Milton Freudenheim reports:
Federal health officials call it the Wall of Shame. It’s a government Web page that lists nearly 300 hospitals, doctors and insurance companies that have reported significant breaches of medical privacy in the last couple of years.
Such lapses, frightening to consumers, could impede the Obama administration’s effort to shift the nation to electronic health care records… So the administration is making new efforts to enforce existing rules about medical privacy and security. But some health care experts wonder if the current rules are enough or whether stronger laws are needed, for example making it a crime for someone to use information obtained improperly.
Read more in The New York Times.
I would dispute the reporter’s claim that “The Obama administration has levied a string of stringent penalties for egregious violations of patient rights under the most commonly cited law, the Health Insurance Portability and Accountability Act, or HIPAA, of 1996.” What string? Where?
And while some, cited in the article, consider different approaches or models such as barring discrimination based on information about medical conditions that might be exposed, that does not deal with the issue of embarrassment and privacy that may have nothing to do with employment discrimination. People simply don’t want the whole world knowing their sensitive medical information and unless entities improve security, it remains at great risk.
Dear anonymous: you never post my comments, but I assume you read them. Your brief statements on this post assume that everyone shares a common position on the privacy of their healthcare information. This is simply not true. No population has a uniform opinion on any subject, including this one. Research supports that there is a spectrum of attitudes on healthcare information privacy. Many people actually care very little about keeping strict privacy around their healthcare information. Those who do report a high degree of concern tend to associate it with the possibility of discrimination, particularly in employment. Others report concern over identity theft. Few cite embarrassment as a concern. There are empirical data to support this, and it would be useful for you to do the background reading. From comments made before, I am certain you know how to do a literature search.
It is never useful to assume that one’s own opinion is the predominant one. If your opinion on healthcare data exposure were predominant, wouldn’t we see some sort of public outrage over breaches? Despite years of privacy advocates trying to stir up that outrage, it hasn’t happened, so clearly they are not tapping into a broadly-shared and deep-seated societal value.
In point of fact, the actual harm that has resulted from healthcare data breaches has been minimal. In many cases, the data are difficult to access, outdated, or otherwise of very limited value. It has been reported that even freshly stolen medical records have been put on the black market and no one bought them.
I’m not saying that we shouldn’t do more to prevent breaches. We should. But the driver to do that will be unlikely to come from consumer pressure, because consumers have collectively shrugged their shoulders over this issue.
If you submit comments and they do not show up, it means that they got caught in the spam filter. I do not censor commenters and I see three previous comments submitted by you that have been posted on this site.
I do not assume my position is the dominant one. To the contrary. Indeed, if my view was the predominant one, I wouldn’t be blogging. That said, many of the views I espouse are also espoused by other patient privacy advocates, and I do not think it is coincidental that the head of Patient Privacy Rights, Deborah Peel, MD, is also a mental health practitioner. Those of us in the mental health field are more likely to be even more concerned about privacy and breaches than many other specialties, I would guess.
I am well aware of the empirical data. I am also aware that what people say in response to a survey may not be the best indicator of what they really feel or would do. For example, the parents I see on a regular basis are not worried about the privacy of their children’s mental health records because of employment concerns in the future. They are worried – and very much so – in the here and now over what their child’s school would think or might do if they found out the child’s diagnosis or family history and family situation. Adults with psychiatric disorders are worried about employment issues, but they’re also worried about other consequences of possible breaches – including whether an ex-spouse might try to use information against them in a custody dispute.
That more people aren’t more outraged over breaches is a measure of the “It can’t happen to me” mentality that is all too prevalent. If you read the news on breaches, every day, people are shocked and outraged over breaches – but not until it happens to them. And in many cases, even when they’re outraged, they don’t change what they do – often because of limited choices to go elsewhere or because they value a service so much that they’re willing to tolerate what happened.
On both sides of the equation, ultra-privacy advocate vs. do-nothing JQ Public, there is clear evidence of the inability to properly understand risk and take the appropriate action to mitigate it. Privacy advocates over-state risks while others under-estimate them. The real answer, like so many things in life, is somewhere in the middle.
Just because I don’t share your opinion about the risks or their significance does not equate with not understanding them or not being familiar with research. Indeed, nonpublic sources inform me that some risks are much higher than what has been publicly reported or revealed – and that’s across all sectors, not just the healthcare sector.
So you go ahead and take all the risks with your own data that you feel are reasonable, but do not try to impose your subjective beliefs about what is a “significant” risk on others. While “significant” has a statistical definition, it also has another definition and neither you nor I get to be the judge and jury of that determination for others.
Somewhere in there is a response to what I actually said, struggling to get out.
Then perhaps you don’t understand what you actually said, as my response was directly responsive to it.