How often do we see HIPAA violations issued because a regulated entity did not secure the electronic records at hospitals and small clinics? Large-scale security breaches and, sometimes, the selling of your e-records by various third-party sources are in the news. In Massachusetts and New Hampshire, an e-record vendor recently admitted to large-scale e-record breaches. The FDA has provided some guidance on what is expected for e-records, but no real guidance on security. That may be one of the reasons that so many of the e-record systems I have reviewed meet the minimal requirements but still have security vulnerabilities.
The second half of this story will send shivers down your spine, and then make you mad. Your e-records are being sold to insurance companies, debt collectors, and prospective employers. Yes, your e-records are for sale to the highest bidder. The 1996 HIPAA law left provisions for certain entities to access your entire medical record. Some of the stolen or hacked e-records get sold, and that’s terrible of course, but ironically, most of the time your e-records are sold it is “legal.” Securing medical e-records comes with a price, and even with some of the best security there may still be a breach. In most business models for building e-record systems, security is last on the list. Sadly, it doesn’t appear to be much different in the healthcare industry.
So, what’s to be done?
Will it take a 21st century modernization of HIPAA, written almost twenty years ago and before the e-record mandate? Or will we limp along with legislation that is increasingly showing its age?
In our digital age of e-records, our security should be ensured, since we pay for the care we receive. HHS and Congress should be focusing on this, but they are currently distracted by advocating or decrying Obamacare.
And speaking of Obamacare, that new law also has some troubling provisions about who is allowed access to your records, and some “interesting” exceptions to those provisions.
But don’t get me started on Obamacare implementation before we deal with HIPAA.
For now we can only trust (read: hope) but not verify who really has access to our medical e-records that are weakly protected by a 20th century law.