Electronic medical records (EMRs) are at the heart of health care reform, and there is both a personal as well as a legal expectation of privacy for EMRs.
Promptly notifying users of privacy breaches can help bring accountability to the system, and help users.
In February 2010, RelayHealth (also known as NDCHealth Corporation) acting as a claims processing company, notified prescription holders that EMRs of two years ago, dating between February 2008 and December 2008, with full name, date of birth, prescription number, insurance cardholder ID, and drug name, that were dispensed at Rite Aid as well as other retail chain pharmacies and independent pharmacies in the State of California, were sent to an unauthorized pharmacy.
After I mentioned this case online, RelayHealth has contacted us in March 2010 and stated that the data was sent in error only in November 2009, so the delay in informing consumers was not two years but three months.
However, we note that this information was not provided to RelayHealth's consumers when the privacy breach was disclosed in February 2010. RelayHealth may want to look into that communication and verify why they did not disclose a delay of three months.
Further, what matters to our analysis here is the consumer privacy risk, which includes the two-year delay. If, for example, three-year old files are wrongly disclosed today and the EMR processor informs the patient tomorrow, this is not a lesser problem for the patient (as the next mentioned Fortis case exemplifies).
The 2010 breach notification did not disclose why the information was sent (Who requested it? Under what authorization? Who approved it?), who incorrectly received the EMR, and who was responsible for the breach, neither what compensation or recourse users may have.
In a recent court case, Fortis (a US health insurance company) was found to have a practice of targeting policyholders with HIV. A computer program and algorithm targeted every policyholder recently diagnosed with HIV for an automatic fraud investigation, as the company searched for any pretext to revoke their policy.
Companies such as Fortis can find out about anyone's diagnosed HIV, or other illness, through pharmacies and claim processors, for example.
This situation underscores the underlying conflicts of interest between at least three distinct roles that RelayHealth plays. They are:
- claims processor;
- provider of patient EMR to their pharmacies and doctors;
- provider/seller of EMR to providers other than the patient's.
"Your Provider, a Provider-Designated User [pretty much anyone] or authorized member of a Provider Group [anyone] can use contact and/or health information about you stored by RelayHealth for many purposes including [ie, this says that it does not exclude anyone or anything]:
"RelayHealth may use the contact, billing and/or health information [EMR] provided by you in our service to provide your physician or other healthcare provider [ie, anyone they want] with updated and/or supplemental information for their files or systems."
A pattern that seems to emerge here is that because EMRs also have a market value (for example, to insurance companies, pharmacies, etc.), health care service companies can build automated information exchanges where they can make collected EMR available to other entities, and build a business on this activity.
That the same health care service companies (with different hats) also serve on behalf of the patients to protect the EMR from disclosure, is where the fox is taking care of the hens, and where the conflicts in 1-2-3 may play a role.
What this means is that the expansion of health care into larger use of EMRs ought to call for a much broader review of procedures and conflicts of interest than what is currently available. And, obviously, it should also include stricter rules for information security and handling of EMRs than what's currently used.
Your comments are welcome.