How Shifting to Electronic Records Has Endangered Patient Privacy

NCPA February 12, 2014

Policymakers should adopt privacy measures to protect patients from potential problems with electronic health records, say Christina England and Josh Archambault of the Pioneer Institute.

Electronic Health Records (EHRs) are one of the modern developments in health information technology (HIT), with 72 percent of doctors having some sort of EHR system. In short, EHRs are technological systems that allow providers to store and share medical information with the intended goals of reducing errors, saving money and increasing efficiency. State and federal governments have encouraged the use of EHRs, with Massachusetts being the most prominent promoter.

However, this increase in the use of electronic records has not come with much of a corresponding discussion of privacy and security issues, despite potential problems.

• An April 2013 report from a group of senators cited the Inspector General of Health and Human Services' concern that both the Office of the National Coordinator for Health Information Technology and Centers for Medicare and Medicaid Services security policies were "lax and may jeopardize sensitive patient data."
• Not only do EHRs contain private medical data, but they provide a substantial amount of personal information that could be used by identity thieves, including financial information. In 2009, one out of every six data breaches was targeted at the health care industry.
• Medical identity theft is also used to file false medical claims with another person's insurance, which leads to serious problems for the actual beneficiary in obtaining prescriptions and care. Moreover, beneficiaries have been incorrectly labeled as having diabetes, for example, when diabetics have stolen their medical identity and obtained services for such a condition.
• Selling a credit card on the black market that includes a health care identity profile increases the value of the card up to 20 times more.
• Evidence has emerged that "de-identification" mechanisms -- processes that are intended to secure medical data and keep it anonymous -- are not at all sufficient, allowing people to identify supposedly anonymous medical records with ease.

Using electronic networks is always going to carry a security risk, and steps must be taken to deal with the problem. The number of individuals with access to these records should be limited, and patients, not governments, should have more control over who can access their personal data. As technology advances, privacy and security concerns must be continually readdressed.

Source: Christina England and Josh Archambault, "How the Shift from Paper to Electronic Health Records Has Endangered Patient Privacy and Security and How to Calm the Flame," Pioneer Institute, January 2014