Healthcare workers don't like to talk about this. Our Electronic Health Record system is not very secure. Most of us don't think about it much. Who wants to know about our personal health record? We all get sick. Many healthcare workers are diligent and don't break the rules. This isn't about them. The health record security system banks on people not really trying to pry into records, but if we really face up to it, we know our medical records aren't all that private.
How do you balance medical error prevention with privacy? What happens when the patient is a celebrity? What happens when the patient's condition is newsworthy? The sad truth is that the patient in the one-off situation has less privacy; reporters demand that their readers and viewers have a right to know. If you are a professional athlete or CEO of a large company, you have no medical privacy. If you are a corporate or political inconvenience, your medical records are a great way to start a whisper campaign that can lead to public embarrassment, loss of credibility, loss of promotions, fewer raises and possible job loss (even if that "public" is confined to the 30 people within your department and the management team).
The main reason our health records aren't very private is that most of us like to judge the health habits of our friends, family and celebrities. We like to be concern trolls for each other. "Oh, you have PTSD? Tell me, what happens when you wig out?" (That's a pretty ignorant question I heard asked of a PTSD patient. Many PTSD patients are unidentifiable to the casual observer. They don't, by definition, "wig out".) Look at Chris Christie: how many people feel totally entitled to look over his shoulder when he steps on the scale? Why do people think it's appropriate to ask the obese or anorexic about their medical condition?
Is it any wonder we like to keep our health issues private?
Health care privacy vs. quality of care has hard edges. If you go to doctors within a specific hospital system, it's nice that the doctor you see today knows you are up to date on your immunizations, screenings, recent imaging studies and the drugs you take for chronic conditions. If you are the average anonymous person, this sharing doesn't bother you. The benefits of this sharing are profound. It keeps medical expenditures lower. It improves quality of care. It more readily identifies contraindications. It prevents medical errors. It also leaves your files open for every member physician and their staff within the same system to peruse. It can be disconcerting if you aren't prepared for it.
What can go wrong? Lots. Our healthcare records won't be secure until we render serious consequences for breaches and it isn't the NSA you should be primarily worried about. To understand that, you need to stroll down Wonky Lane, but I get it if you read wonkiness as blah, blah, blah. So, I placed headings and summary lines along the trail to let you skip through the sections (skim reading) until you see "Practical Matters" in a heading. You can't skim anecdotes and you can always go back and read the whole thing if you need more background.
Medical Information Laws
We have a patchwork of laws that are supposed to protect us while expanding the role of EHR (Electronic Health Records). The laws are strong, but many medical workers don't take the possible consequences of violating confidentiality very seriously, and many physicians will dress down a worker who casually violates confidentiality but won't go further than that. Most troubling of all is that all of these privacy rules have exemptions for law enforcement warrants, subpoenas and court orders whenever investigators convince a judge the records are relevant to their investigation (a very loose standard).
HIPAA gave us an alphabet soup of regulations. Every doctor and health provider you see must give you an NPP (Notice of Privacy Practices) every 3 years explaining how your information will be used and shared under TPO (Treatment, Payment & Operations). The NPP discloses if and how your records will be shared, what the purpose is for sharing (like TPO, medical research, patient satisfaction surveys) and your opt-out choices. A lot of times, if you choose to "opt out", the doctor will choose not to see you. It also says when your records will be shared without your consent for criminality, communicable disease or court orders. Note: the NSA can get everything under "court orders". Why they'd want it is anyone's guess, but medical record data is quite scoopable.
The "Administrative Simplification" (101 pg pdf) aspect of HIPAA has far more impact than the privacy rule. It specifies a standardized electronic format for how health records can be shared between providers, facilities, insurers, pharmacies and more. HHS now uses what I call the "X" files (the ASC X12 transaction sets) for the standardized format for sharing health records. x835 (remittance advice), x837 (the claim itself; pdf) and x273 might be meaningless to you, but mean a lot to health care administrators.
HIPAA also mandated that HHS embark upon a rigorous anti-fraud program called the Health Care Fraud and Abuse Control Program (pdf). It largely duplicates a lot of existing anti-fraud statutes. Together with the Recovery Act, it eventually led to the RAC program.
HIPAA wasn't enough. Privacy breaches were all over the place. Medicare and Medicaid fraud is $60-$80 billion a year. Medical fraud is a serious problem bleeding our economic resources dry. HITECH closed loopholes, established higher penalties for non-compliance and required self-reporting of breaches. It also added incentives and penalties for EHR adoption. It cemented in place concepts like HL7 and created the environment for this awful organization called C-CHIT to thrive. (That's pronounced Cee Cee Hit, not the way it reads.) HITECH specified in greater detail the file formats used to communicate insurance claims, operative reports, special reports, patient notes, certificates of medical necessity, insurance payments, prescriptions, insurance eligibility and referrals to specialists. All of it.
Having this data in standardized formats makes for better and easier data mining to combat fraud. It's easier to identify overutilization patterns, which makes it easier for the FBI to investigate and the OIG to negotiate recovery of funds. The claim database already exists. It's queried daily. The results of these queries form the basis of RAC and fraud investigations that are shared with the FBI. There are some restrictions on who may obtain the encryption material used for medical data transmission, but certifying your software under HITECH is based upon complying with the data formats. You can't comply if you don't know how to produce them, and finding out how to produce them isn't difficult.
HIPAA and HITECH combined weren't enough. ACA further strengthened the push toward Electronic Health Records. The ACA specified software certification further, cementing the stranglehold of C-CHIT. The healthcare exchanges are internet based and the privacy testing is running behind schedule. We will have these exchanges online by October 1st, 2013, and that's a good thing, but the security of this system as of today is questionable.
ACA also has an anti-fraud component. It focuses on Medicare and calls for, you got it, regular surveillance of Medicare Claims. It asks Medicare recipients to be aware of fraud, but a consumer report simply gives the FBI probable cause to sift through data that's already collected.
The bottom line is that our health record system largely uses a single set of data formats. There's a web page to help you navigate the acronym stew. All medical software system developers must use these formats to communicate with Medicare MACs and Medicaid FIs (Medicare Administrative Contractors, Fiscal Intermediaries). Doctors, hospitals, nursing homes and pharmacies use them to communicate with insurers, and these days a lot of it happens in the cloud. Typically, a hospital has a physician office complex surrounding it and shares its system with those who have privileges. The system itself may be rock solid and secure, but the transmissions from that system can be highly hackable, interceptable and breachable.
Yep, all you need is a mirrored switch port to copy and divert medical data, and no one would be the wiser. What's more, once the transport encryption is off the packets (because the link wasn't encrypted end to end, or because the clearinghouse or contractor that terminates it holds the keys and passes the plaintext on), the contents are in a standardized format ready for indexing and placement into a database. Medical record data could be headed for Utah and who would know? Why it would happen would be explained away as an anti-fraud effort, which is increasingly tied to organized crime, which is then loosely tied to (you guessed it) terrorism. All you need is paranoia, connect the dots and a new program for data collection and surveillance is born.
Many physicians maintain their own systems, but they still electronically submit claims (which may have an operative report or specific treatment details attached), check insurance eligibility, request treatment referrals, request imaging and lab tests and receive claim status reports and remittance information via the web. Those transmissions may be encrypted in transit, but the payload inside is in a standardized format, so anyone who obtains the plaintext at either end, or at an intermediary that holds the keys, can parse and index it with no effort at all.
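To make the "standardized format" point concrete, here is an added example (not code from the original post or from any EHR vendor) that parses a claim in the X12 837 layout the post refers to and pulls out the indexable PHI. The interchange below is constructed for this example: every name, member ID, NPI, address, date and diagnosis code in it is fictional, and the separators are read from the fixed-width ISA header the way a real parser would. The lesson is not that the encryption is weak; it is that the moment the plaintext is in someone's hands, name, date of birth, address, member ID and diagnosis fall out in a handful of lines.

```python
"""Parse a constructed ASC X12 837 claim and pull out the indexable PHI.

Added example, not from the original post. SAMPLE_837 is constructed: all
identifiers are fictional. The ISA header is built to the real fixed-width
layout (106 characters) so the separators can be read from it.
"""


def build_isa(sender, receiver, date="130801", time="0900", ctrl="000000001"):
    """Fixed-width ISA header with '*' element, ':' component, '~' segment separators."""
    fields = ["ISA", "00", " " * 10, "00", " " * 10, "ZZ", sender.ljust(15),
              "ZZ", receiver.ljust(15), date, time, "^", "00501", ctrl, "0", "T", ":"]
    return "*".join(fields) + "~"


# Constructed sample: a minimal 005010X222A1 (837P) interchange with one subscriber.
SAMPLE_837 = (
    build_isa("CLINICSENDER", "PAYERRECEIVER")
    + "GS*HC*CLINICSENDER*PAYERRECEIVER*20130801*0900*1*X*005010X222A1~"
    "ST*837*0001*005010X222A1~"
    "BHT*0019*00*0123*20130801*0900*CH~"
    "NM1*41*2*EXAMPLE CLINIC*****46*123456~"
    "NM1*40*2*EXAMPLE PAYER*****46*987654~"
    "HL*1**20*1~"
    "NM1*85*2*EXAMPLE CLINIC*****XX*1234567893~"
    "N3*1 MAIN ST~"
    "N4*WESTON*MA*02493~"
    "HL*2*1*22*0~"
    "SBR*P*18*******MB~"
    "NM1*IL*1*GONZALEZ*MARIA****MI*000000001A~"
    "N3*12 ELM ST~"
    "N4*WESTON*MA*02493~"
    "DMG*D8*19780315*F~"
    "NM1*PR*2*EXAMPLE PAYER*****PI*987654~"
    "CLM*PCN1001*250***11:B:1*Y*A*Y*Y~"
    "HI*ABK:F431~"
    "SE*17*0001~"
    "GE*1*1~"
    "IEA*1*000000001~"
)


def detect_separators(raw):
    """Element, component and segment separators, read from the fixed-width ISA."""
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("not an X12 interchange: missing fixed-width ISA header")
    return raw[3], raw[104], raw[105]


def parse_x12(raw):
    """Split an interchange into segments (lists of elements); returns (segments, component sep)."""
    elem, comp, seg_term = detect_separators(raw)
    segments = []
    for chunk in raw.split(seg_term):
        chunk = chunk.strip()          # real files often put a newline after each '~'
        if chunk:
            segments.append(chunk.split(elem))
    return segments, comp


def field(seg, i):
    """Element i of a segment, or '' if the segment omits trailing elements."""
    return seg[i] if i < len(seg) else ""


def extract_phi(raw):
    """Walk the segments and build one record per subscriber/patient loop."""
    segments, comp = parse_x12(raw)
    people, current, attach_addr = [], None, False
    for seg in segments:
        tag = seg[0]
        if tag == "NM1":
            if field(seg, 1) in ("IL", "QC"):   # IL = insured/subscriber, QC = patient
                current = {"role": field(seg, 1), "last": field(seg, 3), "first": field(seg, 4),
                           "member_id": field(seg, 9) if field(seg, 8) == "MI" else "",
                           "claims": [], "diagnoses": []}
                people.append(current)
                attach_addr = True
            else:
                attach_addr = False          # provider/payer NM1: their N3/N4 are not the person's
        elif current is None:
            continue
        elif tag == "N3" and attach_addr:
            current["street"] = field(seg, 1)
        elif tag == "N4" and attach_addr:
            current["city"], current["state"], current["zip"] = field(seg, 1), field(seg, 2), field(seg, 3)
        elif tag == "DMG" and attach_addr:
            current["dob"], current["sex"] = field(seg, 2), field(seg, 3)
        elif tag == "CLM":
            current["claims"].append({"control": field(seg, 1), "charge": field(seg, 2)})
        elif tag == "HI":
            # HI elements are composites QUALIFIER:CODE, e.g. ABK:F431 (ICD-10 code without the dot)
            current["diagnoses"].extend(e.split(comp, 1)[1] for e in seg[1:] if comp in e)
    return people


if __name__ == "__main__":
    for person in extract_phi(SAMPLE_837):
        print(person)
```

Everything the identity-theft market pays for (name, DOB, address, member ID) plus the diagnosis comes out of a single loop, which is why what matters operationally is the transport encryption on every hop and the access controls at every party that legitimately holds the plaintext, not the secrecy of the format.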
We have to have locked doors, card key access points, automatic logouts, regular password changes, and protocols that require anything with PHI (Protected Health Information) be locked away, face down on our desks or within folders. We have laws for data retention and protocols for data purges and logs to verify compliance. We have compliance plans. We regularly meet and train employees to adhere to them. IT software can detect when an employee pulls up a patient name in error and notes how long it takes before the operator detects the error and pulls up the correct record. A few seconds is a mistake; more than that and you can fire the employee for inappropriate access. As computer, scanner and photocopier equipment goes out of date, the hard drives, backups and thumb drives associated with the equipment need to be destroyed. A simple erase isn't enough, and degaussing does nothing for flash media like thumb drives and SSDs; physical destruction with a certificate is the safe default. Protocols for logging and confirming hardware maintenance are essential. Proof of data destruction is essential.
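The dwell-time check described above is simple enough to show in code. What follows is an added example, not code from the original post or from any EHR product: it runs a classification over a few constructed audit-log lines. The log format (timestamp, user, action, patient), the user-to-patient assignment map and the 15-second "mistake" window are all assumptions made for the example; a real audit log carries more fields and the window is a policy choice.

```python
"""Classify EHR record opens by dwell time and patient assignment.

Added example, not from the original post. SAMPLE_LOG, ASSIGNMENTS and the
15-second window are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed audit log: "<iso timestamp> <user> <action> <patient or ->".
SAMPLE_LOG = """\
2013-08-01T09:00:00 jdoe OPEN PT-1001
2013-08-01T09:00:04 jdoe OPEN PT-1002
2013-08-01T09:07:30 jdoe OPEN PT-1003
2013-08-01T09:15:00 jdoe LOGOUT -
2013-08-01T10:00:00 asmith OPEN PT-2001
2013-08-01T10:09:00 asmith OPEN PT-2002
"""

# Constructed: which patients each user has a legitimate reason to open today.
ASSIGNMENTS = {"jdoe": {"PT-1002"}, "asmith": {"PT-2001", "PT-2002"}}

# Assumed policy: an unassigned record closed within this window reads as a misclick.
MISTAKE_WINDOW = timedelta(seconds=15)


def parse_log(text):
    """Parse log lines into (timestamp, user, action, patient) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, action, patient))
    events.sort(key=lambda e: e[0])
    return events


def classify_accesses(text, assignments, mistake_window=MISTAKE_WINDOW):
    """Return one finding per OPEN with a verdict: assigned, mistake or review.

    dwell = seconds until the same user's next audited event (None if none follows).
    - patient assigned to the user              -> "assigned"
    - unassigned, corrected within the window   -> "mistake" (retrain, keep the logs)
    - unassigned, lingered or never moved on    -> "review" (manager and compliance)
    """
    events = parse_log(text)
    findings = []
    for i, (ts, user, action, patient) in enumerate(events):
        if action != "OPEN":
            continue
        nxt = next((e[0] for e in events[i + 1:] if e[1] == user), None)
        dwell = (nxt - ts).total_seconds() if nxt is not None else None
        if patient in assignments.get(user, set()):
            verdict = "assigned"
        elif dwell is not None and dwell <= mistake_window.total_seconds():
            verdict = "mistake"
        else:
            verdict = "review"
        findings.append({"user": user, "patient": patient, "dwell": dwell, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in classify_accesses(SAMPLE_LOG, ASSIGNMENTS):
        print(f)
```

Dwell time alone only tells you that a correction happened, not why; it is the assignment list (or whatever your system uses for treatment relationships and break-the-glass reasons) that separates a misclick from a look at a coworker's chart. Note that an open with no later event for that user is sent to review rather than excused, since a missing logout is exactly what a screen left unattended looks like.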
Training, background checks and confidentiality agreements can only do so much. The confidentiality of our medical records rests in the hands of the personal honor and integrity of the doctor, technician, medical assistant, nurse, medical biller, coder and health care administrator who comes in contact with the data. Someone with access can siphon off a file with names, addresses, birth dates and SSNs and sell them for $25 a pop.
We insist our employees don't talk about our patients, even if both the wife and the mistress of a well known professional athlete are sitting in the waiting room. We don't talk about it when we get home, on Facebook or at a restaurant with friends. It comes down to making sure employees can't access what they have no business accessing and don't talk about what they know, even if it will get you a free lunch.
Despite the exposure, there have been relatively few reported incidents involving more than 500 records at a time, considering our country has over 317 million people. That would seem small, except those breaches, when sold, pay out $25 per name on the health data black market. Each record likely has name, address, birth date and Social Security Number, a veritable identity theft Yahtzee. It may be a "small" number, but it yields big bucks if the breach was done for criminal reasons.
Not all health care breaches are for financial gain. Many breaches are mistakes involving individual records, run of the mill screw ups. Those employees you can retain and retrain. The employees you have to fire are the ones who repeat mistakes or make huge mistakes, where your liability insurer insists on termination.
The worst and most frequent breaches are personal. There are disclosures done for gossip or done to impress friends that they had contact with someone "important". Facebook is no place for healthcare workers to vent. Some breaches are done for monetary gain from reporters or private investigators. Sometimes it's a combination of money and personal revenge, not business.
Every healthcare worker is trained to protect patient privacy. Slip ups happen. Gossip happens. Revenge happens. Avarice happens.
The Practical Matters of Data Breaches
Chances are you don't think about how secure your health records are. You won't care until you are confronted by an uncomfortable situation where someone knows too much about you. You don't care until you open a $5,000 bill for a credit card account you never opened. You don't care until your boss takes you into their office and asks whether your health condition is going to cause a problem, or worse, fires you because they think your health problem interferes with your work. Maybe you find out after the fact that you didn't get a promotion because of your wrongly disclosed health problem. The reason health records are private is so they don't get in the way of your life.
The General Privacy Screw Up
A lot of times it isn't malicious. It's just dumb. It's sending an insurance claim form to the wrong insurance company or sending a statement to the wrong Maria Gonzalez or Jennifer Jones. It's leaving too clear a message on the home answering machine, or not realizing you're talking to the mother instead of your patient, the daughter, about her medical condition. It's faxing to the wrong number, or forgetting to have the hard drive pulled from the photocopier before it's replaced. It's getting written assurance from your IT company that they will destroy the old hard drive, only to have it end up recycled. Sometimes a breach occurs when a chart left open on the desk is read. It's when the new employee thinks they put confidential paper in the shredder box, but it turned out to be the recycling box instead.
Ireland - 1st "Legal" Abortion Case
Although newsworthy, this case is none of our business. It was erroneously reported that it was done under Ireland's new abortion law. It's one thing when you speak about a case months or years later without identifying the facility or physicians involved. The parents lost their babies. The descriptive detail the news outlets reported made sure this couple is easily identified within their community. Typically hopeful parents tell friends and family that they lost the baby. They don't share the details. The newspaper jumped the gun in reporting that this abortion was sanctioned under the new law, which hasn't been implemented yet. The newspaper makes it too easy for a prosecutor to subject this woman and her doctors to an invasive and possibly humiliating investigation. They identify: 1. the pregnancy was for relatively rare twins; 2. the facility; 3. the physicians in on the decision making; 4. the probable diagnosis; 5. a relatively short date range. This family needs to heal; instead, they are exposed to any anti-choice whackadoodle who will use this information to find and harass them. But, hey, the public "has the right to know". I don't know if Ireland has a HIPAA equivalent, but they should.
A few years back a woman was attacked and raped in a local school's parking lot. The news reporters got nothing from the school and nothing from the hospital. All they had from the police was that she was attacked, but they could figure out the hospital, as there were only two in the area. The hospital was overwhelmed. A few employees failed to realize there were eavesdroppers around, and reporters got the whole scoop on the extent of her injuries. She made the local news for a whole week. The news coverage withheld her name but said what her job function was at the school. The news reports told of her attack, the rape and some detail of her injuries. The woman encountered managerial barriers when she wanted to go back to work. She was transferred to another school (which she didn't want) because "everyone" knew what had happened to her and was uncomfortable around her. She had problems at her new school because they knew what had happened to her. She did nothing wrong. She wasn't even ill. She was just walking to her car and was raped by an asshole. All she wanted to do was return to her normal life. She got reassignment instead.
The most common breaches occur when health workers gossip about a patient. It's bad enough in the break room, but at least there you can enforce some rules. The difference between gossip and an object lesson is anonymity. From the wife and mistress comment I made earlier you can't identify the patients. I didn't say who the athlete was, where or when it happened, the women's ages or the medical specialty. Gossip by its very nature calls for prurient details to make the story salacious. You might be chatting while waiting in line for your latte and think you're speaking in code. You might think a description like "woman about 35 years old, pretty, foul mouthed, lives out in Weston, was here on Tuesday morning just before lunch, drives a Volvo, had to run off to take her kids to the ice rink for practice" is nondescript, but the person in front of you figures out you are talking about her daughter's BFF's mother.
A friend of mine was at a restaurant with a bunch of doctors. A colleague of theirs had recently committed suicide. One of the doctors had him as a patient and totally violated the deceased's privacy in order to give the other doctors insight as to why the man killed himself. It made my friend squirm. Later, she ran into the deceased's daughter in the restaurant's ladies' room. She was highly embarrassed when she realized the daughter had been sitting only a few feet away from her table and was nearby during that non-compliant gossip session.
The most common breach of privacy in Worker's Compensation cases occurs when an inexperienced worker clues in the employer that their worker has a chronic condition like HIV+, Parkinson's, diabetes or Bipolar Disorder. The drugs these patients take can complicate treatment of an on-the-job injury. The Worker's Compensation practice that only sees W/C cases won't make this mistake. It's the new hospital administrative assistant who blows it. The employer is only entitled to know how the worker's injury will impact their job performance: the amount of time they will miss, what physical limitations the worker has and how long those limitations will prevail. They are not entitled to diagnosis information for concurrent conditions like HIV+, anxiety or whatever.
Prior to June of this year, my only concerns about patient privacy centered around wondering if my implemented compliance plan was enough. If I focus on compliance, I can secure our medical records and keep them safe from casual curiosity, personal vendetta and identity theft exploits. That is the main concern: non-governmental breaches of privacy. I cannot protect medical records from a cavalier federal agency. What proof do I have that this information is being diverted to the NSA? None, but two months ago I would have said it was ridiculous to think that my telephone metadata was collected and stored by the NSA. I would have said collecting vast amounts of text messages and email was ridiculous; to what end? Is the NSA collecting wholesale medical records? I don't know, but the idea makes me squeamish. Every time I see a picture of that facility in Utah, I wonder what's going to be stored there. I know that our Medicare and Medicaid claim data is regularly sifted for fraud patterns, and that is not only protected by law but is required by law to be done. That's not necessarily a bad thing; it's not a stretch to think there's a medical record database out there. What's to stop these programs from going deeper into the EHR data? What is the potential for misuse by federal agencies that have no duty to protect the patient's confidentiality? None.
If I see a story in the NYT, WaPo, Der Spiegel or The Guardian that says the NSA is spying on our medical claims, no one should be surprised. It's not a revelation. It's predictable.
UPDATE: Thank you, Rescue Rangers. I thought I was going to slide off the recent diaries today.