The steady migration to electronic health records, mandated by the HITECH Act, may lead to inevitable trade-offs between privacy and security on the one hand, and more efficient and, ultimately, perhaps, better health care on the other. At the heart of the matter are the Regional Health Information Organizations (RHIOs) that are critical to developing a National Health Information Network.
In a posting on the American Civil Liberties Union (ACLU) website, Corrine Carey, assistant legislative director, New York Civil Liberties Union, addresses the issue of patient health records being uploaded into massive RHIO databases without their consent. She addresses several cases in which patient data might be accessed without their consent, but zeros in on data breaches resulting from malicious cyber attacks or sloppy data handling practices or sloppy data handling practices (lost or stolen laptops, backup media, USB drives, etc.).
“In light of the tremendous risk to privacy posed by ubiquitous security breaches, it is critical that patients have the ability to consent to making their personal health information available electronically,” she writes.
I’m not sure that’s on the mark.
The security risks are very real. She is quite correct on that point. We have born witness to a rash of health information breaches in recent months, and there is considerable evidence that the healthcare industry lags behind other sectors in data protection. So we have the perfect storm:
- A rapid increase in highly sensitive personal data being transmitted and stored digitally and proliferating across distributed, electronically linked repositories
- Inadequate data protection
- Aggressive cyber criminal attacks
But here’s the rub. We hear justifiable complaints about our healthcare systems’ inefficiencies. Storing, transmitting and sharing patient medical information electronically, in standard formats, makes all the sense in the world. The upfront costs of conversion are high (under HITECH, the government has taken a carrot-and-stick approach, with incentive payments to organizations that comply in a reasonable time frame, and penalties for those that do not), but the potential advantages are clear.
So is patient consent to the distributed sharing of medical information really a debatable issue? We are not talking about sharing records with tabloids. We are talking about a coordinated healthcare information exchange network. If the goal is lower costs and improve healthcare, the discussion should not focus on patient consent, but on better data protection. By its very nature electronic data is more susceptible to loss and theft. If we stipulate that sharing it across this proposed national network is ultimately a good thing, then it is incumbent upon the entities that are custodians of the data to do a better job of securing it.
The recent breaches have had nothing to do with sharing health records and everything to do with poor data protection policies and procedures. True, the more entities that have sensitive data, the higher the risk of theft or loss. So talk about in the same terms that security is considered in the business world. What is the risk vs the benefits? I come down on the side of the benefits on this one.