Security breaches are up 32%—but because of a loophole, if your patient data is stolen, you may not even be told about it!
Why wouldn’t an identity thief love electronic patient records? They are a veritable goldmine. Each record contains the patient’s name, Social Security number, birthdate, contact information, and insurance details, not to mention private health and treatment data. Security breaches cost the healthcare industry an estimated $6.5 billion a year, most often through a stolen computer, and the number of breaches is rising sharply: this year there were 32% more breaches than last year, the New York Times reported this week.
That 32% comes from the breaches reported to the Department of Health and Human Services. But here’s the zinger. Under the federal breach notification rule (part of the HITECH Act), a breach of 500 or more people’s records must be reported to HHS promptly and announced to the media; a smaller breach only goes into a log that the organization submits to HHS once a year, with no public announcement, and never appears on the public breach list. And notification is required at all only for breaches that “pose a significant risk of financial, reputational, or other harm to the individual affected.”
Who gets to decide this? The company that was handling the data, and was responsible for the breach. It is in their own interest, of course, to minimize their exposure. So a record listing your name alone would be ignored; a breach of 499 complete records is not counted in that 32% and draws no public notice; and any number of records may be ignored if the company concludes that the loss supposedly poses no risk of harm. In those cases, victims would never be notified.
The CDC says about 57% of doctors’ offices use electronic medical records (EMRs), up from 45% just last year. The federal push for EMRs comes from the HITECH Act of 2009 (part of that year’s stimulus law), which pays Medicare and Medicaid providers to adopt them and cuts Medicare payments to those who have not done so by 2015. As more and more hospitals and healthcare systems comply, the problem will only get worse.
In October, a desktop computer holding unencrypted records on more than four million patients was stolen from the offices of Sutter Health, a nonprofit health system based in Sacramento. Because the data was unencrypted, it counted as “unsecured” health information under the federal rule and the theft had to be disclosed; had the disk been encrypted to the standard HHS specifies, the theft would not have been a notifiable breach at all. The theft is now the subject of two class-action suits, each of which seeks $1,000 for each patient whose record was breached.
You may recall that ANH-USA has consistently opposed a nationwide mandatory electronic records system. We believe that allowing hundreds of thousands of parties to access your records, including mental health and other sensitive information, is by definition a serious invasion of privacy. At the very least, patients should be able to opt out.
Another problem is that EMRs allow state medical boards to go on “fishing expeditions” targeting integrative physicians, because the boards can more easily search the records to see which treatments a physician is using that may fall outside some arbitrarily and vaguely defined “standard of care.” Fortunately, the EMR mandate applies only to doctors who participate in insurance or other federal programs; many integrative physicians do not take insurance and do not use EMRs. Unfortunately, this just means that their patients pay twice for healthcare: once for insurance they won’t use, and once in cash to the physician of their choice.
Of course, it’s not only electronic data that can fall into the wrong hands. In Minneapolis last month, sensitive medical information was found on the back of a drawing a child had made at her elementary school, including the patient’s name, account number, birthdate, and occupation. An attorney’s office had donated old scrap paper to the school for an after-school program; the attorney had been hired by the patient after a car accident, and the office employee who made the donation didn’t think there was any personal information on the papers. The attorney apologized for the mistake, saying that the donation violated the firm’s privacy policies.
The elementary school sent a message to the family of every child in the after-school program asking them to check whether any other medical records had ended up in their homes, and to return any they found.
Of course, if some cyber-terrorist destroyed the electronic systems, then it might be nice to have paper records like the ones that ended up in elementary school.
The larger problem with government mandates is usually one of unintended consequences, especially when we are all forced into a one-size-fits-all pseudo-solution. If government would leave medical professionals alone, they might come up with more creative solutions to the record-keeping problem, solutions that protect our privacy and take into account our individual needs and wishes.