[Med-privacy] privacy and EMRs

Tue, 13 Jun 2006 13:06:11 -0700

--Apple-Mail-17-123279651
Content-Transfer-Encoding: base64
Content-Type: image/gif;
	x-unix-mode=0666;
	name="spacer.gif"
Content-Disposition: inline;
	filename=spacer.gif

R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==

--Apple-Mail-17-123279651
Content-Transfer-Encoding: base64
Content-Type: image/gif;
	x-unix-mode=0666;
	name="from_provider_globe.gif"
Content-Disposition: inline;
	filename=from_provider_globe.gif

R0lGODlhaQAUAPcAAP///wAAALu7uzMzM4iIiO7u7qqqqv7+/vz8/HR0dN3d3REREf39/fr6+mZm
ZrOzs5mZmfHx8ZGRkVVVVYaGhsLCwqampnZ2dgMDAzk5OfPz8729vb+/v3Nzc1hYWF1dXfb29vv7
+xISEoWFhaenp9bW1tfX14qKioGBgaGhobCwsOzs7MDAwPn5+cfHx/X19eDg4MvLy6WlpWtra6ys
rLGxsZqamhsbG319fQUFBXd3d+vr64ODg6mpqRQUFERERJWVlbq6ugICAvLy8mFhYX5+fjAwMAkJ
CSAgIFRUVNnZ2YSEhI6OjuXl5a6urre3t1tbWzc3NwEBAerq6rS0tBMTEyIiIt7e3hwcHOTk5B8f
H9PT03V1ddHR0ZSUlIeHhwQEBG9vb6CgoAoKCqurq1dXV3BwcLi4uPDw8BAQEHh4eObm5rm5uejo
6FNTU7W1tdLS0jY2NhYWFm5ubgwMDFFRUY+Pj/T09AsLC8rKysbGxuPj4+fn50ZGRoKCgu3t7SEh
IbKyssHBwXl5eYmJicnJyTw8PN/f319fX3JycjU1NWdnZ9vb287OztjY2KOjoxcXF2VlZTs7O2pq
allZWa+vr3FxcSgoKKSkpCUlJUhISJubm9zc3OHh4R4eHry8vLa2tlJSUsPDw52dnT4+Pg0NDZyc
nJ6ensXFxdXV1UlJSenp6eLi4r6+vmlpaZiYmFxcXG1tbRgYGM3NzZeXl0VFRff39w4ODpKSkpaW
ltTU1K2trXx8fGNjYwgICGRkZFpaWiQkJMjIyH9/fzIyMk1NTTQ0NNra2mBgYENDQ0JCQmxsbEtL
SysrKz09PRkZGUdHRy4uLs/PzzExMYCAgC8vLwcHB8TExIyMjIuLi5+fn05OTlZWViYmJgYGBnp6
ent7e0FBQfj4+C0tLT8/P5CQkMzMzEBAQO/v75OTk09PTwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwAAAAAaQAUAAAI/wABCBxI
