The Wall Street Journal had a great piece and blog item yesterday about Health IT and privacy breaches — we would have blogged about it then had we not, coincidentally, been out much of the day with some other think-tankers and foundation folks educating ourselves about that very topic. Among other things, the Journal article made the key point that privacy breaches are rarely prosecuted. That's not the right way to build public confidence in electronic health records.
Some 35,000 reports of privacy violations have been reported to the Department of Health and Human Services under HIPAA (Health Insurance Portability and Accountability Act) since 2003, but not a single civil fine has been levied, WSJ reported. HHS says several hundred reports of violations have been referred to the Department of Justice for criminal prosecution; about 200 cases have been filed, although it's not clear how many of them were under HIPAA.
So we were pleased to see the LA Times report today (Charlie Ornstein's done a lot of good work on this whole phenomenon of Hollywood sneaky peeky) that an alleged celebrity snoop at UCLA Medical Center had been indicted for allegedly selling information from medical records of celebrities to the media (apparently the National Enquirer).
The paper reported that Lawanda Jackson, 49, could face up to 10 years in prison if convicted of the charge of obtaining individually identifiable health information for commercial advantage. The paper had earlier reported that Jackson had allegedly pried into the private medical records of California First Lady Maria Shriver, Farrah Fawcett, and 60 others. In an April 8 interview with the newspaper, Jackson denied that she had leaked the information or otherwise profited from it.
Hospitals can (and should) take multiple steps to make records more secure; for instance, walling off parts of the computerized records so that people can access only what they need to know. But the feds (or state governments) have responsibilities too. Getting electronic records right, from technical, economic, and privacy standpoints, is hard enough. If all the public hears about is breach after breach, snooping, spying, and carelessness (medical records left on a laptop in someone's car trunk...), they aren't going to buy into Health IT. And we need them to; Health IT may not save as much, or as quickly, as politicians are promising, but it is essential for quality, for coordinated care, for efficiency and for research. So when there's a crime, let's see some punishment.
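The "walling off" idea above is, in security terms, need-to-know access control with an audit trail. The sketch below is an added example, not code from the post or from any hospital system: a toy in-memory records store in which each staff role may read only certain sections of a record, clinicians may read clinical sections only for patients on their own care team, and every read (allowed or denied) is logged so that a reviewer can spot someone probing records they have no business in. The roles, sections, patients and staff names are constructed for the example.

```python
"""Need-to-know access to patient records with an audit trail (hypothetical example)."""
from dataclasses import dataclass

# Sections each role may read. Assumed policy, constructed for this example.
ROLE_SECTIONS = {
    "clinician": {"demographics", "diagnoses", "medications"},
    "billing": {"demographics", "billing"},
    "front_desk": {"demographics"},
}

# Constructed sample records; nothing here is real patient data.
PATIENTS = {
    "P001": {"demographics": {"name": "Patient One"}, "diagnoses": ["J06.9"],
             "medications": ["acetaminophen"], "billing": {"balance": 0}},
    "P002": {"demographics": {"name": "Patient Two"}, "diagnoses": ["E11.9"],
             "medications": ["metformin"], "billing": {"balance": 120}},
    "P003": {"demographics": {"name": "Patient Three"}, "diagnoses": [],
             "medications": [], "billing": {"balance": 0}},
    "P004": {"demographics": {"name": "Patient Four"}, "diagnoses": ["I10"],
             "medications": ["lisinopril"], "billing": {"balance": 45}},
}


@dataclass(frozen=True)
class Staff:
    user_id: str
    role: str
    care_team: frozenset = frozenset()  # patient ids this user is actually treating


@dataclass(frozen=True)
class AuditEntry:
    user_id: str
    patient_id: str
    section: str
    allowed: bool
    reason: str


class RecordsStore:
    """Records behind a need-to-know check; every read attempt is audited."""

    def __init__(self, patients):
        self._patients = patients
        self.audit_log = []

    def _authorize(self, user, patient_id, section):
        if patient_id not in self._patients:
            return False, "unknown patient"
        if section not in ROLE_SECTIONS.get(user.role, set()):
            return False, f"role {user.role} may not read {section}"
        # Clinicians are walled off from patients outside their care team.
        if user.role == "clinician" and patient_id not in user.care_team:
            return False, "patient not on user's care team"
        return True, "ok"

    def read(self, user, patient_id, section):
        allowed, reason = self._authorize(user, patient_id, section)
        # Log before returning or refusing, so denied probes are visible to review.
        self.audit_log.append(AuditEntry(user.user_id, patient_id, section, allowed, reason))
        if not allowed:
            raise PermissionError(reason)
        return self._patients[patient_id][section]


def flag_snooping(audit_log, denied_threshold=3):
    """Users whose denied reads touched at least `denied_threshold` distinct patients.

    Repeated denied lookups across many unrelated patients is the pattern a
    privacy officer would want surfaced from the audit trail.
    """
    denied_patients = {}
    for entry in audit_log:
        if not entry.allowed:
            denied_patients.setdefault(entry.user_id, set()).add(entry.patient_id)
    return sorted(u for u, pts in denied_patients.items() if len(pts) >= denied_threshold)


if __name__ == "__main__":
    store = RecordsStore(PATIENTS)
    doctor = Staff("dr_lee", "clinician", frozenset({"P001"}))
    print(store.read(doctor, "P001", "diagnoses"))  # on care team: allowed
    for pid in ("P002", "P003", "P004"):
        try:
            store.read(doctor, pid, "medications")   # not on care team: denied and logged
        except PermissionError as err:
            print(pid, "denied:", err)
    print("review flags:", flag_snooping(store.audit_log))
```

The enforcement check stops the read; the audit log is what makes the attempt reviewable afterwards. A user who legitimately holds broad access is not caught by denied attempts, so a real deployment would also review the breadth of allowed reads per user, which this sketch leaves out.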