“Privacy is not something that I’m merely entitled to,

 it’s an absolute prerequisite.”  -Marlon Brando

Marlon Brando might be on to something here. Is privacy an entitlement or an "absolute prerequisite?" In the case of electronic health record (EHR) technology, this is certainly a hot topic.

While we know EHRs can improve the quality and safety of patient care and reduce healthcare expenditures, questions remain about how to manage and prioritize patients' privacy in a digitized world. In addition, there is intense debate over exactly what constitutes a significant breach of privacy, one of which patients must be notified.

Privacy breaches are a reality we have to face. The October 2009 Ponemon report, Electronic Health Information at Risk: A Study of IT Practitioners, revealed that 80 percent of surveyed healthcare organizations had experienced at least one incident of lost or stolen electronic health information in the past year. On a more serious note, four percent had more than five patient data breaches.

Security breaches could multiply as more practitioners take advantage of the Health Information Technology for Economic and Clinical Health Act (HITECH), which offers billions of dollars in federal assistance for adopting "meaningful use" (yet to be defined) of electronic health record systems. Safeguards have been put into place, as HITECH does expand the 1996 Health Insurance Portability and Accountability Act (HIPAA) rules for data security and privacy.

The new HIPAA rules include increased audits, stronger enforcement and penalties, and mandatory patient data breach notification requirements. However, a recent study sponsored by LogLogic, a log and security management vendor, and conducted by the Ponemon Institute, a privacy and information management research firm, confirms that healthcare IT security professionals still have reasonable concerns despite the HIPAA safeguards.

Under the Privacy Rule, at 45 C.F.R. § 164.530(f), "mitigation is required, where practicable, for known harmful effects caused by the covered entity's own workforce misusing or disclosing electronic PHI or by such misuse or wrongful disclosure by a HIO that is a business associate." Who decides what counts as a "harmful effect" of a security breach? Should a victim be notified of every breach of privacy, or only of those determined to cause a "harmful effect?" This ambiguous language leaves open how breaches are assessed and how mitigation with the affected patients is carried out.

Perhaps we should reflect, like Mr. Brando, on the value we place on privacy. Do we accept some inherent level of privacy risk in exchange for higher-quality, more cost-effective and efficient health care? Or is privacy an absolute prerequisite, hands-down? If so, healthcare security has a long way to go before it can ensure the complete safety and security of EHR information in the digital world.