Kim Dixon of Reuters reports:
U.S. consumer groups, insurers and privacy advocates together with Google Inc and Microsoft Corp said on Wednesday they have agreed to standards intended to speed adoption of personal electronic health records.
That’s nice, but as you read further into the report, you read that:
“A policy and privacy logjam … has constricted some of the consumer uptake of these services,” said James Dempsey, deputy director at the Center for Democracy and Technology, a privacy rights group.
Principles for personal health records include an audit trail to track use of the data, a dispute resolution process for consumers who believe their personal information has been misused and a ban on using data to discriminate in employment.
Also signing on to the principles are WebMD, Consumers Union, which publishes Consumer Reports, AARP, the seniors’ lobbying group, and America’s Health Insurance Plans, which represents major insurers such as Aetna Inc.
So where are the “privacy advocates” in the above list? If they think that CDT represents most privacy advocates, may I politely point out that they don’t? CDT takes money from businesses, and their recommendations tend to be a lot more business-friendly than those of privacy organizations such as EPIC or the World Privacy Forum.
Privacy advocates do not speak with one voice. It may be fine for CDT, but where are the strict prohibitions on certain uses of data without express opt-in consent and the ability of the consumer to revoke consent at any time? An audit trail can point to abuses, but it doesn’t prevent them. Where are the real nuts and bolts of security and privacy here? Where are breach definitions and statements about notification and disclosure? And where are individual causes of action?
I look forward to seeing the details of these standards. Yesterday, CDT wrote:
CDT Policy Post: Privacy and Security Principles for Health Information Technology
CDT issued a policy post today on the topic of Privacy and Security Principles for Health Information Technology. In the document, CDT emphasizes the importance of building privacy and security into e-health systems from the outset and identifies the basic requirements of a comprehensive privacy and security framework for health information technology. The document makes several suggestions for Congress to consider when crafting legislation; it also calls on federal lawmakers to build a comprehensive framework for e-health through the enactment of incremental, workable policy solutions. June 24, 2008
CDT Policy Post 14.9 June 24, 2008
Electronic medical record storage is much more helpful than manual record storage. This is because the electronic storage methods are more organized, and can be accessed from anywhere in the world, provided a proper network connection.
And that very advantage also becomes its greatest liability if the records are not properly secured — because as you note, they can be accessed from anywhere in the world.
As a healthcare professional who has been in practice long enough to remember paper records and the old system of hospital charting, I love electronic records. It makes it easier to search and find info when I need it, etc., but as someone who has reported on security breaches in all sectors for the past seven years or so, I know how many breaches we see involving PII and PHI — and they are just the tip of the iceberg. Finjan’s recent findings of access to entire hospital systems databases on criminal web sites is downright scary.
So I wouldn’t argue with you about the potential advantages of EMRs. I would say to you, though, that you still need to demonstrate adequate security before I’d trust any system. And based on what I’ve seen and read for the past seven years, I suspect that cybercriminals will always be one step ahead of security professionals.
So…. how much of your personal medical history and details are you willing to risk having open to inspection or misuse by the whole world? Even if cybercriminals do not obtain or misuse your financial details, would you feel okay if your daughter’s treatment for a sexually transmitted disease or unwanted pregnancy was plastered all over the web? Or what if you didn’t want your colleagues to know that you have cancer and your diagnostic tests and results showed up in Google’s cache?
And no, I’m not trying to use FUD techniques here. I’ve actually found sensitive medical files on named patients accidentally during Google searches for other things. I’m sure the professionals thought that EMRs were a great idea, but didn’t count on human error. Just as all of the hospitals that used Verus’s online payment system for patient accounts didn’t count on a Verus employee forgetting to reactivate a firewall and leaving all of their clients’ patient accounts available to anyone and everyone on the web.
I am not interested in a tradeoff between convenience and improved treatment vs. privacy and security. I’m saying we need to have all of it. Even if someone doesn’t care about their records being exposed or accessed, the risk is that someone could go in and change their medical records and then instead of EMR saving lives, it theoretically might have the opposite effect.