Musings of a Cancer Doctor

Wide-ranging views and perspective from George W. Sledge, Jr., MD

Monday, September 12, 2011

On Privacy

Two signs of the times, for your consideration, one widely noticed, and one buried on the back pages of a local paper. 


In the first, a New Mexico state policeman was caught on one of those ubiquitous security cameras having sex with a woman on the hood of a car in a public place (if being miles from anywhere in rural New Mexico constitutes a public place). His indiscretion became public (YouTube, Internet, TV, the whole nine yards) and he was fired.  Last year he had been the state policeman of the year in his district, now he’s out of a job.


In the second, reported in the back pages of the San Francisco Chronicle, the names, diagnosis codes, account numbers, admission dates, and charges for 20,000 Stanford University emergency room patients were posted on a public website.


The chain of events went something like this: Stanford sent the records to its billing agency, which turned them over to a subcontractor, which created a spreadsheet.  Somehow (the “how” isn’t entirely clear) the spreadsheet was then posted on a website called Student of Fortune, “uploaded as an attachment to a question about making bar graphs.” And there it sat for a year, until a patient noticed it.


What these two stories have in common is the word “privacy," which (as these tales suggest) is an increasingly nebulous concept, perhaps even a meaningless one.


Privacy is increasingly under technologic attack, as both stories make clear. On the one hand, the modern surveillance state has become increasingly intrusive, as the unfortunate state cop discovered. There is a camera just about everywhere, even out in the sticks. The sphere of privacy is shrinking.


On the other hand, institutions are porous.  They cannot keep a secret, or not for very long.  The story leaks out, a computer goes missing, or a data set is posted to a website.  Sometimes this is maliciousness, but more often simple incompetence. We have always had malice and incompetence, but in the past there was not a camera sitting on every pole, and patient files were written on paper rather than in an easily exportable Excel file.


The story about the New Mexico state policeman has gotten more traction that the Stanford ER story, presumably because it involves a man in uniform and sex. Its titillation quotient was higher. 


But the Stanford story was the more appalling one. Twenty thousand ER patients is a wide playing field for human frailty.  How many drug overdoses, how many abused wives and children, how many cases of AIDS or syphilis? Would you hire a middle-aged man if you knew he had suffered a heart attack? Or a twenty-two-year old if she came in stinking drunk or suicidal? Would you trust Rupert Murdoch with this information?


The Chronicle story mentions that there have been more than 100 such incidents this year alone in the United States, and the Stanford case isn’t even the largest one.  That honor goes to HealthNet, Inc., which reported a security breach involving nearly 2 million members.


Which naturally brings us to HIPAA, the Health Insurance Portability and Accountability Act, now 15 years old. The act was designed (among other purposes) to protect patient privacy, and to that end provided rules for administrative, technical, and physical safeguards of patient data.  Despite millions of man-hours of employee education seminars at hospitals nationwide, it has manifestly failed in its primary purpose: HHS has reported a total of 30,000 separate security breaches involving over 8 million records to Congress (as required by the new HITECH law).


This is partly because security breaches are magnified by modern technology, partly because of human nature, and partly because the act has no real teeth. Despite the existence of civil and criminal penalties, the Department of Health and Human Services doesn’t have much in the way of police powers. It responds to failure when it is notified (sometimes with quite expensive fines), but the failures keep coming. 


One hospital system, Providence Health, had four security breaches in seven months (lost computers, lost backup tapes). And one recent survey of IT and security administrators from the Ponemon Institute reported that 77% of businesses (not just medical; all businesses) had lost data in the past year. As Goethe tells us, “Against stupidity the Gods themselves wage in vain.”


HIPAA has been pretty successful in some regards: it has been great at damaging the medical research enterprise by interfering with retrospective chart-based research. It has increased the transaction costs of healthcare by increasing paperwork and time load and adding its own expensive bureaucracy to every hospital in the land. And, in the words of a GAO report, healthcare providers were “uncertain about their legal privacy responsibilities and often responded with an overly guarded approach to disclosing information...than necessary to ensure compliance with the Privacy rule." In other words, it may have harmed patients by interfering with the free flow of important information.


I also suspect that, as with generals fighting the last war, the privacy police are always in the bad position of anticipating last year’s problems. They cannot guess where next year’s technology will take us.  And so, like that state cop, they (we) are always being caught with our pants down on privacy matters.


Think back to the year the law was written.  As a citizen of 1996, answer the following questions: What is a thumb drive? What does “in the cloud” mean? What’s a Google? How many gigs of memory does your laptop have? What are WikiLeaks? Yet each of these questions has distinct privacy concerns attached to it. Flash forward 15 years and a new set of technologies will raise new privacy concerns.


It is even uncertain what the old concepts of privacy mean. It certainly isn’t clear that the Facebook generation understands privacy the same way my generation did when we were in our teens and twenties. The willingness to tell all, and show all, to the entire world, is not something we would have done. And I’m talking about my late '60s/early '70s generation, with its “let it all hang out” ethos.


Maybe this is just the sensible recognition that privacy -- old style privacy -- no longer exists in an era when everyone in the bar has a camera embedded in a smartphone. They no longer believe in privacy because privacy is no longer believable.


But if that is the case, what of HIPAA, and of medical privacy in general?  Will a generation used to seeing their friends undressed and drunk on Facebook, or bragging about their latest conquest on Twitter, care about the release of medical information? Is medical privacy, HIPAA notwithstanding, about to be redefined into nonexistence?


I hope not.  I find HIPAA to be a pain in the neck, as do most of the healthcare professionals I know. At the same time I believe we all have parts of our lives that should remain private. Medical data is certainly right at the top of that list, along with personal finances. I would have added “and one’s sex life” to the list, but that is apparently now off. At least in New Mexico.


The Indianapolis Colts’ quarterback Peyton Manning has also been having a lot of neck problems lately, culminating in surgery.  Asked about his health concerns, he told our local reporters “I don’t know what HIPAA stands for, but I believe in it and I practice it.” Me too. Go Colts!