Health data, like financial records, are vulnerable to abuse by outsiders.

By Veronica Salazar
USA Today - February 16, 2009

Content Source

In the digital age, switching patients' medical records from unwieldy paper to computerized data is a no-brainer. Electronic records make it easier for patients to keep up-to-date health data themselves; for doctors, hospitals and emergency rooms to share data; and for the health care system to provide better quality care at lower cost.

That was the impetus for President Obama's push to include $20 billion in the stimulus bill, passed Friday, to provide incentives for physicians, hospitals and other health providers to go digital. But the very things that make digital records so appealing — easy access, sharing and speed of transmission — make them vulnerable to everyone from snoopers and thieves to businesses that want to use your medical records for their profit.

For the first time since digital systems took off this decade, Congress has added some strong privacy safeguards in the measure Obama is expected to sign this week. But the fierce, down-to-the-wire battle between health care industry players who opposed many safeguards and privacy advocates shows how difficult it is to make patient privacy a priority. Failing to do so will leave patients vulnerable to many abuses:

Marketing. Many pharmacies share your prescription data with third parties, without your permission, in order to send refill reminders. But in the past, the data have been used to, in their words, "educate" consumers about more costly drugs pushed by pharmaceutical companies or less expensive ones pushed by health care plans. Consumers have loudly protested when they've discovered such arrangements. The new measure seeks to stop this practice, unless customers give their permission.

Breaches. Electronic medical records are as vulnerable to invasion as credit card data, and thousands have occurred. According to the Privacy Rights Clearinghouse, a non-profit group that tracks breaches, these include the theft of an unencrypted laptop from a Manhattan veterans hospital in 2006 — exposing 1,600 patient records — and the breach of 187,000 patient records in San Jose, Calif., when a clinic manager stole computer equipment. Under the new measure, providers must notify patients of stolen unencrypted data.

Identity theft. Criminals also have used patients' identities in schemes to obtain expensive medical treatment charged to the victim's health insurance, according to a 2006 report by the World Privacy Forum. Victims are left with error-filled medical records showing serious ailments that could prevent them from getting life or health insurance or a job. The measure offers no new tools to deal with this problem.

The worst fear of privacy experts is that medical data, once computerized, will go the way of financial data — something to be sliced and diced by data miners. Credit bureaus tag consumers with credit scores. Medical data in the hands of businesses outside strict privacy laws could be turned into health scores, which would follow an individual through life, leading to discrimination by employers or other punitive actions.

That's not a reason to shun electronic medical records. But it is a reason to be vigilant. Lobbying over government privacy rules to flesh out the new law will begin soon, and whether the patients' interests will prevail is anyone's guess.