Scott R. Roberts
Prior to the Information Age, medical records were all stored in folders in secure filing cabinets at doctor’s offices, hospitals, or health departments. The information within the folders was confidential, and shared solely amongst the patient and physician. Today these files are fragmented across multiple treatment sites due to the branching out of specialty centers such as urgent care centers, magnetic resonance imaging, outpatient surgical centers, and other diagnostic centers. Today’s ability to store medical records electronically has made it possible to easily send these files from one location to another. However, the same technology which can unify the fragmented pieces of a patient’s medical record has the ability to also create a path for privacy and security breaches. This paper will examine how electronic medical records are used, how they are secured, how security is enforced, and what the consequences of security breaches are.
It is important for the purpose of clarity to distinguish the difference between electronic medical records (EMR) and electronic health records (EHR). Electronic medical records are an electronic composition of an individual’s medical history including such components as procedures, past diseases, diagnosis, medications, doctor’s names, and allergies. An electronic health record is an electronic means of documenting a patient’s procedures, diagnosis, billing information, etc. at each care facility (Badzek & Gross, 1999). A movement that was first initiated under the Bush administration, accepted by the Clinton administration, and now embraced by President Obama is the creation of the individual electronic medical record. In 2009 President Obama included $36 billion in the stimulus package to create electronic record systems, with the idea that technology will cut costs, eliminate paperwork and help doctors deliver high-quality, coordinated care to patients (Moore, 2009). Although there is a significant difference between an EMR and EHR, both are subject to the same type of security breach, and therefore for clarification purposes are both refereed to as EMRs in the context of this paper.
Security breaches of EMRs vary from someone without consent viewing the patient’s information, to a hacker using the information to steal one’s identity. According to Privacy Rights Clearing House, more than 260 million data breaches have occurred in the United States, including those of health related records. Approximately 12 percent of data breaches involve medical organizations (Gellman, 2012). According to Redspin, a provider of Health Insurance Portability and Accountability Act risk analysis and IT security assessment services, more than 6 million individual’s health records were compromised during a period from August 2009 and December 2010 (Author Unknown, 2010). A provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act requires all breaches affecting 500 or more people to be reported to the Department of Health and Human Services. This reporting is to be accomplished within 60 days of discovery. The Redspin report covering the period above involved 225 breaches of protected health information. The amount of people with access to an individual’s health record creates concern with confidentiality. According to the Los Angeles Times, roughly 150 people (from doctors and nurses to technicians and billing clerks) have access to at least part of a patient's records during a hospitalization, and over 600,000 payers, providers and other entities that handle providers' billing data have some access (Foreman, 2006) .
In an effort to mandate the security of health related information, HIPAA was signed into law in 1996. The original purpose of HIPAA was to allow “Portability” of insurance. The portability component of the law establishes the right for an individual to obtain health insurance despite having pre-existing illnesses. Since Congress did not enact privacy legislation under the original law, the Department of Health and Human Services developed the Privacy Rule, which was published on December 28, 2000 (HIPAA, 2003). “A major goal of the Privacy Rule is to assure that individual’s health information is properly protected while allowing flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being” (Health Insurance Portability and Accountability Act, P.1,1996).
The Privacy Rule applies to health insurance plans, health care clearing houses, and to any health care provider who transmits health information electronically. Health care clearing houses are entities that process nonstandard information. Examples of such entities are billing services re-pricing companies, community health management information systems, and value – added networks and switches if these entities perform clearinghouse functions (Health Insurance Portability and Accountability Act, 1996). Entities in general can use the health information for the following reasons: Treatment, payment, and operational reasons. Treatment is the provision which allows for information of a patient to be shared amongst health care providers. The payment provision is used to obtain premiums, determine coverage, and obtain reimbursement for health care delivered. The operations portion can be considered quite vague. Operations include the activities of quality assessment, performance evaluation, audits, and risk rating. Often when breaches occur in the form of non-consented view of a person’s health information, the operations clause is the reasoning stated for the view.
Breaches occurring in the form of non-consented viewing, such as a staff member at a hospital who has nothing to do with a patient’s care may be high in number, but usually has a small impact on the patient. This type of breach could damage a patient’s reputation, be used as blackmail, or cause embarrassment for the patient. When the viewing is used beyond these examples and by someone with malicious intentions, then the impact could be far more severe. Medical identity theft is becoming a large problem in the United States and can have dire consequences not only on someone’s bank account but on their health as well. Thieves stealing medical records usually have access to all of the patient’s personal information such as social security number, address, date of birth, address, Medicaid/care number, and phone number. Once they have this and your medical records the thieves or someone they sell the information to has what hey need to schedule a doctor’s appointment, have test done, give birth, or have surgery all under the victim’s name.
