Why Your Patients' Data May Not Be Safe: 5 Steps to Protect It

Neil Chesanow


November 08, 2010


As more physicians switch to electronic health records (EHRs), opportunities and means to breach confidential patient data are growing. From a security standpoint, this is setting the stage for a nationwide privacy debacle.

The problem, says M. Eric Johnson, PhD, Professor of Science Administration at Dartmouth College's Tuck School of Business, is how all these new EHR users are going to protect patient data when so many doctors, hospitals, and health insurers who are already using EHRs are exposing confidential information about patients and even physicians.

Some doctors may think: "We don't have to worry about things like this in our practice." Once you go electronic, however, you will.

"For many doctors, this is a new technology," notes Amber Patel, Director of Policy and Compliance for the New York City Department of Health and Mental Hygiene Primary Care Information Project, which educates physician practices about security issues related to EHR adoption. "Providers don't always understand the implications in terms of privacy and security that come with having an EHR. If you lose a paper chart, it's one chart that's been lost. If you misplace a laptop, it could be thousands of patient charts that are lost."

The Problem Grows

A federal database has documented more than 120 security breaches in the healthcare field over the past year. During these breaches, confidential medical or financial information was exposed for more than 5 million people. That’s just the tip of the iceberg. "A little information is being stolen all the time," says Johnson. "But collectively, we're leaking confidential patient data like a giant sieve."

In 2009, to take one chilling example, a laptop was stolen from the car of an employee of the Blue Cross Blue Shield national association in Chicago. It contained unencrypted identifying information -- name, address, tax identification number, and national provider identifier -- for about 850,000 doctors in the BlueCard® network. The doctors were first told over a month later.

In June 2010, the University of Louisville in Kentucky revealed a data breach in which protected health and financial information for 708 patients in its kidney disease program, including name, Social Security number, type of dialysis received, and access point for treatment, was posted on a publicly accessible Website for 19 months before it was discovered.

In September 2010, a former employee of the UPMC Shadyside Hospital in Pittsburgh was indicted by the US Attorney's office for alleged Health Insurance Portability and Accountability Act (HIPAA) privacy violations. The 14-count indictment included accessing patient names, birth dates, and Social Security numbers, and disclosing them to others for personal gain. If convicted, he could face up to 80 years in prison.

Earlier this year, a team of Dartmouth investigators headed by Johnson revealed that peer-to-peer networks -- in which individual members grant limited access to each other's computers, primarily to share music and video files -- may inadvertently permit wider access to supposedly "private" patient information on some networked personal computers. One of the more than 3000 confidential files the researchers found on public display was a spreadsheet containing insurance details, personally identifying information, physician names, and diagnosis codes for more than 28,000 patients. Many of the documents contained sensitive patient communications, treatment data, and even psychiatric evaluations.

Fines Are Getting Stiffer

Perhaps because so much confidential patient data are already being compromised, the fines for permitting a security breach under HIPAA rules have been significantly increased. Previously, the maximum fine was $25,000. Now it's $1.5 million.

"The parties that would be hit by that huge a fine are those that are willfully negligent -- that have had repeated breaches and not taken corrective action," explains Rachel H. Yaffe, an attorney at McDonald Hopkins, a Chicago law firm with healthcare clients.

She adds, however, that if health data are breached, Health Information Technology for Economic and Clinical Health (HITECH) rules mandate that each patient affected be contacted by the practice. If the names of 500 patients are exposed, the practice must notify the local media.

It's frighteningly easy for data on 500 patients to be inadvertently exposed -- as easy as losing an unencrypted personal digital assistant (PDA), flash drive, or even smartphone that might contain hundreds or even thousands of patient records. "We’re all human. We all make mistakes," Yaffe says. "Those are the times when you have the biggest security breaches."

To reduce the risk of a patient data breach, privacy experts recommend taking the following steps.

