Many Americans’ electronically stored medical data is likely unsecured and inaccurate, according to panelists at the Health Datapalooza on Tuesday.

“There are real-world consequences to medical data sharing,” said privacy and medical attorney Neal Eggeson. “This is happening every day; I am getting these phone calls every day.”

Eggeson argued not only that access to personal medical data is easy for those working in or able to hack the health care industry, but also that there is very little people can do about their own medical data being exposed.

“HIPAA [Health Insurance Portability and Accountability Act] has a specific provision that prevents you from suing anyone over your medical data,” he said. “Ninety percent of those who call me, I can’t help.”

He noted that few employees are fired when it is discovered that they improperly gained access to private medical data, and that health care companies have no incentive to increase scrutiny or punishment.

Len Lichtenfeld, deputy chief medical officer at the American Cancer Society, supports increased data sharing such as a cancer registry, but said that there are still policies that irresponsibly expose personal medical data at hospitals and health care organizations.

“If we do not have trust in the system we probably will fail,” said Lichtenfeld. He described his own recent surgery, in which the consent forms stated that anyone in the United States could have access to his personal information and medical history. This information included HIV status, whether the patient had received an abortion, and other medical statuses.

“None of this applied to me, but that didn’t make any difference,” Lichtenfeld said. When he refused to sign that section of the forms, he was told that nobody would then have access to his records.

“I wanted my medical care team to have access to that information, and I was told that under no circumstances was that permitted,” he said.

Ideally, medical information, when stored and shared in open-data initiatives, is “de-identified” so that personal identifiers are removed from the file. But some have argued that the risk of re-identifying individuals from the information that remains is too high.

“We can’t have it both ways in terms of perfect information and perfect protection,” said Daniel Barth-Jones, assistant professor of clinical epidemiology at Columbia University. “Perfect de-identification is not possible.”

Yet even when medical records remain secure, they are often not accurate.

“Electronic charts lend themselves to more inaccuracies and, more problematically, the propagation of inaccuracies,” said Dhruv Khullar, a resident physician at Massachusetts General Hospital. “When I finally get to interview patients, I find their medical records to be littered with inaccuracies.”

Khullar noted that in only approximately 5 percent of medical files do the listed medications agree with the medications the patient is actually taking.

The panelists addressed solutions to these problems on both a personal and a policy level.

“One way we can help is to encourage patients to read their medical records,” said Khullar. He found that only 40 percent of patients are offered their records and only half of that number actually choose to read them.

“Don’t wait to be offered,” agreed HHS director of the Office for Civil Rights Jocelyn Samuels. “Demand your medical records.”

Samuels’ office works to enforce federal laws that protect the privacy and security of medical data.

“We also have a robust enforcement arm and we will take steps to hold entities accountable,” Samuels said.

Many of the other panelists agreed that there needed to be more stringent punishments for exposing or gaining access to private data without authorization.

“We need comprehensive legislation to prohibit re-identification,” Barth-Jones said.

“I would make the penalties harder,” Eggeson agreed.

Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.