Government told to lead in stopping medical data breaches

Identity theft continues to be a problem for organizations that retain personal information on customers, and a new report suggests the Obama administration’s ambitious health care reform effort could be another area that poses risks.

The report, issued Jan. 15 by the Health and Human Services Department, urges the administration to put safeguards in place as it develops its program. However, the report’s 31 recommendations largely center on evaluating the risk of identity theft, training medical personnel and local law enforcement agencies and evaluating proposed solutions.

Developing the actual measures to prevent or manage data breaches remains up to Congress, the administration and their advisers.

One key safeguard is to let consumers retain ownership of their data, said Edmund Haislmaier, senior research fellow of health policy at the Heritage Foundation.

“From a patient privacy perspective, we have a system open to abuse because it is not patient-centered, it is provider-centered,” he said. “Unless you deal with that issue upfront, then handing out money to doctors and hospitals to buy [information technology systems] isn’t going to get you very far.” Haislmaier’s proposal would have consumers control access to a central repository of their medical information maintained by the government.

The patients could authorize providers and payers to access their entire records or only relevant parts. Each payer and provider would continue to store the health information that is relevant to their treatment of that patient, but they would not have access to the entire record without the patient’s permission.

However, no such system exists. It would have to be built from scratch. The system would also need to include policies to cover emergencies, such as when a patient is unconscious and therefore unable to grant permission to the medical provider who needs access immediately.

State authorities should also be involved in the discussions on health IT investments and medical identity theft, said Jim Pearsol, chief of public health performance at the Association for State and Territorial Health Officials. “I think a collaborative approach will probably be best,” he said.

Data breaches of electronic medical record systems can be doubly dangerous. In addition to the potential theft of Social Security numbers and other information allowing thieves to impersonate people, someone could also alter a patient’s medical history or diagnosis, resulting in incorrect treatments that could be dangerous or fatal. There are also financial and privacy risks.