"Hospitals let thousands and thousands of employees see millions of patients' data," she said. Hospitals have rules-based systems governing who gets to see patient data -- for example, doctors and nurses get to see data, but not clerks and office workers. If someone is accessing records inappropriately, often the only barrier is a pop-up warning -- and often not even that.
"That's why people looked at the Octomom's records," Peel said. Fifteen hospital workers were fired and another eight disciplined in March for unauthorized access to the medical records of octuplet mother Nadya Suleman. "And a hospital employee was able to get into Farrah Fawcett's records and leak the story before she even told her own family. Typically, the nurses get fired and the doctors don't."
Monitoring Privacy Breaches
Policing medical records is difficult. Developers are working on algorithms to search for potential data breaches. For example, software searches for healthcare workers accessing medical records of people with the same last name, or living at addresses near their own home, based on the possibility that they might be snooping on family members or neighbors. "Suppose a woman's partner is an abuser, she's left him, she goes to the hospital for treatment. If the abuser is an employee of the hospital, how is her privacy going to be protected?"
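The two heuristics described above (an employee opening the chart of someone with the same surname, or of someone living close to the employee's own home) can be expressed as a simple scan over an access audit log. The following is an added illustration, not code from the article or from any hospital system; the CSV columns, the sample rows, the 500-metre radius and the coordinates are all constructed for the example.

```python
import csv
import io
import math
from dataclasses import dataclass, field

# Constructed sample audit-log extract (not real data). Each row records who
# opened a chart, that employee's surname and home coordinates, and the same
# details for the patient whose chart was opened.
SAMPLE_AUDIT_LOG = """\
ts,employee_id,employee_surname,employee_lat,employee_lon,patient_id,patient_surname,patient_lat,patient_lon
2009-03-02T08:15:00,E100,Alvarez,34.0522,-118.2437,P5001,Nguyen,34.1478,-118.1445
2009-03-02T08:20:00,E100,Alvarez,34.0522,-118.2437,P5002,Alvarez,34.0901,-118.3618
2009-03-02T09:02:00,E233,Brooks,34.0195,-118.4912,P5003,Park,34.0199,-118.4905
2009-03-02T09:30:00,E233,Brooks,34.0195,-118.4912,P5004,brooks,34.0195,-118.4912
2009-03-02T10:11:00,E314,Chen,34.0736,-118.4004,P5005,Okafor,34.0522,-118.2437
"""

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class Finding:
    """One audit-log row that tripped at least one snooping heuristic."""
    ts: str
    employee_id: str
    patient_id: str
    reasons: list = field(default_factory=list)


def find_snooping_candidates(audit_csv, radius_m=500.0):
    """Scan an audit-log CSV and return rows worth a privacy officer's review.

    Two heuristics, both from the article: same surname (case-insensitive,
    so 'brooks' matches 'Brooks') and patient home within radius_m of the
    employee's home. Neither proves misuse; common surnames and dense
    neighbourhoods will produce benign hits, so the output is a triage list.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        reasons = []
        emp_name = row["employee_surname"].strip().casefold()
        pat_name = row["patient_surname"].strip().casefold()
        if emp_name and emp_name == pat_name:
            reasons.append("same surname")
        dist = haversine_m(float(row["employee_lat"]), float(row["employee_lon"]),
                           float(row["patient_lat"]), float(row["patient_lon"]))
        if dist <= radius_m:
            reasons.append(f"patient home within {radius_m:.0f} m ({dist:.0f} m)")
        if reasons:
            findings.append(Finding(row["ts"], row["employee_id"],
                                    row["patient_id"], reasons))
    return findings


if __name__ == "__main__":
    for f in find_snooping_candidates(SAMPLE_AUDIT_LOG):
        print(f"{f.ts} {f.employee_id} -> {f.patient_id}: {'; '.join(f.reasons)}")
```

On the constructed log this flags three of the five accesses: E100 opening an Alvarez chart, and E233 opening two charts belonging to near neighbours, one of whom also shares the Brooks surname. A real deployment would join the audit log against HR and patient-demographic tables rather than carry addresses in the log itself, and would route findings to a reviewer rather than block access, since the same patterns occur legitimately.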
Amendments to the HIPAA Privacy Rule in 2002 removed earlier privacy protections. "In the paper world, you were told by your doctor's office every time he got a request to release information. You were asked to sign off on that. But in the electronic world, your ability to do that has been taken away," she said. "This is very important, because once health information is out there, you can't put it back in the bottle."
Earlier, the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, permitted companies to share medical records the way they share financial records, Peel said.
However, medical privacy regulations have been getting new teeth, said Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society. Under the Bush administration, the U.S. Justice Department said that HIPAA could not be applied against individual employees of healthcare providers, but ARRA now says that individuals can be prosecuted.
HIPAA now provides criminal penalties of fines up to $250,000 and up to 10 years in prison for disclosing or obtaining health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm, Gallagher said.
The law now requires that patients must have access to their medical records in electronic form. Providers are required to give an accounting to the patient any time medical information is disclosed.
"All in all, what you're seeing here is that there are significant privacy rules that have been put in place now," Gallagher said.
Consent And Control
But Peel said more is needed. Patients need to have complete control over their own medical records. Patients' consent should be required to release medical records -- to anyone. "We're still, essentially, voyeurs into our own medical records," she said. "Now, with audit trails, we're going to be able to see who's gotten into our medical records, but voyeurism isn't the same as control."
But it's not that simple, Gallagher said. "Consent puts most of the burden on the patient. The patient has to be involved in every transaction, and the patient needs to be knowledgeable enough to make the consent, and aware that they're not leaving out things through inaction that might hurt them later on," she said. Some people -- like Peel -- believe that's essential to privacy; others believe the issues are too complex to leave to patients. "In my view, Congress weeded out consent as a solution to the privacy problem," Gallagher said.