Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Showing posts with label Release of Information.

Sunday, November 13, 2011

Privacy and Security for EHR: US and EU Compared

PRIVACY AND SECURITY IN THE IMPLEMENTATION OF
HEALTH INFORMATION TECHNOLOGY (ELECTRONIC
HEALTH RECORDS): U.S. AND EU COMPARED

By Janine Hiller, Matthew McMullen, Wade Chumey, and David Baumer

Abstract

The importance of the adoption of Electronic Health Records (EHRs) and the associated cost savings cannot be ignored as an element in the changing delivery of health care. However, the potential cost savings predicted in the use of EHR are accompanied by potential risks, either technical or legal, to privacy and security. The U.S. legal framework for healthcare privacy is a combination of constitutional, statutory, and regulatory law at the federal and state levels. In contrast, it is generally believed that EU protection of privacy, including personally identifiable medical information, is more comprehensive than that of U.S. privacy laws. Direct comparisons of U.S. and EU medical privacy laws can be made with reference to the five Fair Information Practices Principles (FIPs) adopted by the Federal Trade Commission and other international bodies. The analysis reveals that while the federal response to the privacy of health records in the U.S. seems to be a gain over conflicting state law, in contrast to EU law, U.S. patients currently have little choice in the electronic recording of sensitive medical information if they want to be treated, and minimal control over the sharing of that information. A combination of technical and legal improvements in EHRs could make the loss of privacy associated with EHRs de minimis. The EU has come closer to this position, encouraging the adoption of EHRs and confirming the application of privacy protections at the same time. It can be argued that the EU is proactive in its approach; whereas because of a different viewpoint toward an individual’s right to privacy, the U.S. system lacks a strong framework for healthcare privacy, which will affect the implementation of EHRs. If the U.S. is going to implement EHRs effectively, technical and policy aspects of privacy must be central to the discussion.

The entire .pdf can be found here.

Thanks to Ken Pope for this lead.

Saturday, July 23, 2011

California patients can sue if personal data are released during billing disputes



The Supreme Court of California has ruled that patients can sue doctors, debt collectors and others who disclose their medical information to credit agencies during billing disputes.

The ruling exposes California physicians to more lawsuits and hinders their ability to collect outstanding bills, said an attorney involved in the case.

In the past, the federal Fair Credit Reporting Act (FCRA) protected doctors from lawsuits over such disclosures. The law says that if doctors or others receive notice that a debt is in dispute, they are required to furnish accurate and complete information about the debt to the requesting credit agency.

But in its June 16 opinion, the state's high court said a more stringent California law on patient privacy trumps the FCRA, preventing doctors from releasing any confidential information to creditors without patient consent.

"It really inhibits the ability of health care providers to document the basis for [debt] claims," said Charles Messer, an attorney who represented the bill collector, Stewart Mortenson. "It makes collecting medical debts much more difficult."

The decision stems from a billing dispute between Robert Brown and his dentist, Rolf Reinholds. In 2000, Brown was billed for a treatment he said he never received. The bill was referred to a debt collector, who contacted Reinholds for more information after Brown denied the debt, according to court records.

Reinholds sent Mortenson a copy of Brown's medical history. The record included medical histories of Brown's children, which were in the same file. As the billing dispute continued, Mortenson disclosed the medical information to three national consumer reporting agencies.

Brown sued Reinholds and Mortenson, alleging that he never consented to the record disclosure. Among other details, the information included Brown's Social Security number, address, date of birth and telephone number, court records show. Reinholds was dismissed from the suit after settling out of court, according to attorneys in the case.

Lower courts cited federal law

The trial and appellate courts ruled in favor of Mortenson. The lower courts said the disclosure of the confidential information was protected by the FCRA.

But the Supreme Court said the law is preempted by the stricter state measure, and that Brown's original claim could move forward. The court said the state privacy law also trumps the Health Insurance Portability and Accountability Act, which allows for certain administrative disclosures.

Brown, an attorney who represented himself, said the high court analyzed the facts carefully and came to the correct conclusion.

"It means people working with health care records in California have to be very careful they are not violating patients' confidentiality," he said. "Without patients' consent, medical information, including a patient's identifying [details], cannot be turned over to credit agencies."

The decision restricts the free flow of information needed for fair and accurate credit reporting, Messer said. Doctors are now subject to legal claims for complying with federal law and providing debt information, he added.

"It becomes a Catch-22 and exposes health care providers to liability," he said.

Messer is considering asking the U.S. Supreme Court to review the case.

Additional Information

Robert A. Brown v. Stewart Mortenson, Supreme Court of California, June 16, 2011 (www.courtinfo.ca.gov/opinions/documents/S180862.PDF)

Friday, July 22, 2011

Survey: 90% of companies say they've been hacked



By Jaikumar Vijayan
ComputerWorld>Security

If it sometimes appears that just about every company is getting hacked these days, that's because they are.

In a recent survey of 583 U.S. companies conducted by Ponemon Research on behalf of Juniper Networks, 90% of the respondents said their organizations' computers had been breached at least once by hackers over the past 12 months.

Nearly 60% reported two or more breaches over the past year. More than 50% said they had little confidence of being able to stave off further attacks over the next 12 months.

Those numbers are significantly higher than findings in similar surveys, and they suggest that a growing number of enterprises are losing the battle to keep malicious intruders out of their networks.

"We expected a majority to say they had experienced a breach," said Johnnie Konstantas, director of product marketing at Juniper, a Sunnyvale, Calif.-based networking company. "But to have 90% saying they had experienced at least one breach, and more than 50% saying they had experienced two or more, is mind-blowing." Those findings suggest "that a breach has become almost a statistical certainty" these days, she said.

The organizations that participated in the Ponemon survey represented a wide cross-section of both the private and public sectors, ranging from small organizations with fewer than 500 employees to enterprises with workforces of more than 75,000. The online survey was conducted over a five-day period earlier this month.

Roughly half of the respondents blamed resource constraints for their security woes, while about the same number cited network complexity as the primary challenge to implementing security controls.

The Ponemon survey comes at a time of growing concern about the ability of companies to fend off sophisticated cyberattacks. Over the past several months, hackers have broken into numerous supposedly secure organizations, such as security vendor RSA, Lockheed Martin, Oak Ridge National Laboratory and the International Monetary Fund.

Many of the attacks have involved the use of sophisticated malware and social engineering techniques designed to evade easy detection by conventional security tools.

The attacks have highlighted what analysts say is a growing need for enterprises to implement controls for the quick detection and containment of security breaches. Instead of focusing only on protecting against attacks, companies need to prepare for what comes after a targeted breach.

The survey results suggest that some organizations have begun moving in that direction. About 32% of the respondents said their primary security focus was on preventing attacks, but about 16% claimed the primary focus of their security efforts was on quick detection of and response to security incidents. About one out of four respondents said their focus was on aligning security controls with industry best practices.