March 25, 2010

HIPAA Breaches Related to EMR

Written by: John

Someone sent me an email with this link to the list of HIPAA breaches affecting 500 or more individuals. One of my popular searches on EMR and HIPAA is about HIPAA lawsuits, so you can imagine the lawyers are salivating over this list.

In a quick count, I found 31 on the list that were desktops, laptops, or other computer-related devices. In another quick count, I counted 46 on the list (feel free to correct my counts, but the range is right). The person who emailed me suggested that most of the list was breaches of EMR. I personally don’t think that’s the case.

One thing seems pretty certain. Technology has opened the doors for larger breaches. In the paper world, it’s a little harder to lose/misplace/steal 500 or more individuals’ information. It happens, but it’s much easier in the digital world. Plus, there’s a lot more vagueness in technology when a breach happens.

In the digital world, it’s often a best guess about what happened during a breach. Most of the time when breaches happen in the technical world, they probably didn’t give a rip about the healthcare data. However, there’s the potential that they did, so you get to report it. Enough of that tangent.

One other problem with the assertion that most of this list is from an EMR breach is that I was surprised how many insurance providers were on the list. In fact, it seems like a large portion of the breaches were insurance lists probably. Not sure that’s an EMR breach.

I think it’s also interesting to note that this list of breaches is probably far below the reality. This is just the list of reported cases. I can’t imagine how many breaches happen that go unreported.

Of course, this begs the question of whether we should be moving to electronic records at all if there’s more possibility for breaches. My answer is that of course we should. Although, it should give us real pause as we consider the security of those systems as well. Stuff happens, but we shouldn’t let the possibility of breaches make us set aside the benefits of technology.

December 23, 2009

Balancing Privacy and Security with Patient Care

Written by: John

Healthcare InformationWeek has an article that discusses the challenges of EMR security and privacy. A lot of the stuff is nothing new to those of us in the healthcare space. Although, it’s interesting to see how they summarize things like the goal to be full EMR by 2014 and the EMR stimulus money.

However, the article did include these interesting stats on the number of breaches that happen in healthcare and the focus IT managers put on privacy and data security in healthcare.

Healthcare providers and other health businesses aren’t stepping up to protect privacy, according to a recent study. Some 80% of healthcare organizations have experienced at least one incident of lost or stolen health information in the past year, according to the study, released this month from security management company LogLogic and the Ponemon Institute, which conducts privacy and information management research.

Also, some 70% of IT managers surveyed said senior management doesn’t view privacy and data security as a priority, and 53% say their organizations don’t take appropriate steps to protect patient privacy. Less than half judge their existing security measures as “effective or very effective.”

I was surprised that 80% of organizations have had an incident of lost or stolen health information. However, I honestly don’t see this ever changing. Stuff happens even with the very best efforts.

I did also like this quote of John Halamka about the challenge of balancing privacy and security with sharing the patient information to provide better patient care.

“You want to protect the patient’s preferences for confidentiality,” Halamka said. But you also need to get information where it’s needed. “If you come to the emergency department in a coma, and you have a record that includes psychiatric treatment, HIV, drug abuse, and other information, would you share part of it or all of it? My preference would be all of it, with the hope that emergency workers would use it discreetly, to save my life.” But other people may feel differently, Halamka said, and healthcare policy needs to serve all those needs.

I’m a little surprised that Halamka has had psychiatric treatment, HIV and drug abuse. He’s doing quite well considering that history. (that’s sarcasm in case you didn’t note it) His history aside, I’m totally with him on wanting that information available as well. However, he’s totally correct that many people wouldn’t want that stuff shared. Enabling the consumer to make that decision though is a hard nut to crack.

October 8, 2009

850,000 Doctors Possibly Hit By Data Breach from a BlueCross BlueShield’s Stolen Laptop

Written by: John

Another example of a lost laptop storing sensitive information:

A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. It is not yet known whether any identity theft has resulted from the data breach.

The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors, Jeff Smokler, spokesman for the Chicago-based Blues association, said Oct. 6. That number represents every physician who is part of the BlueCard network, which allows Blues members to access networks in other states, Smokler said.

Some 16% to 22% of those physicians listed — as many as 187,000 — used their Social Security numbers as a tax ID or NPI number, Smokler said.

The association updates its file of BlueCard network physicians weekly, Smokler said. An unidentified employee downloaded the unencrypted file onto his personal computer to work on it at home, a practice that is against company policy, he said.

“We are re-evaluating that protocol and how we prevent this from happening again,” Smokler said.

This is why we’ve required and checked that our EMR software doesn’t store any PHI on our computers. It’s all stored on the server.

August 20, 2009

Bill Gates Talks About Electronic Medical Records and Healthcare

Written by: Dr. Jeff

From an Interview with Bill Gates of Microsoft. Some of his views about electronic medical records and healthcare. See complete article.

Mr. Gates was also critical of the United States government’s unwillingness to adopt a national identity card, or allow some businesses, like health care, to centralize data-keeping on individuals. “It has always come back to the idea that ‘The computer knows too much about you,’ ” he said. The United States “got off to a bad start” when it comes to using computers to keep data about its citizens, he said. Doctors are not allowed to share records about an individual patient, and virtual doctor visits are banned, he said, which “wastes a lot of money.” The United States “had better come up with a better model” for health care, he said.

I agree and disagree with Mr. Gates. We need more data sharing and more interoperability BUT confidentiality IS an important issue. Just look at how the drug tests became public about Major League Baseball Players when they were PROMISED it would be strictly confidential!!!! I don’t trust big government or big business. Question: How do you tell an attorney or politician or corporate executive is lying? Answer: Their lips are moving or their fingers are typing!

We have to make sure medical information about individuals remains confidential and remains in the control of the individual.
