ZDNetAsia : Printer Friendly - Patient privacy in peril?

To print: Select File and then Print from your browser's menu

--------------------------------------------------------------
This story was printed from ZDNet Asia.
--------------------------------------------------------------

Patient privacy in peril?

By Rachael King
Wednesday, April 08 2009 12:56 PM
URL: http://www.zdnetasia.com/news/security/0,39044215,62052986,00.htm

More than 1,000 people, many of them celebrities, have had their health records inappropriately viewed by hospital employees at UCLA medical facilities since 2003, according to legal complaints against the center and published reports.

In one case, a worker received payments from the National Enquirer in exchange for information. In many cases, hospital employees simply wanted to satisfy their curiosity about the conditions of such people as Britney Spears, Maria Shriver, and Farrah Fawcett. Soon, it may not be just public figures who need to worry about the privacy of electronic medical records.

The recent stimulus bill gives financial incentives to doctors and hospitals to digitize medical records for every American by 2014. "Our recovery plan will invest in electronic health records and new technology that will reduce errors, bring down costs, ensure privacy, and save lives," U.S. President Barack Obama told members of Congress on Feb. 24.

Privacy and civil liberties advocates already are expressing concern that privacy provisions in the legislation don't go far enough to protect records from prying eyes, whether they belong to nosy hospital workers, health insurance companies, a potential employer, or even the U.S. government.

Drafters of the stimulus law took steps to broaden existing privacy regulations, such as by requiring health plans to notify individuals if there is a breach of unsecured protected health information.

The stimulus law also expands some penalties for those who break the rules. Yet it fails to make changes to an existing rule that allows for the disclosure of private health information without an individual's consent when it is shared with health-related organizations for the purposes of treatment, payment, or other health-care operations.

Info is shared and sold
That's cause for concern, says Sue Blevins, founder and president of the Institute for Health Freedom, a nonpartisan, nonprofit, Washington-based think tank. "We've been consistently calling for patient consent before information is shared because that is the only way to gain privacy," Blevins said. There are 600,000 health-related organizations that could potentially see this information, which could include genetic data, she contends.

Under the new law, individuals can ask a doctor or hospital not to share their information with health plans, but consumers can only exercise this right if they pay out of pocket in full, a condition most people don't meet. The law also is silent on whether individuals can opt out of computerized records altogether, the Institute for Health Freedom says.

Privacy advocates also want to ensure the legislation goes far enough in protecting patients against the sale of their personal information. Currently, pharmacies are able to sell detailed records of patient medications to clearing houses, which then sell that information to interested parties such as insurance companies.

"They create profiles on individuals and sell that information to insurance companies for underwriting purposes," said Ashley Katz, executive director of Patient Privacy Rights, a nonprofit based in Austin, Tex. Insurance companies, in turn, have denied coverage to individuals seeking private insurance based on this data.

As written, the stimulus legislation allows for records to be sold for public health and research purposes. "On the surface, the exception for public health and research sounds reasonable, but all those things are incredibly broadly defined and you have the potential for a huge loophole with any exception," Katz said.

Some are also concerned about the government's access to patient records. Today, certain government agencies don't need patient consent in order to view medical records. The Secretary of the Health and Human Services Dept. legally has access to every citizen's health records, including psychotherapy notes, according to Blevins.

The Food and Drug Administration also has the right to see consumer records as they relate to problems with food or dietary supplements, she says. There's no evidence that government access to people's records will be curtailed by the stimulus package.

Discrimination worries
Researchers say access to large pools of digitized records will make it easier to find new treatments for diseases and to catch adverse drug reactions much more quickly than possible now.

In 2007, Kaiser Permanente started a large research project in the United States, electronically tracking genetic, health, and lifestyle information from hundreds of thousands of adult patients in Northern California. Researchers hope to glean new insights into illnesses such as heart disease, cancer, diabetes, high blood pressure, Alzheimer's disease, and asthma. Participation is voluntary and requires written consent.

Privacy advocates welcome some aspects of the new legislation. For example, it requires organizations to keep audit trails of those with whom they've shared patient information.

"There was clearly recognition by Congress that even as we move perhaps to a more efficient health-care system based on use of electronic records that we need to be very sensitive to privacy violations in the process," said Caroline Fredrickson, director of the Washington legislative office at the American Civil Liberties Union.

A big worry is that potential employers and health insurance providers that get their hands on data could discriminate against people--or their children--based on their future potential for acquiring certain diseases.

Fredrickson and others say much will depend on regulations that will be drafted in the next couple of years. Aside from consent, Fredrickson wants to know how much control patients will have with their records and whether there will be adequate penalties for companies that improperly obtain or use information.

One of the government's goals with electronic medical records it to make it easier to share health information among doctors, not only within a hospital but potentially nationwide as well. Even some doctors aren't comfortable with the security and privacy implications. Svetlana Kogan, a private practitioner of internal medicine on the Upper West Side of Manhattan, stores her paper charts in a secure area that is out of reach of anybody except authorized personnel. "If this becomes deposited on my hard drive, it's a matter of a memory stick and people have access to thousands of records," she said, adding, "That makes me feel vulnerable as far as privacy is concerned."