Over on her New York Times blog, Well, Tara Parker-Pope recently wrote about the disclosure that an employee at UCLA had peeked at Farrah Fawcett’s records.
In response to her post, one commenter, “SavvyDoc,” wrote that it was a “HUGE” invasion of privacy and the employee should have been reprimanded (just “reprimanded,” SavvyDoc?), but then went on to write:
However, I do think the concerns over patient privacy are a little overblown; it is not like they gained access to Mrs. Fawcett’s bank account, which in my experience many people equate these situations to. Patient privacy is important, but in a lot of ways concern over it is preventing the type of progress in health care IT that is necessary for eventually reducing costs and subsequently affordable health insurance.
Such false dichotomies (that insisting on privacy and security means preventing “progress” in healthcare IT) do not serve the public any better than this administration’s lame attempt to use FUD to trample on Fourth Amendment protections by suggesting that we must choose between privacy and national security.
We do not have to choose. We can — and should — have both. The recent UCLA disclosures are examples of known privacy and security threats that have not been adequately addressed, despite the fact that alternatives and solutions are available.
If a hospital has repeated incidents of employee snooping and still does not implement better systems, is that hospital trustworthy?
Furthermore, suggesting that gaining access to (and misusing) financial data is more serious than gaining access to (and misusing) medical or patient data reflects a bias that I do not share. It might be easier to change a bank account number and deal with garden-variety ID theft than to deal with the aftermath of your most personal and confidential health information being revealed to the wrong parties. Perhaps SavvyDoc did not read the stories concerning breaches involving patients’ HIV status, or how medical information was used to try to sabotage political campaigns, or perhaps SavvyDoc has not read the stories of medical ID theft and its consequences. Then again, perhaps he has read those stories but just doesn’t see them as being that serious.
In Ms. Fawcett’s case, if that employee or any other employee at UCLA was responsible for leaking her details to the Inquirer or the Globe (as appears to be the case), then they have caused her more anguish than had they leaked her financial details.
As a healthcare professional, I am required to protect my patients’ information. If you held a gun to my head and said, “You must choose between revealing your patients’ financial details or their health information,” I’d choose financial details every day and twice on Sunday.
If my doctor said to me, “I will guarantee you low-cost (or FREE) healthcare, but your personal information may be snooped on by office clerical staff or others and may be exposed outside of this office,” I’d find another doctor. Even if I had no money to pay for my healthcare.
Protecting the privacy and confidentiality of health information really is just that important, and instead of trying to suggest that concerns are “overblown,” health IT entities would be better advised to ensure that they have robust protections in place before they try to sell their plans to the public.
On his own blog, SavvyDoc discussed the recent theft of an NIH laptop with PHI on 2500 research participants. He writes, in part:
As more patient information is placed on electronic medical records, issues of security will undoubtedly occur, and with more frequency and likely with greater consequences to individuals; however, these growing pains will be necessary in order to create a more efficient and effective healthcare system. Those in control of healthcare information need to trust that the public will react appropriately when there are security issues. Not doing so will only make the public more leery and stifle an already slow process.
I wonder what SavvyDoc would consider an “appropriate” response to a security issue? As someone who has reported on security breaches and privacy breaches for the past 7+ years, I think it’s fair to say that there are breaches, and then there are breaches. When an entity uses sloppy security with inevitable consequences, what is the “appropriate” response? I suspect SavvyDoc would be more inclined to shrug his shoulders, while I would be more outraged. And perhaps SavvyDoc’s approach, which I view as too casual and too accepting, is the more prevalent view among the public and I am in the minority. That may be the case, but I will continue to be a very vocal minority and to insist on adequate security and privacy protections.