Friday, November 20, 2009

Who will watch the hen house?

In an article Thursday, the Huffington Post went to some length to examine the tug-o-war occurring between the health industry (hospitals and insurance companies) and privacy/security advocates. The health industry wants a federal rule on health data breach notification to contain a "harm threshold" that says how many records are breached, or how much harm is done by the breach before notification is required. The reason there was anything to argue about is a piece of legislation crafted to encourage the move to electronic medical records. The article doesn't mention the bill by name, or any of its authors, but apparently the original bill did not specify just how much data had to be mishandled before notification was required - and that is the same as saying ANY lost data meant notification was necessary. The HC industry lobbied the Department of Health and Human Services to add a "harm threshold" because if one bill went to the wrong address, that patient would have to be notified. Such stringent requirements scare hospital administrators and health insurers: "Such a requirement, they say, not only would be costly but also would overwhelm consumers and make them less likely to notice when a real problem occurred."

How many mistakes do they make every month? It sounds to me like hard-nosed notification requirements are overdue. Strict requirements with real consequences for failure to comply will force healthcare providers and insurers to fully train their employees in the regulations and give them the tools to do it right. If they are making so many mistakes right now that being required to send notifications of any mishandled data would overwhelm me with notifications, there is a big problem. I don't trust the health care industry to police themselves and notify people any sooner than they absolutely have to. I think it's time to contact our congressman and tell them we want notification. The easiest way to contact your senator (if you don't already have the info):

http://www.senate.gov/general/contact_information/senators_cfm.cfm

Your Representatives:

http://www.house.gov/
Enter your zip code in the box in the upper left and click on "go".

3 comments:

  1. The problem with absolute notification is that, under the current regulations, any time an employee looks at their own medical record it is considered a breach of privacy. Notifying the public that a nurse looked at his/her own medical record is not what the laws are meant to cover. There does need to be some differentiation of a breach and a harmful breach.

  2. Also, if a healthcare worker accidentally hit a 3 instead of a 6 or a z instead of an s when looking up a medical record, that would also result in having to notify the patient and public that a breach occurred. In those cases, workers would normally just correct their mis-type and continue their day. Under strict reporting, the worker would have to gather info from the record that came up, notify their legal/compliance department, and prepare a release statement before continuing their day. All because they aren't able to type 100% correctly 100% of the time.

  3. TG,

    I don't really have a problem with the case you give first. Having to go through channels even to get your own information is annoying, but could help prevent an attitude of "it's ok to take a quick look to save time." I'm aware that it could also have the opposite effect - but that becomes a matter of training and awareness.

    The second incident is more problematic. I can agree that press releases and patient notification probably aren't necessary, but I think some type of record should be kept. Of course, every mistake wouldn't have to be recorded because every mistake wouldn't access an unintended file. Some, maybe most, would simply generate an error. It would be interesting to know (and impossible to find out as it stands) how many file access errors actually result in bringing up the wrong patient's file.
