Electronic Storage of Health Insurance Data may Lead to Trafficking of Patient Information

Of all of the risks regarding electronic health records, the largest is perhaps to privacy and confidentiality, and other civil liberties through the ability of information technology to rapidly duplicate and disseminate massive amounts of data, reports hcrenewal.blogspot.com. This duplication and dissemination can be performed in a controlled manner for the betterment of patient and public health, but it can also occur in a harmful manner that serves the interests of others, often without meaningful informed consent by the patients.

This can occur in, for example, the stealing of computers and computer backup disks, tape, etc., which seems to be a common occurrence in the news in recent years, or through corporate processes that carry the inherent risk of abuse.

Here is just one recent example of both data mismanagement and theft involving not patients (by chance) but physicians themselves:

Blue Cross: Thousands of doctors' computer data stolen

Wednesday, October 07, 2009

By Bill Toland, Pittsburgh Post-Gazette

Advertisement

Tens of thousands of doctors under contract with Pittsburgh's Highmark Inc. are being notified that their personal information, including Social Security numbers or tax ID numbers, may have been compromised when a laptop containing sensitive data was stolen from a Blue Cross-Blue Shield Association employee.

Physicians and specialists in western and central Pennsylvania are being notified of the breach this week, according to a Highmark spokesman. Across the country, the number of affected doctors is expected to reach the hundreds of thousands once a review of the theft is complete, said national Blue Cross-Blue Shield Association spokesman Jeff Smokler. The stolen computer did not contain patient information.

Advertisement

The letter sent to Highmark providers said "a BCBSA employee [transferred] provider data information onto a personal laptop, in violation of BCBSA's established data security policies."

Here is an example of purposeful corporate healthcare data trafficking that makes one pause and ponder.

Cerner’s LifeSciences traffics in patient data taken from the EMRs its company sells to healthcare organizations. See the document below. They advertise:

Cerner LifeSciences’ data warehouses and consulting services help you manage your R&D opportunity through Cerner’s analytical solutions. Through our data mining of our vast warehouse of electronic health records (EHRs), you can accelerate development processes and reduce business risks. Each year, new compounds debut new abilities or first-in-class molecules. Far more common are new compounds that target the same receptors as compounds already in the market ... This is when Cerner LifeSciences makes it possible to analyze anonymous, HIPAA-compliant, EHR-derived data for efficacy and safety.

Cerner apparently includes contract language with their HIT customers that allows them to traffic in "de-identified" patient data for sale to drug companies and others, getting the data essentially as a "value add" (to the HIT vendor, that is) from its healthcare IT customers.

Source-Medindia