Emerging Ethical Threats to Client Privacy in Cloud Communication and Data Storage.

By Samuel D. Lustgarten
Professional Psychology: Research and Practice, Apr 27 , 2015. http://dx.doi.org/10.1037/pro0000018

Abstract

In June 2013, Edward Snowden released top-secret intelligence documents that detailed a domestic U.S. spying apparatus. This article reviews and contends that current APA ethics and record-keeping guidelines, the Health Insurance Portability and Accountability Act, and the Health Information Technology for Economic and Clinical Health Act do not adequately account for this new information and other emerging threats to client confidentiality. As psychologists bear the responsibility for being informed, protecting and maintaining client records, and preventing breaches, it is vital that the field establish specific best practices and present regular security updates to colleagues.

Here is an excerpt:

Unfortunately, on top of data-mining practices, most cloud storage and communication providers do not provide adequate information about data-retention policies. Google's Drive cloud storage service for personal users (not Google Apps) offers no specific data-retention policy (Google, 2014c). This amorphous data-retention policy stands in contrast to APA's (2007) record-keeping guidelines, which suggest that client records and data may be destroyed after 7 years in the absence of superseding legal requirements. It also calls into question a practitioner's ability to maintain and provide confidentiality and proper informed consent when using certain corporate providers. Moreover, it is questionable whether practitioners could ever believe that records had been deleted if the cloud provider did not clearly and publicly state its data-retention standards.

The entire article is here.

Record Keeping in the Cloud: Ethical Considerations

*Professional Psychology: Research & Practice" has scheduled an article for publication in a future issue of the journal: "Record Keeping in the Cloud: Ethical Considerations."

The authors are Robert L. Devereaux and Michael C. Gottlieb.

Here's an excerpt: "In this article, we briefly review technological advances in electronic storage, define "the cloud" and explain how it functions, discuss risks and benefits of its use, and provide questions for practitioners when considering the appropriateness of maintaining patient records in this manner."

Here's another excerpt: "Consider the following example. A practitioner, using an online patient management system, decides to change service providers for any number of reasons (e.g., cost, poor service). The stored patient data may be contained within a proprietary system that cannot be easily migrated to a new system/provider. As mentioned previously, online service providers each have a unique system and moving from one to another might require unknown amounts of time, resources, and temporary loss of access to patient records during the move. In addition to the possible frustration of a transition process, it would be important for the practitioner to understand how data are deleted from the old system. For example, Facebook, a cloud-based social profile software system, maintains user accounts even after they are inactivated at the user's request. Permanently deleting the account is much more involved, and there is no way of knowing if Facebook maintains historical records of old accounts, although this may be discussed in their Terms and Conditions of Use Agreement. This could also be the case for other online storage or electronic medical record companies, and practitioners are well advised to investigate this matter before agreeing to store records on the cloud. Also, a practitioner would need to decide how much information to disclose to clients as part of a continued informed consent process if/when he or she decides to move records from one company to another. Such disclosure would need to be consistent with the level of detail about record keeping provided to the client at the onset of treatment."

Here's how the article concludes: "With the broad spectrum of electronic storage and management options available to practitioners, the abdication of control to a third-party, cloud-based company may represent unnecessary additional risk at this relatively early stage. In part, aggregation of documents from users worldwide may create a much more appealng target for malicious hackers than a single office with only a few patient documents. Also, the question of liability has not yet been clearly defined. We are responsible for protecting patient information, but computing companies carry no such obligation beyond their own internal policies and contractual obligations. We recommend that practitioners who move their EHR to the cloud do so with caution and careful consideration of the accompanying risks and benefits."

The author note provides the following contact information for reprint requests, questions, or comments: Robert

L. Devereaux, Division of Psychology, Department of Psychiatry, University of Texas Southwestern Medical Center, Dallas, TX 75390-9044;  E-mail: robert.devereaux@utsouthwestern.edu

Thanks to Ken Pope for this information.

