Report: Questions about EHR vulnerability
A national system of electronic health records (EHRs) which is being pushed by the government on a national level might not be as safe as hoped and could be open to abuse. This is the result of an investigation published in the March issue of Consumer Reports which raises a lot of troubling questions. The report does not dispute the myriad benefits of EHRs – saving countless lives and healthcare costs – but does say that the system could potentially jeopardize the security of very private health information for the users of such medical records.
The investigation raises several questions as to how private health information will be safeguarded against, for example, marketers or potential employers who could use the information to either target you for a sale or not hire you, depending on the case. Perhaps even scarier is the challenge of finding a way to protect the information from hackers who might seek to expose personal details on the Internet. Finally, how will patients be able to control who views the information in their records?
The Healthcare Information Technology Standards Panel, which is charged with establishing standards for exchange of information within the new electronic medical records framework, claims that the security will be the tightest available, according to a summary of the investigation.
Yet, HIPAA regulations permit people to access medical records without a patient’s knowledge in the instances of treatment or billing processes. Moreover, it’s possible that the data could be seen by healthcare-related businesses of which there are 600,000, according to information from the Department of Health & Human Services (HSS). The information also possibly could be passed to affiliates of these businesses. Another area of worry is healthcare researchers which in some cases can be allowed access to some medical information without a patient’s knowledge, the report states.
Some privacy advocates fear that HIPAA does not properly monitor such organizations as insurance companies or pharmacy groups which could pass information off to affiliates. The information that could be passed could include a patient’s name, diagnosis code, and how much a patient paid, any of which could be very personally damaging. The reason these vulnerabilities exist, according to the report, is that HIPAA does not require a disclosure audit which can track how information is being passed.
Certain large-scale thefts of credit card and banking information also have some worrying that the same could happen to EHRs, the report states.
The investigation raises several questions as to how private health information will be safeguarded against, for example, marketers or potential employers who could use the information to either target you for a sale or not hire you, depending on the case. Perhaps even scarier is the challenge of finding a way to protect the information from hackers who might seek to expose personal details on the Internet. Finally, how will patients be able to control who views the information in their records?
The Healthcare Information Technology Standards Panel, which is charged with establishing standards for exchange of information within the new electronic medical records framework, claims that the security will be the tightest available, according to a summary of the investigation.
Yet, HIPAA regulations permit people to access medical records without a patient’s knowledge in the instances of treatment or billing processes. Moreover, it’s possible that the data could be seen by healthcare-related businesses of which there are 600,000, according to information from the Department of Health & Human Services (HSS). The information also possibly could be passed to affiliates of these businesses. Another area of worry is healthcare researchers which in some cases can be allowed access to some medical information without a patient’s knowledge, the report states.
Some privacy advocates fear that HIPAA does not properly monitor such organizations as insurance companies or pharmacy groups which could pass information off to affiliates. The information that could be passed could include a patient’s name, diagnosis code, and how much a patient paid, any of which could be very personally damaging. The reason these vulnerabilities exist, according to the report, is that HIPAA does not require a disclosure audit which can track how information is being passed.
Certain large-scale thefts of credit card and banking information also have some worrying that the same could happen to EHRs, the report states.