• Privacy is a big deal

    Almost all of my research is in health information technology, and there are very few days when we’re not cursing HIPAA. In case you don’t know, that’s the Health Insurance Portability and Accountability Act, which protects patients’ health data from being let loose.

    The things we hate about HIPAA are its inconsistencies, and its overall effect. For instance, there are tons of restrictions on sending even the simplest of emails without major encryption, but nothing about faxes at all. The law’s severe penalties create panic-like behavior in my clinic, where we worry about how a patient wandering into a back room might glance at a chart and see another patient’s name. My favorite is when the system makes me change my password every few months, which means that everyone has to write it down (so they don’t forget it), which makes the password protection much less secure.

    So, in order to prevent the worst case scenario from happening, we’re all subject to seemingly insane restrictions that many of us see as impeding care. And then something like this makes the news:

    A medical privacy breach led to the public posting on a commercial Web site of data for 20,000 emergency room patients at Stanford Hospital in Palo Alto, Calif., including names and diagnosis codes, the hospital has confirmed. The information stayed online for nearly a year.

    Since discovering the breach last month, the hospital has been investigating how a detailed spreadsheet made its way from one of its vendors, a billing contractor identified as Multi-Specialty Collection Services, to a Web site called Student of Fortune, which allows students to solicit paid assistance with their schoolwork.

    Gary Migdol, a spokesman for Stanford Hospital and Clinics, said the spreadsheet first appeared on the site on Sept. 9, 2010, as an attachment to a question about how to convert the data into a bar graph.

    The size of the breach is incomprehensible. The length of it even more so. And everything Stanford had likely done to try and prevent it has failed.

    My problem with the way wo do HIT policy like HIPAA, though, is what the actual ramifications of this breach will be. The actual monetary penalty here could be in the gazillions of dollars, but I doubt the federal government will impose it. The likely actual harm to patients isn’t clear either. What will likely happen is that Stanford and the rest of the world will freak out. I’ve already received five different emails from different levels of my own institution at varying levels of panic.

    The most likely outcome is that HIT policies will become even more draconian towards the vast majority of people who are playing by the rules. This will make it even harder for those who are providing patient care to do so efficiently. I doubt, however, that it will prevent people who just don’t know, or don’t care, from making stupid mistakes and monstrous blunders like the above.

    I was thinking a lot about this over the weekend, because it reminds me of terrorism. We’re not going to be able to prevent breaches like this entirely, and we have to be able to make sure that the rest of us can go about our lives in eace and happiness. Yet, no one in power wants to have left on the table a measure that that could have theoretically prevented an unwanted occurrence. There has to be a sweet spot; I wish I knew where it was.

    • I blogged on this breach on Friday, and share your concern with finding the “sweet spot” between privacy protection and beneficial information sharing. This was a particularly odd breach — concerning for its duration, magnitude of information, and sensitivity of information — but also maybe an example of how after shocks can be worse than the original incident. I keep wondering how many “Students of Fortune” actually saw the PHI and, of those who did, how many realized it was real data. It seems students had to pay for access to the bar graph creating exercise, and while I don’t know anything about the demographic for this group of users, I suspect some high school and college age students are so information-saturated that they might be less likely to pay attention to details such as emergency room diagnosis codes.

    • One of the main reasons we go to extremes is the lack of universal health care. Information needs to be kept from potential employers. If we had universal care we could, I believe, relax many of these standards. As a physician, one who is going to be on call at a trauma center tonight, I would like to have access to the records of the patients I treat.


      • Steve:

        Thanks for the insight. As a patient, I am opposed to electronic records precisely because of the side effects of all their potential benefits. If they are easy to access they will be. Once released, they are easily copied and distributed. If you want access to my paper records you have to actively seek them out.
        As for the treatment benefits, I see little. Are you in the ED really going to trust those records? Heck, can you even ID me to access those records? Can you get those records in time? Are they going to prevent you from running a test just to be sure? Have they ever? Or are you more likely to say I need to do more because of X,Y and Z?
        In the end, breaches like this indicate that privacy is not really taken seriously by the medical field. Why should they if they are not going to suffer any real financial penalty or nobody goes to jail.

        • MV- I am an anesthesiologist. I work at a tertiary care, trauma center. What I frequently face are emergency cases where I have no information on patients. Older patients are confused. Younger patients may be intoxicated. For many of my emergencies I have little or no time to prepare. I end up guessing about past medical histories. When I am lucky enough to have a patient in my computer, it is very helpful in terms of treating safely.

          As to costs, even during regular working hours I am unable to access data outside of our network. If a patient had a stress test a week ago at a competing facility 10 miles away, I have no access to it. Same for echo studies, EKGs, X-rays. From my POV, since I need to keep things moving, it takes me less time to just repeat these studies. (In the blogosphere everyone is bright and usually well informed. In real life, patients are under stress and tired. They forget major bits of their history.)