Posted by Peerapong Tantamjarik
While not involving computer hackers, here's a story about an old-fashioned invasion of privacy. The Kansas City Star reported on September 28th that a University of Missouri hospital faces a class-action lawsuit after allegedly releasing confidential medical records for hundreds of patients to a company it hired to solicit business. The suit was filed earlier this year on behalf of approximately 800 patients with liver diseases, including hepatitis C. The complaint alleges that records were turned over by University Hospital's internal medicine chairman to a home health care provider doing business as Option Care, which then allegedly called the patients in an effort to sell them antiviral drugs and keep them in the hospital network. The Option Care nurse who contacted the patients using the list from the hospital stated that the calls were not for solicitation, but for patient safety.
This complaint, whether valid or not, highlights the major privacy concerns surrounding access to patients' medical records. The privacy discussion reached a fever pitch in the build-up to the passage of the federal Health Insurance Portability and Accountability Act, more (un)popularly known as "HIPAA." HIPAA has been touted as a major step in affording patients their proper privacy protections, as the law and regulations outline the parameters and limitations within which providers and businesses can access, share, and transfer certain protected health information of individuals, as well as the applicable security requirements. In fact, one of the highlighted concerns leading up to HIPAA was access to patient medical records by private companies for business solicitation purposes.
The concerns only multiply when dealing with electronic medical records, or EMRs, given the ease and speed with which such records can be disseminated and exploited. Privacy advocates recently have had to grapple with this issue in the national push for widespread use of EMRs, which are touted for their efficiencies and for the potential safety benefits that arise from appropriate parties having quick access to patient records. A recent story run by the Washington Post in the wake of Hurricane Katrina would seem to confirm this latter perspective, highlighting the way in which uniform EMRs can save lives. In short, countless paper medical records were lost due to Katrina, but doctors still needed to treat patients. The federal government's Department of Health and Human Services spearheaded an effort to make medical information on Katrina evacuees available online to doctors. This data included prescription drug records, with the involvement of national pharmacy chains. Overall, the system took about 10 days to organize and federal officials did note that privacy was among the top concerns in setting up the online database.
While it is hard to dispute the immediate benefits to Katrina evacuees from these EMRs, privacy advocates are concerned that even beneficial efforts during an emergency can expand beyond the scope of the original crisis. For example, certain HIPAA and state privacy regulations were suspended in light of the dire nature of the circumstances. Overall, the discussion involving EMRs and access to EMRs will be a forum to address the tension between individual privacy rights and public health improvements - the classic example of the individual's right versus the common good. For example, while there is a need to limit access to each individual's medical record, public health authorities can benefit greatly and better track the progression of diseases or epidemics from the enormous wealth of data that EMRs, in centralized depositories, can provide. Maybe one of the lessons that Katrina can provide is how to better strike the balance and understand the different contexts in moving forward on establishing EMR networks.