Tag: Privacy

Privacy and Security of Patient Records: The Lesson of the Weakest Link

DHarlow headshot The Queen of Soul famously wailed about being a link in a chain of fools. Today’s lead story in the Boston Globe tells us about another sort of link in the chain — the weakest link in the chain of custody of patient records. In brief, a pathology billing service bought out by another service apparently dumped all records more that a year old in a town dump; a Globe photographer taking out his own trash noticed that the paper records (which he was looking at because he thought they ought to be recycled rather than dumped) had identifiable patient data and represented at least four hospitals from across Eastern Massachusetts. Clearly, these records ought to have been shredded or otherwise destroyed before disposal. Assuming they had some airtight contracts in place, the hospitals involved may well be looking to the seller of the billing service in this case to reimburse them for costs of:

  • identifying the patients involved in this data breach
  • notifying affected patients of the breach
  • providing credit monitoring services to affected patients
  • any damages incurred by patients
  • any fines incurred by the hospitals

Under the HITECH Act’s “Son of HIPAA” rules, the hospitals could be on the hook to the federales for up to $1.5 million in fines each as a result of this incident, and the state AG could get in on the action as well, filing suit on behalf of the affected Massachusetts residents and seeking to ensue that proper procedures are in place. There may also be a violation of the state data security law here as well. Massachusetts has a particularly stringent data security law on the books that took effect within the past year, and not all affected businesses have come into compliance. The AG may be on the prowl for a few high-profile cases, like this one, in which to levy substantial fines and convince the laggards that compliance would be more than worth their while.

The natural question to ask, given the facts of this case, is: What Would a Meaningful User Do?

Continue reading…

The Circle of Trust

Picture 24 Every day millions of Americans and billions of people around the globe are routinely accepting colorful pieces of paper in return for their labor and placing those hard earned possessions in modern glass buildings whose owners they do not know. It took a few hundred years to change how business transactions are conducted, but today, there is very little apprehension about depositing one’s wealth in a bank. Public trust in both the government issued paper and the financial institution’s ability to safely store the increasingly virtual representation of buying power had to be painstakingly created and watchfully maintained.

When people, for one reason or another, lose trust in government paper or banks, the entire financial system fails miserably. Public trust is a prerequisite to any national monetary system and public trust is a very delicate thing. Nations create laws and regulations around financial institutions specifically aimed at building public trust. 

People have to trust that paper and its virtual counterpart can be exchanged for goods and they need to trust that banks, while safely storing their funds, will always make them available to their rightful owner on demand. Banks have a legal and fiduciary responsibility to take good care of your possessions, thus very few folks feel the need to store their family jewels in a strong box under their floor boards.

Continue reading…

RFID Tags for Nurses. Then Everybody?


The recent City of Ontario v. Quon decision has had a mixed reception among privacy advocates. Though many are disappointed that employees’ privacy rights have once again been narrowed, some have discerned helpful dicta in the case. However, I worry that, whatever the drift of thought among swing justices, economic imperatives and cultural shifts will mean a lot less privacy in the workplace of the future. Health care in particular offers a few interesting bellwethers.

As an opinion piece by Theresa Brown explains, maintaining proper staffing levels in hospitals is becoming increasingly difficult. Surveillance systems are offering one way to address the problem; work can be performed more intensively and efficiently as it is recorded and studied. But such monitoring has many troubling implications, according to Torin Monahan (in his excellent book, Surveillance in a Time of Insecurity):

The tracking of people [via Radio Frequency Identification Tags] represents a . . . mechanism of surveillance and social control in hospital settings. This includes the tagging of patients and hospital staff. . . . When administrators demand the tagging of nurses themselves, the level of surveillance can become oppressive. . . . [because nurses face] labor intensification, job insecurity, undesired scrutiny, and privacy loss. . . . To date, such efforts at top-down micromanagement of staff by means of RFID have met with resistance. . . . One desired feature for nurses and others is an ‘off’ switch on each RFID badge so that they can take breaks without subjecting themselves to remote tracking. (122)

Like the “nannycam” employed by many a wary parent, the nurse-cam may be seen as a way to protect the vulnerable. It may also increase the accuracy of evidence in malpractice cases. On the other hand, inserting a tireless electronic eye to monitor what is already an extremely stressful job may create many unintended consequences, or deter people from going into nursing altogether. Even advocates of pervasive surveillance recognize these difficulties.Continue reading…

Do Physicians Have a Right to Privacy?

As we move to Electronic Health Records (EHR), the debates over security and privacy are becoming more frequent and more poignant. We of course have HIPAA laws on the books and ONC has a Tiger team assembled to recommend privacy and security policies to Secretary Sebelius. CIOs and entire IT departments are all focused on protecting the privacy of patients and their Personal Health Information (PHI). This is, of course, as it should be, but how about privacy of those taking care of patients? Do physicians have a right to privacy too?

