Two weeks ago, I received a letter from the radiology department at a large university medical center in my state. The return address specified their mammography registry. Assuming that it was a reminder to get my yearly exam, I started to toss it out. Then I remembered that I'd never had a mammogram at that hospital. So I opened the letter. The first sentence was quite a surprise:
Dear Ms. Carol Peracchio: I am writing to notify you about a security breach that may have resulted in the unauthorized exposure of your personal information.
The letter explained that a computer server storing data for a state mammography registry had been "targeted in a computer hack." When the staff discovered the breach, all data on the server was removed. The next paragraph explained how the Registry collected data from participating mammography practices
to advance knowledge about the most effective ways to improve breast cancer detection, understand risk factors, guide future research and inform policy makers.
Two paragraphs into the letter, I discovered that not only were my mammography records sent to a registry I didn't even know existed, but my records may have been hacked.
It gets better:
Unfortunately, some of your personal information was on the Registry's server at the time of the hacking incident. This information included your name and Social Security number. In many cases, these data also included your date of birth, address, phone number, demographic information, insurance status and health history information.
The letter went on to helpfully suggest that I place a fraud alert on my credit line. The letter's author assured me that she was "devastated" and directed me to their "breach website" in case I had questions or concerns. I'm not sure "questions or concerns" fully described how furious I was.
The FAQ section of the breach website explained that University IT staff discovered in July 2009 that the mammography data had been hacked in 2007. The technicians had no way of knowing whose information had been breached. Thirty-five practices in my state partner with the Registry and send data concerning their mammography patients.
The data are evaluated for the radiologists to assist them in improving their ability to detect cancers. They also are interested in furthering research to improve screening mammography.
Obvious questions: How do my Social Security and phone numbers factor into "their ability to detect cancer"? Do even Social Security numbers have a greater chance of being diagnosed? Does an out-of-state phone number increase the benefit of early detection?
As a nurse who worked in
utilization review, I am pretty mindful of what I'm signing when I receive medical care. I didn't recall giving permission for my records to be sent to any registry. It was eye-popping when I read:
The federal regulations that govern research involving human subjects allow for some kinds of research to be conducted with a "waiver of consent," provided that certain criteria are met...These are typically projects that involve existing records that were collected for purposes other than research, such as hospital or clinic records. They are not studies where the researchers need to interact with subjects, or where something additional is being done purely for the sake of research (like testing drugs or gathering information that would not be obtained otherwise); those kinds of studies require consent.
Waivers of consent may be especially relevant for large scale "population-based" research, where the goal is to represent or describe a broad group of patients, while avoiding the bias that can occur if consent must be obtained from each individual.
Well, isn't this interesting! Federal regulations allow researchers to apply for a waiver of consent to avoid that pesky "bias" which can occur when actually obtaining permission from all of us annoying "individuals." The website proceeded to describe all the precautions they had now implemented and, even though it was our right, beseeched all 180,000 of us to not withdraw our records. I immediately requested my records be withdrawn.
This appalling incident prompted me to research Electronic Health Records (EHRs) in Nancy Pelosi's health care reform legislation, the
Affordable Health Care for America Act. When I entered "EHR" into the document word search, I discovered several references. On page 154, the Secretary of HHS is charged with conducting a study to increase the use of "qualified" EHRs. (What "qualifies" an EHR is not defined.) This study should include incentives such as "higher rates of reimbursement or other incentives for such health care providers to use electronic health records" and "promoting low-cost electronic health record software packages that are available for use by such health care providers."
EHRs also play a major role in the "integration of physician quality reporting and EHR reporting." Page 407 describes:
Not later than January 1, 2012, the Secretary shall develop a plan to integrate clinical reporting on quality measures under this subsection with reporting requirements under subsection (o) relating to the meaningful use of electronic health records...clinical quality of care furnished to an individual...The collection of health data to identify deficiencies in the quality and coordination of care for individuals eligible for benefits under this part... such other activities as specified by the Secretary.
The phrase "meaningful use of electronic health records" is repeated twice more in the references I found. What does Mrs. Pelosi mean by "meaningful"? And you can drive a truck through this loophole: "such other activities as specified by the Secretary." What it boils down to is a big push for centralized EHRs in order to gather data to be used for physician monitoring.
On page 943, one of the goals for approved medical residency training programs is to "be meaningful EHR users." Again it raises the question, exactly what does "meaningful" mean? EHRs appear again on page 1,324 in the section on "Implementation of Best Practices in the Delivery of Health Care."
The legislation does contain a nod toward the
HIPAA laws on page 82:
The Secretary shall ensure (through the promulgation of regulations or otherwise) that all data collected pursuant to subsection (a) are used and disclosed in a manner that meets the HIPAA privacy and security law (as defined in section 3009(a)(2) of the Public Health Service Act), including any privacy or security standard adopted under section 3004 of such Act.
Please forgive me if I am not reassured. Since federal regulations right now provide a "waiver of consent" for research entities to obtain my medical records without my knowledge, it should be a snap for Speaker Pelosi, Senator Reid, and Secretary Sebelius to concoct a "meaningful" reason to download any EHR they want. Look out America...you are about to be breached.
Carol Peracchio is a registered nurse.