


Medical Information Laws

We have a montage of laws that are supposed to protect us while expanding the role of EHR (Electronic Health Records). The laws are strong, but many medical workers don't take the possible consequences of violating confidentiality very seriously and many physicians will dress down a worker who casually violates confidentiality, but won't go further than that. Most troubling of all is that all of these privacy rules have exemptions for law enforcement warrants, subpoenas and court orders whenever they convince a judge the records are relevant to their investigation (a very loose standard).

HIPAA

HIPAA gave us an alphabet soup of regulations. Every doctor and health provider you see must give you an NPP (Notice of Privacy Practices) every 3 years of how your information will be used and shared under TPO (Treatment, Payment & Operations). The NPP discloses if and how your records will be shared, what the purpose is for sharing (like TPO, medical research, patient satisfaction surveys) and your opt out choices. A lot of times, if you choose to "opt out", the doctor will choose to not see you. It also says when your records will be shared without your consent for criminality, communicable disease or court orders. Note: the NSA can get everything under "court orders". Why they'd want it is anyone's guess, but medical record data is quite scoopable.

The "Administrative Simplification" (101 pg pdf) aspect of HIPAA has far more impact than the privacy rule. It specifies a standardized electronic format for how health records can be shared between providers, facilities, insurers, pharmacies and more. HHS now uses what I call the "X" files for the standardized format for sharing health records. x835, x837 (pdf), x273 might be meaningless to you, but mean a lot to health care administrators.

HIPAA also mandated HHS embark upon a rigorous anti-fraud program called the Health Care Fraud and Abuse Control Program (pdf). It's sort of a redundancy of a lot of anti-fraud statutes. Together with the Recovery Act, it eventually led to the RAC program.

HITECH

HIPAA wasn't enough. Privacy breaches were all over the place. Medicare and Medicaid fraud is $60-$80 billion a year. Medical fraud is a serious problem bleeding our economic resources dry. HITECH closed loopholes, established higher penalties for non-compliance and required self-reporting of breaches. It also added incentives and penalties for EHR. It cemented in place concepts like HL7 and created the environment for this awful organization called C-CHIT to thrive. (That's pronounced Cee Cee Hit, not the way it reads.) HITECH added greater specificity to the file formats used to communicate insurance claims, operative reports, special reports, patient notes, certificates of medical necessity, insurance payments, prescriptions, insurance eligibility, referrals to specialists. All of it.

Having this data in standardized formats makes for better and easier data mining to combat fraud. It's easier to ID over utilization patterns, which makes it easier for the FBI to investigate and the OIG to negotiate recovery of funds. The claim database already exists. It's queried daily. The results of these queries form the basis of RAC and fraud investigations that are shared with the FBI. There are some restrictions on access to the encryption methods for medical data transmission, but certifying your software under HITECH is based upon complying with the data formats. You can't comply if you don't know how to do it. Finding out how to do it isn't difficult.

ACA

HIPAA and HITECH combined weren't enough. ACA further strengthened the push toward Electronic Health Records. The ACA specified software certification, further cementing the stranglehold of C-CHIT. The healthcare exchanges are internet based and the privacy testing is running behind schedule. We will have these exchanges online by October 1st, 2013 and that's a good thing, but the security of this system, as of today, is questionable.

ACA also has an anti-fraud component. It focuses on Medicare and calls for, you got it, regular surveillance of Medicare Claims. It asks Medicare recipients to be aware of fraud, but a consumer report simply gives the FBI probable cause to sift through data that's already collected.

The bottom line is that our health record system largely uses a single set of data formats. There's a web page to help you navigate the acronym stew. All medical software system developers must use these formats to communicate with Medicare MACs and Medicaid FIs (Medicare Administrative Contractors, Fiscal Intermediary). Doctors, hospitals, nursing homes and pharmacies use it to communicate to insurers and, these days, a lot of it happens in the cloud. Typically, a hospital has a physician office complex surrounding it and shares their system with those who have privileges. The system itself may be rock solid and secure, but the transmissions from that system can be highly hackable, interceptable and breachable.

Yep, all you need is a switch to copy and divert medical data and no one would be the wiser. What's more, the contents of those data packets are in a standardized format (encrypted with a known encryption key) for easy indexing and placement into a database. Medical record data could be headed for Utah and who would know? Why it would happen would be explained away as an anti-fraud effort which is increasingly tied to organized crime which is then loosely tied to (you guessed it) terrorism. All you need is paranoia, connect the dots and a new program for data collection and surveillance is born.

Many physicians maintain their own systems, but they still electronically submit claims (that may have an operative report or specific treatment details attached to it), check insurance eligibility, request treatment referrals, request imaging and lab tests and receive claim status reports and remittance information via the web. Despite encryption, those transmissions are all in a standardized format that is easily decrypted.

Physical, Administrative & Technological Safeguards - Trust, but Verify

We have to have locked doors, card key access points, automatic logouts, regular password changes, and protocols that require anything with PHI (Protected Health Information) be locked away, face down on our desks or within folders. We have laws for data retention and protocols for data purges and logs to verify compliance. We have compliance plans. We regularly meet and train employees to adhere to them. IT software can detect when an employee pulls up a patient name in error and notes how long before the operator detects the error and pulls up the correct record. A few seconds is a mistake, more than that and you can fire the employee for inappropriate access. As computer, scanner and photocopier equipment goes out of date, hard drives, backups, thumb drives associated with the equipment need to be destroyed. Erasure and degaussing aren't enough. Protocols for logging and confirming hardware maintenance are essential. Proof of data destruction is essential.
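The wrong-chart check described above, sketched as an added example (not code from the original diary or from any EHR product): it derives how long each chart stayed open from the audit log, then sorts accesses to unassigned patients into quick mistakes and ones needing review. The log format, the assignment list and the 10-second window are assumptions made for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy value: the text only says "a few seconds is a mistake".
MISCLICK_WINDOW = timedelta(seconds=10)

# Constructed sample audit log: timestamp, user, action, patient id.
SAMPLE_LOG = """\
2013-08-26T09:00:00 nurse_a OPEN P100
2013-08-26T09:04:30 nurse_a CLOSE P100
2013-08-26T09:05:00 nurse_a OPEN P200
2013-08-26T09:05:04 nurse_a OPEN P201
2013-08-26T09:12:00 nurse_a CLOSE P201
2013-08-26T10:00:00 clerk_b OPEN P300
2013-08-26T10:06:40 clerk_b CLOSE P300
2013-08-26T11:00:00 clerk_b OPEN P100
"""

# Constructed assignment list: patients each user has a work reason to see.
ASSIGNMENTS = {"nurse_a": {"P100", "P201"}, "clerk_b": set()}


@dataclass
class Access:
    user: str
    patient: str
    opened: datetime
    dwell: Optional[timedelta]  # None when the log never shows the chart being left


def parse_log(text):
    """Parse the whitespace-separated log into time-ordered event tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, patient = line.split()
            events.append((datetime.fromisoformat(ts), user, action, patient))
    return sorted(events)


def chart_accesses(events):
    """Pair each OPEN with the event that ends it for the same user.

    A chart is left when the user closes it or opens a different chart.
    """
    open_chart = {}  # user -> (patient, opened_at)
    accesses = []
    for ts, user, action, patient in events:
        current = open_chart.get(user)
        if current and (action == "OPEN" or current[0] == patient):
            accesses.append(Access(user, current[0], current[1], ts - current[1]))
            del open_chart[user]
        if action == "OPEN":
            open_chart[user] = (patient, ts)
    # Charts still open at the end of the log have no measurable dwell time.
    for user, (patient, opened) in open_chart.items():
        accesses.append(Access(user, patient, opened, None))
    return accesses


def classify(access, assignments, window=MISCLICK_WINDOW):
    """Return 'assigned', 'probable_misclick' or 'review' for one access."""
    if access.patient in assignments.get(access.user, set()):
        return "assigned"
    if access.dwell is None:
        return "review"  # cannot show it was corrected within the window
    return "probable_misclick" if access.dwell <= window else "review"


def triage(log_text, assignments):
    """Classify every chart access found in the log."""
    return [(a.user, a.patient, classify(a, assignments))
            for a in chart_accesses(parse_log(log_text))]


def repeat_misclickers(results, limit=3):
    """Users whose 'mistakes' recur: many short looks also deserve review."""
    counts = Counter(u for u, _, verdict in results if verdict == "probable_misclick")
    return {user for user, n in counts.items() if n >= limit}


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, ASSIGNMENTS):
        print(row)
```
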

Training, background checks and confidentiality agreements can only do so much. The confidentiality of our medical records rests in the hands of the personal honor and integrity of the doctor, technician, medical assistant, nurse, medical biller, coder and health care administrator who comes in contact with the data. Someone with access can siphon off a file with names, addresses, birth dates and SSNs and sell them for $25 a pop.

We insist our employees don't talk about our patients. Even if both the wife and mistress of a well known professional athlete are both sitting in the waiting room. We don't talk about it when we get home, on Facebook or at a restaurant with friends. It comes down to making sure employees can't access what they have no business accessing and not talking about what they know - even if it will get you a free lunch.

Despite the exposure, there is a relatively low number of incidents that involve more than 500 records at a time, considering our country has over 317 million people. That would seem small except those breaches, when sold, pay out $25 per name on the health data black market. Each record likely has name, address, birth date and Social Security Number - a veritable identity theft Yahtzee. It may be a "small" number, but it yields big bucks if the breach was done for criminal reasons.

Not all health care breaches are for financial gain. Many breaches are mistakes done with individual records for run of the mill screw ups. Those employees you can retain and retrain. The employees you have to fire are the ones who repeat mistakes or make huge mistakes and your liability insurer insists on termination.

The worst and most frequent breaches are personal. There are disclosures done for gossip or done to impress friends that they had contact with someone "important". Facebook is no place for healthcare workers to vent. Some breaches are done for monetary gain from reporters or private investigators. Sometimes it's a combination of money and personal revenge, not business.

Every healthcare worker is trained to protect patient privacy. Slip ups happen. Gossip happens. Revenge happens. Avarice happens.

The Practical Matters of Data Breaches

Chances are you don't think about how secure your health records are. You won't care until you are confronted by an uncomfortable situation where someone knows too much about you. You don't care until you open a $5,000 bill for a credit card account you never opened. You don't care until your boss takes you into their office and they ask you if your health condition is going to cause a problem or worse they fire you because they think your health problem interferes with your work. Maybe you find out after the fact, you didn't get a promotion because of your wrongly disclosed health problem. The reason health records are private is so they don't get in the way of your life.

The General Privacy Screw Up

A lot of times it isn't malicious. It's just dumb. It's sending an insurance claim form to the wrong insurance company or sending a statement to the wrong Maria Gonzalez or Jennifer Jones. It's leaving a too clear of a message on the home answering machine or not realizing you're talking to the mother instead of your patient, the daughter about her medical condition. It's faxing to the wrong number, forgetting to have the hard drive pulled from the photocopier before it's replaced. It's getting written assurance from your IT company they will destroy the old hard drive only to have it end up recycled. Sometimes a breach can occur when a chart left open on the desk is read. It's when the new employee thinks they put confidential paper in the shredder box, but it turned out to be recycling paper box instead.

Newsers

Ireland - 1st "Legal" Abortion Case

Although newsworthy, this case is none of our business. It was erroneously reported that it was done under Ireland's new abortion law. It's one thing when you speak about a case months or years later where you don't identify the facility or physicians involved. The parents lost their babies. The descriptive detail the news outlets reported made sure this couple is easily identified within their community. Typically hopeful parents tell friends and family that they lost the baby. They don't share the details. The newspaper jumped the gun in that they reported this abortion was sanctioned under the new law, but it hasn't been implemented yet. The newspaper makes it too easy for a prosecutor to subject this woman and her doctors to an invasive and possibly humiliating investigation. They identify 1. The pregnancy was for relatively rare twins. 2. The Facility. 3. The physicians in on the decision making. 4. The probable diagnosis. 5. A relatively short date range. This family needs to heal; instead, they are exposed to any anti-choice whackadoodle who will use this information to find them and harass them. But, hey, the public "has the right to know". I don't know if Ireland has a HIPAA equivalent, but they should.

Rape Cases

A few years back a woman was attacked and raped in a local school's parking lot. The news reporters got nothing from the school and nothing from the hospital. All they had from the police was that she was attacked, but they could figure out the hospital as there were only two in the area. The hospital was overwhelmed. A few employees failed to realize there were eavesdroppers around and reporters got the whole scoop on the extent of her injuries. She made the local news for a whole week. The news coverage withheld her name, but said what her job function was at the school. The news reports told of her attack, rape and some detail of her injuries. The woman encountered managerial barriers when she wanted to go back to work. She was transferred to another school (which she didn't want) because "everyone" knew what had happened to her and were uncomfortable around her. She had problems at her new school because they knew what happened to her. She did nothing wrong. She wasn't even ill. She was just walking to her car and was raped by an asshole. All she wanted to do was return to her normal life. She got reassignment instead.

Gossip

The most common breaches occur when health workers gossip about a patient. It's bad enough in the break room, but at least there, you can enforce some rules. The difference between gossip and an object lesson is anonymity. From the wife and mistress comment I made earlier you can't identify the patients. I didn't say who the athlete was, where or when it happened, the women's ages or the medical specialty. Gossip by its very nature calls for prurient details to make the story salacious. You might be chatting while waiting in line for your latte, and think you're speaking in code. You might think a description like "woman about 35 years old, pretty, foul mouthed, lives out in Weston, was here on Tuesday morning just before lunch and drives a Volvo, had to run off to take her kids to the ice rink for practice" is nondescript, but the person in front of you figures out you are talking about her daughter's BFF's mother.

A friend of mine was at a restaurant with a bunch of doctors. A colleague of theirs had recently committed suicide. One of the doctors had him for a patient and totally violated the deceased's privacy in order to give the other doctors insight as to why the man killed himself. It made my friend squirm. Later, she ran into the deceased's daughter in the restaurant's ladies' room. She was highly embarrassed when she realized the daughter was sitting only a few feet away from her table and was nearby during that non-compliant gossip session.

Worker's Compensation

The most common breach of privacy in Worker's Compensation cases occurs when an inexperienced worker clues in the employer that their worker has a chronic condition like HIV+, Parkinson's, diabetes or Bi-Polar Disorder. The drugs these patients take can complicate treatment for on-the-job injuries. The Worker's Compensation practice that only sees W/C cases won't make this mistake. It's the new hospital administrative assistant that blows it. The employer is only entitled to know how the worker's injury will impact their job performance: the amount of time they will miss, what physical limitations the worker has and how long those limitations will prevail. They are not entitled to diagnosis information for concurrent conditions like HIV+, anxiety or whatever.

Vulnerability

Prior to June of this year, my only concerns about patient privacy centered around wondering if my implemented compliance plan was enough. If I focus on compliance, I can secure our medical records and keep them safe from casual curiosity, personal vendetta and identity theft exploits. That is the main concern - non governmental breaches of privacy. I cannot protect medical records from a cavalier, federal agency. What proof do I have that this information is being diverted to the NSA? None, but two months ago; I would have said it was ridiculous to think that my telephone metadata was collected and stored by the NSA. I would have said collecting vast amounts of text messages and email was ridiculous, to what end? Is the NSA collecting wholesale medical records? I don't know, but the idea makes me squeamish. Every time I see a picture of that facility in Utah, I wonder what's going to be stored there. I know that our Medicare and Medicaid claim data is regularly sifted for fraud patterns and that is not only protected by law, but is required by law to be done. That's not necessarily a bad thing, it's not a stretch to think there's a medical record data base out there. What's to stop these programs from going deeper into the EHR data? What is the potential for misuse by federal agencies that have no duty to protect the patient's confidentiality? None.

If I see a story in the NYT, WaPo, Der Spiegel or The Guardian that says the NSA is spying on our medical claims, no one should be surprised. It's not a revelation. It's predictable.

UPDATE: Thank you Rescue Rangers. I thought I was going to slide off the recent diaries today.

Originally posted to JDWolverton on Mon Aug 26, 2013 at 09:08 AM PDT.

Also republished by Community Spotlight.


  •  Sorry, I did it again. It's not a conspiracy (14+ / 0-)

    It's a lack of respect for giving people the privacy they deserve when it comes to their health records.

    If a nation expects to be ignorant and free, in a state of civilization, it expects what never has and never will be. Thomas Jefferson

    by JDWolverton on Mon Aug 26, 2013 at 09:14:40 AM PDT

  •  YOUR health care records (18+ / 0-)

    I am a healthcare worker with access to people's medical records and I do use them as a triage nurse.  Let me assure you that I am not in the least interested in reading folk's records beyond the data I need to treat them.  If you come in unconscious I am going to look at your record for pertinent info ie diabetes, ETOH abuse history or any other condition that may have caused you to arrive at an ER.  Reading people's EHR for fun IS a violation and can be monitored by a facility.  Not to mention just boring........after 12 hours of dealing with people in crisis, I am surely NOT interested in reading EHR records for fun!

  •  Try maintaining confidentiality (8+ / 0-)

    when you work in a clinic with a lot of low income patients who are taken to and from appointments by people who are not related to them, and in some cases barely know the person. Try maintaining confidentiality when you work in a mental health clinic where parents insist on conducting all the medical business of their adult children even though they are not legal guardians, and refuse to sign POA or ROI paperwork. I know most health care professionals do their best to maintain confidentiality, but some HIPAA practices just don't fit reality.

    I'm no philosopher, I am no poet, I'm just trying to help you out - Gomez (from the song Hamoa Beach)

    by jhecht on Mon Aug 26, 2013 at 11:19:42 AM PDT

  •  This doesn't feel... (11+ / 0-)

    like anything that happens at the dr's office

    Like - they have to bellow your first name in the waiting room, and then call you that, even when you tell them that you would prefer to be called "Ms. So and So" or by your nickname.

    Or, why the receptionist fights with you about the date you were initially diagnosed - because she hasn't finished reading your chart - and she "confides" to the NP your story, as she sees it.  Loud enough for the patients seated around the desk to hear.

    But, then, maybe they didn't include that page in the HIPAA disclosure pages I signed

    •  You're describing a typical doctor's office (10+ / 0-)

      that ignores privacy and it's rampant. You can complain about it to the Office of Civil Rights who is in charge of enforcing HIPAA. Your best recourse is to tell the doctor how you feel when they get in the examining room with you. You have a valid concern.

      If a nation expects to be ignorant and free, in a state of civilization, it expects what never has and never will be. Thomas Jefferson

      by JDWolverton on Mon Aug 26, 2013 at 11:37:28 AM PDT

      [ Parent ]

      •  Calling a name in waiting room is compliant. (2+ / 0-)
        Recommended by:
        JDWolverton, SteelerGrrl

        There is an exemption for privacy in that public area where people can see who one another are because they're sitting across from one another.

        "Jersey_Boy" was taken.

        by New Jersey Boy on Mon Aug 26, 2013 at 06:27:49 PM PDT

        [ Parent ]

        •  Name is fine. Calling by name to pay $25 isn't (0+ / 0-)

          Or calling out a question if they still have Humana insurance and all sorts of things I've cringed when I've heard them.

          As to names, that's a little bit of a gray area. It's ok for unknown people, but call out Justin Timberlake, or in this town Frederica Wilson and I bet you, people will look. A local hospital near me went to using restaurant style beepers to ensure privacy.

          If a nation expects to be ignorant and free, in a state of civilization, it expects what never has and never will be. Thomas Jefferson

          by JDWolverton on Mon Aug 26, 2013 at 06:38:51 PM PDT

          [ Parent ]

          •  No one in the waiting room would recognize (1+ / 0-)
            Recommended by:
            SteelerGrrl

            a celebrity until their name is called?

            Waiting room rules are different. It's also okay to have people sign in on a sheet of paper with other people's names on it. It's the same thing.

            "Jersey_Boy" was taken.

            by New Jersey Boy on Mon Aug 26, 2013 at 07:15:04 PM PDT

            [ Parent ]

            •  That's been my experience. (2+ / 0-)
              Recommended by:
              splashy, SteelerGrrl

              I've been in South Florida a long time and usually celebs go through a back door after hours in a doctor's office and come to the ED by ambulance and bypass all the people up front.

              Sometimes, there are local people who locals know, but they aren't known nationally and they might not use an ambulance. I used national names to give you a point of reference.  Also, people without makeup and body shapers, wearing sunglasses and a baseball cap look totally different than they do on stage or in film. BTW, I stood behind Miami Marlin's Jeff Conine in a grocery store for 20 minutes without knowing who he was in the 1990's and I went to Marlin games once a week at the time. I clued in when the bag boy talked to him about baseball. It happens.

              I usually write more simply at dkos so people who don't work in medical businesses understand the wonkiness. I suggest you go to the federal sites, Health Affairs.com, NEJM or any of the Fierce healthcare sites to get the nitty gritty I'm not writing here. I get it you are a critical thinker and like to pick things apart - that's what dkos is all about. I wrote this diary because I've been discussing data security with my co-workers and it's bothering us and I wrote what I know.

              If a nation expects to be ignorant and free, in a state of civilization, it expects what never has and never will be. Thomas Jefferson

              by JDWolverton on Mon Aug 26, 2013 at 07:40:55 PM PDT

              [ Parent ]

              •  That's fine, but accommodating a celebrity (5+ / 0-)

                is not the same as being compliant with HIPAA, which is what we were discussing.

                I'm not just a critical thinker who likes to pick things apart, I'm a physician who knows what HIPAA compliance rules are in the waiting room.

                I'm clarifying the HIPAA rules so people don't read this diary and think their privacy, or worse yet - the law - is being violated when their name is called at a doctor's office. It's not.

                Posting correct information is another thing dkos is about. Most of the readers here are concerned about their regular old privacy - not how Justin Timberlake gets in to and out of his yearly check up. (Which I'm sure in his case is a house call.)

                "Jersey_Boy" was taken.

                by New Jersey Boy on Mon Aug 26, 2013 at 08:02:35 PM PDT

                [ Parent ]

  •  All of this is very real. (11+ / 0-)

    As a retired RN, I know that it is so easy to break confidentiality regarding a patient -- even before any of the hi tech stuff. And I don't mean to diminish what JDWolverton has written, because that just exposes how much worse it is now than when I left my last job.

    I had an acquaintance who worked in Medical Records who spied on many people (and their spouses) that she knew.

    Furthermore -- where I worked -- voices carried down long hallways and into patient rooms. Sometimes legitimate conversations between co-workers are accidentally overheard.

    The laws are in place because "from abuse comes restrictions".  And yet no law will stop this. No law can stop this unfortunately. Electronic digital technology just opens it all up for more abuse.

    •  Not to mention (5+ / 0-)

      the little curtain dividers in the ER, the press calling for information and the aide or secretary being helpful, the people in the waiting rooms, etc.

      As a lowly nobody, I am not crazy about this but also understand human nature. What I mind is the mailing and the other communications from companies selling drugs that target my specific condition. But of course, that is probably done in a legal way.

      "I want to live in a world where George Zimmerman offered Trayvon Martin a ride home to get him out of the rain that night." Greg Martin, Bishop of the Episcopal Diocese of Central Florida

      by CorinaR on Mon Aug 26, 2013 at 01:04:47 PM PDT

      [ Parent ]

  •  Important issue. (9+ / 0-)

    I'm one of the few who has been concerned about this for decades. I worked in IT back then and a short stint at an Insurance company gave me shudders even that long ago.

    Fast forward to today: my current provider posts my lab results on the internet for me to view.  No discussion, only electronic communication.  You can bet that information about anyone who has a serious problem indicated by lab tests and/or medication will arrive at their multiple 'business partners' (that now included banks).

    Thanks for bringing this important subject up.

    Be the change you want to see in the world. -Gandhi

    by DRo on Mon Aug 26, 2013 at 11:41:10 AM PDT

  •  A good Electronic Health Records system (8+ / 0-)

    should lead to an increase in privacy over paper records.

    Suppose I go to a clinic with paper records. If someone picks up my chart and reads it, there's no record that they've done so. Maybe it wasn't even on purpose - they thought they had the chart for someone else (I've had that happen in reverse - the nurse grabbed my dad's chart instead of mine). Maybe they just slip it open long enough to take a quick photo of the contents.

    With a good EHR, you can limit access. The receptionist/schegistrar can see what s/he needs to do the job - name, phone number, insurance info - but can't see any of your medical information. A medical professional who tries to open your chart without being assigned to you triggers a warning screen checking if they have the right patient (and an email to security if they continue).  Access leaves a record. Security can see who accessed what, but can't actually see the medical information. All of this makes it easier for people to do their jobs (less extra information in the way) and harder to violate privacy undetected (except by the people who have the right to look at your information anyway).
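The access model described in the comment above, sketched as an added example (not the commenter's code and not any vendor's implementation). The role names, field names and the sample chart are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: the only fields front-desk staff need to do their job.
DEMOGRAPHIC_FIELDS = frozenset({"name", "phone", "insurance"})


class WrongPatientWarning(Exception):
    """Shown instead of the chart until the user confirms the patient."""


@dataclass
class Chart:
    patient_id: str
    data: dict                                    # demographic + clinical
    care_team: set = field(default_factory=set)   # assigned user ids


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user: str
    role: str
    patient_id: str
    outcome: str      # granted | warned | override | denied
    fields: tuple     # field NAMES that were shown, never their values


class EHR:
    def __init__(self, charts):
        self.charts = {c.patient_id: c for c in charts}
        self.audit = []             # every attempt, successful or not
        self.security_alerts = []   # stands in for the email to security

    def _log(self, user, role, patient_id, outcome, fields=()):
        event = AuditEvent(datetime.now(timezone.utc).isoformat(),
                           user, role, patient_id, outcome,
                           tuple(sorted(fields)))
        self.audit.append(event)
        return event

    def open_chart(self, user, role, patient_id, confirmed=False):
        chart = self.charts[patient_id]
        if role == "registrar":
            visible, outcome = DEMOGRAPHIC_FIELDS, "granted"
        elif role == "clinician" and user in chart.care_team:
            visible, outcome = set(chart.data), "granted"
        elif role == "clinician" and not confirmed:
            # Not assigned: stop, log the attempt, ask "right patient?"
            self._log(user, role, patient_id, "warned")
            raise WrongPatientWarning(f"{user} is not assigned to {patient_id}")
        elif role == "clinician":
            # User continued past the warning: allow, but flag for review.
            visible, outcome = set(chart.data), "override"
        else:
            self._log(user, role, patient_id, "denied")
            raise PermissionError(f"role {role!r} may not open charts")
        view = {k: v for k, v in chart.data.items() if k in visible}
        event = self._log(user, role, patient_id, outcome, view)
        if outcome == "override":
            self.security_alerts.append(event)
        return view

    def security_report(self):
        """What security sees: who, which chart, outcome, field names."""
        return [(e.user, e.role, e.patient_id, e.outcome, e.fields)
                for e in self.audit]


def sample_ehr():
    # Constructed sample record, not real patient data.
    chart = Chart("P-1001",
                  {"name": "Pat Example", "phone": "555-0100",
                   "insurance": "PlanA-0001", "diagnosis": "asthma",
                   "medications": "albuterol"},
                  care_team={"nurse_ann"})
    return EHR([chart])


if __name__ == "__main__":
    ehr = sample_ehr()
    print(ehr.open_chart("reg_bob", "registrar", "P-1001"))
    try:
        ehr.open_chart("dr_zed", "clinician", "P-1001")
    except WrongPatientWarning as warning:
        print("warning:", warning)
    ehr.open_chart("dr_zed", "clinician", "P-1001", confirmed=True)
    for row in ehr.security_report():
        print(row)
```

The audit trail records the refused and warned attempts as well as the granted ones, so a review can see a user who backed out at the warning screen.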

  •  And sometimes it's not even true (15+ / 0-)

    I was in a minor accident (minor in the sense I was able to get to ER under my own steam) earlier this year. I had been to that hospital previously so of course I was in the system. When the intake person pulled up my screen I saw to my surprise I had a history of "psychiatric illness", which I've never had. The next day I called the hospital's medical records department, said I had noticed an inaccuracy and asked how I could correct it. When they sent my records I noticed not only did they list "psychiatric illness", they also claimed a history of rubella, which I've never had.

    After many moons and multiple forms filled out and several letters and phone calls, they told me they could not delete the information because it was sent them, without my knowledge or consent, by a second facility and only that facility could correct the record. I contacted, in writing, the second facility who ignored me. I sent a follow up letter which they ignored. I am now working with a state agency in hopes of getting the invented information - and I do mean invented, as in made up out of thin air - out of my records, at which time I will have the tedious task of discovering and contacting everyone to whom the made up information was sent to get it out of their records - which they may or may not do.

    •  At least you saw it (5+ / 0-)

      If it was on a paper chart rather than on a screen, you'd probably still be in the dark. But there's no excuse for the medical facility to refuse to correct inaccuracies in the record. I had one in mine once and my doctor took it right off.

    •  You might consider (11+ / 0-)

      talking to an attorney familiar with HIPAA.

      True story: a few years ago, I treated a patient who'd been in a car accident. Between the field and the hospital, her blood sample was apparently mixed up with another victim, and she was labeled as having tested positive for cocaine.

      The next day, the trauma MD tried to interrogate her about her "drug abuse." She was outraged and insisted that she'd never touched drugs, and the tests should be repeated. They were, and there was nothing in her system the hospital hadn't put there.

      She later developed coronary artery disease, and had to have annual cardiac stress tests. Even though she exercised daily with no symptoms, she got a hard time from every single cardiologist she saw when she requested an exercise (rather than chemical) stress test. Charts were still mostly paper then, but that one word "cocaine" haunted her.

      A medical error can cost you for years down the road. I'd lawyer up. Sorry this is happening to you :(

       I can think of no more stirring symbol of man's humanity to man than a fire engine.     -- Kurt Vonnegut

      by SteelerGrrl on Mon Aug 26, 2013 at 01:32:46 PM PDT

      [ Parent ]

    •  note (0+ / 0-)

      It depends upon the state, but generally if they do not want to correct the information they are required to allow you to add a note to the file in which you could say the information is wrong.

      don't drone me, bro

      by BradMajors on Mon Aug 26, 2013 at 06:44:36 PM PDT

      [ Parent ]

    •  thank you for bringing up errors!! (1+ / 0-)
      Recommended by:
      JDWolverton

      It took me three times to get the local hospital to change my record to send the stuff from my specialist to the actual doctor who is my GP and not to the one they had listed and said they would correct each of those three times. Now granted they were having electrical problems the first two times (and it's kinda scary to watch ALL the lights go out leaving not even any safety lights for about 5 minutes before they got it together and got the power back, considering I was there to discuss my pre-op procedure- were they going to lose power in the OR too?) and the third time it was 'only' computer problems...
      Now my doc is getting the results, but not before they were sent several times to the doctor I was trying to avoid.

      We are all pupils in the eyes of God.

      by nuclear winter solstice on Tue Aug 27, 2013 at 10:46:38 AM PDT

      [ Parent ]

  •  I would suggest records be encrypted (3+ / 0-)
    Recommended by:
    SteelerGrrl, JDWolverton, sillycarrot

    with one set secured by the provider's general code and another set based on a key using a subset of the patient's credit card number or cell phone serial number or other legally retrievable key such as the address where you first lived.

    There is a conflict regarding medical records - they must be open for state mandated access and closed to casual viewing.

    ER people can pull out your credit card or cell phone and get access to your medical history, but nosey people generally couldn't.

  •  The HL7 formats (2+ / 0-)
    Recommended by:
    JDWolverton, jfdunphy

    now have opened copyright access.

  •  A person is a walking medical record (1+ / 0-)
    Recommended by:
    SteelerGrrl

    The drugs you take are often in the skin that falls off you, the sweat you excrete, etc.

    Managers will check your pupils if you work with machinery or drive a public transport vehicle.

    Managers, like doctors, have eyes.

  •  Does every drop of piss (1+ / 0-)
    Recommended by:
    sillycarrot

    go to the recreational drug testing lab?

    [one drop to a special lab is all it takes]

    sample on $25 prepaid card 3750546 - don't hire

  •  Thank you (7+ / 0-)

    Thank you for writing this diary. All those "privacy" pamphlets might as well be written in Martian for the sense they made to me. Records technology is mystifying, but I think it important to have some idea of the damage that can be done. I feel I have a little better idea now of how it all works. If something inappropriate is done with someone's record, at least a starting point is necessary. I've just discovered my starting point will have to be with a specialist.

  •  Interesting and scary diary. (6+ / 0-)

    A few points.  One, someone needs to be an IT specialist, a security specialist, and a lawyer to understand all of this.  (I don't mean you didn't make it plain, I mean what the actual laws are and how to interpret them.)

    Our healthcare records won't be secure until we render serious consequences for breaches and it isn't the NSA you should be primarily worried about.
    I'm worried about both equally.   Especially because I don't know what kind of backdoor to medical records is available to the NSA.

    ---

    This is one of the biggest jokes of all:

    Every doctor and health provider you see must give you an NPP (Notice of Privacy Practices) every 3 years of how your information will be used and shared under TPO (Treatment, Payment & Operations).
    I have had to sign paper after paper for myself or my family which included the standard line, paraphrasing, "I have received a copy of the NPP and understand the content."

    No freakin' way.  I wouldn't sign it.  No medical office ever gave me a copy. When I returned to the front desk and they pointed out that I hadn't signed that line, I pointed out that they didn't give me a copy.  

    Some offices would scrounge around for the NPP and try to "show it to me."  I used to give them a hard time and tell them they want me to sign that I received my copy, so where is it.  Some offices would make a photocopy.

    Other offices have the NPP hanging on their wall, period.  That's it.

    I gave up and just signed the damn thing.  

    ----

    The employer is only entitled to know how the worker's injury will impact their job performance. The amount of time they will miss, what physical limitations the worker has and how long those limitations will prevail. They are not entitled to diagnosis information for concurrent conditions like HIV+, anxiety or whatever.
    IANAL, but I understand that each state's laws are different.  

    I can't speak to if the employer actually receives any and all medical information, but the Workers' Compensation insurance company certainly does.  They are entitled to subpoena all medical records for the injured employee, and they're not redacted.  i.e., if an employee claims they injured their back on a specific date and time at work and files a Comp claim, then testifies their back never hurt them before that day, but then previous medical records show the employee had complained of back pain to their doctor a month earlier, let's say, the insurance company is entitled to know that.

    And while the ins. co. is reviewing previous medical records, all medical history is there for them to see.

    -----

    As far as Medicare fraud is concerned, I would love to see an education campaign, so to speak, to teach Medicare recipients and their families what to look for in finding fraud and how to easily report it.

    For instance, a few years ago, an elderly relative of mine had surgery, needed a side walker while recuperating.  Some medical device company dropped it off at their home, and they got a copy of an exorbitant monthly bill for the "rental" of side walker.  It would have been cheaper to buy it, yet Medicare paid the high price of a rental.  In other words, the company kept "renting" the same piece of equipment over and over again for what I can only imagine was like a million times its worth.  

    Okay, maybe I'm exaggerating there about the million times, but it just made no sense.  What do you do about that?  

    ----

    And lastly, I have a grave concern about the security of medical records in small offices with two or three doctors.  How much can they afford to pay IT people to keep their system up to date?  Who does the patches?  Who looks after it all?  How much does that cost.  It's one thing to have full time employees in a university hospital setting working on IT, but small offices?  

    Small offices have such high overhead with not only their equipment, but having to hire several employees to deal with a million insurance companies' what's covered, what's not, referrals, all that needless bullshit.  Not to mention the doctors having to spend hours and hours on the phone trying to convince some lackey at an insurance company that Ms. Jones needs this or that test or procedure.

    I find it funny that for, I don't know, several decades that medical offices never found the need to take a photograph of the patient with either a Polaroid or film camera and get it developed, but now, oh, no.... WE MUST, WE MUST take a digital photo of you.  wtf for?  Because they can.

    And Social Security number?  wtf does the place that takes an x-ray of my foot need to have my SS number?  They have my picture (oh, forgot to mention a digital copy of my driver's license, wtf) and my healthcare ins. card.  

    Social Security numbers were designed for, what do they call it.... Social Security, not some temp help who's not bonded who is working as a receptionist in a doctor's office to be privy to.  

    The whole process of trying to actually get affordable and good healthcare and have privacy while doing so is so effed up and demoralizing.

    •  Well (2+ / 0-)
      Recommended by:
      JDWolverton, SoCalSal

      The small family practice probably is going to stick with paper records...but it's also going the way of the dinosaur. These days it's more likely that the small practice is affiliated with a hospital or large clinic that handles the IT and extends their EHR to the little guys.

      The point of taking your picture is to reduce errors. If two patients have the same name but there's a picture on the chart, it's easier to tell if they have the wrong chart.

      •  Small practices will be the last to adopt EHR (1+ / 0-)
        Recommended by:
        tardis10

        There are fines as of 2015 if they don't use some form of EHR and you're right they are most likely to take an extension off a hospital system (it's less expensive).

        I see EHR as great for efficiency. My job kind of requires me to promote EHR as a good thing, but like I wrote; if I face it honestly, the systems have vulnerabilities.

        If a nation expects to be ignorant and free, in a state of civilization, it expects what never has and never will be. Thomas Jefferson

        by JDWolverton on Mon Aug 26, 2013 at 04:39:29 PM PDT

        [ Parent ]

      •  If that's the case, then why haven't they been (1+ / 0-)
        Recommended by:
        churchylafemme

        doing that since the camera was invented?

        The point of taking your picture is to reduce errors.
        No, the point of taking someone's picture is to reduce fraud, make sure no two people are using the same insurance card.

        Which is ridiculous to begin with because if you're going to a small office for years, don't do hospital rounds, they don't need your damn picture.

        A radiology building, no errors there:  They don't need your damn picture.

      •  No, it really isn't. (2+ / 0-)

        The small family practice probably is going to stick with paper records...but it's also going the way of the dinosaur. These days it's more likely that the small practice is affiliated with a hospital or large clinic that handles the IT and extends their EHR to the little guys.

    •  Amazing... (1+ / 0-)
      Recommended by:
      JDWolverton

      That the health staff doesn't even realize what their NPP form says, let alone the NPP itself.

      We run into exactly the opposite problem where I'm at. Patients see so many different specialists sometimes that they get pretty tired of reading all those NPPs, especially since some specialist practices require a new one every calendar year. So nearly all patients waive and sign that they were offered the NPP, and the patient agrees to the policy, but that they declined the copy to which he or she is entitled.

      "Fast, Cheap, and Good... pick two." - director Jim Jarmusch

      by AnnCetera on Tue Aug 27, 2013 at 06:02:24 AM PDT

      [ Parent ]

  •  Compliance issues are VERY complex (7+ / 0-)

    and in how they relate to privacy issues, well, you're basically screwed. While that primarily applies to medicare and medicaid, private insurers tend to follow the CMS guidelines as well.

    I have to deal with this every single day at work because our company is under a compliance agreement with the federal government, and, well, it's pretty impractical to put a medical billing professional on every ambulance :)

    Anyhow, there is definitely a TON of "gossip" tossed around about our patients, but I will assert most of it is rather generic "I had a call where this happened" stuff between providers in a private setting. It is beneficial both in way of venting about a tough call, and to get feedback from other people, but it is definitely close to the line of privacy violations. Especially so when it comes to "frequent fliers" when basically everyone in the company knows the person by name.

    To tweet or not to tweet. I tweet therefore I am.

    by RadicalParrot on Mon Aug 26, 2013 at 01:37:32 PM PDT

  •  Valid concerns, all (4+ / 0-)

    From the perspective of an RN in a major urban hospital system, I can't imagine myself or any of my colleagues violating HIPAA or using the information we have access to for financial gain, let alone gossip fodder.

    In the unlikely event any temptation were to exist, it would be quashed by corporate culture and peer pressure. And if you know our IT guy, you know you WOULD get caught.

    I'm terrible at connecting names and faces, which is a HIPAA-friendly trait in an RN. I'm also not easily star struck, if I even recognize a VIP. They all look the same in a hospital gown on a heart monitor.

    Privacy breaches may be a problem in less regulated settings, but IMO anyone trying to profit from Private Health Information was a bad seed to begin with. Maybe they think it's easier than diverting drugs.

     I can think of no more stirring symbol of man's humanity to man than a fire engine.     -- Kurt Vonnegut

    by SteelerGrrl on Mon Aug 26, 2013 at 02:07:59 PM PDT

  •  Wow. Have a question though.. (3+ / 0-)

    Thanks for this! Wow. I worked in HC a long time ago as a Corpsman... was there @ the beginnings of HIPAA..

    I only ask because it seems pertinent to this author & thread?

    Question: I have some outstanding medical debt from an emergency visit(s). The hospital is trying to collect on the debt & am trying to pay. However, it went to collections. The collectors now have the bills of my care in the ER. With some stuff that I think shouldn't be on the bills that was passed to the collectors. Is this in violation of something?

    Our healthcare file should belong to us... It should be guarded by us & anytime someone wishes to view our file there should be a log & a request as such. The tech is there OTS to do this.

    •  Yes. They needed a Business Assoc. Agreement (4+ / 0-)

      signed before the purchase and all their employees are subject to the privacy rule. The collection agency is considered a covered entity under HIPAA. They have to adhere to the same privacy rule and have to have a compliance plan like any other provider.

      You should ask them. You can also go back to the hospital and try and work out a deal with them directly and have them "recapture" your account.

      If a nation expects to be ignorant and free, in a state of civilization, it expects what never has and never will be. Thomas Jefferson

      by JDWolverton on Mon Aug 26, 2013 at 02:57:16 PM PDT

      [ Parent ]

      •  Thank you so much for your reply! (3+ / 0-)

        Am doing! I tried talking to the hospital b4 but couldn't get through to the "chargemaster.."

        I cannot tip & recommend enough what you have done here...

        I am still reading! With important issues & diaries (there are so many others here @ dkos that I have now made my own mandible sling - not stroking either... just floored..) like this I read from the bottom up...

        Wow!

        ((XO))

  •  2 Points (3+ / 0-)
    Recommended by:
    SteelerGrrl, dotdash2u, JDWolverton

    HIPAA is a joke.  When you have concrete evidence, try to get it enforced.  My guess is that if the culprit is a large medical provider you may get some help.  If the culprit is a community hospital you will have to pay a five figure retainer and $500 per hour to one of the few lawyers that will pursue HIPAA (most will not).

    When I met with my lawyer about our case I told him that I have not provided anyone any medical information for the past year.  My identity information and my wife's were used to run up credit card debt.  I knew the medical record collector for the insurance company was in town and demanding my records.  I went to the local library that offers free fax service and sure enough the collector came in and spread out the medical records of about 10 people and then left for a 15 minute break (there was a line).  The medical cover sheet from my doctors contains SSNs, date of birth, address, phone numbers, etc.  More than enough to copy anyone's identity.  Her stack was placed right next to the free copy machines.  My lawyer picked up my medical records and was dumbfounded by the amount of identity information available.

    •  HIPAA didn't start levying fines until 2012 (3+ / 0-)
      Recommended by:
      jfdunphy, tardis10, SoCalSal

      The first one was a 3 doctor Arizona cardiology practice that showed patient names on their on-line calendar. That cost them $100,000. WellPoint got nailed for $1.7 million recently.

      HHS Office of Civil Rights has been slow to issue these fines. I think they are seeing it as a revenue source and are getting to it.

      If a nation expects to be ignorant and free, in a state of civilization, it expects what never has and never will be. Thomas Jefferson

      by JDWolverton on Mon Aug 26, 2013 at 04:33:56 PM PDT

      [ Parent ]

  •  Life is easier if one just accepts there is no (1+ / 0-)
    Recommended by:
    SoCalSal

    privacy.

  •  On the research side, your medical (2+ / 0-)
    Recommended by:
    JDWolverton, emeraldmaiden

    records can be de-personalized, so that, for example, researchers can access clinical histories for a particular disease, and study the effects of adverse reaction levels to various medications. If they find that there is a combination that gives an allergic reaction or sensitivity, for instance, and figure out a method to reduce or reverse the condition, there's no easy way to get back to the patient who really needs the info, other than hoping that broadcasting the findings, or publishing them in a professional journal, gets the word back to you. The Omaha system, for example, is a major research data base, which is a model for other areas. For those interested in how their medical data can be used in research, it's worth a look.
    On a personal note, one of my relatives died of a long, chronic disease, but one of the aspects that made that death easier to accept is that the patient did pretty well on an experimental pharmaceutical treatment, a form of steroid, and it helps knowing that their success with the treatment will eventually help many more with the same condition. Other people will benefit from their experience.  That's one of the hopes that research offers, and it's quite a powerful hope for the afflicted and their families.

  •  I searched the thread before posting... (2+ / 0-)
    Recommended by:
    Tinfoil Hat, AnnCetera

    I was looking for the word "browser." As in, "Web browser," where most EHR-keeping is conducted.

    There is a lot of pressure upon EHR providers to build recordkeeping applications that can be used without installing software. To do this, they standardize on Web applications, most of which are optimized for (or even require) Internet Explorer... not the latest version, because good old Windows XP can't handle that, but (if you're lucky) IE8.
    Internet Explorer is notoriously insecure, and Microsoft's response to criticism is "update to the latest version..." but that's impossible in an environment that requires a legacy browser for compatibility.
    Speaking of compatibility, these Windows machines with the outdated browsers are not dedicated to EHR only. They are used to do timesheets, print pay stubs, surf the Web, search for work-related and frivolous topics, play online games, update Facebook, watch videos, and all the other activities that happen on any Internet-connected computer.
    Many of the business-related pages are Java-centric, and require a fixed (and, by definition, outdated) Java virtual machine (VM) on the workstation. An outdated Java VM is the biggest security hole you can have on any computer, and the other Web surfing that naturally takes place exposes the browser and operating system to countless exploits that can infect the computer... and then steal information.

    Even if a computer doesn't catch anything that could be considered a "virus," lesser threats from this exposure can release PHI (private health information) to the Internet. Toolbars and other 'adware' deliver details of Web pages viewed to the companies that distribute them. Most of us have seen ads on computers that reflect what we're viewing online; adware makes this process much more invasive. Imagine a sleazy company like Conduit (look it up) skimming everything that appears in your Web browser, including your patient's name, DOB, SSN, and treatment history...

    Such releases, when they happen (and they do, every minute of every day), are unlikely to be reported to anyone. A support technician, faced with an infested browser, will simply clean it up. They are unlikely to spend any time trying to figure out how long it's been compromised, let alone what and whose information might have been released...

    Things are more like they are now than they've ever been before...

    by Tom Seaview on Mon Aug 26, 2013 at 05:50:53 PM PDT
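One way a defender could look for the condition described in the comment above (workstations that reach the EHR with a legacy browser or Java runtime and also browse the open Internet), as an added example that is not part of the original comment. The log format, host names, thresholds and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumptions for this sketch: host names and version thresholds.
EHR_HOST = "ehr.hospital.example"
INTERNAL_SUFFIX = ".hospital.example"
MIN_MSIE = 9   # the comment names IE8 as the legacy baseline
MIN_JAVA = 7   # constructed threshold; set it to your supported runtime

# Assumed proxy log layout: timestamp src_host dest_host "user-agent"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample lines, not taken from any real network.
SAMPLE_LOG = """\
2013-08-26T09:00:01 ws-101 ehr.hospital.example "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2013-08-26T09:02:10 ws-101 timesheets.hospital.example "Java/1.6.0_45"
2013-08-26T09:05:44 ws-101 games.example.net "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2013-08-26T09:06:00 ws-102 ehr.hospital.example "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
2013-08-26T09:07:30 ws-103 ehr.hospital.example "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0"
2013-08-26T09:08:12 ws-103 video.example.org "Mozilla/5.0 (Windows NT 6.1; rv:23.0) Gecko/20100101 Firefox/23.0"
2013-08-26T09:09:00 ws-104 social.example.com "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
truncated line without a user agent
"""


def legacy_reasons(user_agent):
    """Return the legacy-client markers found in one User-Agent string."""
    reasons = set()
    msie = re.search(r"MSIE (\d+)\.", user_agent)
    if msie and int(msie.group(1)) < MIN_MSIE:
        reasons.add(f"IE{msie.group(1)}")
    if re.search(r"Windows NT 5\.", user_agent):      # 5.1 is Windows XP
        reasons.add("Windows NT 5.x")
    java = re.search(r"\bJava/1\.(\d+)\.", user_agent)
    if java and int(java.group(1)) < MIN_JAVA:
        reasons.add(f"Java {java.group(1)}")
    return reasons


def find_mixed_use(log_text):
    """Workstations that are legacy AND touch the EHR AND browse externally."""
    seen = defaultdict(lambda: {"reasons": set(), "ehr": False,
                                "external": set()})
    for line in log_text.splitlines():
        match = LOG_RE.match(line.strip())
        if not match:
            continue                      # skip malformed lines
        _, src, dest, user_agent = match.groups()
        ws = seen[src]
        ws["reasons"] |= legacy_reasons(user_agent)
        if dest == EHR_HOST:
            ws["ehr"] = True
        elif not dest.endswith(INTERNAL_SUFFIX):
            ws["external"].add(dest)
    return {src: {"reasons": sorted(ws["reasons"]),
                  "external": sorted(ws["external"])}
            for src, ws in seen.items()
            if ws["ehr"] and ws["reasons"] and ws["external"]}


if __name__ == "__main__":
    for host, detail in find_mixed_use(SAMPLE_LOG).items():
        print(host, detail)
```

A legacy workstation that only ever reaches the EHR and intranet (ws-102 in the sample) is not reported; the finding is the combination, which is what the comment identifies as the exposure.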

    •  My husband's software is cloud based, but doesn't (2+ / 0-)
      Recommended by:
      Tom Seaview, AnnCetera

      use a browser. Mostly due to your concerns. It makes his healthcare software more secure, but every time he needs it to do a new internet trick it's a pain in his neck. I think he swore fluently for 3 weeks while he initially wrote it.

      The cloud is where most of the shenanigans happen.

      If a nation expects to be ignorant and free, in a state of civilization, it expects what never has and never will be. Thomas Jefferson

      by JDWolverton on Mon Aug 26, 2013 at 06:44:08 PM PDT

      [ Parent ]

  •  Interesting Diary. (2+ / 0-)
    Recommended by:
    Susan G in MN, Curt Matlock

    However, you're conflating two issues that have in common only the anxiety provoking idea that medical information can be leaked.

    The first is gov't impropriety with medical data and the second is personal impropriety with medical data.

    Neither is particularly new.

    Government access to medical information is built in to "Government Insurance." So that means: Medicare, Medicaid, and the Veteran's Administration. And how old are those systems?  It's like saying since the IRS knows your Social Security number, they COULD steal your identity and raid your bank account. (Well they could!)

    ACA and the concept of single payor government insurance requires that we trust the government. This borderline CT about data mining is really more appropriate for people who just don't trust the gov't and want to repeal "Obamacare" and just need a new reason.  So I'm not really interested in what might happen when the government gets access to health information. It's as old as the VA system.

    Describing the individual failure type of privacy violations that only very recently were made illegal in the form of HIPAA, as if to suggest this is a new vulnerability is simply disingenuous. People gossiped, the press pried, and folks just used bad judgment before HIPAA and it wasn't even a violation of any law.

    Now it's not just a bad idea - it's the law!  

    So, I'm not sure if you're just trying to stir the pot, but medical information was and always will be only as secure as the weakest person who has access to it. The rest is window dressing.

    "Jersey_Boy" was taken.

    by New Jersey Boy on Mon Aug 26, 2013 at 06:53:48 PM PDT

    •  Agree. Nothing New. (1+ / 0-)
      Recommended by:
      lostinamerica

      About 30 years ago there was a very active 'gossip' community of women on my mother's street.

      A woman in the office there had been phoned from the hospital that her husband was there and she should come down immediately.

      On her way out to her car, and just out the door, the neighbor lady ran out and hugged her and said 'I'm so so sorry George died!'

      A hospital volunteer pink lady had phoned a friend when poor George was brought in dead with a heart attack, who then called the neighbor, and the lady was shocked by the news in her driveway.  

      There were rumors there was a cash settlement by the hospital.   There are supposed to be protocols for release of information.  

  •  There must be some variance in state laws (1+ / 0-)
    Recommended by:
    JDWolverton

    on patients' privacy rights. California seems to have some stringent laws in that regard, though I'm not inclined to do the research myself to prove it. I'm insured with Kaiser Permanente in Southern California, and Kaiser seems highly concerned with privacy, protecting patient information, and information security. Signs are posted in elevators and elsewhere to remind medical personnel to not talk about patients.

    Kaiser also makes good use of electronic medical records, a significant convenience for patients. Possibly CA patient privacy laws and Kaiser's records use can be used as models for other areas.

    As for leaks to news media, the media has to take the large share of blame for digging into personal information that should be off limits.  

    “We do not inherit the earth from our ancestors; we borrow it from our children” ― Chief Seattle

    by SoCalSal on Mon Aug 26, 2013 at 08:48:31 PM PDT

  •  A lot of this stuff is related... (2+ / 0-)
    Recommended by:
    JDWolverton, Betty Pinson

    ...to the fact that for some reason the healthcare industry continuously clings to the most outdated, obsolete, and inefficient record keeping practices imaginable. There seems to be almost no standardization, and all the healthcare providers I've ever seen in the U.S. use a monstrous hodgepodge of mutually incompatible and obsolete systems that are unmanageable as far as even just basic maintenance, much less security and privacy. And when new stuff (including new regulations, or new tools) gets added, it just joins the giant mess that's already there instead of replacing old stuff that shouldn't even be used anymore.

    It seems like modernizing IT infrastructure just isn't a priority for the U.S. healthcare system, given the poor results that have come out of past attempts to do so. I'm sure that one of the major contributing factors behind this is that the system is so decentralized, with no one coordinating all of the different players involved or even setting and enforcing standards. I would bet that a single payer system would be able to force some real change in this area in a way that isn't really possible right now. Some of the best healthcare systems in the world make heavy use of coordinated electronic records nationwide, typically managed by the single payer system and linked to a national ID card. Something like that would be a major step forward for the U.S., but of course we'd have to be willing to tell all the idiots who think ID cards are the "mark of the beast" to STFU and let the grownups work on the problem.

    There also just seems to be rampant stupidity everywhere on the administrative side of our healthcare system. The whole thing is just way overly complex, with way too many layers of idiots who don't do anything useful involved. Additionally, a lot of the workers who have to actually run the systems are either too busy with other concerns to do much about the issues (doctors, nurses) or too uneducated/underpaid (most frontline healthcare administrative workers) to know or care about doing anything about the problems.

    A complete mess, and not one that will ever be solved without massive government intervention in the "marketplace" to clear out the garbage.

    •  Not sure your assessment has any relation to (1+ / 0-)
      Recommended by:
      Betty Pinson

      the concerns about privacy this diary outlines, but everything else is so spot on I had to comment.

      It's like you read my mind.

      "Jersey_Boy" was taken.

      by New Jersey Boy on Tue Aug 27, 2013 at 02:26:30 PM PDT

      [ Parent ]

      •  The relation to privacy... (0+ / 0-)

        ..is that obsolete and poorly maintained IT infrastructure is a privacy nightmare. It's not possible to implement effective controls over access to information that is managed by IT systems if those IT systems are a total mess. And any sort of medical information privacy issue these days is going to be deeply intertwined with IT issues, given the degree to which computers are used to manage that information.

        As someone pointed out above, electronic control of medical information could actually be more secure and private than a paper record system, if implemented properly. The problem is, some serious thought needs to go into that and how electronic medical privacy issues interface with human factors and so on (for example, how well is physical access to the data stored in electronic systems controlled? Is someone carefully studying how insiders are using this stuff?). And it seems that no one is taking responsibility for doing that when it comes to the health care system, just like no one takes responsibility for a huge number of other serious problems with the system.

        And I would say that there is something about the culture of the healthcare industry in the U.S. that seems particularly resistant to modernization efforts. You would think that they would be more forward thinking about this stuff, given the huge potential gains in efficiency, privacy, security, patient care, and so on, but they are the opposite. I think it's a "too many cooks in the kitchen" problem, which is why I think a strong single payer system could help.

  •  Centralized Database of Med Records Already Exists (1+ / 0-)
    Recommended by:
    Betty Pinson

    It's called the Medical Information Bureau, and functions sort of like a credit bureau does in the financial space--it allows companies to vet health and life insurance applications for truthfulness.

    Of course, other potential applications also exist...
