In response to the guilty plea by three employees of St. Vincent Health System, reported here earlier today, Dr. Deborah Peel of PatientPrivacyRights.org issued the following statement:
Facebook users can keep people from seeing their walls, but patients can’t keep anyone from seeing their electronic medical records.
What’s interesting is how severe the penalties could be for snooping: “Each faces up to a year in prison and-or a fine of up to $50,000. Sentencing has not been set.”
But the most dangerous data snoops are not hospital employees, but the corporations and industries whose business is the systemic theft, data mining, and sale of Americans’ health records. None of the corporate mega-snoops have been hauled before a judge.
The problem is bad technology. Every US hospital allows thousands of employees access to hundreds of thousands or millions of electronic patient records without informed consent.
Because HIT systems are so poorly designed, VERY FEW snoops are ever caught.
HIT should be designed to keep almost all hospital staff OUT of your records. Only those with your informed consent should be able to get in.
Would you keep your money in a bank if every employee could open your bank account and do as he/she pleased, including copying, using, stealing, or selling your account information or assets?
Fines of $50K and prison sentences will discourage some snoops, if any of them are actually fined or sentenced to jail, but existing privacy-enhancing DRM systems or existing consent management systems applied to HIT could totally BLOCK all snoops from seeing records by ensuring that only those caring for you can see your records. Fines and jail won’t be needed if snoops can’t get into electronic records.
DRM—digital rights management could be used to protect health records, as it does to keep other data private and protected. Why isn’t DRM being used in healthcare? Because the vendors of legacy systems refuse to update their ancient technology. They are not interested in Americans’ longstanding health privacy rights or protecting our data. Vendors and data miners do not want to stop selling OUR electronic health records. Why would they give up billions in revenue unless forced?
The stimulus billions should be spent on NEW, privacy-enhancing health IT—-not wasted purchasing existing dinosaur technologies. But the new HIT Policy and Standards Committees are dominated by industry appointees protecting turf and revenue, and dedicated to opposing to patients’ rights and control of PHI.
The public and Congress must weigh in to prevent the HIT and data mining industries from certifying privacy-destructive systems as the national standard.
I would guess that some people will strongly disagree or even be offended by Dr. Peel’s statements. And if any representative of any of the groups she described would like to respond, I’d be happy to post their response or any debate on these important issues. I’ve repeatedly advocated for much more respect for, and inclusion of informed consent standards when it comes to sharing PHI. HIPAA’s current provisions, some of which are left intact by HITECH Act, allow sharing that I do not think should be allowed without the express consent of patients. But more on that another time.