From MinnPost.com, a post on Sen. Al Franken’s second hearing as chairman of the Senate Subcommittee on Privacy, Technology and the Law. Franken’s take was that federal agencies tasked with enforcing digital privacy are not doing so. While we might be aware on some subliminal level about the lack of enforcement, when presented in sheer numbers, the statistics are shocking.

According to the MinnPost article:

“Total, there have been 364 “major breaches” of 18 million patient’s private data since 2009, Franken said. Meanwhile, enforcement of data privacy laws have been lax — out of the 22,500 complaints the Health and Human Services Department has received since 2003, it’s levied only one fine and reached monetary settlements in six others. Of the 495 cases referred to the Department of Justice, only 16 have been prosecuted.”

Here on the HHS website, you can see all the breaches affecting 500 or more people (sort by Breach Date to see recent breaches). Even with all the rules around reporting, effectively, given the lack of enforcement, hospitals and care organizations stand to gain the most in this lax enforcement landscape. I’d be curious to know the process of fining and reaching settlements, whether it is proportional to the amount of data stolen/lost. More importantly, I’d like to know what organizations are doing differently if data thefts have been identified – the worst thing for an organization would be to pay the fine, and continue with the same faulty processes that led the breach in the first place.

Healthcare InformationWeek has an article that discusses the challenges of EMR security and privacy. A lot of the stuff is nothing new to those of us in the healthcare space. Although, it’s interesting to see how they summarize things like the goal to be full EMR by 2014 and the EMR stimulus money.

However, the article did include these interesting stats on the number of breaches that happen in healthcare and the focus IT managers put on privacy and data security in healthcare.

Healthcare providers and other health businesses aren’t stepping up to protect privacy, according to a recent study. Some 80% of healthcare organizations have experienced at least one incident of lost or stolen health information in the past year, according to the study, released this month from security management company LogLogic and the Ponemon Institute, which conducts privacy and information management research.

Also, some 70% of IT managers surveyed said senior management doesn’t view privacy and data security as a priority, and 53% say their organizations don’t take appropriate steps to protect patient privacy. Less than half judge their existing security measures as “effective or very effective.”

I was surprised that 80% of organizations have had an incident of lost or stolen health information. However, I honestly don’t see this ever changing. Stuff happens even with the very best efforts.

I did also like this quote of John Halamka about the challenge of balancing privacy and security with sharing the patient information to provide better patient care.

“You want to protect the patient’s preferences for confidentiality,” Halamka said. But you also need to get information where it’s needed. “If you come to the emergency department in a coma, and you have a record that includes psychiatric treatment, HIV, drug abuse, and other information, would you share part of it or all of it? My preference would be all of it, with the hope that emergency workers would use it discreetly, to save my life.” But other people may feel differently, Halamka said, and healthcare policy needs to serve all those needs.

I’m a little surprised that Halamka has had psychiatric treatment, HIV and drug abuse. He’s doing quite well considering that history. (that’s sarcasm in case you didn’t note it) His history aside, I’m totally with him on wanting that information available as well. However, he’s totally correct that many people wouldn’t want that stuff shared. Enabling the consumer to make that decision though is a hard nut to crack.