Large EMR privacy breach notification, two years later

[Dave Farber <dave () farber net>]

Begin forwarded message:

> From: "Ed Gerck, Ph.D." <egerck () nma com>
> Date: March 23, 2010 11:23:06 PM EDT
> To: David Farber <dave () farber net>, Ip Ip <ip () v2 listbox com>
> Subject: Large EMR privacy breach notification, two years later

> [Dave: for IP with your consideration]
>
> Large EMR privacy breach notification, two years later --
> a symptom or an exception?
>
> NOTE: A colleague and I are working on a paper discussing a number of
> red flags that can help here. A draft is gladly available to those who
> are interested, by private email request, for comments before
> publication.
>
> Electronic medical records (EMRs) are at the heart of health care  
> reform,
> and there is both a personal as well as a legal expectation of  
> privacy for
> EMRs.
>
> Promptly notifying users of privacy breaches can help bring  
> accountability
> to the system, and help users. But not when it happens years after  
> they
> occur.
>
> Last month, RelayHealth (also known as NDCHealth Corporation) notified
> California prescription holders that EMRs with full name, date of  
> birth,
> prescription number, insurance cardholder ID, and drug name, that were
> dispensed at Rite Aid as well as other retail chain pharmacies and
> independent pharmacies in the State of California, were sent to other,
> unauthorized pharmacies two years ago, between February 2008 and  
> December
> 2008.
>
> The 2010 breach notification did not disclose why the information was
> sent (Who requested? Under what authorization?), who incorrectly  
> received
> the EMR, and who was responsible for the breach, neither what  
> compensation
> or recourse users may have -- two years later.
>
> In a recent court case, Fortis (a health insurance company) was  
> found to
> have a practice of targeting policyholders with HIV. A computer  
> program
> and algorithm targeted every policyholder recently diagnosed with  
> HIV for
> an automatic fraud investigation, as the company searched for any
> pretext to revoke their policy.
>
> Companies such as Fortis can find out about anyone's recently  
> diagnosed
> HIV, or other illness, through pharmacies and claim processors, for
> example.
>
> This situation underscores the underlying conflicts of interest  
> between
> at least three distinct roles that RelayHealth plays. They are:
>
>   1) claims processor;
>   2) provider of patient EMR to their pharmacies and doctors;
>   3) provider/seller of EMR to providers other than the patient's.
>
> This last activity has the greatest conflict, as patients are included
> in a no-opt-out policy at www.RelayHealth.com that says (words in
> square brackets are comments, not from RelayHealth):
>
> "Your Provider, a Provider-Designated User [pretty much anyone] or
> authorized member of a Provider Group  [anyone] can use contact
> and/or health information about you stored by RelayHealth for many
> purposes including [ie, this  says that it does not exclude anyone
> or anything]:"
>
> and
>
> "RelayHealth may use the contact, billing and/or health information
> provided by you in our service to provide your physician or other
> healthcare provider [ie, anyone they want]  with updated and/or
> supplemental information for their files or systems."
>
> The point is that since EMRs also have a market value (for example,
> to insurance companies, pharmacies, etc.), health care service
> companies, for example, claims processing companies such as
> RelayHealth, have built automated information exchanges where they
> say they can make collected EMR available to other entities.
>
> That the same health care service companies also serve on behalf of
> the patients to protect the EMR from disclosure, is where the fox
> is taking care of the hens, and where the conflicts in 1-2-3 may
> also explain the large delay of more than two years of notifying
> the hens about any danger.
>
> What this means is that the expansion of health care into larger
> use of EMRs ought to call for a much broader review of procedures
> and conflicts of interest than what is currently available. And,
> obviously, it should also include stricter rules for information
> security and handling than what's currently used.
>
> Your comments are welcome, also by private email.
>
> Best regards,
> Ed Gerck



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com