Sunday, March 08, 2009

Smart Health Care's privacy pitfalls

The stimulus bill's strengthened data privacy laws are raising hackles in health care

Thanks to a $19 billion kick from the Obama administration's stimulus package, electronic health records are on the way. And with them, new privacy laws, a result of fears that digital records could lead to more spillage or theft of sensitive medical data.

But now that health care's emergence from the dead-tree era has nearly become reality, some industry executives are arguing that the stimulus bill's health 2.0 push will create the opposite privacy problem: overwhelming protections that could create costly red tape for the health care industry or flood consumers with meaningless warnings that their privacy has been violated.

Under the bill, any insurance company or hospital that accepts grant money for digitizing records will become subject to new breach disclosure laws, demanding that consumers be notified if their personal health information somehow leaks beyond the company or hospital's control. And industry executives complain that unlike similar breach laws that have passed in more than 40 states in the past several years, the bill doesn't limit those breach notifications to situations that involve a "reasonable risk of harm." Many seemingly trivial breaches will now have to be formally reported to the patient.

"The privacy provisions in the new economic stimulus bill are more than overly burdensome. They're counterproductive," says Kim Gray, chief privacy officer of health insurer Highmark.

If a doctor were to send an appointment reminder to the wrong patient, for instance, Gray says that under the new laws, the intended recipient of that notice would have to be mailed a breach disclosure letter. A postcard that wasn't concealed in an envelope might constitute a breach. Or if an insurer sent a patient an explanation of benefits and it was misdirected, that too would require notifying the patient about his or her data's being violated. Even a misdirected breach notification would itself require another notification. Gray argues that none of these cases represents a real risk of medical or financial identity theft.

"You can see that we're talking about potentially millions of breach notices just for misdirected explanations of benefits," says Joel Slackman, a managing director at Blue Cross Blue Shield. "That's a concern not just because it's an expensive administrative burden, but because it desensitizes patients."

Slackman and Gray argue that the bill's privacy statutes--which will only go into effect in a month after it's approved by the secretary of Health and Human Services, likely in September--will create a wave of "fear followed by numbness," in Gray's words. Too many disclosures in situations where identity theft isn't likely could cause consumers to waste time and money shutting down bank accounts or paying for credit monitoring. And those non-risky disclosures might dilute the effect of notices in breaches that are more likely to result in fraud, like insider theft or hacker intrusions on a network.

Privacy advocates, on the other hand, are strongly in favor of the bill's data-protection statutes. Pam Dixon, executive director of the World Privacy Forum, argues that even in the "no-risk" hypotheticals imagined by insurers, there's a potential for real privacy invasion, if not identity theft. "If the wrong person gets an appointment reminder from an AIDS or cancer clinic, that is a big deal," Dixon says.

But she also argues that the rise in breach notifications that insurers and hospitals fear isn't likely. In California, she points out, a health care privacy bill went into effect on Jan. 1 that follows a similar model to the privacy elements of the stimulus bill, requiring disclosure of all health data breaches without "risk of harm" specifications. Those new laws--largely a response to news that employees at the University of California at Los Angeles Hospital had snooped on patient records, including those of Maria Shriver, Gov. Arnold Schwarzenegger's wife--haven't resulted in more than the usual number of breach disclosures in California, Dixon says.

In fact, breaches of all kinds are growing: The Identity Theft Resource Center tracked 646 data breach incidents reported in 2008, a 47% increase over 2007's total of 446 breaches. But since the California law went into effect, only one California health organization has reported leaking patient data. An employee of Hegarty Chiropractic in Rancho Cordova, Calif., left about 200 patients' files in a dumpster, where they were found by local news media.

Still, the fallout from the California bill isn't clear. With only two months since the law went into effect, most providers still don't know what constitutes a reportable data loss incident, says LaVonne LaMoureaux. "The bill is vague," she says. "We're trying to get that sorted out, and we need some language cleanup." That means the approaching impact of the stimulus bill's privacy provisions is also somewhat unknown, says Highmark's Gray. "Once everyone understands what this means, incidents that happen fairly often because of human error will have to be reported," she says. "Things that people now don't consider as breaches are going to result in a flood of notifications."


Australia: Huge ambulance bungle

HUNDREDS of thousands of dollars have been spent on ambulance stretchers that are too high for resuscitation and won't fit in highrise lifts. The stretchers, imported from Canada at a cost of $6500 each, are claimed to be injuring paramedics, sending WorkCover claims through the roof. "They're an absolute disaster," one ambulance officer told The Courier-Mail yesterday. "There has been no end of problems with them. They don't fit into highrise lifts, they're too high to do CPR on and they're injuring paramedics left, right and centre. It's a major stuff-up. The QAS haven't done their homework." The new stretchers are 96cm tall - 13cm higher than the existing models, which can be shortened further.

The revelation is an embarrassment for the Bligh Government in the midst of an election campaign where its economic credentials are on the line. The State Government has been trumpeting its decision to buy the stretchers, capable of carrying patients up to 228kg, as part of a $17 million roll-out of new ambulances across Queensland. "These pieces of equipment make ambulance transport safer and more comfortable for both patient and paramedic," Emergency Services Minister Neil Roberts boasted in a press release last November.

But paramedics and their union say the stretchers have been nothing but trouble since coming into service six months ago. They said WorkCover claims by paramedics had skyrocketed by millions of dollars as they struggled with the "unstable and unsteady" stretchers. "Some paramedics are refusing to use the stretchers because they're afraid of being injured, but we're being forced to use them against our will," one officer said. "The QAS is breaching its own workplace health and safety policies by making us use them. The number of handling injuries is diabolical."

He said two paramedics were needed to lift the stretchers but many rural ambulance stations were one-man operations. The QAS had designed its new ambulance fleet around the new stretchers rather than the other way around, he said.

Prebs Sathiaseelan, president of the Emergency Medical Service Protection Association, said QAS management had refused to listen to the concerns. The Department of Emergency Services yesterday did not respond to a list of questions from The Courier-Mail, with its media unit saying QAS senior managers were tied up in meetings.

