Electronic medical records: great, but not very private

medical_records.top.jpg By Shelley DuBois, reporter

FORTUNE -- If you live in Texas, your medical records are definitely up for sale by the state. If you live anywhere else in the United States, they probably are for sale there, too.

Medical health records provide key information to researchers, who have lobbied hard to keep them accessible, despite government concerns about the privacy of patient data. The controversy dates back to 1996, when Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to protect patients. "Researchers have very broad access rights to health care records under HIPAA," says Pam Dixon, director of a non-profit called the World Privacy Forum "The rules are pretty loose, and there are a lot of ways to get around them." That's especially true since the act wasn't designed to cover common scenarios today: records stored online in a vast, hackable cloud. In the rush to digitize all electronic health records, Dixon says not everyone is taking the proper steps to de-personalize the data and protect patients.

All medical records will turn digital by 2014, according to a provision in President Obama's economic stimulus package. This would allow physicians to store patient data in the cloud, making it much easier to connect fragmented medical records, saving time and money. Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act alongside the stimulus, which is meant to reinforce security as those records go digital. The 2009 stimulus bill also offers financial incentives for companies that create electronic records.

The money in medical records

That has caused health care facilities to scramble to find companies that will help them store electronic data. "When there's money, everybody comes out," says Kurt Long, CEO of FairWarning, a company that monitors privacy breaches in electronic health records. But the effort to offer electronic health record services might have outpaced efforts to secure the data. Long says "we've got a wild west here in health care."

A report last week in a Texas watchdog publication called the Austin Bulldog outlined the problems with electronic medial records in the state. According to the report, the Texas Department of State Health Services (DSHS) has been selling de-identified patient data to groups who can prove they would use it for research. Some of the roughly 100 buyers from January 1, 2009, through April 1, 2010 included Blue Cross Blue Shield of Texas, Los Angeles business consulting firm EconOne, and Sanofi Pasteur, the vaccines arm of French pharma giant Sanofi-Aventis. The Texas DSHS charges between $2100 and $5600 per year for data collected after 2007 and under $1000 per year for data collected between 2004 and 2006. Data collected before 2003 is free, and available online.

But de-identification is far from foolproof. The de-identification process can mean changing some of the digits in the patients' zip code, withholding the dates of the hospital visit, and providing an age range instead of patients' actual age. But most records still include diagnoses, gender, address, billing information, and information about patients' next of kin. This leaves plenty of ways to re-identify patients by cross-referencing it with other information on the web. That's easy to do, Long says, "it's certainly not rocket science."

It's not a problem unique to Texas either, according to Deborah Peel, psychiatrist and founder of a watchdog group called Patient Privacy Rights, "I am very certain this is happening in every state," she says. But there's no way to know, says World Privacy Forum's Dixon. The Department of Health and Human Services could launch a national study, but probably doesn't have the resources. Also, states--not the federal government--regulate digital medical record security.

"The problem is that states are massively underfunded," Peel says. They don't have the resources to do this, so they do this stuff without getting any kind of expert advice. They've been incredibly casual with this sensitive data."

Most researchers who buy the data - key to their work -- don't do so with the intention of selling it to bad guys. But the problem is that unencrypted medical data is easily hackable and there's no way of knowing how researchers are safeguarding the data once they buy it. Breaches happen often, says Long, can include anything "as innocent as looking at your neighbor's medical records to employees stealing the identities of patients so they can produce false federal tax returns."

Many hackers are curious, trying to figure out whether their neighbors, celebrities or athletes have a history of alcoholism or mental illness. "We always bust people looking at all those records whenever there's a Super Bowl," Long says.

Past breaches in electronic health record security have also resulted in identity theft, false Medicare and Medicaid claims, and credit card scams.

Cyber security has been playing catch-up, says Long. "There were no laws until HIPAA," which wasn't enforced when it passed in 1996. "It's not until the HITECH stimulus bill passed in 2009 that all of these things became more serious."

Now that safety is starting to be a priority, "there has to be a better balance between privacy needs and researchers needs," Dixon says. "Technology has moved quickly, the regulation was weak to begin with, and now we're in a free for all." To top of page

Just the hot list include
Frontline troops push for solar energy
The U.S. Marines are testing renewable energy technologies like solar to reduce costs and casualties associated with fossil fuels. Play
25 Best Places to find rich singles
Looking for Mr. or Ms. Moneybags? Hunt down the perfect mate in these wealthy cities, which are brimming with unattached professionals. More
Fun festivals: Twins to mustard to pirates!
You'll see double in Twinsburg, Ohio, and Ketchup lovers should beware in Middleton, WI. Here's some of the best and strangest town festivals. Play
Company Price Change % Change
Ford Motor Co 8.29 0.05 0.61%
Advanced Micro Devic... 54.59 0.70 1.30%
Cisco Systems Inc 47.49 -2.44 -4.89%
General Electric Co 13.00 -0.16 -1.22%
Kraft Heinz Co 27.84 -2.20 -7.32%
Data as of 2:44pm ET
Index Last Change % Change
Dow 28,210.82 -97.97 -0.35%
Nasdaq 11,484.69 -31.80 -0.28%
S&P 500 3,435.56 -7.56 -0.22%
Treasuries .82 0.02 2.38%
Data as of 1:01am ET


Bankrupt toy retailer tells bankruptcy court it is looking at possibly reviving the Toys 'R' Us and Babies 'R' Us brands. More

Land O'Lakes CEO Beth Ford charts her career path, from her first job to becoming the first openly gay CEO at a Fortune 500 company in an interview with CNN's Boss Files. More

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.