Health IT is being treated as an integral aspect of reform across the political spectrum, from Bush and Gingrich on the right to Clinton and Edwards on the (relative) left. But the proliferation of confidential health information in digital form has already created the risk of a major privacy disaster, and large amounts of this data are lost with embarrassing frequency.
So, what is the Federal government doing to protect this information? Not enough, according to the Director and Assistant Director of the Health Privacy Project. They’ve resigned in protest from a government-funded IT working group.
The Health Privacy Project is a subcommittee of the American Health Information Community (AHIC). AHIC was created by the Federal government “to advise the Department of Health and Human Services on market-driven ways to better use information technology to improve health care and cut costs,” writes eWeek magazine.
eWeek observes that “From the start, the subcommittee seemed an afterthought. Though AHIC held its first meeting in October 2005, the Confidentiality, Privacy, and Security Workgroup, or CPS, was only instituted in the latter half of 2006.”
A GAO Report rapped HHS for failing to develop a comprehensive policy for health privacy issues, while another GAO report found that Medicare patient data is at risk.
This frequent loss of data should be of concern to insurance companies that provide E&O, liability, and other related coverages. It’s only a matter of time before somebody’s personal data is revealed and a lawsuit results. And then there’s that disaster I alluded to earlier.
What do I mean by a “major privacy disaster”? As I’ve been reporting for some time (here, here, here, and here), losses of health data occur with alarming frequency. A major disaster could occur if this information got into underworld hands, where it could be used for crimes such as the following:
- Identity theft
- Use of false identities to obtain prescriptions that medical records indicate were written for a patient with that name
- Blackmail of individuals with compromising medical histories
- A black market in false insurance cards and certifications of coverage
- Posting of thousands (or hundreds of thousands) of personal medical records on the Internet as an act of random vandalism
OK. I started this piece as a critique of government efforts so that I could offer recommendations to government and industry. Instead, I’m coming up with new and creative suggestions for evil criminals.
Believe me, if I can think of it so can somebody else.
So what’s to be done? Here are some suggestions:
- Ramp up R&D in privacy technology for healthcare
- Improve underwriting for E&O and liability insurance to address exposures for data loss or theft
- Start a major government initiative in health privacy
If these things don’t happen soon, our country may look back with regret at a lost opportunity to mitigate risk … and prevent disaster.