Electronic Medical Records: The Good, Bad, And Ugly

While electronic medical records promise massive opportunities for health benefits, the privacy and security risks are equally enormous.

The Obama administration has set an ambitious goal -- to get electronic medical records on file for every American by 2014. The administration is offering powerful incentives: $20 billion for EMRs included in the American Recovery and Reinvestment Act of 2009, and stiff Medicare penalties for healthcare providers that fail to implement EMRs after 2014.

EMRs offer huge benefits: Improved efficiency by eliminating tons of paper files in every doctor's office, and improved medical care using the same kinds of database and data mining technologies that are now routine in other industries. EMR systems can flag symptoms and potentially harmful drug interactions that busy doctors might otherwise miss.

But the privacy and security threats are massive as well. When completed, the nation's EMR infrastructure will be a massive store of every American's most personal, private information, potentially abused by marketers, identity thieves, and unscrupulous employers and insurance companies.

Unlocking Benefits, Minimizing Risks

Regulators are attempting to craft rules that would unlock the benefits of EMRs while protecting Americans from the security risks. Healthcare IT pros will be required to implement systems and business processes that conform to these regulations or face lost funding, institutional fines, and even -- in some cases -- personal criminal penalties.

The new regulations come as the healthcare industry faces big privacy problems, going back years. In 2003, a medical transcriptionist in Pakistan threatened to post patient records from the University of California San Francisco's Medical Center on the Internet unless she was paid for her work for a transcription service company hired by the university. The dispute was resolved but many patients were shocked to learn that their records were being sent overseas.

In another breach, two computers that held a disc containing the confidential records of close to 200,000 patients of a medical group in San Jose, Calif., were posted for sale on Craigslist.org. The FBI recovered the information and the medical group informed current and former patients of the theft, according to a 2006 report in the HIPAA Bulletin.

Celebrities aren't immune. Last year, more than a dozen staff at the UCLA Medical Center faced disciplinary charges for prying into the medical records of Britney Spears. The same hospital got in trouble again when employees accessed Farrah Fawcett's medical records after she went there for cancer treatments. Healthcare providers and other health businesses aren't stepping up to protect privacy, according to a recent study. Some 80% of healthcare organizations have experienced at least one incident of lost or stolen health information in the past year, according to the study, released this month from security management company LogLogic and the Ponemon Institute, which conducts privacy and information management research.

Also, some 70% of IT managers surveyed said senior management doesn't view privacy and data security as a priority, and 53% say their organizations don't take appropriate steps to protect patient privacy. Less than half judge their existing security measures as "effective or very effective."

Unauthorized use of medical records has created a new kind of crime: Medical identity theft, where a criminal poses as another person to obtain medical treatments using another person's insurance. This is a crime with multiple victims: The actual person with insurance coverage, whose medical records now have incorrect information, potentially leading to medical risk and financial harm, and the insurance company, which is paying for the criminal's medical procedure.

Seeking Solutions

John Halamka, CIO of Harvard Medical School and Beth Israel Deaconess Medical Center, is one of the people trying to solve the privacy problem.

Halamka is chair of the U.S. Healthcare Information Technology Standards Panel and co-chair of the HIT Standards Committee for the U.S. Department of Health and Human Services. HITSP is developing standards for EMRs that balance patients' right to control their information and keep it confidential against the needs of healthcare providers, insurers, and other businesses to share information to improve patient care and do business.

"You want to protect the patient's preferences for confidentiality," Halamka said. But you also need to get information where it's needed. "If you come to the emergency department in a coma, and you have a record that includes psychiatric treatment, HIV, drug abuse, and other information, would you share part of it or all of it? My preference would be all of it, with the hope that emergency workers would use it discreetly, to save my life." But other people may feel differently, Halamka said, and healthcare policy needs to serve all those needs.

Privacy conditions include access logs and encryption requirements for data that reside on mobile devices. Healthcare providers and other health businesses will be required to keep records of everyone who has access to a file, and the patient has a right to know who saw the record, who accessed it, and why, Halamka said.

