29
Fri, Nov
0 New Articles

Personal Health Records May Be Dangerous to Your Privacy

Analysis of News Events
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Many entities are offering consumers a way to store their healthcare information, but are these pie-in-the-sky offerings anathemas to privacy?

 

Many entities--from the U.S. Department of Veterans Affairs, to many insurance companies, to WebMD, Microsoft, and now Google Health--offer healthcare consumers (note: we are no longer patients; now we are consumers) the ability to store their personal health information online. This information, known as a personal health record (PHR), is maintained for individuals on secure Web sites and permits owners to organize their medical information and indicate who may access their information and how--whether read-only or the ability to add, modify, or delete information.

 

Microsoft jumped onto the build-it-and-they-will-come frenzy last fall with its HealthVault, but skeptics opine that consumers maintain a caveat emptor attitude--even though the services are free.

 

Why might that be, and why are consumers reluctant to jump in the PHR pool?

You Say PHR; I Say EHR. What's the Difference?

First, it is a good idea to get some housekeeping out of the way. You may have heard the terms electronic health records (or EHRs), personal health records (PHRs), and even other similar acronyms bandied about and used interchangeably. Well, there is a difference. A personal health record is a record the healthcare consumer (i.e., you) creates on a Web site such as Microsoft HealthVault, Google Health, or United Healthcare's myUHC.com (but only if you are a member).

 

Sometimes, personal health records are called portable health records (PHRs)--same acronym (why do we have so many acronyms?) but a slightly different meaning. A portable health record may be a card that has the look of a credit card, but it has an embedded chip with a portion of your medical record encoded on the chip. A portable health record can also be a card that can be swiped at a local hospital to which you were admitted previously. It can also simply be a card you carry in your wallet. This article will not examine portable health records and the technologies that support them.

 

While personal health records can and usually are maintained electronically, the term electronic health record (EHR) usually refers to the record your physician or other healthcare entity creates and maintains electronically.

 

So far so good?

 

Returning then to personal health records (PHRs), sites such as Microsoft HealthVault, Google Health, or, for example, United Healthcare's myUHC.com allow you to add, modify, or delete your healthcare information and (if you accept) will allow you to connect to other "programs" to learn about your medical conditions (e.g., diabetes, high blood pressure, etc.), track your medical information (e.g., blood pressure, glucose, weight, etc.), and so forth. And depending on the entity offering the service, sometimes you can e-chat with a nurse, receive lab results, refill prescriptions, have an online consult with your physician, email your physician, etc. Moreover, you as the consumer are the custodian of your information. And you can give that responsibility over to someone else as well as decide who (e.g., your physicians, spouse, pharmacy, etc.) can access your information and how.

 

So, what's the problem? First, even if you have granted access for your physician to view your PHR in the event of an emergency, and while it can be incredibly helpful to access information about your medical condition, allergies, and prescriptions quickly, it is still unlikely that a physician will rely on the information you have entered into your personal health record? Why? In a word: malpractice. No one knows if you entered incorrect or incomplete information that can be deadly to you and potentially result in a malpractice suit for your physician. So the physician will likely re-create the wheel and take an oral history as well as run a bunch of tests to determine your medical condition or at least corroborate your PHR.

 

Second, information that you enter onto a site--even if it claims to be secure--can still be compromised by a security breach. While we have come to entrust our financial information to our financial sources and can literally conduct virtually every financial transaction online, we are very hesitant to trust our medical currency (information about our health) to a third-party entity that appears to want to help us take control over our health.

 

As the banking and financial services industries became more and more automated, it took many years and many fits and starts (remember, ATMs did not always work virtually flawlessly, and they have been around for a long time) for them to earn our trust. In addition, if you look at IT spending as a percentage of annual revenue, the financial services industry has continually outpaced healthcare. Table 1 below shows healthcare IT spending compared with financial services IT spending as percentage of annual revenue as reported by InformationWeek over a three-year period.

 

InformationWeek 500 Industry Annual Revenue Spent on IT

Year

Healthcare

and Medical

Banking and Financial Services

Net Spend

(Healthcare v. Financial Services)

2007

4.0%

7.0%

-3.0%

2006

3.5%

6.0%

-2.5%

2005

3.0%

10.0%

-7.0%

Source: InformationWeek.com

Moreover, the banking and financial services sector has always been an IT leader, although it too has been attacked by hackers and has had its share of security breaches. While healthcare IT (HIT) has been around for more than three decades, it has been a slow follower--with siloed systems, islands of automation, and great fragmentation. And it has not traditionally invested a great deal of resources in R&D--certainly not compared to the banking and financial services industries. However, healthcare IT is catching up to its financial services brethren.

Privacy Policies and Persnickety People

Of course, every entity that offers you the ability to create and store your health records has a privacy policy, and for the most part, they are good. However, I am very persnickety about privacy policies, and they tend to unravel like cheap scarves under my scrutiny. (In some circles, I am known as "Oh Persnickety One," but I digress.)

 

It is not my desire to focus solely on Microsoft's HealthVault, but I did go through its privacy policy line by line, and while Microsoft may well provide great security and virtually guarantee privacy, the aforementioned "programs" that you may be accessing to receive data about a particular medical condition may not have privacy policies as good as Microsoft's. This is the weak-link-in-the-chain syndrome in which the "program" with the least solid privacy policy and/or the least bulletproof security could be the culprit responsible for your medical currency being scattered through cyberspace as well as falling into diabolical hands intent on stealing your medical identity.    

