Kaiser Health News (an editorially independent program of the Henry J. Kaiser Family Foundation, a non-profit, non-partisan health policy research and communication organization) reports that hospitals are searching the medical data of patients to figure out ways to advertise health services to them:

When the oversized postcard arrived last August from Provena St. Joseph Medical Center promoting a lung cancer screening for current or former smokers over 55, Steven Boyd wondered how the hospital had found him. [...]

Provena didn’t send the mailing to everyone who lived near the hospital, just those who had a stronger likelihood of having smoked based on their age, income, insurance status and other demographic criteria.

The non-profit facility is one of a growing number of hospitals using their patients’ health and financial records to help pitch their most lucrative services, such as cancer, heart and orthopedic care. As part of these direct mail campaigns, they are also buying detailed information about local residents compiled by consumer marketing firms — everything from age, income and marital status to shopping habits and whether residents have children or pets at home. Read more »

HealthLeaders Media has an interview with Farzad Mostashari, the national coordinator for health information technology at the Department of Health and Human Services, about the use of and privacy protection of patient medical data:

HLM:  What are three toughest challenges you plan to tackle in 2012?

Mostashari: Adoption of meaningful use, information exchange and interoperability, and maintaining privacy and security. We want 2012 to be a huge year for meaningful use. I think doctors, hospitals, and vendors are geared up. It will be an enormous year for providers who qualify for the incentive, but more importantly to start to establish the information foundation for delivering care that is inconceivably better in all ways—higher quality, safer, more patient-centered, and more coordinated.

It is fantastic to have the records in an electronic format in the doctor’s offices and to have those records used to take better care not just of individual patients, but of the entire population of patients.

It is just as important that those records be shared across the different settings when the patient moves from outpatient to inpatient care, then back home or to a long-term care facility, and back to the primary care doctor’s office and then to specialist. We’re really pushing in major way on information exchange and interoperability. Read more »

At the Wall Street Journal, two experts answer the question: “Should Every Patient Have a Unique ID Number for All Medical Records?” “Proponents say universal patient identifiers, or UPIs, deserve a serious look because they are the most efficient way to connect patients to their medical data. [...] Privacy activists aren’t buying it. They say that information from medical records already is routinely collected and sold for commercial gain without patient consent and that a health-care ID system would only encourage more of the same.”

First, Michael F. Collins, a board-certified physician in internal medicine and chancellor of the University of Massachusetts Medical School in Worcester, Mass., argues that universal patient IDs are needed:

A UPI system, using one number that seamlessly connects a person to all of his or her records, could be the safest and most efficient way to manage health-care data. It would guard against misidentification and make it much easier to pull together a patient’s records from disparate providers. Using today’s best technologies and practices, UPIs could help dramatically improve the quality of health care, lower costs, accelerate medical discovery and better preserve privacy. [...]

Currently, health-care providers and administrators struggle daily to match patients to records organized by disparate systems that rely on names, addresses, birth dates and sometimes Social Security numbers. Names can be presented in numerous formats, leading to duplicative records that cost money and lead to errors. As our population grows, the number of people with the same name and other similar personal data multiplies. Research cited by RAND Corp. indicates patients are misidentified at a rate of about 7% to more than 10% during record searches. As databases grow, the problem will only worsen. UPIs can correct this situation.

What about data security? It is difficult—especially without being able to study UPIs—to know what the safest approach is. Admittedly, no IT system is immune to breaches. Read more »

The Associated Press reports on a lawsuit concerning patient privacy in Minnesota:

Attorney General Lori Swanson sued a debt collection agency that works with two Minnesota hospitals on Thursday, saying it failed to keep health care records for tens of thousands of patients confidential and did not tell patients just how much it was involved in their health care.

The lawsuit against Accretive Health Inc., a Chicago-based company that works with hospitals to maximize revenue, comes after an Accretive employee had a laptop stolen in July that contained the data of 23,500 patients of Fairview Health Services and North Memorial Health Care.

As authorities were investigating, they discovered Accretive had access to patient data through contracts with the hospitals, and used that data to assess patients’ “frailty” or risk of becoming hospitalized. Swanson said the agency shared its activities with investors on Wall Street “without the knowledge or consent of patients who have the right to know how their information is being used and to have it kept confidential.” [...]

The lawsuit claims Accretive violated state and federal health privacy laws, and state debt collection and consumer protection laws. It seeks an order that would require Accretive to tell patients what information it has on them, what information it lost, where it sent the information, and why it has the information in the first place. Read more »

InformationWeek reports that a man hacked into a medical database to steal patient information:

Eric McNeal, a 38-year-old information technology specialist from Atlanta, Ga., has been sentenced for hacking into the patient database of a former employer, stealing patient information, and then deleting the information from the system.

For his crime, McNeal was sentenced on Jan. 10 to serve 13 months in prison with three years of supervision after his release. McNeal also was ordered to perform 120 hours of community service. [...]

According to court documents, McNeal, who pleaded guilty to the charge on Sept. 28, worked as an information technology specialist for APA, a perinatal medical practice in Atlanta. He left APA in November 2009, and subsequently joined a competing perinatal medical practice, which was located in the same building as APA.  Read more »

The Washington Post reports on possible privacy questions surrounding new technology featured at the Consumer Electronics Show in Las Vegas:

The thousands of devices debuting Tuesday at the Consumer Electronics Show here demonstrate how tech companies are poised to gather unprecedented insights into consumers’ lives — how much they eat, whether they exercise, when they are home and who they count as friends. [...]

Coming soon are Internet connected refrigerators, washing machines and other appliances that may be able to deliver information to third parties, such as utilities.

All that has some tech experts and lawmakers concerned that consumers, in their rush to snap up the latest gadgets, may be sacrificing privacy. Read more »