Privacy and Security Law Blog

By Charlene Brownlee

California extended its data breach notification law to include incidents involving electronic medical and health insurance information. California's data breach law, SB 1386, had previously covered only financial records. The new law, AB 1298 took effect January 8, 2008. The law adds medical and health-related information to the existing breach notification law definition of "personal information" and expands the application of the Confidentiality of Medical Information Act (CMIA) to include any business organized for the purpose of maintaining medical information.

Posted by Thomas Jeffry

The clash between privacy advocates and those companies who make millions of dollars collecting and selling data about pharmaceutical prescription patterns was perhaps inevitable. When the State of New Hampshire passed the Prescription Confidentiality Act last year, leading health information brokers were quick to challenge the law which prohibited prescription information records which contain identifiable data about a patient or prescriber from being transferred, licensed, sold, or used for most commercial purposes. The Act specifically precluded the use of prescriber-identifiable data for "physician detailing" used by pharmaceutical companies to track the prescribing-habits of physicians in order to target individual sales pitches to such physicians.

Posted by Thomas Jeffry

Intel CEO Paul Otellini was quoted recently in the  Financial Times attacking the healthcare industry as "the slowest moving industry in the world" because it was the least penetrated by IT. 

Mr. Otellini’s comments follow several post-mortem reports posted last week by Health Affairs  discussing the reasons for the demise of the Santa Barbara County Care Data Exchange (SBCCDE) last December. SBCCDE was considered a pioneer for community-based electronic health information exchange (HIE) also know as regional health information organization (RHIO). In principle, HIEs are intended to create a simple and secure way to electronically share patient data between health care providers, caregivers, and consumers.

Posted by Thomas Jeffry

An interesting development from the American Medical Association is worth noting.

The AMA House of Delegates met in Chicago at the end of June where it received a report previously requested by that group’s governing body on the medical and ethical implications of the use of implantable radio frequency identification (RFID) microchips in humans. Use of RFID chips were approved for use in humans by the Food & Drug Administration in 2004. Similar versions of such chips are commonly used to tag pet dogs and cats for identification purposes. 

Posted by Peerapong Tantamjarik

In today's New York Times Dr. Klitzman, a psychiatrist at Columbia University, writes a short essay describing how a mother reviewed her paper medical chart at a clinic and, without informing any clinic staff, removed certain pages from her records. Those pages contained information revealing that she was at risk for Huntington's Disease, a fatal genetic disorder for which famous folk singer, Woody Guthrie, died of. As the mother put it, "I stole it for my kids' sake" - which is not all too hard to fathom. She was frightened that because Huntington's is hereditary, her kids would be denied health coverage if insurance companies found out about it.

Posted by Brian Bennett

The Chairperson of the House Federal Workforce subcommittee, Jon C. Porter, is proposing legislation to promote the use of electronic health records in the federal employee health insurance program. Health information technology is viewed by many health professionals as an important step towards the availability of accurate and complete patient information, and ultimately cost-effective treatment of patients. Privacy advocates are concerned about threats to patient privacy posed by a national electronic health records system. Congressman Porter says that he would expect electronic medical records to be at least as safe as transactions involving financial information, which may not be much comfort to federal employees given the spate of recent data breaches.

Posted by Peerapong Tantamjarik

In a recent poll conducted for the Markle Foundation, an information technology policy organization, over 70% of Americans favored the use of electronic health records that can be accessed over the internet. The poll results have made national news. President George Bush has called for nationwide paperless health records by 2014, and the survey reports that four in five Americans (80%) believe that if physicians kept electronic medical records on their patients, health care quality would improve and medical errors would be reduced, because authorized doctors would be able to retrieve a patient's medical history in a matter of seconds. An equal number (81%) believe that the ability of researchers to review millions of records anonymously to determine best treatment practices would help all doctors improve the quality of medical care.

Posted by Peerapong Tantamjarik

While not involving computer hackers, here's a story about an old-fashioned invasion of privacy. The Kansas City Star reported on September 28th that a University of Missouri hospital faces a class-action lawsuit after allegedly releasing confidential medical records for hundreds of patients to a company it hired to solicit business. The suit was filed earlier this year on behalf of approximately 800 patients with liver diseases, including hepatitis C. The complaint alleges that records were turned over by University Hospital's internal medicine chairman to a home health care provider dba Option Care, who then allegedly called the patients in an effort to sell them antiviral drugs and keep them in the hospital network. The Option Care nurse who contacted the patients using the list from the hospital stated that the calls were not for solicitation, but for patient safety.