Privacy

HEALTH IT: California Cracks Down on Health Cyber-Snoops

Joanne Kenen — Wed, 27 Aug 2008 20:58:00 -0400

What do Britney Spears and Farrah Fawcett have in common with California First Lady Maria Shriver? How soon we forget: someone snooped in their medical files. The California state Senate hasn't forgotten. It just passed legislation that would require health care providers to monitor employees to ensure that they do not violate patients' medical rights, the LA Times reports. California Gov. Arnold Schwarzenegger—Shriver's husband—supports the bill, which still must pass the state Assembly.

Much of the language in the California bill sounds like the federal HIPAA Privacy law. It would require health care providers to have clear and appropriate safeguards to protect patient privacy and "reasonably safeguard confidential medical information from unauthorized or unlawful access, use or disclosure."

But the California initiative differs from HIPAA in several ways. First, it would allow an individual to sue the person who negligently released confidential medical information. The federal law, in contrast, only allows the Secretary of Health and Human Services to investigate complaints and assess penalties. California would also impose fines up to $25,000—but this pales in comparison to the possible monetary damages available in a civil lawsuit.

Second, the California bill would establish a new Office of Health Information Integrity in the state health department to enforce confidentiality laws and assess fines. This is a clear signal that the California legislature is not interested in waiting for the federal government to investigate whether hospitals are properly protecting health information.

A pending companion bil in the state Senate would allow for fines against health care providers themselves, although opponents say such violations are already investigated by the Medical Board of California. Still, these bills are more evidence that the privacy of health information isn't just a concern for movie stars and first ladies. Protecting privacy is a hot button issue that will be a factor as we move to expand health IT, as we must, as part of health care reform. It will be interesting to see whether other states follow California's lead.

HEALTH IT: The Not-So-Private View from HHS

Joanne Kenen — Thu, 08 May 2008 18:10:00 -0400

Earlier this week we posted our interview about the future of health IT with Carol Diamond of the Markle Foundation. (Part one, and part two). Today we'd like to point you to The Hill 's interview with Health and Human Services Secretary Mike Leavitt on the same topic.

Two points struck us. First, neither the article nor the full Leavitt transcript mentions the word "privacy"—a big issue both for policymakers and for the public who keep reading about nosy hospital staff, researchers who do sloppy things like leave laptops with patient records in the car, and thieves who steal credit card numbers and other financial identity information from medical records. Not insurmountable but essential if we're going to get the country on board with health IT. Second, Leavitt really depicted the health IT challenge primarily as a technology question involving interoperability (letting different computer systems talk to each other) while Markle's Connecting for Health program and conversations with some other experts have made us think about a far broader range of policy challenges that won't be solved only by the computer geeks.

We did like that Leavitt pointed out that the electronic medical records (with appropriate privacy safeguards) won't just improve care for individual patients. Properly designed, they will provide a huge data pool for researchers to track public health threats, emerging trends or epidemics, drug side effects and the like as well as do research into what treatments work best for patients. But first we've got to get there. Leavitt sounds optimistic, but we've heard that health IT is just around corner for some time. Let's hope he's right sooner rather than later.

HEALTH IT: Crime and Punishment (Please)

Joanne Kenen — Wed, 30 Apr 2008 19:18:00 -0400

The Wall Street Journal had a great piece and blog item yesterday about Health IT and privacy breaches — we would have blogged about it then had we not, coincidentally, been out much of the day with some other think-tankers and foundation folks educating ourselves about that very topic. Among other things, the Journal article made the key point that privacy breaches are rarely prosecuted. That's not the right way to build public confidence in electronic health records.

Some 35,000 reports of privacy violations have been reported to the Department of Health and Human Services under HIPAA (Health Insurance Portability and Accountabilty Act) since 2003, but not a single civil fine has been levied, WSJ reported. HHS says several hundred reports of violations have been referred to the Department of Justice for criminal prosecution; about 200 cases have been filed although it's not clear how many of them were under HIPAA.

So we were pleased to see the LA Times report today (Charlie Ornstein's done a lot of good work on this whole phenomenon of Hollywood sneaky peeky) that an alleged celebrity snoop at UCLA Medical Center had been indicted for allegedly selling information from medical records of celebrities to the media (apparently the National Enquirer).

The paper reported that Lawanda Jackson, 49, could face up to 10 years in prison if convicted of the charge of obtaining individually identifiable health information for commercial advantage. The paper had earlier reported that Jackson had allegedly pried into the private medical records of California First Lady Maria Shriver, Farrah Fawcett, and 60 others. In an April 8 interview with the newspaper, Jackson denied that she had leaked the information or otherwise profited from it.

Hospitals can (and should) take multiple steps to make records more secure; for instance, walling off parts of the computerized records so that people can access only what they need to know. But the feds (or state governments) have responsibilities too. Getting electronic records right, from technical, economic, and privacy standpoints, is hard enough. If all the public hears about is breach after breach, snooping, spying, and carelessness (medical records left on a laptop in someone's car trunk...) they aren't going to buy into Health IT. And we need them to; Health IT may not save as much as quickly politicians are promising but it is essential for quality, for coordinated care, for efficiency and for research. So when there's a crime, let's see some punishment.