For an industry that stands to make billions of dollars on electronic health records (EHR) – if we can get people to use them – storage vendors are strangely passive on the issue of health privacy. Even the good guys like HP and NetApp are silent. What’s up?
The problem
Dr. Deborah Peel, a psychiatrist and founder of Patient Privacy Rights, said in a recent column in the Wall Street Journal:
In 2002, under President George W. Bush, the right of a patient to control his most sensitive personal data—from prescriptions to DNA—was eliminated by federal regulators implementing the Health Insurance Portability and Accountability Act. Those privacy notices you sign in doctors’ offices do not actually give you any control over your personal data; they merely describe how the data will be used and disclosed.
But patients are right to fear the release of potentially embarrassing information on such health issues as STDs, depression or substance abuse problems, abortions or miscarriages and other issues that should be between a patient and their doctor – not a mortgage company or an employer.
Today our lab test results are disclosed to insurance companies before we even know the results. Prescriptions are data-mined by pharmacies, pharmaceutical technology vendors, hospitals and are sold to insurers, drug companies, employers and others willing to pay for the information to use in making decisions about you, your job or your treatments, or for research. Self-insured employers can access employees’ entire health records, including medications. And in the past five years, according to the nonprofit Privacy Rights Clearinghouse, more than 45 million electronic health records were either lost, stolen by insiders (hospital or government-agency employees, health IT vendors, etc.), or hacked from outside.
One poll found that 1 in 8 people have withheld information from doctors out of privacy concerns. Another poll found that fully 59% were not confident that their health records would be protected if stored electronically.
This is America, where non-compliance with “official” policy is a way of life. If you hope your company will make billions on the EHR market, maybe you should think again.
The solution
Dr. Peel’s organization is lobbying Congress to protect patient privacy. Kudos to the ONLY computer or storage company that has joined her in the fight: Microsoft.
The StorageMojo take
Maybe I expect too much from vendors. Why should they care if rampant abuse hoses the EHR market and sours public attitudes towards major users of storage products?
But somehow it doesn’t seem like too much to ask for at least IBM, HP, Oracle and NetApp to get involved to ensure that massive data storage infrastructures are not abused. Having millions of consumers hate and fear your products – or their use – seems counter-productive.
I hope this is just an oversight and that vendors jump aboard. Vendors?
Update: Sign a petition to Congress for a Do Not Disclose law that gives you control over your health information. End update.
Courteous comments welcome, of course.
Medical records, access to data and long term archive.
With encryption everywhere in storage (to the disk and tape level now) and secure network protocols starting to be common now, some of the access to data will be solved. The main problem is the applications that drive the data. If they are not secure enough, some of the data is exposed in the clear, and often exportable, to unwanted people. This is where the problem resides. Not so much in storage for access.
The other side is long-term archive. With digital medical records you want to protect them for the life of an individual plus a few years for legal reasons. As life expectancy reaches 85 years, that means most newborns will require data to be available for at least 90 to 95 years. I do not include the billions of people who are part of the paper and film time moving to the digital age.
No massive digital storage devices AND archive software last that long yet. Who runs DOS apps on 8-inch floppies today… and it is not even 40 years old. To get around this we need to copy massive amounts of data from one device to the new architecture (hardware and software) without data loss during the conversion. It might sound easy but it is not, considering all the tests done by Google and CERN on data loss using all kinds of storage and software. Errors can occur just about everywhere in the chain, from computer memory to disk platter and tape medium.
That is why some archive committees are being formed to try to solve this issue. Here is one of them: http://sun-pasig.ning.com/
As of today very few vendors own the medical archive space, with questionable long-term solutions and quality assurance of data stored for a century. Scary…
HIPAA runs over 900 pages and a HUGE portion of it is dedicated to patient privacy and security. It DOES, in fact, provide all kinds of protection for the patient, including protection from the type of abuses quoted from the Wall Street Journal article. I can only conclude that Deborah Peel is severely misinformed. Any and all identifiable patient data sold to insurers, pharmaceuticals, etc. violates existing HIPAA laws. HIPAA also ALREADY allows patients to see (and requires providers to track) who has accessed their medical records. Suppose you argue the law is vague and confusing and that not much money is invested in enforcement of HIPAA (true, but passing MORE laws won’t help that). Patients still have the right to file civil lawsuits if such violations occur.
I’m truly baffled by this post and what you expect storage vendors to do. Security and encryption at the storage level already exist – it’s up to application layer providers to use them and for medical providers to work within HIPAA guidelines.
Darren,
Your confidence in HIPAA is misplaced. Read the summary (http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html), especially the Permitted Uses section and the Uses and Disclosures for Treatment, Payment, and Health Care Operations section. The abuses outlined in the WSJ article are specifically allowed in the law. You are correct that the Bush administration made no effort to enforce the law – as was their habit with almost any business regulation – but it is full of privacy holes.
Remember that most of our laws are written with heavy input from highly paid lobbyists and minimal input from the people whose lives are affected. HIPAA is no exception.
It is in the economic interest of storage companies to expand the use of data storage equipment and applications. Their senior management should recognize that a large and lucrative market is in danger if US citizens decide that EHR is not to be trusted – as many have already decided. Therefore, large storage companies should weigh in with Washington to ensure that patient privacy is protected. Microsoft gets this – why doesn’t HP?
Robin