Electronic health records have been way oversold. Expecting every little medical office to have industrial-grade data protection makes them far more of a liability than they are worth.
At best mostly subjective observations, at worst full of outright errors, they're largely useless from a health care perspective let alone for research purposes.
In my (relatively limited) experience, most small medical offices pay for cloud-based EHRs on a subscription basis for this exact reason. Have you observed differently?
With regard to the usefulness of medical records, I don't know enough on the topic to address that point.
There's some kind of database called MIB that sells all your medical information like a credit report. I haven't figured out how to opt out of it or where exactly they get the data so I can opt out of it before they even send it. It's some kind of horrific atrocity. Please somebody expose this to everyone: https://www.mib.com/request_your_record.html
Have you applied for term life insurance in the last ten years? Based on what I'm reading in an application from Grange, you may be able to revoke any authorization through the insurance provider. It may nullify your policy though.
Maybe. It's up to the member company to obtain the consent and report as such to MIB.
I just started shopping for term life insurance recently and have an application that was emailed to me by a local agent. It looks very much like this one (http://www.adkissoninsurance.com/forms/grangelifeapp.pdf), EXCEPT someone has removed the Notice of Information Practices at the top.
I wonder how many of these are encrypted systems. I see a lot of "theft" and "loss" on that list. I know if I were to lose a system that had PHI on it I would be required to report the breach even if the system had full disk encryption. I'd bet many or most of these are similar.
> if I were to lose a system that had PHI on it I would be required to report the breach even if the system had full disk encryption
According to the Texas Medical Association[0],
> there are only two reasons a lost device may not have to be reported as a breach under the HIPAA Breach Notification Rule: (1) no PHI was on the device, or (2) the PHI is unusable - encrypted with FIPS 140-2 encryption
I’d guess that a lot of the encrypted systems had a password written on a sticky note on the desk or in the laptop bag. Encryption doesn’t do much unless you take the other sensible steps.
It’s more worrying to me that a doctor might not report a breach because the data is encrypted, but had the keys stolen along with the computer.
> As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.
Well, I'm glad this random webpage is broadcast onto the internet and therefore everyone is properly informed about these breaches.
This is the same as Google providing that page somewhere deep in the account settings where you can view what data they have on you. It's beneficial for them to provide this, because 99.99% of users will never find it anyways. And those that are concerned can be calmed down by it.
I care less about health info privacy than identity. When I was a kid, hospital admissions were published in the daily paper. Nobody thought much of it.
The number of people interested in your health is tiny. The number of people interested in your money, and motivated to try to take it from you, is much higher.
I think it's interesting that while there are a ton of breaches, we only know about them because HHS requires breach reporting when it affects over 500 patients. How often is this happening in other industries where such regulations don't exist?
This is the thing. HIPAA is really a gold standard in data security legislation. As terrible as it is (e.g. the fax machine loophole, which is surely put there for lawyers), at least there's something punitive. And other things can be tied to it: grants, FDA can disbar them from collaborating in drug development, etc.
Imagine breach notifications for a company like Facebook. FCC could disbar you from transmitting data over mobile networks.
In California that’s been the law for over a decade. Arguably, California’s breach disclosure law is the reason we know about the vast majority of large breaches we hear about.
HIPAA creates an illusion of trust for medical customers to not question the right of their private information to be destroyed. Enforcement comes secondary, if rarely at all.
> Note: I have had hipaa training for prior jobs and no penalties were ever discussed
I've had HIPAA training for several jobs stretching back to 2001, and civil and criminal penalties, and the fact that the latter especially were available against individual employees as well as covered entities, were stressed every time.