Patrick Stone

Health Care

Sold: Electronic Medical Records to the Highest Bidder

HIPAA laws are unequal to the task of safeguarding e-records

Published: Friday, July 19, 2013 - 11:41

How often do we see Health Insurance Portability and Accountability Act (HIPAA) violations issued because a regulated entity did not secure the electronic records at hospitals and small clinics? Large-scale security breaches and, sometimes, reports of illegal sales of electronic medical records by various third-party sources are in the news. In Massachusetts and New Hampshire, for example, an e-record vendor recently admitted to large-scale e-record breaches.

The FDA has provided some guidance on what is expected for e-records, but no real guidance on security. That may be one of the reasons that so many of the e-systems I have reviewed meet the minimal requirements but have security vulnerabilities.

But perhaps you’re not aware of another security breach: Your e-records are for sale to the highest bidder. They are being sold to insurance companies, debt collectors, and prospective employers. The 1996 HIPAA law left provisions for certain entities to access your entire medical record. Although some of the stolen or hacked e-records get sold—and that’s terrible, of course—in most cases when your e-records are sold it is done “legally.”

Securing medical e-records comes with a price, and even with some of the best security in place, there may still be a breach. In most business models for building software systems, security is last on the list. Sadly, e-record systems in the healthcare industry don't appear to be much different.

So what’s to be done? Will it take a 21st-century modernization of HIPAA, written almost 20 years ago and before the e-record mandate? Or will we limp along with legislation that is increasingly showing its age?

In our digital age of e-records, the security of those records should be safeguarded; after all, we pay for the care we receive. The Dept. of Health and Human Services as well as the U.S. Congress should be focusing on this, but they are currently distracted by advocating for or decrying Obamacare.

And speaking of Obamacare, that new law also has some troubling provisions about who is allowed access to your records, and some “interesting” exceptions to those provisions.

But don’t get me started on Obamacare implementation before we deal with HIPAA.

For now we can only trust (read: hope) but not verify who really has access to our medical e-records that are inadequately protected by a 20th-century law.

This article first appeared in the July 18, 2013, edition of the AssurX blog.


About The Author

Patrick Stone

Patrick Stone works toward a future where disease cures and prevention are the main goal of all new test articles. Stone is president and lead consultant at TradeStone QA LLC, which serves the global public by protecting the supply and quality of healthcare products before they enter the marketplace. Stone specializes in Institutional Review Board (IRB) compliance and quality assurance audits; computer system validation and 21 CFR Part 11 compliance; LIMS/data management system compliance; and 21 CFR, GCP, cGMP, and ICH compliance. Stone is the author of Bubble Gum Badge—An FDA His-Story (Xlibris Corp., 2011). You can follow Stone on Twitter.