Wednesday, February 24, 2010

Large EMR privacy breach notification, two years later -- an exception or a symptom?

NOTE: A colleague and I are working on a paper discussing a number of  privacy and security red flags that can help call attention to these and other issues, especially in the context of secure email. A draft is gladly available to those who are interested, by private email request, for comments before  publication. 
Electronic medical records (EMRs) are at the heart of health care reform, and there is both a personal as well as a legal expectation of privacy for EMRs.

Promptly notifying users of privacy breaches can help bring accountability to the system, and help users.

In February 2010, RelayHealth (also known as NDCHealth Corporation) acting as a claims processing company, notified prescription holders that EMRs of two years ago, dating between February 2008 and December  2008, with full name, date of birth,  prescription number, insurance cardholder ID, and drug name, that were  dispensed at Rite Aid as well as other retail chain pharmacies and  independent pharmacies in the State of California, were sent to an  unauthorized pharmacy.

After I mentioned this case online, RelayHealth has contacted us in March 2010 and stated  that the data was sent in error only in November 2009, so the delay in informing consumers was not two years but three months.

However, we note that this information was not provided to RelayHealth's consumers when the privacy breach was disclosed in February 2010.  RelayHealth may want to look into that communication and verify why they did not disclose a delay of three months.

Further, what matters to our analysis here is the consumer privacy risk, which includes the two-year delay.  If, for example, three-year old files are wrongly disclosed today and the EMR processor informs the patient tomorrow,  this is not a lesser problem for the patient (as the next mentioned Fortis case exemplifies).

The 2010 breach notification did not disclose why the information was sent (Who requested it? Under what authorization? Who approved it?), who incorrectly received  the EMR, and who was responsible for the breach, neither what compensation or recourse users may have.

In a recent court case, Fortis (a US health insurance company) was found to have a practice of targeting policyholders with HIV. A computer program and algorithm targeted every policyholder recently diagnosed with HIV for an automatic fraud investigation, as the company searched for any pretext to revoke their policy.

Companies such as Fortis can find out about anyone's diagnosed HIV, or other illness, through pharmacies and claim processors, for example.

This situation underscores the underlying conflicts of interest between at least three distinct roles that RelayHealth plays. They are:
  1. claims processor;
  2. provider of patient EMR to their pharmacies and doctors;
  3. provider/seller of EMR to providers other than the patient's.
This last activity has the greatest potential conflict, as patients are included in a no-opt-out policy at that says (words in square brackets are comments, not from RelayHealth):

"Your Provider, a Provider-Designated User [pretty much anyone] or  authorized member of a Provider Group  [anyone] can use contact and/or health information about you stored by RelayHealth for many purposes including [ie, this  says that it does not exclude anyone or anything]:


"RelayHealth may use the contact, billing and/or health information [EMR] provided by you in our service to provide your physician or other healthcare provider [ie, anyone they want]  with updated and/or supplemental information for their files or systems." 
A pattern that seems to emerge here is that because EMRs also have a market value (for example, to insurance companies, pharmacies, etc.), health care service companies can build automated information exchanges where they can make collected EMR available to other entities, and build a business on this activity.

That the same health care service companies (with different hats) also serve on behalf of the patients to protect the EMR from disclosure, is where the fox is taking care of the hens, and where the conflicts in 1-2-3 may play a role.

What this means is that the expansion of health care into larger use of EMRs ought to call for a much broader review of procedures and conflicts of interest than what is currently available. And, obviously, it should also include stricter rules for information security and handling of EMRs than what's currently used.

Your comments are welcome.

Best regards,
Ed Gerck