 

And medical identity theft, especially electronic medical identity theft, can both ruin you financially and, well, kill you. In the U.S. today, it is easier to detect financial identity theft than medical identity theft, which occurs when someone assumes someone else's identity (without permission or knowledge) for the purpose of obtaining medical treatment, services, and/or prescription medications. Medical identify theft could actually kill you because your medical records could be either combined with, or replaced by, the perpetrator's medical records so that recorded medical diagnoses, blood type, allergies, contraindications, and medications may be incorrect, inviting medical error in treatment, especially if you were to present unconscious to an emergency department. This could result in your death if you were transfused with an incorrect blood type or were given a medication to which you were deathly allergic. 

 

The fact is, it is easier to correct financial infringements such as fraudulent credit card charges than it is to navigate and unravel the labyrinth of medical identity theft. In addition, many people may not know for a long time, if ever, that medical fraud or medical identity theft has been committed, and others simply do not report it. Moreover, the biggest obstacle is that there are no reporting agencies that specifically handle medical identity theft. And few perpetrators are ever actually caught, let alone prosecuted.

 

A third (if we are counting chronologically from above) problem is with aggregated data. Microsoft's HealthVault Beta Version Privacy Policy has a section on how it uses aggregate information and statistics. The company states that "[it] may use aggregated information from the Service for marketing of the Service (for example, to tell potential advertisers how many Service users live in the United States). This aggregated information is not associated with any individual account." The privacy policy goes on to inform you that there are certain legal conditions, such as subpoena, under which Microsoft would surrender your personal health record. And, as if this is not enough...

HIPAA 101

...the Health Insurance Portability and Accountability Act (HIPAA) of 1996 permits data mining by certain healthcare entities--that is, as long as the information is anonimized (i.e., all information linking you personally to your health data is removed). Given the enormity of cyberspace and the fact that information about us is likely scattered everywhere, how long will it be before a snippet of our personal healthcare record here and another there are assembled into the whole enchilada? Ah, the rub!

Mining for Gold?

Through data mining, healthcare entities can examine large amounts of data, optimally for altruistic reasons such as for trends and national public health. Data mining is usually done with anonimized information--that is, the patient's name is not affiliated with the data. The downside is, if an individual's name as well as other identifying information (such as credit numbers, social security number, and other medical insurance identification numbers) were somehow accessed, the individual could become a victim of identity theft or experience discrimination, job loss, insurance cancellation, credit compromise, and/or excessive monetary expenditures to correct the violation.

Bottom Line

Caveat emptor. Privacy policies on PHR sites may provide some assurance, but they do not unilaterally protect consumers' medical currency. Technology has far outpaced policy. This was true 30 years ago, and it is painfully true today. HIPAA needs to be updated. Baseline's Ericka Chickowski recently wrote an article entitled "Are Privacy Standards Enough to Push Electronic Health Records?" In the article, she reports on the The Markle Foundation's Connecting for Health Common Framework for Networked Personal Health Information. The Common Framework is a needed next and crucial step toward actually defining realistic and viable security and privacy standards. We have too-long tolerated HIPAA's inchoate babble without substance. However, as Chickowski's article notes, "Perhaps the Achilles heel of the Common Framework is the matter of enforcement. Unlike HIPAA, this standard is not an enforceable government regulation. Nor is there legal and contractual leverage for compliance as is the case between retailers and credit card companies regarding PCI data security standards." And HIPAA's track record has not been great, with few actual cases prosecuted. Watch this space for more on the Common Framework Initiative.

 

Given my above dissertation, the question is, which will it be? Either "Fuhgeddaboudit;" we're all going to relinquish a little privacy here or the potential for, and reality of, privacy violations and their resulting staggering implications? I think federal legislation has to be passed that enforces privacy legislation, and violators should be prosecuted to the fullest extent of the law.

 

What do you think?

MARIA DEGIGLIO

Maria DeGiglio is president and principal analyst of Maria A. DeGiglio & Associates. Current clients of Maria A. DeGiglio & Associates include the Visiting Nurse Service of New York ; Experture, LLC; and MC Press. Ms. DeGiglio has more than 20 years of experience as an IT consultant, industry analyst, and executive. From 1997 to 2005, she worked for Andrews Consulting Group and the Robert Frances Group.

 

Ms. DeGiglio received her Masters Degree in Health Advocacy from Sarah Lawrence College and graduated Cum Laude from Cornell University with a Bachelor of Arts Degree.

 

 

Ms. DeGiglio has worked with IT and C-level executives to enable IT alignment with business goals and to implement best practices. She has experience and expertise in both large enterprises and in small- and medium-sized business. Ms. DeGiglio has authored over one hundred articles, reports, and white papers.

 

 

Since 2004, she has worked in the healthcare industry and in health IT investigating the legal, ethical, and regulatory aspects of creating, implementing, and exchanging electronic health records (EHRs). Ms. DeGiglio is an expert in security, privacy, and HIPAA regulatory compliance.

 

 

Ms. DeGiglio may be contacted at This email address is being protected from spambots. You need JavaScript enabled to view it..

 

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: