Complain about a product or service

GAO Cites Medical Privacy Issues

Electronic Data-Sharing Puts Patients at Risk

By Martin H. Bosworth
ConsumerAffairs.com

February 5, 2007

• TSA Site Left Passenger Data Exposed To ID Theft • Connecticut Governor Wants 'Opt Out' For Online Directories • Verizon Gave Customer Data To Government Without Court Orders • House Democrats Probe Warrantless Surveillance • Many Facebook Users Compromise Own Identities • Spy Court Tells White House To Fess Up • FBI Uses Data Brokers, "Risk Scores" To Hunt Terrorists • GAO: "Critical" Weaknesses In FBI Security Network • How Safe Is That Free Wi-Fi Connection? • Businesses Back Off Spy Chips • Insurer Unlawfully Poached Consumers' Credit Reports • GAO Cites Medical Privacy Issues • Google Anti-Phishing Feature Accidentally Reveals Too Much • Bush Spy Program Placed Under Court Review • "National Security Letters" Used To Examine Americans' Financial Records • Bush Gives Himself Authority to Search the Mail • Court Shuts Down "Media Motor" Spyware Operation • Consumerists Want FTC Probe of Online Advertising • Firefox/Google Team Up To Fight Phishing • Schwarzenegger Terminates Spychip Bill • For Sale: Your Health Care Records • Xanga.com Fined for Children's Privacy Violations • Facebook Does an About Face • Chase Trashes Tapes Containing Circuit City Customers' Data --- • More Privacy News ...

In another blow to the federal government's crusade for a nationwide infrastructure for sharing of medical records, the Government Accountability Office (GAO) has said that efforts to coordinate privacy at the federal level don't pass muster.

In a report, the GAO criticized the Department of Health and Human Services (HHS) for issuing contracts to develop initiatives for health information technology (IT) records-sharing without setting up adequate privacy guidelines.

Although HHS won credit for championing the initiative to share health care records across different systems, the GAO found that it was still in the "early phases of identifying solutions ... and has therefore not yet defined an approach for integrating its various efforts or for fully addressing key privacy principles."

"Until HHS defines an integration approach and milestones for completing these steps, its overall approach for ensuring the privacy and protection of personal health information exchanged throughout a nationwide network will remain unclear," the report said.

HHS disagreed with some of GAO's conclusions, specifically the need for benchmarks to measure progress.

Assistant Secretary Vincent Ventimiglia said that "tightly scripted milestones" would impede HHS' ability to conduct dialogue with stakeholders involved in the initiative.

Among the GAO's findings:

• HHS needs to craft adequate security and policy measures for the interaction of contracting companies and subcontractors that handle medical and personal records. Under the Health Insurance Portability and Accountability Act (HIPAA), "covered entities" are governed by strict disclosure rules about what information they can share and gather, but business partners they share information with may not be.

• 70 percent of Americans are concerned about the potential for a data breach in any system that shared such a large amount of health and personal data.

• HHS' chief "privacy and security solutions contractor," which was not identified in the GAO report, was tasked to provide a report detailing privacy and security guidelines for health organizations in all 50 states, as well as addressing compatibility issues and offering solutions.

The Right To Medical Privacy

Concern over the safety of medical records and personal information has been on the rise in recent years, due in part to the continuing cases of data breaches and thefts of equipment that contain personal data.

Recent cases such as the Emory Healthcare laptop theft continue to illustrate the dangers of sharing information without adequate privacy controls.

The GAO published another report last year that found 40 percent of health insurance contractors and state Medicare/Medicaid agencies had violated customers' privacy in some fashion, and that many health technology vendors outsourced their works to still other vendors, increasing the risk of privacy violations.

Also on the rise is medical identity theft, in which fraudsters steal patients' financial information and use it to charge expensive treatments for themselves, leaving the victims holding the bag.

Lack of laws protecting medical information can mean that medical identity theft victims have thousands of dollars' worth of debt in their name for procedures they never authorized or went through with.

The wildly varying state laws regarding data privacy and breach notification have prompted calls for Congress to pass laws that mandate federal standards for data breaches, but critics have been unimpressed with the efforts so far, saying that they do too much for business and too little for the consumer.

Report Your Experience
If you've had a bad experience -- or a good one -- with a consumer product or service, we'd like to hear about it. All complaints are reviewed by class action attorneys and are considered for publication on our site. Knowledge is power! Help spread the word. File your consumer report now.

Back to the top |