Could Big Brother — or garden-variety snoopers — soon get their hands on your medical data? The Senior Citizens League, a group that boasts 1.2 million members and is affiliated with the Retired Enlisted Association, recently sent out a mailing saying it was possible.
According to a copy obtained by the Huffington Post, the group sent a four-page letter, along with a questionnaire and a cover letter signed by former Rep. David Funderburk, R-N.C., to seniors, expressing two related concerns about Democratic health care reform plans being debated on Capitol Hill. One is that they could lead to the rationing of care. The other is that the government is assembling a "national government computer network" that will contain Americans' medical files.
We've already addressed the question of rationing , so we'll focus here on the plans for a computer network.
Here's what the Senior Citizens League letter said:
"The key to these changes is a massive national government computer network, which is now being created. When it is complete, your complete medical record will be available 24 hours a day to health care workers at computer terminals in pharmacies, doctors' offices and hospitals across the country and to government workers. ... To ensure that all doctors, hospitals and pharmacies participate and place their records in the new system, a portion of the economic stimulus legislation passed in February includes stiff penalties for doctors and hospitals which do not participate. The complete lack of privacy or confidentiality that comes when millions of people can see your records and the virtual certainty of computer errors has raised concern among many Medicare beneficiaries."
First, a little background on health information technology, or HIT for short.
Computerizing medical records has long been a goal of policymakers across the ideological spectrum. The idea is to shift from paper-based records to electronic ones, so that doctors can access information about their patients more quickly and easily and make better clinical decisions as a result. Supporters hope that HIT will reduce the frequency of medical errors, unnecessary diagnostic tests and inappropriate treatments.
While the biggest impact would likely be felt within a patient's small circle of physicians, nurses and pharmacists, planners also envision scenarios in which an emergency room doctor treating a patient traveling far from home would be able to quickly receive medical records about that patient. Officials also hope that, in the longer term, streamlining record-keeping could bring down the rapidly escalating cost of health care.
In 2004, President George W. Bush issued an executive order creating incentives for the use of health information technology, to be spearheaded by a new federal official, the national coordinator for Health Information Technology. President Barack Obama went further when Congress passed his economic stimulus package in February 2009. The stimulus included several items designed to promote HIT, including $19 billion over four years to fund electronic infrastructure improvements and the widespread adoption of electronic health records by providers. The goal under both presidents has been to create electronic health records for each person in the United States by 2014.
The Office of the National Coordinator for Health Information Technology describes the Nationwide Health Information Network as a "network of networks." All the experts we spoke to, including the Department of Health and Human Services, emphasized that it is not a single database residing at, say, a federal agency. It's more accurately viewed as a network to link many separate databases where records already exist, such as regional databases or medical offices, along with efforts to establish common technical standards so that these far-flung repositories of data can exchange information as needed.
"While providers will eventually be required to actively exchange patient information between electronic health records, there is no law or regulation calling for the development of a national patient information database," said Brian Wagner, the senior director of policy and public affairs with the eHealth Initiative, a group that represents companies and professional organizations with a stake in HIT.
The Senior Citizens League excerpt raises two main questions about HIT.
— Who would have access to the network? Could it be as many as "millions" of people?
Our experts agreed that such loose access is certainly not the goal of the program, and they added that intensive efforts are being taken to prevent that from happening.
On its Web site, the Office of the National Coordinator for Health Information Technology says it understands that a lack of trust in the system would be a serious problem. "Coordinated attention at the federal and state levels is needed both to develop and implement appropriate privacy and security policies," the office says.
Portions of the stimulus bill stiffened existing privacy protections from the Health Information Portability and Accountability Act, which governs how medical records can be used. The stimulus extended the list of mandatory protections and penalties to business associates of medical providers who were already covered by them. In the case of privacy breaches, patients now must be notified, and the penalties for violations were increased.
Most important, providers and associates covered by HIPAA must limit disclosure of private health information to the minimum number of people necessary to accomplish a valid purpose. Those purposes generally involve treatment, payment or medical administration.
"It's not going to be available at Kinko's for all the world to see," said Len Nichols, director of the health policy program at the centrist-to-liberal New America Foundation.
Wagner said that the network won't be structured in a way that allows any medical professional to fish around for data on anyone they like. Users would still have to request specific information from another doctor, and provide a good reason why they need it. The main difference under a functioning system of HIT would be that that record would be sent electronically rather than faxed or mailed, potentially saving hours or days.
One upside is that, unlike paper-based systems, electronic health records create audit trails every time they're accessed, meaning that HIT systems can actually afford greater privacy protections for patients.
"The level of access to this information will also be limited based on each person’s role in the provision of care," said HHS spokeswoman Nancy Szemraj. "Depending upon the type of violation, fines can reach up to $1.5 million per privacy violation." The notion that there will be "unauthorized, limitless access to patient health information in an electronic health record is absolutely incorrect," she said.
Still, everyone agrees that vigilance is needed. Deven McGraw, director of the health privacy project at the Center for Democracy & Technology, calls it "absolutely critical to have policies to say who can access information and for what purposes. Are they in place today? No. Are there active efforts going on today to change that? Absolutely."
— How stiff are the penalties for noncompliance? They're not immediate, and providers will have many opportunities to benefit from carrots before they face any sticks.
Between 2011 and 2014, the stimulus provides bonus payments to encourage health care providers to implement "meaningful" usage of HIT for Medicare and Medicaid. In 2015, the penalties begin. Providers who haven't instituted meaningful use of HIT would see their Medicare reimbursements (though not their Medicaid payments) reduced by 1 percent in 2015, 2 percent in 2016 and 3 percent in 2017. The secretary of Health and Human Services can increase these penalties by an additional point or two if implementation significantly lags.
So let's summarize. The Senior Citizens League has a point that HIT presents unprecedented challenges in privacy and security, and that strategies to keep up with these threats continue to evolve. However, the group significantly overstates the degree to which HIT is intended to collect medical data in one place and the extent to which users will be able to poke around records that they don't have a legitimate need to access. It's inaccurate to say that there will be a "complete lack of privacy or confidentiality;" laws against unauthorized use are already in place, and federal officials have explicitly made privacy a high priority. Finally, the penalties against nonparticipation that the group cites begin in 2015 — after several years in which providers can receive financial bonuses for participating. On balance, we find the group's claims Barely True.
Editor's note: This statement was rated Barely True when it was published. On July 27, 2011, we changed the name for the rating to Mostly False.