When it comes to protecting the privacy of patients’ computerized information, the main threat the health-care industry faces isn’t from hackers, but from itself.
In a spate of recent security lapses at hospitals, health insurers and the federal government, private information on hundreds of thousands of patients, ranging from Social Security numbers to fertility-treatment and cancer records, has been compromised. The incidents have included the theft of an unencrypted laptop from an employee of the National Institutes of Health and the inadvertent posting of personal data on the Web from insurers WellCare Health Plans Inc. and WellPoint Inc. At the UCLA Hospital System, several employees were fired or disciplined recently for sneaking peeks at Britney Spears’ computerized medical files.
In another recent incident, a former patient-admissions employee at NewYork-Presbyterian Hospital/Weill Cornell Medical Center was arrested this month for allegedly selling at least 2,000 patient identification records, according to the U.S. Attorney for the Southern District of New York. The employee improperly accessed nearly 50,000 patient records in a computer system storing names, Social Security numbers and addresses, court documents allege. Hospital spokeswoman Myrna Manners says some patients have told the hospital they suspect their information had been ”used,” though it wasn’t clear for what purpose or whether identity theft had occurred.
Health care isn’t the only industry whose slip-ups can upset consumers or expose them to identity theft. But hospitals are notable for the sheer number and types of employees – including billing staff, nurses, doctors, researchers and lab technicians – who have quick access to individuals’ private information. A number of hospitals have been installing controls that limit by job function the types of data that employees can see. But institutions also are reluctant to control access to patients’ private data too tightly, for fear that doing so could get in the way of patient care, especially in emergencies.
”There are just thousands of people who have access – and need to have access – to confidential information, and to try to change their behavior is a challenge,” says Donald Bradfield, a senior counsel for Johns Hopkins Health System.
The steady stream of privacy breaches threatens to undermine the health-care industry’s effort to adopt electronic medical records. That push is meant to make medical care both safer and more convenient for patients, but a major barrier to health-care digitization has been anxiety about preserving the security of such sensitive data.
”What patient is going to want their data to be transmitted electronically if they can’t trust the system to keep their data safe?” says Jill Dennis, a senior vice president at the American Health Information Management Association, a professional organization. ”The internal mistakes and the internal carelessness seem to be more prevalent than the stranger from the outside trying to crack into your system.”
Patient advocates criticize as too lax institutions’ enforcement of a federal privacy law that restricts health providers, insurers and certain other entities from allowing access to private health information to those who don’t need to see it. Since the privacy provisions of the law, the Health Insurance Portability and Accountability Act, were implemented in 2003, some 35,000 reports of privacy violations have been submitted to the Department of Health and Human Services. But the department has not levied a single civil fine.
Instead, the department says, it has sought and gained ”voluntary compliance” with the law in 6,000 cases. An HHS spokeswoman said the department’s approach has led to ”improvements that were constructive and were achieved more quickly than through imposition of monetary penalties.” Those actions have often involved educating employees about what the law says and how to follow it.
HHS says several hundred reports of violations have been referred to the Department of Justice for criminal prosecution. A DOJ spokeswoman says the department has filed around 200 criminal cases since the 2003 fiscal year under a statute that includes HIPAA, but didn’t have a breakdown of just HIPAA-related cases.
David Feinberg, chief executive of the UCLA Hospital System in Los Angeles, calls the celebrity snooping incident ”almost mind-boggling,” considering that employees had been repeatedly warned not to look at patients’ files. Prior to the privacy breaches, UCLA had a computer system that audited who was looking at information on a handful of patients. The hospital permits any patient to request auditing, though high-profile patients more commonly do so.
In the coming months, UCLA plans to start using a new system that will block certain details of patients’ records, depending on who is accessing them. For instance, a lab technician would get only lab results, rather than a full medical chart that may also contain radiology reports and notes from doctors and nurses. The system will also allow for auditing on a larger scale, and will include features that require all employees to list their relationship to the patient and will warn them if they’re entering ”an especially protected chart,” Dr. Feinberg says.
Another health system beefing up security is Johns Hopkins, in Baltimore, which has increased employee education on privacy and started adding encryption software to its computers. The action comes after an embarrassing episode last summer, when a computer chained to a desk at Johns Hopkins was pried loose and stolen by a Hopkins employee and an outside vendor’s employee. The computer, which was password-protected but not encrypted, had information on about 5,800 patients who were in a registry for people with tumors, including their names, addresses, dates of birth, Social Security numbers, genders, races, medical record numbers and cancer diagnoses.