After the person using the stolen identity begins receiving treatment under the victim’s name, another dire consequence develops. The imposter now begins adding medical history to the victim’s medical record. This could lead to the victim receiving the wrong treatment in the future or not receiving the proper treatment. For example if the victim is being seen at a medical facility then the attending physician will pull his/hers record to see what type of history they have and what type of medications they are on. If the imposter has been treated for a condition that the victim does not have, such as cancer, then the victim could be exposed to harmful treatments. Another example would be the victim needing a type of medication for a medical condition; however, the imposter has had the record altered so the condition is no longer in the history (Dixon, 2006). All this may seem implausible, however in the emergency setting in a hospital when the patient is unconscious or has altered mental status; medical treatment is often initiated based on the patient’s medical record. In order to assure all information on a person’s medical record is adequate, it is recommended they occasional review their records to see that the record is accurate.
A current event involving the breach of medical records occurred on April 18, 2012 at Emory University Hospital in Atlanta. President and CEO John Fox announced that back up disks of 315,000 patients had come up missing. On these disks were approximately 228,000 social security numbers. Most of the missing information includes patient names, procedures, surgeon names, dates of surgery and diagnoses. Mr. Fox said the missing information belongs to people who had surgery at Emory University Hospital, Emory University Hospital Midtown and Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007 (Byfield, 2012). It is too early to know exactly what will be done with the missing information. However, with the fact that stolen information is being used to conduct fraudulent purchases and steal medical identity, one would speculate that the chances of this occurring to some extent would be high. Fox, in a press conference urged the affected patients to regularly review their credit information and health records.
Frequently reviewing credit information and health records are a way to keep an eye on if fraudulent activity has taken place against ones credit or medical records. However, this does nothing for preventing these acts from occurring. In order to keep medical records secure, entities have provisions in place, which some are mandated by HIPAA and the HITECH Act. HIPAA mandates that entities providing health care or handling heath care plans develop and implement policies and procedures that are consistent with the Privacy Rule. The covered entity must also designate a privacy official who is responsible for the implementation of the policy. All entities are required to provide training to workforce members on the Privacy Rule and HIPAA. Entities covered by HIPAA must also “maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information in violation of the Privacy Rule” (Health Insurance Portability and Accountability Act, P.14, 1996).
In the event an entity covered by HIPAA is found to not be compliant with any portion of the Privacy Rule, the department of Health and Human Services may impose civil penalties of $100 per failure. This penalty cannot exceed $25,000 per year for multiple violations. A person who knowingly obtains, or discloses health information in violation of HIPAA faces a fine of $50,000 and up to one-year in prison. The criminal penalties increase to $100,000 and five years in prison if the conduct involves false pretense and $250,000 and up to ten years in prison if the conduct involves intent to sell, transfer, or use individual’s health information for commercial advantage, personal gain, or malicious harm (Health Insurance Portability and Accountability Act, 1996).
Electronic Medical Records provide for less storage space, faster consulting between physicians, easier billing and faster reimbursement of insurance companies, efficient treatment of patients and an easier way for person’s to view and track their medical records. However, just as any information stored and transmitted electronically, it also creates a means for privacy to be breached. No matter how sophisticated security systems become, people will always manage to defeat them. Therefore, the ultimate responsibility for ensuring confidentiality falls upon the individual person. A frequent review of medical records is just as important, if not more, than the review of credit reports.
Author Unknown. Breach Report 2010, Redspin Inc. Dec. 2010. Retrieved from http://www.redspin.com/resources/whitepapers-datasheets/index.php on April 19, 2012. Badzek, L., Gross, G. Confidentiality and Privacy: At the Forefront for Nurses. The American Journal of Nursing, Vol. 99, No. 6 (June, 1999), pp.52-54. Lippincott Williams & Wilkins. Retrieved April 18, 2012 from http://www.jstor.org/stable/3472150. Byfield, E. 315,000 Patients' Information Disappears From Emory Healthcare. WSBTV. Retrieved April 18, 2012 from file:///F:/Ethics%20information%20age/315,000%20patients%27%20information%20disappears%20from%20Emory%20Healthcare%20_%20www.wsbtv.com.htm Dixon, P. MEDICAL IDENTITY THEFT: The Information Crime that Can Kill You, March 3, 2006. World Privacy Forum. Retrieved from http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf on April 24, 2012. Foreman, Judy (26 June 2006). "At Risk of Exposure”. Los Angeles Times. Retrieved April 23 , 2012. Gellman, R. Fact Sheet 8a: HIPAA Basics: Medical Privacy in the Electronic Age. Privacy Clearing House. March, 2012. Retrieved April 19, 2012 from http://www.privacyrights.org/fs/fs8a-hipaa.htm. Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-9 (2010).
Moore, J. Electronic Medical Records Stimulus Package. Dec. 2009, Retrieved from http://www.electronicmedicalrecords.com/emr-stimulus-hitech-act.php on April 19, 2012.