sKDBgwgTKlzIsKHDhxAjSpxIsaLFixgzatzIsaPHjyBDihxJsqTJkygzHlIy5QWCAysE0ZDwh2Ee
YKSgfFGwQg2Rk394SFglsMGeVg8OFHzRhIQLpQo1IKLjqxQkIwM+1AgggaEGV4kuRPFS402dALQg
NqDoQgeWAFXCAFkhAYMpg0M0SYHBkAWPIF7GKZNEKU+JANoYoukCwIkKKpIKrAg2RsFAqAMRDGzA
RZdEWxbG+Km0IRwkDgAqBSBzUEeAAgx3hOgyCM8TKgLzBLBg7oOLgYE6tCioJI2oS256IBAjZ5ZA
MYq8vBD4wAiOPVMmBMAhAACCC2E6Af/YMiOLIAcVCJq4cCZAgidtYsER6CSAAYFbmOGazkuKghmW
2CKQNH08QNAUUHRxQgAsBCJQDEIkkgIe3bQQASHkBLDNCgMpwAMGLviQRApXbFICAIwQkcAPAdRx
Ry+qROJNGhJ4EAAJqXwCywdCyPLJBgH8YooIImwhkAbNUCBOAMvYYEgA58xXHw0NAIFILQEoEoEf
GJyiDlcHlBMFEjnYMFAkNwAwTACN1PBgAEAAEEoOBzARQAxcVGEkAGcgo0UOenhSjBdxgDEHOhQE
UMEBPsTRiXsAVCDcCAFwAkA0PgBgQQAjgBCAKwD4EYCBAIASwAYhYIBICo3wEAAgO1D/EUAgrATQ
AQBlBLAHpVd4uggDYGQAAxKTDKQFMQB0gIEJKrxJAgCUHAEApTLIkMpAJjBgAxiMyIGDDE9EEQAV
EDAIwDN9wBAAEQokAwEAOARwYgZpchDACUMEsAQAmwQAikCvBPDGAWMkQcJaiQTwCJAqRBCAGQCo
EUATSwRwCAO39ALADUb0QINmAmlRBQKLiHCFE2/KAIAH0hIQgB0RGHRCESWUgcYoDVATACo2BNAK
ACLUEkEUQiRwiRCOJHqiM1oAEMS9+aKgaQBBCIRJAEUAQAcUPcSsSwBMsBCACp5CfMHEFV/BgCyw
AJDJDcIU5EYAr8zARAE0CDTLbitL/5voDgYx8MgXbmwAgAx38BIAB7SYK0IGAKxRBAMSBGDCFwE4
AkAGSAAgQACEaBCA1LsE0B0AJggBSCPG6EFCzFncUggbAdQgegIAnN0EpVkwICIAVsRh0NPW3ApC
swDY+yw30sYrCAAasDLQKUaUEkAAmixSwAWGwCBxClpn0EAHJ+yQ6DEJZO52FUPYi80OnALQg6ID
zRCAFahZoFQNYgBARgBs4EMAPACA9K1hEAIDQA4+EAIRYKENALgGQewAhhbhghAbeEAYsnSHDwQg
BRRIAx5m8ICaACALQJgCGlxghhwEgABw0MwugoGBDyTABGKYxhh8YIh0tCAbAchABafmIIUbeAAF
fHgaKUJAO0vwQSlDAEYAPHEBIjABCIUQyP+g8QRVBKAPscAEAgwgBwzMgQJtCEECpICEBKSHIHr4
BRZ8AQhwcOIFX1gCAkQxgQcwoAtlmETMBLIGRhCkBKOAzUBW8Q2pMaAQDVACF96oKS7A5gGhOINA
QDCIXBwAASjIxXAGQoMkYKEaRTjEZmzAAxCEwA4e4ItAlBCGHhDkAVBABQACAgA7

