Can Electronic Medical Records Be Secured?

While EMRs promise massive opportunities for patient health benefits and reductions in administrative costs, the privacy and security risks are daunting.
Policing medical records is difficult. Developers are working on algorithms to search for potential data breaches. For example, software searchers for healthcare workers accessing medical records of people with the same last name, or living at addresses near their own home, based on the possibility that they might be snooping on family members or neighbors. "Suppose a woman's partner is an abuser, she's left him, she goes to the hospital for treatment. If the abuser is an employee of the hospital, how is her privacy going to be protected?"

Amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule in 2002 removed earlier privacy protections. "In the paper world, you were told by your doctor's office every time he got a request to release information. You were asked to sign off on that. But in the electronic world, your ability to do that has been taken away," she said. "This is very important, because once health information is out there, you can't put it back in the bottle."

Earlier, the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999 (a major contributor to the current financial meltdown) permitted companies to share medical records the way they share financial records, Peel said.

Medical privacy regulations, however, have been getting new teeth, said Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS). Under the Bush administration, the U.S. Justice Department said that HIPAA could not be applied against individual employees of healthcare providers, but ARRA said individuals can be prosecuted.

HIPAA now provides criminal penalties of fines up to $250,000 and up to 10 years in prison for disclosing or obtaining health information with the intent to sell, transfer or use it for commercial advantage, personal gain, or malicious harm, Gallagher said.

The law now requires patients must have access to their medical records, in electronic form. Providers are required to give an accounting to the patient any time medical information is disclosed.

"All in all, what you're seeing here is that there are significant privacy rules that have been put in place now," Gallagher said.

But Peel said more is needed. Patients need to have complete control over their own medical records. Patients' consent should be required to release medical records--to anyone. "We're still, essentially, voyeurs into our own medical records," she said. "Now, with audit trails, we're going to be able to see who's gotten into our medical records, but voyeurism isn't the same as control."

But it's not that simple, Gallagher said. "Consent puts most of the burden on the patient. The patient has to be involved in every transaction, and the patient needs to be knowledgeable enough to make the consent, and aware that they're not leaving out things through inaction that might hurt them later on," she said. Some people--like Peel--believe that's essential to privacy; others believe the issues are too complex to leave to patients. "In my view, Congress weeded out consent as a solution to the privacy problem," Gallagher said.

For Further Reading:

E-Health Records Put Patient Privacy At Risk

E-Health Records Could Flag Domestic Abuse

Why Your Next IT Job Will Be In Healthcare

Healthcare IT Career Tips

Editor's Choice
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Terry White, Associate Chief Analyst, Omdia
John Abel, Technical Director, Google Cloud
Richard Pallardy, Freelance Writer
Cynthia Harvey, Freelance Journalist, InformationWeek
Pam Baker, Contributing Writer