A provisional rule announced by Congress would force health care providers to notify patients of breaches of customer data only if the breach “poses a significant risk of financial, reputational, or other harm to the individual.” How will those risk factors be determined? Will existing state laws on data breaches provide protection where the federal government falls short? Who is the real threat to your electronic health record?
In a poll sponsored by RSA of 400 top-level executives, 52% described the majority of their data losses as accidental. Many of the reported data losses were due to inappropriate access by the wrong people. This supports the view that internal controls over who can access and handle data are the largest issue facing our healthcare providers in protecting patient data. According to the Data Loss Open Security Foundation, 12% of all data losses are medical related. With the push toward a national electronic healthcare technology infrastructure, that number is sure to increase over the next five years. Most consumers appreciate notification of these negligent data breaches. Perhaps healthcare providers could even be rated on their breach history, to better inform consumers about which providers are the most secure and trustworthy.
Hospital and insurance representatives argue that notification costs would be too high if every breach were reported. Routine breaches in handling data include statements sent to the wrong address and improper employee access; but when your health information is part of such a routine handling error, would you want to know? Consumers should be asking, “Why is my health information mishandled so often?” Proper investment in security and access controls should limit risk and, in turn, the cost of data breaches. The arguments offered by hospital and insurance representatives read better as evidence of gross negligence than as a case for limiting notifications to patients.
But do you have any legal protection? Many states have already passed laws that include a breach of patient health data in the state-mandated reporting requirements for improper access to or loss of data, but new federal rulings could preempt those state laws where your medical record is concerned. The negligent security requirements mandated at the federal level for protecting electronic health records will not sufficiently protect your records under the current requirements and restrictions. With federal laws on reporting health care data breaches most likely winning out over state-mandated reporting requirements, it appears the corporate lobbyists are exposing the nation to public electronic health records rather than private ones, and you may never even know when your record is breached.
Write your state legislators and your representatives in Congress and let them know your concerns about the protection and privacy of your health records. While network security should never be overlooked, the majority of data breaches occur inside an organization. Increased controls and requirements for handling patient health records are needed to sufficiently protect your private and personal information. As with too many aspects of privacy and security in electronic health records, there are too many unanswered questions and undefined points of protection.
Leyden, John. "Incompetence a bigger IT security threat than malign insiders." The Register, 2009. http://www.theregister.co.uk/2009/08/25/rsa_accidental_security_breach_survey/ (accessed November 15, 2009).
Schwartz, Emma. "Health Industry Winning Round On Privacy of Digital Health Records." The Huffington Post, 2009. http://www.huffingtonpost.com/2009/11/13/health-industry-winning-r_n_357476.html (accessed November 15, 2009).
"State-by-State Listing of Data Loss and Freedom of Information Legislation." DataLossDB, 2005-2009. http://datalossdb.org/us_states (accessed November 14, 2009).
"Data Loss Statistics." DataLossDB, 2005-2009. http://datalossdb.org/statistics (accessed November 14, 2009).