Link to APA's Record Keeping Guidelines

Electronic medical records rarely encrypted: expert

(Reuters) - Electronic medical records, which the Obama administration would like to see widely used, are rarely encrypted so a data breach could be triggered by the simple theft of a laptop or misplaced thumb drive, a privacy expert told lawmakers on Wednesday.

Regulations require healthcare providers to report data breaches unless the data lost had been encrypted.

(cut)

"The bottom line is that people have a right to privacy and to know that their data is safe and secure, and right now that right is not a reality," Franken said after the hearing.

The entire story can be found here.

New data spill shows risk of online health records

By Jordan Robertson

AP Technology Writer

Until recently, medical files belonging to nearly 300,000 Californians sat unsecured on the Internet for the entire world to see.

There were insurance forms, Social Security numbers and doctors' notes. Among the files were summaries that spelled out, in painstaking detail, a trucker's crushed fingers, a maintenance worker's broken ribs and one man's bout with sexual dysfunction.

At a time of mounting computer hacking threats, the incident offers an alarming glimpse at privacy risks as the nation moves steadily into an era in which every American's sensitive medical information will be digitized.

Electronic records can lower costs, cut bureaucracy and ultimately save lives. The government is offering bonuses to early adopters and threatening penalties and cuts in payments to medical providers who refuse to change.

But there are not-so-hidden costs with modernization.

"When things go wrong, they can really go wrong," says Beth Givens, director of the nonprofit Privacy Rights Clearinghouse, which tracks data breaches. "Even the most well-designed systems are not safe. ... This case is a good example of how the human element is the weakest link."

Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients receiving workers' compensation, put the records on a website that it believed only employees could use, owner Joel Hecht says.

The personal data was discovered by Aaron Titus, a researcher with Identity Finder who then alerted Hecht's firm and The Associated Press. He found it through Internet searches, a common tactic for finding private information posted on unsecured sites.

The data were "available to anyone in the world with half a brain and access to Google," Titus says.

Titus says Hecht's company failed to use two basic techniques that could have protected the data — requiring a password and instructing search engines not to index the pages. He called the breach "likely a case of felony stupidity."

One of the patients affected was Paul Thompson, who learned of the breach from Titus.

The Sugarloaf, Calif., electrician blew out his shoulder four years ago on a job wiring up a multiplex movie theater. His insurance company denied his claim, which led to a protracted dispute. He eventually settled.

Thompson says his injury has been a "long, painful road."

Unable to afford surgery in the U.S. to fix his torn rotator cuff, he paid a medical tourism company that was supposed to schedule a cheaper procedure in Costa Rica. The company went bankrupt, however, and Thompson said he lost nearly $7,300.

To have his personal information exposed on top of that was a final indignity.

"I'm totally disgusted about everything," he said, calling the breach "another kick in the stomach."

Thomson is worried that hackers may have spotted his information online and tagged him for future financial scams. He contacted his bank and set up a fraud alert with the credit reporting agencies.

He says the prospect of all health records going electronic — which federal law mandates should happen by 2014 — "scares the living hell out of me."

When mistakes occur, the fallout can be more severe than the typical breach of email addresses or credit card numbers.

The rest of the story can be read here.

When EHRs Meet Malpractice Suits: New Concerns

By Neil Versel InformationWeek

An electronic health record (EHR) is more than just an electronic representation of a paper chart. It is a legal representation of a patient's medical condition and treatment at a given point in time, one that could be admissible in court. And that could present a whole new set of challenges for healthcare organizations.

"There is no guide out there to walk people through all that changes with an EHR," Adam Greene, a Washington, D.C.-based partner in the law firm of Davis Wright Tremaine, said this week at the American Health Information Management Association (AHIMA) Legal EHR Summit in Chicago.

EHRs make patient information more readily accessible to far more people than any paper chart stashed away in a filing room. They also change how and to what extent medical professionals document patient encounters and add in safety-related features such as clinical decision support.

"There are all sorts of liability fears with all these improvements," Greene told InformationWeek Healthcare. The Health Insurance Portability and Accountability Act privacy and security rules require anyone that handles electronic healthcare data to keep an audit log of access to any personally identifiable information, and records have helped organizations catch employees taking unauthorized looks at patient records--sometimes also landing the organizations themselves in hot water.