--Apple-Mail-17-123279651
Content-Type: multipart/alternative;
	boundary=Apple-Mail-18-123279652

--Apple-Mail-18-123279652
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=ISO-8859-1;
	format=flowed

HEALTH SENSE
Privacy issues loom in push for electronic medical records

By Judy Foreman =A0|=A0 June 12, 2006

Patients of the land, unite! You have nothing to lose but your privacy.

There's a growing national effort to bring medical records into the=20
21st century by converting the paper records now scattered in doctors'=20=

file cabinets to electronic records by 2014. It's a grand idea -- in=20
many ways.

If medical records were electronic, prescriptions would be more legible=20=

and could be filled more accurately. Public health officials could spot=20=

disease outbreaks quickly and track their spread. Doctors could=20
speedily check a patient's record, helping to avoid wasteful repetition=20=

of tests and minimize harmful drug interactions and other errors, which=20=

currently kill an estimated 98,000 people a year in the United States.=20=

Scientists would have access to a gold mine of data about diseases.

There could be other direct benefits, too. If I had a car accident in=20
San Francisco, say, an emergency room doctor there could check my=20
records in Boston to treat me correctly.

But -- call me paranoid, call me old-fashioned, call me an electronic=20
dummy -- the whole idea scares me. And not just me.

``I have spent 30 years seeing nothing but how people are harmed [in=20
their] reputation or livelihoods when sensitive medical records are=20
seen by anyone . . . outside of the few people you trust to actually=20
take care of you," said Dr. Deborah Peel , a Freudian psychoanalyst in=20=

Austin, Texas, and founder of the Patient Privacy Rights Foundation=20
(www.patientprivacyrights.org ), a nonprofit group. ``If privacy is not=20=

fully protected we won't be building anything except the most valuable=20=

motherlode of information for data mining on earth."

To be sure, paper records aren't all that secure, either. Anyone in a=20
white coat can peruse paper records and no one would ever know. At=20
least with electronic records, there can be ``audit trails," to show=20
who has peeked at what. Still, do we really want to make it easier for=20=

more people to see sensitive medical data?

We know now that personal electronic information on 26.5 million=20
military veterans, including their Social Security numbers and birth=20
dates -- and in some cases, disabilities -- was stolen from the=20
residence of a Department of Veterans Affairs employee who had taken=20
the data home without authorization. In another example of the=20
vulnerability of electronic records, we know that the National Security=20=

Agency has secretly been collecting the phone call records of tens of=20
millions of Americans. And we know that credit card information is=20
vulnerable to hacking and accidental release.

``If the Veterans Administration can't prevent the theft of 26 million=20=

names and Social Security numbers from an electronic file, why would=20
any patient believe their personal, sensitive health data is safe=20
online?" said Peel.

Already, roughly 150 people, from nursing staff to X-ray technicians to=20=

billing clerks, have access to at least part of a patient's records=20
during a hospitalization, according to the US Department of Health and=20=

Human Services. And 600,000 payers, providers, and other entities that=20=

convert providers' raw data into billing data have some access, too.

The national Health Information Technology effort, authorized by the=20
Bush administration in 2004, is now being hammered out by four groups=20
working through the Department of Health and Human Services.

One group is standardizing the way records are kept -- nitty-gritty=20
stuff like whether the patient's name or something else comes first on=20=

forms, said Dr. John Halamka , chief information officer for Harvard=20
Medical School and chairman of this group, called the Health=20
Information Technology Standards Panel.

Another group is working on the ``architecture" of the system -- who=20
gets to see which pieces of data and how the data can be secured. A=20
third is working on privacy policy, sorting through privacy protections=20=

from each of the 50 states, whose laws often offer better privacy=20
protection than federal rules called HIPAA, which have been in effect=20
since 2003. (Last week, the Washington Post reported that the federal=20
government has been fairly lax in enforcing HIPAA, receiving nearly=20
20,000 allegations of privacy violations, but imposing no fines and=20
prosecuting only two criminal cases.)

The fourth group is working on certification -- to see that electronic=20=

products offered by vendors have all the features they are supposed to=20=

have.

At first glance, all this sounds reassuring. But there is only one=20
consumer representative on the advisory panel, called the American=20
Health Information Community, that is overseeing the work of the other=20=

four groups. The other 16 members come from federal agencies, hospital=20=

or doctor groups, industry (Intel), an employer (Pepsi), and a state=20
health department (Indiana).

To ensure that patients have adequate privacy and control over their=20
own records, ``more could be done to increase consumer participation in=20=

the e-health records process," said privacy advocate Ray Campbell ,=20
executive director of the Massachusetts Health Data Consortium, a=20
nonprofit group that uses information technology to improve healthcare.=20=

The Massachusetts group is now working with the privacy committee of=20
the health information community.

One of the major issues is how centralized these health information=20
databanks should be.

