“The fantastic advances in the field of electronic communication constitute a greater danger to the privacy of the individual.” (Supreme Court Chief Justice Earl Warren, 1963)
I moderated a panel last week for Xconomy that was focused on consumer-oriented healthcare information technology. The panel included two hospital chief information officers (one current, one former) and two healthcare IT company executives. The panel itself was preceded by a presentation from Dr. Kevin Patrick, a preventive medicine specialist at UC San Diego and director of the Center for Wireless and Population Health Systems at the California Institute for Telecommunications and Information Technology. Dr. Patrick talked about many things, but among them was a program he is leading that relies on Facebook to support individuals’ weight loss goals. By engaging one’s friends and friends-of-friends, goes the theory, one can more effectively stay on track with a weight loss program and work to prevent the scourge of Type II diabetes, among other problems. Dr. Patrick hypothesized that this approach could work in other health-related areas beyond weight management.
In fact, there are already companies trying to cash in on this approach, including PatientsLikeMe, the Cambridge, MA-based company that supports different online communities of patients who share the same life-changing diagnoses. Such specialized communities of electronic show-and-tell may become increasingly prevalent as the era of personal genomics makes it easier and less expensive to diagnose every person’s inherent disposition to disease.
It’s an interesting time for consumers who are theoretically trying to (or being forced to) become more engaged in their own health and to take a greater role in managing their own healthcare. One of the issues oft discussed in this context is privacy and its companion, data security. There is a generally accepted view that patients worry a great deal about the privacy of their healthcare information and much effort is made to protect healthcare data security as a result. Or is it?
One of the questions I asked my panel to respond to was this: does anyone really care about privacy and security when it comes to healthcare or is that just one of those things people are supposed to say? The response from everyone on the panel was the appropriately emphatic “yes, it’s important”, but I am not sure I’m convinced. If Dr. Patrick’s patients are going to use Facebook to share healthcare information with each other, can they really care about privacy and data security? Let’s be real; Facebook is about as secure as Tiger Woods’ hotel room: pretty much anyone can get in.
Some people feel very comfortable freely discussing their healthcare particulars with others in person and on-line, asking everyone they know for advice and joining on-line support groups where data security is an afterthought at best. On the other hand, people who fear reprisals from employers if their health status became widely known go to great lengths to keep their information secure. I think the truth of the matter is that some people care a lot about this issue, some people don’t, and people may switch categories depending on circumstances. No doubt this issue is highly correlated with the seriousness of one’s healthcare condition. If your only problem is hangnails, who cares if the neighbors know? If you have a life-threatening or job-threatening condition, you’re steering a wide berth from the virtual water-cooler.
In this day and age of ever-increasing digitization of our healthcare data, it is important to remember who owns all that healthcare data that resides electronically, namely the providers from whom we get our care. It’s kind of like your house. You may say it’s yours, but for about 30 years it really belongs to the bank, no matter what name you stick on the mailbox. So if that’s the case, what we consumers really have to worry about is how well our providers guard our data, right? Well, you may as well put your medical record in the status bar of your Facebook page because, frankly, Scarlett, they don’t give a damn.
There was a report recently released from a company called ID Experts working in conjunction with Ponemon Institute, a well-known research center dedicated to privacy, data protection and information security policy. The report, entitled Benchmark Study on Patient Privacy and Data Security, found that data breaches at U.S. healthcare organizations cost providers more than $6 billion/year as a result of employee actions, third-party error and lost or stolen devices (the last being the biggest problem according to the U.S. Department of Health and Human Services). Moreover, the Ponemon study illuminates the fact that the nation’s largest healthcare organizations aren’t trying very hard to solve the problem.
In fact, according to the study, most provider institutions aren’t even making patient privacy and data security a priority. In the press release about this study it was noted that 70 percent of hospitals said that protecting patient data is not a top priority and 67 percent reported having fewer than two staff members dedicated to data protection management. 58 percent of respondents said they have “little or no confidence” in their ability to adequately protect patient records and 71 percent admitted they have inadequate resources to implement the technology and procedures required to lock down millions of individual patient files. Well, isn’t that special? If you want to really freak yourself out about this issue, read this article entitled “10 Egregious Patient Privacy Breaches.”
The Ponemon study further found that the average healthcare organization incurred 2.4 significant data breaches in the past two years, at a cost of more than $2 million per organization. You would hope this problem would begin to abate with the passage of the HITECH Act (the law enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health information technology), but that isn’t looking too good either at the moment.
“Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.” (John Barlow, Fellow at Harvard University’s Berkman Center for Internet and Society and, more impressively, lyricist for the Grateful Dead)
Prior to the HITECH Act, the Department of Health and Human Services could not impose a penalty of more than $100 for each security or privacy violation or $25,000 for all identical violations of the same provision. Additionally, a covered health care provider, health plan or clearinghouse could also avoid a civil monetary penalty by showing it didn’t know that it violated the HIPAA rules. (This reminds me of that old Steve Martin routine where he says, “I forgot armed robbery was against the law,” but I digress.) The HITECH Act significantly increased the cost of breaching security by increasing the minimum penalty amounts and raising the maximum penalty to $1.5 million for all violations of an identical provision. Also, you can no longer weasel out of fines for an unknown violation unless you successfully correct the violation within 30 days of discovery.
Guess what? In the Ponemon study, 71 percent of senior managers queried said they didn’t think the HITECH Act regulations have significantly changed their practices for handling patient records. Swell.
Rick Kam, president and co-founder of ID Experts, a party to the research report, puts it in pretty stark terms, “We talk with healthcare compliance people dealing with data breach risks every day and they just can’t get their arms around the problem of data exposure. Unfortunately, in healthcare organizations, patient revenue trumps risk management.”
That last quote may contain the answer to the problem. Fining providers when they breach patient security apparently isn’t the right way to structure the incentive. The government must learn what parents have known all along: bribery works. Kid cleans room, kid gets allowance. Kid washes car, kid gets $20. Kid gets a good report card, kid gets to use the car. Okay government: time to make one of those fabled pay-for-performance incentives a reward for keeping patient data safe. If paying providers to adopt electronic means of managing patient data is driving them to adopt EMRs, then paying them to turn on the privacy features might just help.
Note: a version of this post also ran November 23, 2010, in Xconomy