How health care data sharing puts you at risk

By Phil Elmore

The recent stir over electronic health care record requirements and the much-debated stimulus package raises important issues related to the portability and interoperability of your medical information. Interoperability is, according to SearchSOA.com, “… the ability of a system or a product to work with other systems or products without special effort on the part of the customer.” Interoperability is critical to information technology because the ability to exchange information and use that information is what makes IT networks, well, work. If my network and your network cannot talk to each other, and if my database cannot make use of your data, our two systems may as well be on different planets. If, however, our systems can exchange data easily and quickly, the reach of our networks has increased – and the depth of our databases (and thus the value of those databases in our information technology applications) has grown.

Just what is a “certified electronic health record”? There is some confusion over the terminology, which has been used interchangeably, but to grossly over-simplify, your Electronic Medical Record (EMR) – the “core of a computerized health care system in the near future” – is made up of Electronic Health Records, which are subsets of data within the EMR. Again, to over-simplify, what we’re basically talking about is the conversion to digital information of all your medical records and your medical history. This electronic health information would then be easily transmitted and exchanged among the various health care providers who treat you, giving them full and ready access to your medical records. This is fine in theory; it enhances the medical care available to you by ensuring that any individual who treats you can access the same detailed information, and access it quickly. No longer would large piles of paper records have to be transferred physically among care providers. Gone would be the delays associated with first releasing, then sending this information. You would, essentially, have a single set of records accessible by all concerned.

There are a couple of laws that have direct bearing on such electronic medical records, too. These are HIPAA and Sarbanes-Oxley. According to M.M. Denny at Associated Content, HIPAA, the Health Insurance Portability and Accountability Act passed in 1996, “affects electronic data and record keeping of all individual health info, on disk or electronic tape. The legislation ‘ensures the integrity and confidentiality of data by eliminating access to it by outside intrusion or by internal, unauthorized personnel.'”

The Sarbanes-Oxley Act, enacted in 2002, has largely to do with accountability for corporate reporting. According to the National Underwriter, it “may have a significant direct impact on health care organizations relative to changes in U.S. Sentencing Guidelines. … [New] sentencing guidelines amendments, many generated in direct response to Sarbanes-Oxley, will significantly impact compliance officers and senior management in a number of ways.” What this means is that the management of health care organizations has explicit responsibilities with regard to oversight, financial reporting and corporate ethics within the organizations concerned. Failure to properly safeguard and document your electronic medical information violates these requirements.

The question we must ask ourselves then becomes, do these government regulations, and others like them, constitute sufficient protections of our civil liberties? What are the chances your medical information will be accessed improperly or otherwise misused? What are the ramifications of this misuse?

The drive to centralize or otherwise make more interoperable and portable your medical data is the promise, and the threat, of electronic health records. The benefits are obvious; the risks should be obvious as well. If your information can be accessed, it can be accessed by people who should not do so, and it is only a matter of time before it is.

More than a hundred financial institutions were affected by a breach of credit data at Heartland Payment Systems. The Internal Revenue Service ignored more than a dozen security vulnerabilities in its online filing system two years ago; this is an agency whose employees routinely access personal data improperly, simply because they can. These are just a couple of examples from a virtually limitless supply. Do we really want our personal medical information to be as accessible – and thus as vulnerable – as our financial information?

The short-term risks of improper access to (and public disclosure of) your health information pale in comparison to the potential long-term risks. As our government contemplates the latest in what is now a long history of nationalized health care schemes, we must resign ourselves to the possibility that government bureaucrats will have access to the specifics of our medical histories. Given this, it is not so far a leap to conclude that your fate, based on the most intimate details of your personal life, could one day be in the hands of a government functionary who is perusing your medical records while rendering judgment on a seemingly unrelated matter. “I’m sorry, Mr. Elmore, but your health records indicate you are overweight and your good to bad cholesterol ratio is poor. I’m afraid your tax refund will have to be docked in order to account for the increased drain on the national health care system we believe you represent.” Sound farfetched? That’s only the beginning of the potential and far-reaching applications of your health care data.

Interoperability is neither good nor bad. It can only be judged in context. When asking ourselves how portable and easily exchanged certain data should be in any information technology application, we have to consider the consequences for misuse of that increasingly accessible data. The fact that security precautions exist, and that those who fail to take those precautions (or who circumvent them) may be punished, is not enough to protect civil liberties. We must ultimately ask ourselves at what point we should stop allowing different systems to exchange data. Whenever the government is involved, ease of access is an exceptionally sharp double-edged sword.

Phil Elmore is a freelance reporter, author, technical writer, voice actor and the owner of Samurai Press. Visit him online at www.philelmore.com.