What has worked well so far, said Halamka of Harvard, is a ``very=20
decentralized approach" like the one he has put in place at Beth Israel=20=

Deaconess Medical Center. ``The data live in the doctor's office or in=20=

the hospital. It never gets put into any central database where it=20
could be hacked. I would be worried if there were a central database in=20=

the basement of the White House that could be hacked, but we are not=20
building that."

Only limited information about each patient -- such as name, date of=20
birth and pointers to where care has been given -- would be kept in a=20
regional database, Halamka said. If a doctor needs more information and=20=

is authorized to get it, he or she can retrieve records directly from=20
the places the patient received care.

``Thus, the clinical data is local to hospitals and doctors offices,"=20
he said, ``but the map of places your data resides in is regional."

Stephanie Reel , chief information officer for Johns Hopkins Medicine,=20=

said she has confidence in the privacy efforts of top-notch hospitals,=20=

but worries about sharing information across a larger audience. ``Our=20
hospitals do a good job of protecting patient information," she said,=20
``but people's concerns are legitimate when you are sharing information=20=

across a larger audience."

How well privacy can be safeguarded in a national, electronic system is=20=

``the $64,000 question," said Carole Klove , chief compliance and=20
privacy officer for UCLA Medical Sciences.

It was valuable during Hurricane Katrina that New Orleans pharmacies=20
had electronic records so patients could still get prescriptions=20
filled, she said. ``But certainly there are risks in having all your=20
records electronic. Risks can result in inappropriate access."

The good news is that the push to make medical records electronic is=20
still a work in progress. It's not too late for more consumer voices.=20
If you're concerned, you can monitor the workings of the health=20
information technology effort at www.hhs.gov/healthit/ .

Judy Foreman is a freelance columnist and can be reached at=20
foreman@globe.com. =A0=

--Apple-Mail-18-123279652
Content-Transfer-Encoding: quoted-printable
Content-Type: text/enriched;
	charset=ISO-8859-1

<fontfamily><param>Helvetica</param><smaller><x-tad-smaller>

=
</x-tad-smaller><color><param>CCCC,0000,0000</param><smaller><x-tad-smalle=
r>HEALTH
SENSE</x-tad-smaller></smaller></color><smaller><x-tad-smaller>

=
</x-tad-smaller></smaller></smaller></fontfamily><bold><fontfamily><param>=
Helvetica</param><bigger><bigger><bigger>Privacy
issues loom in push for electronic medical records

=
</bigger></bigger></bigger></fontfamily></bold><fontfamily><param>Helvetic=
a</param><x-tad-smaller>By
Judy Foreman =A0|=A0 June 12, 2006

Patients of the land, unite! You have nothing to lose but your privacy.

There's a growing national effort to bring medical records into the
21st century by converting the paper records now scattered in doctors'
file cabinets to electronic records by 2014. It's a grand idea -- in
many ways.

If medical records were electronic, prescriptions would be more
legible and could be filled more accurately. Public health officials
could spot disease outbreaks quickly and track their spread. Doctors
could speedily check a patient's record, helping to avoid wasteful
repetition of tests and minimize harmful drug interactions and other
errors, which currently kill an estimated 98,000 people a year in the
United States. Scientists would have access to a gold mine of data
about diseases.

There could be other direct benefits, too. If I had a car accident in
San Francisco, say, an emergency room doctor there could check my
records in Boston to treat me correctly.

But -- call me paranoid, call me old-fashioned, call me an electronic
dummy -- the whole idea scares me. And not just me.

``I have spent 30 years seeing nothing but how people are harmed [in
their] reputation or livelihoods when sensitive medical records are
seen by anyone . . . outside of the few people you trust to actually
take care of you," said Dr. Deborah Peel , a Freudian psychoanalyst in
Austin, Texas, and founder of the Patient Privacy Rights Foundation
(www.patientprivacyrights.org ), a nonprofit group. ``If privacy is
not fully protected we won't be building anything except the most
valuable motherlode of information for data mining on earth."

