November 3, 2009
Health Care Reform in the Breach
By Carol Peracchio
Two weeks ago, I received a letter from the radiology department at a large university medical center in my state. The return address specified their mammography registry. Assuming that it was a reminder to get my yearly exam, I started to toss it out. Then I remembered that I'd never had a mammogram at that hospital. So I opened the letter. The first sentence was quite a surprise:
The letter explained that a computer server storing data for a state mammography registry had been "targeted in a computer hack." When the staff discovered the breach, all data on the server was removed. The next paragraph explained how the Registry collected data from participating mammography practices.
Two paragraphs into the letter, I discovered that not only were my mammography records sent to a registry I didn't even know existed, but my records may have been hacked.
It gets better:
The letter went on to helpfully suggest that I place a fraud alert on my credit line. The letter's author assured me that she was "devastated" and directed me to their "breach website" in case I had questions or concerns. I'm not sure "questions or concerns" fully described how furious I was.
The FAQ section of the breach website explained that University IT staff discovered in July 2009 that the mammography data had been hacked in 2007. The technicians had no way of knowing whose information had been breached. Thirty-five practices in my state partner with the Registry and send data concerning their mammography patients.
The data are evaluated for the radiologists to assist them in improving their ability to detect cancers. They also are interested in furthering research to improve screening mammography.
Obvious questions: How do my Social Security and phone numbers factor into "their ability to detect cancer"? Do even Social Security numbers have a greater chance of being diagnosed? Does an out-of-state phone number increase the benefit of early detection?
As a nurse who worked in utilization review, I am pretty mindful of what I'm signing when I receive medical care. I didn't recall giving permission for my records to be sent to any registry. It was eye-popping when I read:
Well, isn't this interesting! Federal regulations allow researchers to apply for a waiver of consent to avoid that pesky "bias" which can occur when actually obtaining permission from all of us annoying "individuals." The website proceeded to describe all the precautions they had now implemented and, even though it was our right, beseeched all 180,000 of us to not withdraw our records. I immediately requested my records be withdrawn.
This appalling incident prompted me to research Electronic Health Records (EHRs) in Nancy Pelosi's health care reform legislation, the Affordable Health Care for America Act. When I entered "EHR" into the document word search, I discovered several references. On page 154, the Secretary of HHS is charged with conducting a study to increase the use of "qualified" EHRs. (What "qualifies" an EHR is not defined.) This study should include incentives such as "higher rates of reimbursement or other incentives for such health care providers to use electronic health records" and "promoting low-cost electronic health record software packages that are available for use by such health care providers."
EHRs also play a major role in the "integration of physician quality reporting and EHR reporting." Page 407 describes:
The phrase "meaningful use of electronic health records" is repeated twice more in the references I found. What does Mrs. Pelosi mean by "meaningful"? And you can drive a truck through this loophole: "such other activities as specified by the Secretary." What it boils down to is a big push for centralized EHRs in order to gather data to be used for physician monitoring.
On page 943, one of the goals for approved medical residency training programs is to "be meaningful EHR users." Again it raises the question, exactly what does "meaningful" mean? EHRs appear again on page 1,324 in the section on "Implementation of Best Practices in the Delivery of Health Care."
The legislation does contain a nod toward the HIPAA laws on page 82:
Please forgive me if I am not reassured. Since federal regulations right now provide a "waiver of consent" for research entities to obtain my medical records without my knowledge, it should be a snap for Speaker Pelosi, Senator Reid, and Secretary Sebelius to concoct a "meaningful" reason to download any EHR they want. Look out America...you are about to be breached.
Carol Peracchio is a registered nurse.