So says a new report from Dartmouth College telling us that in the US “data hemorrhages” are coming from all over the health sector including hospitals, physicians, laboratories, as well as outsourced service providers.
For example, the researchers found a 1,718-page document from a medical testing laboratory containing patient Social Security numbers, insurance information, and treatment codes for thousands of patients exposed on a P2P network, as well as two spreadsheet databases from a hospital system detailing highly sensitive personal information on over 20,000 patients, including codes revealing their diagnoses.
Among the many troubling issues raised in this report, what strikes us is that a source of the problem is not necessarily a scheming employee intent on medical identity fraud but rather inadvertent disclosures on internet-based file sharing networks. Stories like these are just one more reason for patients to be worried about the privacy of their personal health information. And with the new funds flowing in support of electronic health records development here in Canada, there needs to be some sober second thought on how the health care sector proceeds to maintain patient trust.
The Canadian Medical Association reported on this question at a health conference in January 2009. They said they have public opinion survey results over the last ten years that consistently show 11% of respondents holding back information from their physicians because of concerns about their privacy. The Alberta Medical Association expressed similar concerns in its comments in Committee around Bill 52 (status) in that province: “If patients don’t believe we can protect their privacy and that we may be forced to share the information that they confide in us, they will stop telling us everything we need to know to make the right diagnosis and provide the right care.”
The rush toward electronic health records may well cause more people to feel concern and anxiety about the privacy of their health information, so it will be important to keep these views in mind over the coming years.
Research we co-funded through EKOS in 2007 found that 45% of respondents worried that their information could be accessed for malicious or mischievous reasons, 37% were worried that privacy and security procedures would not be followed by those with access to their records, and 55% wanted the ability to mask or hide sensitive information in their file from some users who would be authorized to have access to their health records.
We believe that a patient’s ability to exert some control over who gets to see this most sensitive, personal information seems crucial to preserving patient trust in the health care system. The last thing we need is more patients withholding information from their health providers because they don’t trust their privacy will be protected and because they continue to hear about privacy breaches involving medical information.
What’s needed is respect for patient wishes, patient control of their personal health information, strong legislation to protect patient privacy as well as transparency and accountability to patients. And it goes without saying that organizations need to protect against the privacy breaches, such as exposure on P2P networks, that undermine patient trust in the whole system.
(Thanks to SC Magazine for reporting on this research at Dartmouth College.)