The Carrot And The Stick

The Office of Civil Rights enforces standards and the Federal Trade Commission has the authority to process consumer complaints. ARRA also permits states' attorneys general to prosecute violations of the Health Insurance Portability and Accountability Act of 1996.

Money is a major incentive for healthcare companies to protect patient privacy. ARRA provides financial incentives for healthcare businesses to meet privacy guidelines, and punishment for people and businesses that fail. Between 2011 and 2015, every doctor in American can claim $44,000 for health IT implementations that meet federal privacy, security, and other standards. Every hospital can claim $2 million for four years under the same conditions. Organizations that fail the ARRA tests get nothing.

The regulations have a zero-tolerance policy for data breaches. If authorized people access records inappropriately, they are terminated, and can face criminal charges and fines, Halamka said.

"There is also a requirement to notify prominent media. If there are more than 500 records compromised, you have to notify the prominent media of the region. I would have to call the New York Times to say, 'look what we did.' Of course I respect federal law, but I'm more afraid of the Boston Globe and New York Times because if I lose the trust of my patients, I'm not going to be given a second chance," said Halamka. But the ARRA regulations aren't enough, said Deborah Peel, founder and chair of the political group Patient Privacy Rights.

"Hospitals let thousands and thousands of employees see millions of patients' data," she said. Hospitals have rules-based systems governing who gets to see patient data -- for example, doctors and nurses get to see data, but not clerks and office workers. If someone is accessing records inappropriately, often the only barrier is a pop-up warning -- and often not even that.

"That's why people looked at the Octomom's records," Peel said. Fifteen hospital workers were fired and another eight disciplined in March for unauthorized access to the medical records of octuplet mother Nadya Suleman. "And a hospital employee was able to get into Farrah Fawcett's records and leak the story before she even told her own family. Typically, the nurses get fired and the doctors don't."

Monitoring Privacy Breaches

Policing medical records is difficult. Developers are working on algorithms to search for potential data breaches. For example, software searches for healthcare workers accessing medical records of people with the same last name, or living at addresses near their own home, based on the possibility that they might be snooping on family members or neighbors. "Suppose a woman's partner is an abuser, she's left him, she goes to the hospital for treatment. If the abuser is an employee of the hospital, how is her privacy going to be protected?"

Amendments to the HIPAA Privacy Rule in 2002 removed earlier privacy protections. "In the paper world, you were told by your doctor's office every time he got a request to release information. You were asked to sign off on that. But in the electronic world, your ability to do that has been taken away," she said. "This is very important, because once health information is out there, you can't put it back in the bottle."

Earlier, the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, permitted companies to share medical records the way they share financial records, Peel said.

However, medical privacy regulations have been getting new teeth, said Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society. Under the Bush administration, the U.S. Justice Department said that HIPAA could not be applied against individual employees of healthcare providers, but ARRA now says that individuals can be prosecuted.

HIPAA now provides criminal penalties of fines up to $250,000 and up to 10 years in prison for disclosing or obtaining health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm, Gallagher said.

The law now requires that patients must have access to their medical records in electronic form. Providers are required to give an accounting to the patient any time medical information is disclosed.

"All in all, what you're seeing here is that there are significant privacy rules that have been put in place now," Gallagher said.

Consent And Control

But Peel said more is needed. Patients need to have complete control over their own medical records. Patients' consent should be required to release medical records -- to anyone. "We're still, essentially, voyeurs into our own medical records," she said. "Now, with audit trails, we're going to be able to see who's gotten into our medical records, but voyeurism isn't the same as control."

But it's not that simple, Gallager said. "Consent puts most of the burden on the patient. The patient has to be involved in every transaction, and the patient needs to be knowledgeable enough to make the consent, and aware that they're not leaving out things through inaction that might hurt them later on," she said. Some people -- like Peel -- believe that's essential to privacy; others believe the issues are too complex to leave to patients. "In my view, Congress weeded out consent as a solution to the privacy problem," Gallagher said.