Posts Tagged ‘Medical Privacy’

Dartmouth Study Finds P2P Networks Hemorrhaging Sensitive Data

While peer-to-peer may be a good metaphor for human interaction – social networking comes to mind – it is not always the right model for sharing sensitive information. Your medical history, for instance, shouldn’t be shared with others on a P2P network. Is this happening? Absolutely. A study presented this week by Professor Eric Johnson of Dartmouth’s Tuck School of Business describes how researchers found mounds of sensitive medical data on popular P2P networks: medical history, contact information, insurance details, treatment data, diagnoses and psychiatric evaluations – all mixed in with the song and movie downloads that usually make up the traffic on these networks.

So, how is this sensitive medical data getting on P2P networks in the first place? Primarily through an employee’s computer – the employee downloads a P2P application on her work machine, and then uses that same machine to process sensitive medical data at work. Sometimes the employee takes work home, making edits to a spreadsheet on her home computer (yes, a hospital-generated spreadsheet containing SSNs and other personally identifiable information for employees was one of the documents that the Dartmouth researchers found). In both cases, the user configures the P2P application incorrectly – typically by sharing a folder far broader than the intended download directory – making all of her personal data visible to other users on the P2P network. Once that happens, the data is a prime target for cybercriminals and fraudsters who engage in identity theft. Sensitive medical data is a particularly lucrative prize. As Professor Johnson put it: “For criminals to profit, they don’t need to “steal” an identity, but only to borrow it for a few days, while they bill the insurance carrier thousands of dollars for fabricated medical bills.”

This is an area of concern for companies covered by HIPAA that handle sensitive medical data online. But although HIPAA and the FTC’s Health Breach Notification Rule set out requirements for what companies must do in case of a “breach” of sensitive medical data, they give little guidance on what policies companies should implement internally to prevent such breaches in the first place. Some may view this as a nod to self-regulation, but the truth is there are “best practices” that both HHS and the FTC could endorse. A simple best practice that addresses the “data hemorrhaging” Professor Johnson describes in his study would be an internal policy against the use of P2P networks on machines that also handle sensitive medical data. Another best practice: companies that deal with this type of data should consider partnering with regulators and health care providers to educate patients on the importance of securing their medical data – and on how certain file-sharing technologies can enable medical ID theft when configured incorrectly. Already, there’s collateral for such an effort – the FTC’s tips to deter medical ID theft, which could be required patient reading (along with those HIPAA notices).
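The leak described above is a folder-sharing misconfiguration rather than a break-in, so the defensive check that goes with the “no P2P on machines that handle medical data” policy is a periodic scan of whatever directory a file-sharing client is configured to expose. The following Python script is an added example written for this post, not code from the Dartmouth study or from any P2P client. It assumes the administrator already knows the shared directory’s path (passed in as `root`), looks only at document-type files, and flags any that contain SSN-formatted numbers or health-record keywords. The sample files it builds are constructed for the demonstration; the SSNs in them are not real.

```python
import os
import re
import tempfile
from pathlib import Path

# Simple SSN shape (###-##-####). A real DLP rule would be stricter, but this is
# enough to catch the payroll-style spreadsheet the study describes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Words that suggest health-record content (the categories the study found leaked).
PHI_KEYWORDS = ("diagnosis", "psychiatric", "patient", "insurance", "treatment")

# Only document-like files are inspected; media files are what these shares are for.
DOC_SUFFIXES = {".csv", ".txt", ".xls", ".xlsx", ".doc", ".docx", ".pdf"}


def scan_file(path: Path, max_bytes: int = 1_000_000):
    """Return a finding dict if the file looks like it holds PHI/PII, else None."""
    try:
        data = path.read_bytes()[:max_bytes]
    except OSError:
        return None
    text = data.decode("utf-8", errors="ignore").lower()
    ssn_count = len(SSN_RE.findall(text))
    keywords = sorted(k for k in PHI_KEYWORDS if k in text)
    if ssn_count or keywords:
        return {"path": str(path), "ssn_count": ssn_count, "keywords": keywords}
    return None


def scan_shared_dir(root) -> list:
    """Walk the directory a sharing client exposes and collect PHI-looking files."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in DOC_SUFFIXES:
            finding = scan_file(p)
            if finding:
                findings.append(finding)
    return findings


def build_demo_dir(root) -> Path:
    """Populate a constructed 'shared' folder: one payroll sheet, one clinical
    note and one music file (constructed content; nothing here is real data)."""
    root = Path(root)
    (root / "music").mkdir(parents=True, exist_ok=True)
    (root / "payroll.csv").write_text(
        "name,ssn,department\n"
        "Alice Example,123-45-6789,Radiology\n"
        "Bob Example,987-65-4321,Billing\n"
    )
    (root / "notes.txt").write_text(
        "Patient intake note: diagnosis deferred pending psychiatric evaluation.\n"
    )
    (root / "music" / "song.mp3").write_bytes(b"\xff\xfb\x90\x00 not a real mp3")
    return root


if __name__ == "__main__":
    demo = build_demo_dir(tempfile.mkdtemp())
    for f in scan_shared_dir(demo):
        print(f"{f['path']}: {f['ssn_count']} SSN-like values, keywords={f['keywords']}")
```

Run against a real share, the script should produce no output; any finding means a document that should never have been in a folder the client exposes, and the file belongs in the incident log alongside the machine and user that placed it there.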


Are We Ready for Electronic Health Records?

January 26, 2010

With health care reform fast fading from the national agenda, we can’t forget that one part of that reform – adoption of electronic health records (or EHRs) – is still alive and kicking. In fact, there’s a huge push by the federal government to articulate standards around privacy and data security – especially for medical health information. To give this push some oomph, the feds are giving out $19 billion worth of incentives to entities that adopt EHRs, a move funded by provisions of the “HITECH Act” under the stimulus bill. Healthcare organizations will receive increased Medicare/Medicaid reimbursements if they adopt EHRs by 2015 – which is why we’ve seen a big boost in medical IT spending, with companies like GE providing financing for medical IT projects.

With so many companies jumping on this bandwagon, EHRs should provide a much-needed jolt to the tech sector while also giving patients more control over their medical information and treatment (both laudable goals).  And yet, many uncertainties remain surrounding the push to digitize medical health information (a recent investigative piece on EHR adoption by Huff Post highlights some of these concerns). An additional uncertainty arises from the increasingly complex regulatory web that has started to encircle the medical health information sector.

Under federal law, HIPAA – administered by Health & Human Services – protects personal health information held by healthcare organizations (known as covered entities). The stimulus bill extended HIPAA’s reach even further – to include the business associates of covered entities. Put differently, a medical IT provider working with a health care organization on its EHR adoption could be liable for HIPAA violations (and should be thinking about compliance accordingly). And while the old version of HIPAA provided for an affirmative defense, the new version does not – increasing penalties significantly, from $25,000 to $1.5 million (for willful violations that have been corrected).

The stimulus edits to HIPAA also give State Attorneys General the right to bring actions for HIPAA violations. Earlier this month, AG Richard Blumenthal of Connecticut brought the first HIPAA action by a state AG, against HealthNet, a Connecticut-based insurer that allegedly waited 6 months to report the breach of private medical and financial information of 446,000 of its members. And in addition to HIPAA, state law may also apply – since many states include “medical information” in the definition of “personal information” under their data breach notification statutes.

The Federal Trade Commission also has a stake in the issue – along with HHS and the state AGs.  In fact, Congress has asked the FTC and HHS to study the issues around medical health data privacy and issue a joint report on their findings. Congress will then decide which of the two agencies has the resources and expertise to enforce the ensuing regulations.

The regulatory uncertainty and patchwork will lead to increased compliance costs – especially for entities operating in multiple jurisdictions. But the bigger concern here is whether business is even ready to comply: a recent study by the Ponemon Institute and Crowe Horwath LLP found that only 6% of the 77 companies surveyed were prepared to comply with the HITECH Act provisions.