
Monday, April 16, 2012

Privacy and Security Considerations for Emerging Health Information Exchanges: Notes from Utah and New York

Earlier this month the Utah Department of Health issued a press release describing a cyber attack on its server, in which hackers removed information for approximately 780,000 individuals. According to the Department of Health, the information contained personal records of individuals within the state, including Medicaid and Children’s Health Insurance Plan recipients.

Permutations of this scenario, whether a hacked computer server, a lost USB key, or a stolen laptop, are all familiar news headlines announcing a security breach of individuals' health and personal information. Human error and human opportunism make it likely that we will continue to see such information breaches in the future, despite steps to mitigate potential security threats.

As states begin to develop legislation and promulgate rules to govern their electronic health information exchanges (HIE), they should carefully balance residual security and privacy risks with the potential promises of a functional HIE when determining policies relating to how a system enters an individual’s electronic health record (EHR) and what portion of the EHR the state enters into the HIE.

Last month, the New York Civil Liberties Union (NYCLU) issued a report, Protecting Patient Privacy: Strategies for Regulating Electronic Health Records Exchange, which articulated numerous privacy, security, and functional concerns with the state’s emerging HIE. Currently, New York employs a blanket consent procedure for record access and enrolls patients of participating providers into the state's regional health information organizations (RHIOs). 

Among numerous concerns, NYCLU’s Report highlights two distinct issues with this approach:

(1) New York does not provide a mechanism for patients to limit sharing stigmatizing sensitive information such as substance abuse records or mental health treatment if they consent to participate in the exchange; and

(2) Although physicians must obtain consent to view patient information in the exchange, participating providers enter patient medical information into the exchange without patient consent and patients cannot opt-out of the record locator system.

The Office of the National Coordinator for Health Information Technology’s HIT Policy Committee has asserted that a form of granular control over health data can protect the confidentiality of narrow categories of sensitive health information while fostering patient autonomy, promoting trust in medical providers, and building confidence in the growing use of HIT. Although too much data segmentation or exclusion options could confuse patients and undermine the purpose of the HIE as a comprehensive record system, some groups, such as the NYCLU, argue that existing state law requires the capacity for granular control over statutorily identified categories of sensitive medical information. This assertion serves as a reminder that each state contains varied protected categories of sensitive medical information as well as different standards defining additional measures relating to sharing and accessing this information. Earlier this month, the New York Department of Health and the New York eHealth Collaborative established the State Health Information Network of New York Policy Committee to examine these and numerous other concerns over the state’s current policies and procedures governing the exchange.

Patients may also be wary of the security of their identifying records available in the HIE registry system, as a breach could reveal both personal information and the entirety of the patient’s medical records that providers have entered into the HIE. A breach of the HIE would not only invade the patient’s abstract notion of privacy over sensitive information, but could also expose the patient to quantifiable concrete harms such as identity theft, fraud, and the costs associated with investigation and mitigation.

Some victims involved in major medical security breaches have asserted that once information such as social security numbers, patient demographic information, and medical records are accessible in a breach, victims face an imminent and continuing risk arising from the security breach itself regardless of whether an outside party has used the information. Currently, some courts have ruled that even where a third party steals media containing patient information, if the victims cannot prove that a third party actually accessed or used the information, then claims for future financial harm arising from a security breach are insufficient to constitute an actionable injury. To address these legitimate concerns, jurisprudence should evolve with the recognition that potential third party use of this information may be difficult to identify and costly to monitor. Further, months may pass following the initial breach before victims notice fraudulent activity, such as in the substantial TRICARE data breach.

State legislatures should remain cognizant of both patients' desire for privacy and their corresponding wish to limit access to sensitive medical information, as well as security concerns arising from both accidental and intentional breaches of patient information, during the initiation or expansion of the state's HIE.

--Katherine Drabiak-Syed

Wednesday, November 10, 2010

Mercy Health Plan's Medical Data Security Breach Should Inform OCR's Harm Standard

A recent medical data security breach occurring at Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in Philadelphia lends support to removing the harm threshold written into the Interim Final Rule of HIPAA and the HITECH Act before promulgating the Final Rule. In August of 2009, the Office of Civil Rights (OCR) published the Interim Final Rule with request for comments on breach notification of protected health information (PHI), which set forth additional definitions and standards relating to the Privacy Section. OCR is expected to issue the Final Rule by the end of this year or early next year.

