Breaches of patient data by the clinical documentation industry shine an uncomfortable light on the industry. When stories surface (Slip puts Patient data on the Internet) of lapses in security relating to a transcription company, they should be a wake-up call to all the participants in the production of clinical documentation (read: medical transcription companies, transcription editors, technology and infrastructure providers, etc.).
In this instance the patient was seen by Northeast Orthopedics in NY and they outsource their transcription to MRecord, based in Raleigh, NC, who offer both technology and outsourced transcription solutions. Northeast Orthopedics rightly posts a letter on their web site (Letter to our Patients Regarding Patient Confidentiality) getting in front of the issue, notifying their patients of the possible breach, apologizing and providing contact information for anyone who has a concern. But surprisingly there is no statement on the MRecord web site regarding the security breach, and while I could find some legal notices they were all about the protection of their solution and usage and nothing regarding the security breach. I suspect there is no plan in place for dealing with such an issue and a lock down the hatches mentality that often permeates when such mistakes happen.
Like every advancement in the history of mankind it can have good and bad uses. The internet is no exception. I am sure most of us would find it hard to imagine our business and personal lives without the ready access to information. Those weighty tomes - Yellow Pages - were relegated to the recycling bin in our house (after passing through a quick session on learning how to tear them in half) once we realized that searching the internet was faster and more relevant. But that same relevance and ease of searching provides everyone with instant access to all sorts of information. In this instance it was a chance finding on the part of a relative searching for condolence messages for her deceased daughter.
So if your belief is that your security and confidentiality are fine in part because no one would be interested in the data your company deals with - think again. The internet is a great leveler - it only takes one person and that information can then be instantly available to everyone else on the internet. Google just makes that even easier with its constant searching and compiling of information on the internet.
In the medical documentation industry we are dealing with confidential data every day - imagine this was your data and treat it accordingly. Use this as a wake-up call to review your security and data practices and take the time to prepare a PR disaster plan with the expectation that you will never need it.
How is your security? Have you ever had a breach or seen a breach and if so what was your feeling about it?
Tuesday, February 24, 2009
Monday, August 25, 2008
Privacy of Information
There's a fun video posted to the ACLU web site - it is worth watching as it raises some legitimate issues on the privacy of information and the consequences of the sharing and linking of that information. You can watch the video here.
What is interesting about this video is how close we are already to this reality. Many private companies can already link existing public sources of data to create an extensive and fairly detailed profile of individuals, their buying habits, preferences etc. You only have to visit your local Jiffy Lube to see how quickly they can pull up all the details on your car and based on this offer the best "treatments" for the "health" of your car! In this case best is probably as much about your car as it is for selling you additional services. In the case of your supermarket shopping card this tracks your purchases in excruciating detail and there have been many instances of this data being used against the individual. In this particular instance it turns out the data used, while correct, proved to be a red herring and in the words of Bruce Schneier:
"The moral of this story is that even the most innocent database can be used against a person in a criminal investigation turning their lives completely upside down."
Clearly today we already see data usage beyond what might be expected, and many would say beyond reasonable limits. But at the same time I think most patients would agree that any visit to a medical office is an extremely frustrating experience. Such visits require patients to hand write all their data onto a paper form: data that already exists in many other systems and often in the very system that it is destined to be entered into.
So where is the balance - I believe unfortunately that as Lord Acton said:
"Power tends to corrupt, and absolute power corrupts absolutely. Great men are almost always bad men"
I also firmly believe that the sharing of information is essential to the delivery of high quality care. So while it is clear to me that ready access to the complete medical record is the most helpful to clinicians there have to be some limitations to accessibility.
So how do we balance the need to share relevant medical information with the concern that the sharing of that information could be used against you. The answer is unclear and the issue complex but several groups are working towards this goal, trying to balance the need for information with the need to protect everyone from the inevitable abuse that comes with total access and power.
Some of the EMR companies have a "Break the Glass" approach to urgent access - providing emergency access to anyone with a corresponding oversight in all cases where they felt the need to break the glass and access all the patient's data. The Voluntary Universal Healthcare Identifier (VUHID) group has taken a slightly different approach by creating a voluntary identifier which allows the individual to control and manage access to their clinical information on an ongoing basis:
".....to enable error-free linkage of clinical information, enhance the privacy of patient information, improve the quality of medical care, reduce the rate of medical errors, decrease the incidence of healthcare-related identity theft, and help control healthcare costs."
There are other solutions and ideas and no doubt there will be more added as the systems and ideas develop - whatever we end up with it is clear this is a complex area and will require continued debate, careful consideration and ongoing participation by all parties from the vendor community, through government all the way to the individual to ensure we come out with a solution that everyone can live with.