Government Grapples With EMR Security, Privacy
Healthcare Data Breaches Common
Healthcare providers and other health businesses aren't stepping up to protect privacy, according to a recent study. Some 80% of healthcare organizations have experienced at least one incident of lost or stolen health information in the past year, according to the study, released this month by security management company LogLogic and the Ponemon Institute, which conducts privacy and information management research.
Also, some 70% of IT managers surveyed said senior management doesn't view privacy and data security as a priority, and 53% said their organizations don't take appropriate steps to protect patient privacy. Fewer than half judge their existing security measures as "effective or very effective."
Unauthorized use of medical records has created a new kind of crime: Medical identity theft, where a criminal poses as another person to obtain medical treatments using another person's insurance. This is a crime with multiple victims: The actual person with insurance coverage, whose medical records now have incorrect information, potentially leading to medical risk and financial harm, and the insurance company, which is paying for the criminal's medical procedure.
John Halamka, CIO of Harvard Medical School and Beth Israel Deaconess Medical Center, is one of the people trying to solve the privacy problem.
Halamka is chair of the U.S. Healthcare Information Technology Standards Panel and co-chair of the HIT Standards Committee for the U.S. Department of Health and Human Services. HITSP is developing standards for EMRs that balance patients' right to control their information and keep it confidential against the needs of healthcare providers, insurers, and other businesses to share information to improve patient care and do business.
"You want to protect the patient's preferences for confidentiality," Halamka said. But you also need to get information where it's needed. "If you come to the emergency department in a coma, and you have a record that includes psychiatric treatment, HIV, drug abuse, and other information, would you share part of it or all of it? My preference would be all of it, with the hope that emergency workers would use it discreetly, to save my life." But other people may feel differently, Halamka said, and healthcare policy needs to serve all those needs.
Privacy conditions include access logs and encryption requirements for data that reside on mobile devices. Healthcare providers and other health businesses will be required to keep records of everyone who has access to a file, and the patient has a right to know who saw the record, who accessed it, and why, Halamka said.
The Carrot And The Stick
The Office of Civil Rights enforces standards and the Federal Trade Commission has the authority to process consumer complaints. ARRA also permits states' attorneys general to prosecute violations of the Health Insurance Portability and Accountability Act of 1996.
Money is a major incentive for healthcare companies to protect patient privacy. ARRA provides financial incentives for healthcare businesses to meet privacy guidelines, and punishment for people and businesses that fail. Between 2011 and 2015, every doctor in America can claim $44,000 for health IT implementations that meet federal privacy, security, and other standards. Every hospital can claim $2 million for four years under the same conditions. Organizations that fail the ARRA tests get nothing.
The regulations have a zero-tolerance policy for data breaches. If authorized people access records inappropriately, they are terminated, and can face criminal charges and fines, Halamka said.
"There is also a requirement to notify prominent media. If there are more than 500 records compromised, you have to notify the prominent media of the region. I would have to call the New York Times to say, 'look what we did.' Of course I respect federal law, but I'm more afraid of the Boston Globe and New York Times because if I lose the trust of my patients, I'm not going to be given a second chance," said Halamka.