When OCR published the Interim Final Rule last year, the media seized on the provision instructing the covered entity responsible for a breach of PHI to perform a risk assessment as a deciding factor in whether or not to disclose the breach to the affected individuals and the Department of Health and Human Services (HHS). Eight members of Congress expressed their concern by writing a letter to Kathleen Sebelius, noting that the American Recovery and Reinvestment Act (ARRA), which sets forth the statutory mandates relating to privacy of PHI, neither includes nor implies a harm standard, and urged HHS to repeal or revise the harm threshold standard.

Section 13402 of the ARRA states that health care entities must notify the individual when there is an “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of that information.” In order to decide whether a breach compromises the individual’s security or privacy, the Interim Final Rule set forth risk assessment criteria and translated a “compromise” of security or privacy to mean a “significant risk of financial, reputational, or other harm” to the individual. Problematically, the covered entity itself is tasked with assessing the risk of harm to determine whether it meets the threshold for disclosing the breach to the individual and HHS. The Interim Final Rule states that the covered entity should consider to whom the information was disclosed, the type and amount of information, and whether the information contained materials relating to potentially stigmatizing health conditions.

The letter written on behalf of eight Congressional representatives clarified that Congress specifically excluded a threshold for harm when promulgating Section 13402. Furthermore, requiring mandatory disclosure serves as a powerful incentive to health care entities to enact strict privacy and security protections to decrease the likelihood of a breach even occurring.

The Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan (MHP) incident is only the latest in a long line of PHI breaches. In late October, the Philadelphia Inquirer reported that a computer flash drive belonging to MHP was lost at a community health fair. The flash drive contained the medical record information of over 280,000 Pennsylvanian Medicaid recipients.

Donna Burtanger, Vice President of Communications at MHP, stated that company representatives were trying to use the health plan members’ PHI to personalize service at community health fairs. Burtanger offered the example of a health plan member visiting a church-sponsored health fair, where the insurance company representative can access the member’s medical record to schedule an appropriate screening test such as a mammogram.

As one article pointed out, MHP assumes that the patients under the plan would want company employees to have and access the patient’s full medical record or bring that sensitive health information into a less secure location such as a community health fair. This situation highlighted the vast discrepancy between how an insurance company and its members would view the risk-benefit calculation of permitting non-essential access of their sensitive medical information.

If a health insurance company such as MHP does not know when its members would not want their information shared, accessed, or transported, it likely would also face a disconnect when attempting to determine potential harm arising from a breach of its members’ PHI and whether that level of harm would require disclosure of the breach.

OCR should consider whether, given this known gap between how entities and their members weigh such risks, placing this level of discretion in the hands of health care entities will build the public’s trust in the use of electronic health information.


--Katherine Drabiak-Syed

Saturday, February 7, 2009

Will electronic medical records threaten my privacy? No, but…

I’ve been thinking a lot about privacy lately. For example, among the ways President Obama has indicated his commitment to a 21st century health care system, is “by computerizing medical records … saving countless lives and billions of dollars.”

His proposal is already underway in many communities around the country, including Indianapolis, whose Regenstrief Institute is a nationally recognized leader in the development and diffusion of electronic medical records [EMRs]. The conversion of millions of paper records to electronic records, and the organization of hospitals and physician groups to agree on how best to access and share these records, presents a number of logistical and technical challenges. None of these are insurmountable. Moreover, given sufficient resources and political will, it is likely that the President’s vision can be translated into reality sooner rather than later – so long as we can figure out how to handle the elephant in the room (and no, this is not the Republican caucus). The elephant is privacy – the idea that access to personal health information is something that we as individuals should be able to completely control, and that access by others (especially unauthorized third parties) constitutes a serious breach of personal space, let alone any negative repercussions from malicious use. But does the move to EMRs require a dramatic change in the ethics of privacy? Should people be more worried once their records are accessible to more health providers? How can they be sure that errors will be quickly corrected?

I thought I had completely settled views on these questions: namely that the risks from privacy invasion are potentially serious and people are entitled to be frightened. In the case of my personal health information, I have confidence that those experts working on the architecture for the system – the checks and balances, the encryption techniques, gateways, passwords, algorithms and who knows what else – will construct it with exactly those worries in mind. Interestingly, I’m more upset right now that in the past few days someone with plenty of time on their hands has figured out a way to upload a picture of me from the internet and create a brand new Facebook page using my name. This is creepy and it’s wrong. Should I be more worried about a breach in my electronic medical record that accidentally discloses to the world that Eric Meslin suffers from migraines (true by the way), or the Facebook hacker who convinces unsuspecting people to become “friends of Eric Meslin” in order to expose them to “wall-to-wall” postings that attribute opinions about privacy to me which aren’t my own?

--Eric M. Meslin