Privacy Breach: My Shocking Experience
What a mammography registry, a waiver of consent and a hacker taught me about the privacy of medical information
Earlier this year I received a letter from the radiology department at a large university medical center in my state. The return address specified their mammography registry. Assuming that it was a reminder to get my yearly exam, I started to toss it out. Then I remembered that I’d never had a mammogram at that hospital. So I opened the letter. The first sentence was quite a surprise:
“Dear Ms. Carol Peracchio: I am writing to notify you about a security breach that may have resulted in the unauthorized exposure of your personal information.”
The letter explained that a computer server storing data for a state mammography registry had been “targeted in a computer hack.” When the staff discovered the breach all data on the server was removed. The next paragraph explained how the Registry collected data from participating mammography practices “to advance knowledge about the most effective ways to improve breast cancer detection, understand risk factors, guide future research and inform policy makers.”
So in two paragraphs I discovered that not only were my mammography records sent to a registry I didn’t even know existed, but my records may have been hacked.
It gets better:
“Unfortunately, some of your personal information was on the Registry’s server at the time of the hacking incident. This information included your name and Social Security number. In many cases, these data also included your date of birth, address, phone number, demographic information, insurance status and health history information.”
The letter went on to helpfully suggest that I place a fraud alert on my credit line. The letter’s author assured me that she was “devastated” and directed me to their “breach website” in case I had questions or concerns. I’m not sure “questions or concerns” fully described how I felt.
The FAQ section of the breach website explained that University IT staff discovered that the mammography data had been hacked two years prior. The technicians had no way of knowing whose information had been breached. Thirty-five practices in my state partner with the Registry and send data concerning their mammography patients.
From the breach website: “The data are evaluated for the radiologists to assist them in improving their ability to detect cancers. They also are interested in furthering research to improve screening mammography.”
I was confused. How does my Social Security and phone number factor into “their ability to detect cancer”? Do even Social Security numbers have a greater chance of being diagnosed? Does an out-of-state phone number increase the benefit of early detection?
As a nurse who worked in utilization review, I am pretty mindful of what I’m signing when I receive medical care. I didn’t recall giving permission for my records to be sent to any registry. It was eye-popping when I read that:
The federal regulations that govern research involving human subjects allow for some kinds of research to be conducted with a ‘waiver of consent,’ provided that certain criteria are met....Waivers of consent may be especially relevant for large scale ‘population-based’ research, where the goal is to represent or describe a broad group of patients, while avoiding the bias that can occur if consent must be obtained from each individual.
In other words, federal regulations allow researchers to apply for a “waiver of consent” to avoid “bias” which can occur when actually obtaining permission from all of us “individuals.” The website proceeded to describe all the precautions they had now implemented and, even though it was our right, beseeched all 180,000 of us to not withdraw our records. (I immediately requested my records be withdrawn.)
With the passage of the comprehensive healthcare reform bill, healthcare professionals can expect to see an exponential increase in the use of electronic health records (EHRs). The legislation passed this year provides federal funding to physicians from Medicare and Medicaid who demonstrate “meaningful use” of EHRs. Although “meaningful use” has not yet been defined, one aspect expected to be included is “establishing the capability to exchange clinical information among providers.”
It appears that the sharing of records among practices is about to become much more commonplace.
In 2003, the Health Insurance Portability and Account-ability Act (HIPAA) Privacy Rule took effect. Across America millions of healthcare workers attended numerous inservices to learn how the law establishes regulations for the use and disclosure of Protected Health Information (PHI).
There would be no more indiscriminate sharing of a patient’s status with anyone who called the hospital unit. Nurses were told that all PHI was on a “need to know” basis: if a healthcare worker didn’t have an excellent reason to be in a patient’s chart or EMR, that worker could be fired.
Patients are now asked to list exactly who can be given information, including the spouse; in other words, the patient should control the dissemination of his or her PHI. Like many of you, I’ve heard the complaints that at times we’ve gone overboard with confidentiality. However, I really don’t think we want to go back to the days when Mrs. Jones checked into the hospital and the news hit the beauty parlor on Main Street before she was in her room.
My personal breach experience has driven home to me the importance of safeguarding the privacy of the information entrusted to us.
Safeguarding our patients’ PHI is not rocket science. In fact, the best advice sounds a lot like what our mothers would tell us: Don’t go where you’re not supposed to go. Treat other people’s things (PHI) just like you want your own things to be treated. And when you’re finished, clean up after yourself and put everything safely away.
Carol Peracchio is a registered nurse and a regular contributor to the American Thinker website.
This article is from workingnurse.com.