Interesting People mailing list archives
Large EMR privacy breach notification, two years later
From: Dave Farber <dave () farber net>
Date: Wed, 24 Mar 2010 10:25:00 -0400
Begin forwarded message:
From: "Ed Gerck, Ph.D." <egerck () nma com>
Date: March 23, 2010 11:23:06 PM EDT
To: David Farber <dave () farber net>, Ip Ip <ip () v2 listbox com>
Subject: Large EMR privacy breach notification, two years later
[Dave: for IP with your consideration]

Large EMR privacy breach notification, two years later -- a symptom or an exception?

NOTE: A colleague and I are working on a paper discussing a number of red flags that can help here. A draft is gladly available to those who are interested, by private email request, for comments before publication.

Electronic medical records (EMRs) are at the heart of health care reform, and there is both a personal as well as a legal expectation of privacy for EMRs. Promptly notifying users of privacy breaches can help bring accountability to the system, and help users. But not when it happens years after they occur.

Last month, RelayHealth (also known as NDCHealth Corporation) notified California prescription holders that EMRs with full name, date of birth, prescription number, insurance cardholder ID, and drug name, that were dispensed at Rite Aid as well as other retail chain pharmacies and independent pharmacies in the State of California, were sent to other, unauthorized pharmacies two years ago, between February 2008 and December 2008. The 2010 breach notification did not disclose why the information was sent (Who requested? Under what authorization?), who incorrectly received the EMR, and who was responsible for the breach, nor what compensation or recourse users may have -- two years later.

In a recent court case, Fortis (a health insurance company) was found to have a practice of targeting policyholders with HIV. A computer program and algorithm targeted every policyholder recently diagnosed with HIV for an automatic fraud investigation, as the company searched for any pretext to revoke their policy. Companies such as Fortis can find out about anyone's recently diagnosed HIV, or other illness, through pharmacies and claim processors, for example.

This situation underscores the underlying conflicts of interest between at least three distinct roles that RelayHealth plays. They are: 1) claims processor; 2) provider of patient EMR to their pharmacies and doctors; 3) provider/seller of EMR to providers other than the patient's.

This last activity has the greatest conflict, as patients are included in a no-opt-out policy at www.RelayHealth.com that says (words in square brackets are comments, not from RelayHealth):

"Your Provider, a Provider-Designated User [pretty much anyone] or authorized member of a Provider Group [anyone] can use contact and/or health information about you stored by RelayHealth for many purposes including [i.e., this says that it does not exclude anyone or anything]:"

and

"RelayHealth may use the contact, billing and/or health information provided by you in our service to provide your physician or other healthcare provider [i.e., anyone they want] with updated and/or supplemental information for their files or systems."

The point is that since EMRs also have a market value (for example, to insurance companies, pharmacies, etc.), health care service companies, for example, claims processing companies such as RelayHealth, have built automated information exchanges where they say they can make collected EMR available to other entities. That the same health care service companies also serve on behalf of the patients to protect the EMR from disclosure is where the fox is taking care of the hens, and where the conflicts in 1-2-3 may also explain the large delay of more than two years in notifying the hens about any danger.

What this means is that the expansion of health care into larger use of EMRs ought to call for a much broader review of procedures and conflicts of interest than what is currently available. And, obviously, it should also include stricter rules for information security and handling than what's currently used.

Your comments are welcome, also by private email.

Best regards,
Ed Gerck