To be sure, paper records aren't all that secure, either. Anyone in a
white coat can peruse paper records and no one would ever know. At
least with electronic records, there can be ``audit trails," to show
who has peeked at what. Still, do we really want to make it easier for
more people to see sensitive medical data?

We know now that personal electronic information on 26.5 million
military veterans, including their Social Security numbers and birth
dates -- and in some cases, disabilities -- was stolen from the
residence of a Department of Veterans Affairs employee who had taken
the data home without authorization. In another example of the
vulnerability of electronic records, we know that the National
Security Agency has secretly been collecting the phone call records of
tens of millions of Americans. And we know that credit card
information is vulnerable to hacking and accidental release.

``If the Veterans Administration can't prevent the theft of 26 million
names and Social Security numbers from an electronic file, why would
any patient believe their personal, sensitive health data is safe
online?" said Peel.

Already, roughly 150 people, from nursing staff to X-ray technicians
to billing clerks, have access to at least part of a patient's records
during a hospitalization, according to the US Department of Health and
Human Services. And 600,000 payers, providers, and other entities that
convert providers' raw data into billing data have some access, too.

The national Health Information Technology effort, authorized by the
Bush administration in 2004, is now being hammered out by four groups
working through the Department of Health and Human Services.

One group is standardizing the way records are kept -- nitty-gritty
stuff like whether the patient's name or something else comes first on
forms, said Dr. John Halamka , chief information officer for Harvard
Medical School and chairman of this group, called the Health
Information Technology Standards Panel.

Another group is working on the ``architecture" of the system -- who
gets to see which pieces of data and how the data can be secured. A
third is working on privacy policy, sorting through privacy
protections from each of the 50 states, whose laws often offer better
privacy protection than federal rules called HIPAA, which have been in
effect since 2003. (Last week, the Washington Post reported that the
federal government has been fairly lax in enforcing HIPAA, receiving
nearly 20,000 allegations of privacy violations, but imposing no fines
and prosecuting only two criminal cases.)

The fourth group is working on certification -- to see that electronic
products offered by vendors have all the features they are supposed to
have.

At first glance, all this sounds reassuring. But there is only one
consumer representative on the advisory panel, called the American
Health Information Community, that is overseeing the work of the other
four groups. The other 16 members come from federal agencies, hospital
or doctor groups, industry (Intel), an employer (Pepsi), and a state
health department (Indiana).

To ensure that patients have adequate privacy and control over their
own records, ``more could be done to increase consumer participation
in the e-health records process," said privacy advocate Ray Campbell ,
executive director of the Massachusetts Health Data Consortium, a
nonprofit group that uses information technology to improve
healthcare. The Massachusetts group is now working with the privacy
committee of the health information community.

One of the major issues is how centralized these health information
databanks should be.

What has worked well so far, said Halamka of Harvard, is a ``very
decentralized approach" like the one he has put in place at Beth
Israel Deaconess Medical Center. ``The data live in the doctor's
office or in the hospital. It never gets put into any central database
where it could be hacked. I would be worried if there were a central
database in the basement of the White House that could be hacked, but
we are not building that."

Only limited information about each patient -- such as name, date of
birth and pointers to where care has been given -- would be kept in a
regional database, Halamka said. If a doctor needs more information
and is authorized to get it, he or she can retrieve records directly
from the places the patient received care.

``Thus, the clinical data is local to hospitals and doctors offices,"
he said, ``but the map of places your data resides in is regional."

Stephanie Reel , chief information officer for Johns Hopkins Medicine,
said she has confidence in the privacy efforts of top-notch hospitals,
but worries about sharing information across a larger audience. ``Our
hospitals do a good job of protecting patient information," she said,
``but people's concerns are legitimate when you are sharing
information across a larger audience."

How well privacy can be safeguarded in a national, electronic system
is ``the $64,000 question," said Carole Klove , chief compliance and
privacy officer for UCLA Medical Sciences.

