Can digital health protect your privacy?
As hospitals begin to more widely adopt electronic health records, it will take more than technology to secure your privacy.
NEW YORK (CNNMoney.com) -- Digitizing health records is a good idea, say most experts, but it will take a feat of policy, technology and education to ensure your records don't get into the wrong hands.
It all starts with one basic question: Who actually owns your health records?
"Right now, hospitals assume the liability, but the model has to shift to one where the patient controls the data and whether it is put online," said Dr. David Brailer, chairman of Health Evolution Partners and former health tech czar under President Bush. "The people who hold your data control your data."
Controlling the dissemination of patient data is becoming more of a hot-button issue as the push to go digital heats up. The Obama administration is spending $20 billion on incentives to hospitals and physician offices to ensure that a national digital health network is formed by 2014.
What are your rights?
The current health information privacy laws were enacted in 1996 and appear outdated when it comes to Obama's digital plan. The Health Insurance Portability and Accountability Act (HIPAA) gives you the right to find out how your information may be used, and the ability to obtain a copy of your records and request corrections.
But patients don't own their records, so they don't have a say in how they are actually used or who sees them.
"HIPAA is yesterday's solution, as it was set up to protect privacy in a paper world, not for one that's electronic and streaming," said Brailer. "And HIPAA delegates policy to states, making it nightmarish for different people to come together. It's a big regulatory gap."
He suggested Congress pass an updated bill that gives patients the ability to opt in to allow information sharing. Similar to when Web sites ask whether or not you would like your contact information shared, patients would have to click a box to give doctors permission to disseminate their information.
An opt-in system's benefits extend beyond just privacy -- it could give patients more freedom to switch doctors, Brailer argued. A patient who is treated by Dr. X and wants to be treated by Dr. Y could simply give permission to share his or her information with Dr. Y, rather than requesting that Dr. X fax the files over.
"Portability and privacy are two sides of the same coin," said Brailer. "We want to make patient shopping easy, rather than the weeks-long rigmarole to get a doctor to see your records."
Securing your records.
In the absence of new privacy laws, the burden lies with secure networks and solid physician training on the technology, say experts.
But that may be a tall order ... at least in the near term.
"Today, information gets converted from paper to digital and back to paper," said Sean Hogan, vice president of IBM's healthcare delivery systems. "It's incredibly convoluted and information is very exposed due to a lack of good processes."
IBM (IBM, Fortune 500) offers IT, hardware and maintenance services for about a dozen hospital networks that use electronic health records.
Hogan said many hospitals have different logins and passwords for each terminal. And rather than memorizing each login, many nursing stations and doctors' offices have Post-its on the computer monitors with the username and password -- not exactly airtight security.
IBM and other vendors are combating that lax security by creating unique logins for each user rather than for each terminal. It's a two-fold fix, said Hogan. First, it hopefully eliminates the Post-its, and second, it restricts patients' records from being viewed by hospital personnel who don't have proper clearance to view that data.
In one more security measure, IBM trains doctors and other hospital personnel in how to properly use the technology to avoid slip-ups, said Hogan.
Still, no matter how secure the network is and how well-trained the hospitals' staff are, there is no foolproof system.
Hogan said technology can be designed to anticipate and counter ways the "bad guys" will attempt to gain access to records. But government policy and hospital structure need to help support that technology.
"When we go in a direction that is more fine and robust in terms of policy and process, we can develop the technology that addresses the exposures," he said.