[Med-privacy] loose EMRs
peter marshall
techdiff@ix.netcom.com
Wed, 07 Nov 2001 10:44:10 -0800
http://www.latimes.com/news/nationworld/nation/la-110701private.story
Los Angeles Times
Web Mishap: Kids' Psychological Files Posted
By CHARLES PILLER
Times Staff Writer
November 7 2001
Detailed psychological records containing the innermost secrets of at least 62
children and teenagers were accidentally posted on the University of Montana Web
site last week in one of the most glaring violations of privacy over the
Internet.
The 400 pages of documents describe patient visits and offer diagnoses by
therapists of mental retardation, depression, schizophrenia and other serious
conditions.
In nearly all cases, they contain complete names, dates of birth and sometimes
home addresses and schools attended, along with results of psychological
testing.
Unlike a medical file left open on a counter in a doctor's office, these
electronic medical records, once placed on the Internet, were exposed to a
potentially vast audience. "You're talking about sensitive information that
could scar a child for life being available to anyone for any purpose," said
Evan Hendricks, editor of Privacy Times newsletter.
The mother of an 11-year-old, whose records of an attention
deficit/hyperactivity disorder were posted on the university's Web site, was
appalled. "He's just a kid, and he shouldn't have his whole life splattered
around for the whole world to know. It makes me sick," she said.
The mother declined to be identified. She recalled attending her son's therapy
sessions and watched the therapist "taking notes in her book, and [I] thought
maybe that was the extent of it. I guess I was kind of naive about that."
The medical files were placed on the University of Montana Web site Oct. 29 and
were available for eight days. The files were removed Monday after a local
paper, the Missoulian, reported the story, university officials said. The
records were for patients at clinics mainly in Minnesota, as well as in Montana
and other states.
A University of Montana student or technical employee may have accidentally
placed these private files on the Web site, officials said.
It is unclear how many people viewed these records.
The Montana case is the latest in a series of unauthorized disclosures of
medical data over the Internet. Earlier this year, Eli Lilly & Co., maker of the
antidepressant Prozac, inadvertently divulged the names and e-mail addresses of
600 psychiatric patients in a mass e-mail.
Similarly, Kaiser Permanente last year sent e-mails with confidential medical
information to the wrong Kaiser members.
"That's the danger with having all of these electronic records," said Daniel B.
Borenstein, a former president of the American Psychiatric Assn. and a UCLA
professor.
"If you push the wrong button or put something in the wrong spot on your Web
site, it [can mean] immediate distribution of a massive amount of private
medical information," Borenstein said.
Last year, a Nevada woman bought a used computer only to find that its previous
owner, a drugstore, had left the pharmacy records of thousands of patients on
the machine's storage drive. But the buyer did not publicly disclose the
records.
Also last year, a computer hacker broke into the medical records system at the
University of Washington Medical Center and gained access to some 4,000 patient
records--although these were not made public.
What sets the Montana incident apart is the youth of the patients, the amount of
detail disclosed and its placement on a public Web site that allowed complete
access to private records.
The detailed accounts by therapists reveal children suffering from all manner of
emotional problems:
"[She] has 'extreme mood swings' and is very aggressive with her sisters and
other children," read one file about an 8-year-old girl diagnosed with autism
and mental retardation. "She has been cruel to animals, . . . often refuses to
eat and will make herself vomit."
An 8-year-old boy was described as suffering from "anger outbursts, gender
identity issues" and bed-wetting.
Raymond Ford, the University of Montana technology manager, said the incident is
under investigation. "We have no evidence that this was malicious--all the
evidence that we have suggests that the person who uploaded [the patient files]
probably had no idea what [he was] doing," he said.
But once the records were placed on the school's Web server, a computer that
manages its online files, they became available to Internet search engines and
were visible to casual Web surfers who requested a keyword contained in a
patient's record.
For example, a search for "confidential" or "neuropsychological" turned up
dozens of these medical records. Those files could then be copied to the
computer of any visitor.
Therapists whose patients were involved were stunned by the lapse.
"I'm shocked. I have no idea how this can happen. Obviously, this information is
confidential, and we go to great lengths to keep it confidential," said Bonnie
Carlson-Green, a psychologist at Children's Hospital in St. Paul, Minn., the
source of some of the patient records.
Ford said the university will attempt to tighten its Web security, but that it
must depend on users' vigilance and care to restrict private materials.
Medical records experts said the university has an ethical obligation to inform
the patients' parents.
"The least the [university] can do is contact the families and let them know
that there was this error and the steps they've taken to correct it," Borenstein
said.
"There should be special privacy protections for all medical records, even more
special protections for disclosure of any psychiatric records," because of a
real threat of discrimination against people whose treatment for mental illness
becomes known, Borenstein said.
Borenstein fears that fewer people will seek treatment if they think their
private information may be accidentally disclosed.
Many psychiatrists are so concerned about inappropriate electronic disclosure of
medical reports that they write only cryptic comments in patient records,
trusting the rest to memory, Borenstein said.
David Aronofsky, the University of Montana's attorney, said accidental online
releases of private legal or medical information are not unusual and are
corrected quickly.
Patients and medical institutions have not been contacted about the release of
these records. They will be contacted if it seems necessary, after the internal
investigation is concluded, Aronofsky said. "We're not understating the
significance of what happened here, nor are we trying to cover it up," he said.
Fiona Anderson, a University of Minnesota psychologist whose patient records
were among those released online, said the records may have been removed against
her institution's rules.
"As things become more electronic and more easily accessed . . . edited and
altered, it's difficult for our ethical rules and guidelines to keep up with the
technology," she said.
But such victims of accidental disclosures face steep legal challenges to gain
compensation, said Peter Swire, a law professor who was chief privacy counselor
for the Clinton administration.
Part of the problem is new, more stringent federal standards for medical records
privacy will not take effect until 2003, and state regulations vary widely.
Posting a private document online--no matter how injurious it may appear--can
cause legal liability only if the victim can prove damages in court.
"What if one of the patients has something bad happen to him or her as a result
of this disclosure--if they are turned down for a job later in life?" Swire
said. "This is where you are open to a [legal] suit."
As more medical records are stored digitally, routine electronic disclosure to
insurers and health maintenance organizations has increasingly troubled some
clinicians and privacy advocates, although such transfers are legal and often
required for provider reimbursement.
Paul Appelbaum, president-elect of the American Psychiatric Assn., said patients
should be given the option of having their information kept on paper.
A few health-care providers, such as the Harvard Pilgrim HMO, offer such an
option.
The alternative for patients may be decreasing control over their medical
histories.
Appelbaum added: "The mobility of electronic information is almost unlimited."
Copyright 2001 Los Angeles Times