It was valuable during Hurricane Katrina that New Orleans pharmacies
had electronic records so patients could still get prescriptions
filled, she said. ``But certainly there are risks in having all your
records electronic. Risks can result in inappropriate access."

The good news is that the push to make medical records electronic is
still a work in progress. It's not too late for more consumer voices.
If you're concerned, you can monitor the workings of the health
information technology effort at
=
</x-tad-smaller><color><param>0000,0000,6666</param><x-tad-smaller>www.hhs=
.gov/healthit/</x-tad-smaller></color><x-tad-smaller> .

Judy Foreman is a freelance columnist and can be reached at
=
</x-tad-smaller><color><param>0000,0000,6666</param><x-tad-smaller>foreman=
@globe.com</x-tad-smaller></color><x-tad-smaller>. =
=A0</x-tad-smaller></fontfamily>=

--Apple-Mail-18-123279652--

--Apple-Mail-17-123279651
Content-Transfer-Encoding: base64
Content-Type: image/gif;
	x-unix-mode=0666;
	name="dingbat_story_end_icon.gif"
Content-Disposition: inline;
	filename=dingbat_story_end_icon.gif

R0lGODlhBgAIAIABAE5OTgAAACH5BAEAAAEALAAAAAAGAAgAAAIIhI+py+EPXQEAOw==

--Apple-Mail-17-123279651
Content-Type: multipart/alternative;
	boundary=Apple-Mail-19-123279653

--Apple-Mail-19-123279653
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	format=flowed

--Apple-Mail-19-123279653
Content-Transfer-Encoding: 7bit
Content-Type: text/enriched;
	charset=US-ASCII

<fontfamily><param>Helvetica</param><x-tad-smaller>

</x-tad-smaller></fontfamily>
--Apple-Mail-19-123279653--

--Apple-Mail-17-123279651
Content-Transfer-Encoding: base64
Content-Type: image/gif;
	x-unix-mode=0666;
	name="spacer.gif"
Content-Disposition: inline;
	filename=spacer.gif

R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==

--Apple-Mail-17-123279651
Content-Type: multipart/alternative;
	boundary=Apple-Mail-20-123279653

--Apple-Mail-20-123279653
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=ISO-8859-1;
	format=flowed

  =A9 Copyright  2006 The New York Times Company
=A0
 =20=

--Apple-Mail-20-123279653
Content-Transfer-Encoding: quoted-printable
Content-Type: text/enriched;
	charset=ISO-8859-1

<fontfamily><param>Helvetica</param><smaller><x-tad-smaller> =A9
=
</x-tad-smaller><color><param>0000,0000,6666</param><x-tad-smaller>Copyrig=
ht</x-tad-smaller></color><x-tad-smaller>=20
2006 The New York Times Company

=A0

 </x-tad-smaller></smaller></fontfamily>=

--Apple-Mail-20-123279653--

--Apple-Mail-17-123279651
Content-Transfer-Encoding: base64
Content-Type: image/gif;
	x-unix-mode=0666;
	name="s26615638642858.gif"
Content-Disposition: inline;
	filename=s26615638642858.gif

R0lGODlhAgACAIAAAP///wAAACH5BAEAAAAALAAAAAACAAIAAAIChFEAOw==

--Apple-Mail-17-123279651
Content-Type: multipart/alternative;
	boundary=Apple-Mail-21-123279654

--Apple-Mail-21-123279654
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
	charset=US-ASCII;
	format=flowed

--Apple-Mail-21-123279654
Content-Transfer-Encoding: 7bit
Content-Type: text/enriched;
	charset=US-ASCII

<fontfamily><param>Helvetica</param><x-tad-smaller> </x-tad-smaller></fontfamily>
--Apple-Mail-21-123279654--

--Apple-Mail-17-123279651
Content-Transfer-Encoding: base64
Content-Type: image/gif;
	x-unix-mode=0666;
	name="blank.gif"
Content-Disposition: inline;
	filename=blank.gif

R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAEBMgA7

--Apple-Mail-17-123279651--