Abstract
The personal health information of patients in the United States is not safe, and it needs to be. The vulnerability of health data is clear from the research letter by Liu and colleagues[1] in this issue of JAMA. Organizations for which the management of health information is regulated under the Health Insurance Portability and Accountability Act (HIPAA), the so-called covered entities, must promptly report data breaches affecting more than 500 individuals to the US Department of Health and Human Services. Examining these reports for 2010 through 2013, the authors found 949 events affecting 29.1 million records, with increasing numbers of breaches over time. Two-thirds of data breaches involved electronic data, almost three-fifths involved theft, and nearly 10% (in 2013) involved hacking. However, Liu et al[1] cannot conclude that 29 million different people were affected. Some unlucky individuals may have had their health information compromised multiple times, and some records may have been duplicates. However, even if only 15 million or 5 million patients had their data breached, that is too many.

A nationwide electronic health information system has the potential not only to improve the care of individuals but also to create major new sources of health data for research and health care quality improvement. But if patients have concerns that their digitized personal health information will be compromised, they will resist sharing it via electronic means, thus reducing its value in their own care and its availability for research and performance measurement. Concerned patients may also withhold sensitive information about issues such as mental health, substance abuse, human immunodeficiency virus status, and genetic predispositions. Surveys suggest this may already be happening to some degree.[2] Loss of trust in an electronic health information system could seriously undermine efforts to improve health and health care in the United States.
The question is what to do. Part of the responsibility lies with the private custodians of health data, mostly clinicians, health care organizations, and insurers. Although malicious hacking gets the most media attention, more than 80% of data breaches result from a much more mundane and correctable problem: the failure of covered entities to observe what might be called good data hygiene.[1,3,4] They neglect to implement basic precautions such as encrypting health data, prohibiting the storage of personal information on employees' personal electronic devices (which are vulnerable to loss and theft), and using sound practices for authenticating authorized users. Encryption matters in particular because under the HIPAA breach notification rule the loss or theft of properly encrypted data is not treated as a reportable breach; a stolen laptop with an encrypted disk is an incident, whereas the same laptop with plaintext records is a breach. The importance of good data hygiene explains why, in many legal settlements between federal regulators and covered entities that have experienced breaches, the remedies involve more robust and consistent training for clinical and administrative personnel on how to protect health data.

But part of the responsibility to protect patients' health care data also lies with policymakers. Health care organizations and practitioners bemoan HIPAA's requirements, but in fact the law is antiquated and inadequate to protect patients' health care privacy and security. Congress enacted HIPAA in 1996, before widespread use of the Internet and before current electronic methods for recording and transmitting data existed. As a result, there are substantial gaps in HIPAA's protections. For example, the law does not regulate the use of personal health information by digital behemoths, such as Apple, Google, Facebook, and Twitter, that are already collecting (intentionally or not) health-related data on patients and could become major custodians of such data in the near future. The fact that HIPAA regulates only certain entities that hold health data, rather than regulating health data wherever those data reside, seems illogical in today's digital world.[5] Beyond the adequacy of HIPAA, the security of the nation's health information systems is inextricably linked to the ability to fend off cyber threats more generally. National policy on this larger question remains nascent.
The stakes associated with the privacy and security of personal health information are huge. Threats to the safety of health care data need much more focused attention than they have received in the past from both public and private stakeholders.