As EHRs become more prevalent and interconnected, increasing amounts of clinical and administrative data will be flowing out of doctors’ offices and into the great beyond. Most of this data is indeed patient data, but some of it could be combined, sliced and diced to derive pretty extensive information about doctors. For example, and in no particular order:

  • Prescribing patterns – Prescription data has been collected and sold to pharmaceutical companies for decades. EHRs will make this much easier to accomplish and the data will become richer and more granular, since it will contain the exact nature of the visit where a particular drug was prescribed or discontinued, including physician notes on the subject. Of course, such information finding its way to public websites would present a novel difficulty if, say, we can look up Dr. X and see that she wrote 30 prescriptions for contraceptives last month, half of which were for girls under 16 years of age.Continue reading…

Healthcare’s Privacy Problem (Hint: It’s Not What You Think It Is )

Picture 27 I recently applied for life insurance. The broker, whom I’ve never met, asked about my health history. “So you’ve just had a baby,” he began. I asked him how he knew. “You’re on Twitter.”

In the last couple of years concerns about the privacy of online health information have grown, as health care finally catches up to other sectors in its use of information technology (IT). The Stimulus package will pump $19.2 billion into healthcare IT, especially electronic medical records for doctors.

While technology can make your medical records safer in some ways than they’d be in a paper chart (using encryption, fire walls, audit trails, etc.), the fact is, no system is totally fail-safe. And when screw-ups happen, technology tends to super-size them. Continue reading…

Medical Data in the Internet “Cloud” – Data Privacy


The concepts of “security” and “privacy” of medical information (Protected Health Information, or PHI) are closely intertwined. “Security,” as described in the second part of this series, has to do with breaking into medical data (either data at rest, or data in transit) and committing an act of theft. “Privacy,” on the other hand, has to do with permissions, and making sure that only the intended people can have access to PHI.

So, who actually “owns” the medical record? The legal status of medical records “ownership” is that they are the property of those who prepare them, rather than about whom they are concerned. These records are the medico-legal documentation of advice given. Such documentation, created by physicians about patients, is governed by doctor-patient confidentiality, and cannot be discovered by any outside party without consent. HIPAA Privacy Rules govern the steps needed to ensure that this level of confidentiality is protected against theft (security) and against unauthorized viewing (privacy). HIPAA-covered entities (medical professionals and hospitals) are held accountable for ensuring such confidentiality, and can be penalized for violation.

The question of privacy, then, revolves around sharing PHI between professionals in order to coordinate health care – after all, health care is delivered by networks (formal or informal), and data sharing is necessary to deliver best-practices levels of care. In the traditional world of paper charts, record-sharing is accomplished by obtaining consent from the patient (usually a signed document placed in the chart), and then faxing the appropriate pages from the chart to the intended recipient. Hopefully the recipient’s fax number is dialed correctly, since faxing to mistaken parties is a vulnerability for unintended privacy violation using this technology.

When medical data moves from a paper chart to a locally-installed EHR, the organization of medical data across the landscape is not really changed – each practice keeps its own database (the equivalent of its own paper chart rack), and imports/exports copies of clinical data to others according to patient permission (just like with traditional paper records). Such clinical data sharing is often done by printout-and-fax, or by export/import of Continuity of Care Documents (CCDs) if the EHR systems on each end support such functionality.

As technology evolves, new layers of medical data sharing emerge, which challenge the simple traditional “give permission and send a copy” method of ensuring privacy. Health Information Exchanges (HIEs) are emerging regionally and nationally, and are supported by the Office of the National Coordinator (ONC) for health IT. HIEs are intended to be data-exchange platforms between practitioners who might be using different EHR systems (that do not natively “talk” to each other). Only certain types of data are uploaded by an EHR into an HIE – patient demographic information, medication lists, allergies, immunization histories. HIEs, then, function as a sort of evolving “library” of protected health data, where local EHRs feed their data on a patient-permission-granted basis, and can download data (if granted the permission to do so) as needed. The potential impact on quality of care is dramatic.

In addition to being a “library” of shared data, HIEs can serve to assist in public health surveillance. This can range from CDC-based surveillance of the emergence or prevalence of specific diseases, to FDA-based post-market surveys of the use of new medications (and shortening the timeline for identifying problems should they arise). This sort of use of HIE data is de-identified, so that permissions around using PHI are not violated – patient-specific data in HIEs is only used with permission, and used for direct patient care (e.g. downloading into your own EHR your patient’s immunization history).

