When I seek medical care, I assume I’m establishing some kind of partnership with the doctor and others in the health field with whom I must consequently come in contact. We’re going to put our heads together and figure out what’s going on, using the many wonderful tools available, including imaging and lab work if they seem called for to address my issue.

Of all the relationships in my life — outside of my immediate family, of course — the one between doctor and patient requires the most trust, I think. I confide things others may not know. I talk about worries I may not share with anyone else. I answer questions that from any other source might be considered intrusive, even rude.

It’s also a relationship that has at least the patina of protection and secrecy built in. The federal government has thrown its backing behind my privacy, assuring through the Health Insurance Portability and Accountability Act of 1996 that my data is secure and my medical secrets safe from those with no right to my very personal information.

And yet ...

Three times, I’ve been notified that my personal data, including my Social Security number, birthdate and potentially other information, might have been compromised during data breaches that directly involved someone accessing medical records that weren’t secured.

In those cases, I never saw evidence the information was used for nefarious purposes, but it could have been. Each time, the health provider who didn’t adequately protect the data apologized and took after-the-breach steps to secure data. The horses were gone, but the barn door got closed.

It’s an ongoing and potentially serious problem. Last week, ProPublica and broadcast journalists from Germany’s Bayerischer Rundfunk reignited worries about medical information security, reporting that hundreds of computer servers all over the world containing medical images and data have not been secured against breaches with even something as simple as a password. ProPublica said the medical records they found in their search (and they make no claim it was exhaustive) put private information on at least 5 million Americans at risk. Besides actual images, they found names, birthdates and sometimes Social Security numbers. They found millions of other patients at risk globally.

Accessing the information took little more than rudimentary computer skills.

The comforting news is most large providers, like hospital chains and large medical groups, take data protection seriously. The report said unprotected data was more likely with independent radiologists, medical imaging centers and archiving centers.

Still, it’s another layer of sorrow for those of us who are increasingly convinced our personal data is out there somewhere it doesn’t belong. As the article noted, insurer Anthem had private records on 78 million Americans potentially exposed in a hack. And the U.S. Department of Health and Human Services has reported at least 40 million Americans have had personal medical data exposed.

Patients have to act. They can’t assume information is safe, but must ask how data is secured. They must be prudent, even stingy when providing information. For instance, medical care shouldn’t require a Social Security number. If your insurance company uses that as the policy number — finally uncommon now — ask them to stop.

Medical providers need to hold those they hire to manage electronic and digital records to very high standards when it comes to security.

Good relationships require care on both sides.

I think it’s naive to hang hopes on HIPAA to protect medical information. It might deter snooping medical staff from prying into files because they’re curious. But it’s not going to keep a hacker out; they don’t plan to get caught. And HIPAA is seldom used to punish those who fail to protect patient information, although hefty fines are attached to get providers to shore up protections.

That needs to change. The government needs to deliver on its promise to come down hard on those who fail to protect patient privacy. Punishment should be swift and harsh for lax practices.
