One of the better, more balanced articles on privacy and security of medical records can be found in today’s WSJ. Unlike many articles on the privacy of digital medical records, this one actually goes into some depth on the issue: it covers some of the major recent breaches, includes a classic quote from Jill Dennis, a SVP at AHIMA (see below), and describes what some hospitals are doing to ensure the privacy of medical records.
The internal mistakes and the internal carelessness seem to be more prevalent than the stranger from the outside trying to crack into your system. -Jill Dennis, Senior VP, AHIMA
As with just about any article in the popular press that addresses privacy and security of medical records, there is always some issue that gets skipped or is not addressed in adequate depth that would bring even greater balance to an article. As good as it is, this article misses a couple of important points:
The article lacks any risk/benefit analysis of moving to a digital construct. Yes, there is certainly a fair share of risks as we move to digital records, but they also can bring a wealth of benefits such as better population disease management, improved diagnosis, better medication management (and minimizing adverse drug events), etc. Also, digital records may, in many cases, guarantee a higher level of security as one has to physically log in to view a record, thereby leaving an audit trail. This is how many breaches have been caught to date. And as the SVP from AHIMA points out, risks may not be so much a function of the technology (I would argue it has absolutely nothing to do with the technology) but of internal processes, or lack thereof, to ensure proper procedures are in place and precautions are taken.
Managing Sensitive Data
As we move to a digital healthcare environment (it is inevitable), how will the consumer manage their records more effectively and more broadly, and how will providers manage these records?
The CIO, John Halamka, who had a good post last week that I referenced on the “Ideal EHR System”, has a post this week on what they are doing internally to digitize care practices via integrating all of the digital silos at Beth Israel Deaconess Medical Center here in Boston. Unfortunately, though he provides an extensive list of some 40 interconnects and interoperability touch points for their Integrated Delivery Network (IDN), nowhere in those 40 is there any mention of security and privacy.
In such a broad distributed network of providers in this region, I sure would like to know what rights I have as a customer to sequester data that I may not want to share within this network, but just with those that truly need to know. Taking this one step further beyond the IDN, as we move to a National Health Information Network (NHIN), again, how will I, as a consumer, have some say as to what is distributed in that network and who has access to it? As an extension of this theme, as more and more computing moves to the Web, e.g., MS’s announcement last week of Live Mesh, how will sensitive records such as these be managed in such cloud computing environments?
Granted, these are some tough questions, but what I want to see are some well-thought-out answers and unfortunately, they seem to be too few and too far between.
To close, a couple of action items for you dear reader:
First, go over to the WSJ and take their quick poll on whether or not the digitization of medical records makes you nervous (FWIW, I answered No). Somewhat surprising to me, I am in the majority with two-thirds of voters casting a No vote.
Second, the Healthcare IT consulting firm Kroll did a report with HIMSS Analytics on data security and privacy. They published a report a couple of weeks ago and, as serendipity would have it, will be sponsoring a webcast today at 2pm EST. Here’s the link to register.