Indeed, some worry that audit logs can reveal too much. "There are concerns by providers that access reports could be used in malpractice suits," Greene said.

In fact, such reports already are, according to Stacey Cischke, an attorney with Chicago firm Cassiday Schade who teaches a course in legal issues in e-health at Loyola University Chicago. "The scope of traditional discovery is expanded," Cischke said. "More and more courts are finding that metadata and access to the inner workings of the EHR system is relevant and discoverable."

The general public and even plaintiffs' attorneys do not always comprehend how EHRs work, Cischke added. Because there is so much to chart, physicians and nurses are rushed and things get missed. From the patient's perspective, all the doctor should have to do is click and check off boxes in a list, but, according to Cischke, physicians often are "overwhelmed" by time and economic pressures, and skip steps or simply forget to check some boxes. "The metadata will show this," Cischke said.

Cischke said she prepares clinicians for trial by making sure they understand what each piece of metadata means. Knowing when something happened then opens up questions of why the doctor took a certain action.

On the other hand, with an EHR, users can't "fudge" charts as they could with paper, since EHR systems generally won't allow any modifications after a physician signs off on the record of a patient encounter. But plaintiff's attorneys do not always consider this. "It's logistically challenging," Cischke said. It is hard for the layperson to understand individual records, flow sheets, and audit trails.

Thus, Cischke recommended that providers adopt a multidisciplinary approach to identifying potential lawsuits, and promote consistency in how they produce reports and respond to threatened legal action. Both in-house and outside counsel and staff need to learn how the EHR works and how to navigate through electronic records before they find out the hard way, after being sued.

The rest of the story can be round here.

NYT: Breaches Lead to Push to Protect Medical Data

How private is our medical information?

Will electronic record keeping increase the likelihood of breaches of confidentiality?

Here is the beginning of an article from The New York Times by Milton Freudenheim.  The article highlights the how the level of carelessness with health information has forced government regulators to increase enforcement, including significant fines.  Confidentiality is the cornerstone of our profession.  This article heightens awareness about the entire healthcare system, not psychology in particular.

=====================

Federal health officials call it the Wall of Shame. It’s a government Web page that lists nearly 300 hospitals, doctors and insurance companies that have reported significant breaches of medical privacy in the last couple of years.

Such lapses, frightening to consumers, could impede the Obama administration’s effort to shift the nation to electronic health care records.

“People need to be assured that their health records are secure and private,” Kathleen Sebelius, secretary of health and human services, said in an interview by phone. “I feel equally strongly that conversion to electronic health records may be one of the most transformative issues in the delivery of health care, lowering medical errors, reducing costs and helping to improve the quality of outcomes.”

So the administration is making new efforts to enforce existing rules about medical privacy and security. But some health care experts wonder if the current rules are enough or whether stronger laws are needed, for example making it a crime for someone to use information obtained improperly.

“The consequences of breaches matter,” conceded Dr. Farzad Mostashari, a former New York public hospitals official who recently became the Obama administration’s national coordinator for health information technology. “People say they are afraid that if their private information becomes known, they may not be able to get health insurance.”

In the last two years, personal medical records of at least 7.8 million people have been improperly exposed, according to the government data. One particularly egregious case involved information about 1.7 million patients, staff members, contractors and suppliers of Bronx hospitals and clinics operated by the Health and Hospitals Corporation, the New York public health agency. Their electronic files were stolen from an unlocked van belonging to a record management company.

The affected patients got the disquieting news that their medical and personal information, like Social Security numbers, had been violated when their health care providers notified them under federal rules.

Showing just how lax security can be, the inspector general of the Department of Health and Human Services said two weeks ago that the agency had found dozens of vulnerabilities in systems to protect records of patients at seven large hospitals in New York, California, Illinois, Texas, Massachusetts, Georgia and Missouri. Auditors cited such problems as personal information that was not encrypted and was stored on computers that could be easily used by unauthorized users.