HIEs, however, are essentially a “bridge technology” that tries to connect a landscape where health data remains segregated into “data silos.” A newer frontier of technology can be seen arising from web-hosted, Internet “cloud”-based EHRs, such as Practice Fusion. In this setting, a single data structure serves all practices everywhere, and local user-permissions determine which subset of that data are delivered as a particular practice’s “charts.” This technology raises the potential to actually share a common chart among multiple non-affiliated practitioners – based upon one physician referring a patient to another for consultation (with the patient’s permission to make the referral), both practices are then allowed access to the shared chart, see each other’s chart notes, view the patient medications, review labs already done (reducing duplication of services), see what imaging has already been accomplished, securely message one another, and even create their own chart-note entries into the common, shared chart.

This “new frontier” of technology, where clinical chart sharing between practices (based on patient permission) occurs across all boundaries of care, makes the Practice Fusion vision an “EHR with a built-in HIE.” Extending this even further – shared EHRs and linkage with Personal Health Records (PHRs) – is beyond the scope of this particular article, and will be addressed subsequently. With good design, as pioneered here, the balance between ensuring security and privacy of PHI on the one hand, and permission-based sharing of clinical information for the betterment of overall health care delivery on the other hand, a truly remarkable technology is being built. The impact on transforming health care is profound.

Dr. Rowley is a family practice physician and Practice Fusion’s Chief Medical Officer. Dr. Rowley has a first-hand perspective on the technology needs and challenges faced by healthcare practitioners from his 30 year career in the sector, including experience as a Medical Director with Hill Physicians Medical Group and as a developer of the early EMR system Medical ChartWizard. His family practice in Hayward, CA has functioned without paper charts since 2002.  You can find more of his writing at the Practice Fusion Blog, where this post first appeared.

If you liked this post you might be interested in these related posts:

Medical Data in the Internet “Cloud” (part 1) – Data Safety
Is “Cloud Computing” Right for Health IT?
Freenomics and Healthcare IT
Practice Fusion gets investment from

September 27, 2009 in EHR/EMR, Privacy | Permalink

HIPAA’s Broken Promises

SFox - LgIf you hate HIPAA, it’s your lucky day. Paul Ohm is handing you ammunition in his article, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization.” His argument: our current information privacy structure is a house built on sand.

“Computer scientists…have demonstrated they can often ‘reidentify’ or ‘deanonymize’ individuals hidden in anonymized data with astonishing ease.”

Ohm’s article describes HIPAA, in particular, as a fig leaf – or worse, as kudzu choking off the free flow of information.

“[I]t is hard to imagine another privacy problem with such starkly presented benefits and costs. On the one hand, when medical researchers can freely trade information, they can develop treatments to ease human suffering and save lives. On the other hand, our medical secrets are among the most sensitive we hold.”

Continue reading…

Social Media: Disruptive Force in Medicine

Before the Obama administration set aside billions to accelerate the dissemination of EHRs, providers were slow to adopt them. As recently as 2 years ago for example, a study published in the NEJM revealed that only 4% of non-hospital based providers had fully implemented an EHR, and only 13% more had a partial installation.

By contrast, the growth of social media including Facebook, Twitter, YouTube, blogs and virtual communities like Sermo and Physician Connect, has been explosive.Enterprising providers have already deployed sophisticated social media strategies to extend their brand around the world. The Mayo Clinic for example, maintains several blogs, a Facebook fan page (which has 8,800 fans), a library of YouTube videos and a Twitter page (7,120 followers).Continue reading…

KP lawsuit doesn’t sniff quite right

It’s about time we had a fun Kaiser Permanente scandal, as it’s been a while, and it appears that they’re having some influence on the side of the angels in DC these days. And tracking vis HISTalk apparently there is one. You can wonder over to this blog to get the full rhetoric but basically it comes down to KP being sued by a former relatively senior techie in the Northern California region who has had a big time falling out with his boss.He has three main accusations.

1. KP kept a registry of dementia patients on an open internal network2. KP employees were dumping personally identified data in the trash3. KP was and is not tracking deductibles and was forcing their members to count up to them—presumably costing their members money for those who were paying cash when they’d already met their deductible.

So let’s parse these apart.

Continue reading…

The Red Flags Rule

HalamkaYou may have seen the recent headlines “FTC delays Red Flags Rule
implementation until August 2009”. What is the Red Flags Rule and how
does it relate to healthcare?

The FTC has a great website that it explains it all in detail.

the FTC requires most clinical offices, hospitals, and other health
care providers to develop a written program to spot the warning signs
of identity theft – “red flags”  If a patient’s name on a photo ID and on their insurance card do not match, that’s a red flag. If a patient visited last week as John Smith but today is Fred Jones, that’s a red flag. If patient seems to travel from provider to provider seeking numerous expensive treatments, that’s a red flag.

law was initially designed to cover creditors and it seems odd for
healthcare providers to be considered creditors. The FTC defines a
creditor as anyone who enables the customer to carry a balance after
services are rendered. Unless a clinician asks for payment upfront (all
balances not covered by insurance), the clinician is a creditor.

Continue reading…


Forgotten Password?