“Privacy is not something that I’m merely entitled to,
it’s an absolute prerequisite.” -Marlon Brando
Marlon Brando might be on to something here. Is privacy an entitlement or an “absolute prerequisite”? In the case of EHR technology, this is certainly a hot topic.
While we know EHRs can improve patient quality of care/safety and reduce healthcare expenditures, questions remain on how to manage and prioritize patients’ privacy in the digitized world. In addition, there is intense debate on exactly what defines a significant breach in privacy of which patients should be notified.
Privacy breaches are a reality we have to face. The October 2009 Ponemon report, Electronic Health Information at Risk: A Study of IT Practitioners, revealed that 80 percent of surveyed healthcare organizations had experienced at least one incident of lost or stolen electronic health information in the past year. On a more serious note, four percent had more than five patient data breaches.
Security breaches could increase exponentially as more practitioners take advantage of the Health Information Technology for Economic and Clinical Health Act (HITECH), which offers billions of dollars in federal assistance to adopt “meaningful use” (yet to be defined) of electronic health record systems. Safeguards have been put into place, as HITECH does expand the 1996 Health Insurance Portability & Accountability Act (HIPAA) rules for data security and privacy.
The new HIPAA rules include increased audits, enforcement and penalties, and mandatory patient data breach notification requirements. However, a recent study sponsored by LogLogic, a leader in log and security management solutions, and conducted by the Ponemon Institute, a privacy and information management research firm, confirms healthcare IT security professionals still have reasonable concerns despite HIPAA safeguards.
Under the Privacy Rule, at 45 C.F.R. § 164.530(f), “mitigation is required, where practicable, for known harmful effects caused by the covered entity’s own workforce misusing or disclosing electronic PHI or by such misuse or wrongful disclosure by a HIO that is a business associate.” Who defines a “harmful effect” from a security breach? Should a victim be notified of any breach in privacy, or just those determined to cause a “harmful effect”? This ambiguous language gives reason to question how privacy breaches are determined and how they are mitigated for the victims.
Perhaps we should reflect back to the value we place on privacy, like Mr. Brando. Do we exchange high-quality, more cost-effective and efficient health care for some level of inherent privacy breach? Or is privacy an absolute prerequisite, hands-down? If so, healthcare security has a long way to go to ensure compliance in maintaining the complete safety and security of EHR information in the digital world.
3 Comments
Robin - Oct 29, 2009
Keeping patient information secure is always a challenge whether the issue is a paper chart or an EHR. Guardianship of private information is a challenge but one that is taken seriously by all health care institutions. Having said that, I agree with the author, until all EHRs are 100% secure, there is serious work to be done.
Angioplasty - Nov 4, 2009
Just think if everyone had an EMR. If everyone would have a flash drive around their neck or on their person like an electronic dog tag. You would not need the Internet. All you would need to do is plug the flash drive into the USB port and a pre-set form would come up with all the pertinent info. All the info needed to treat a patient. Like medical history, allergies and medications. We would save so much money, because of the time-saving element. No need to run so many tests. And of course a lot fewer medical mistakes because they would have a great base to work from with each patient.
Paul Roemer - Nov 5, 2009
Is there any chance the PHR may implicitly imply some agreement to waive privacy?
What’s your take on who owns the patient data? In many industries, content is king, and this is the content.