Are Your Medical Records Vulnerable To Theft?

A decade ago almost all doctors kept paper charts on every patient. That is changing quickly as laptops become as common as stethoscopes in exam rooms. Recent hacking attacks have raised questions about how safe that data may be.  Here are some frequently asked questions about this evolution underway in American medicine and the government programs sparking the change.

Are my medical records stored electronically?

At least some of the information you share with your doctor or any hospital or clinic where you’ve been treated is probably stored on a computer. It’s pretty common for most hospitals, clinics and doctors’ offices to digitally store your basic information including your name, address and insurance company, the same way many retailers do.

Are Your Medical Records Vulnerable To Theft?

It’s also likely that at least some information about your specific medical conditions is linked to that data. Health care providers have been using computers to help them get paid for decades. That means many computer-generated bills sent to you and/or your insurance company contain medical details like the conditions you were treated for, prescriptions and referrals to specialists.

Where things are really changing quickly is in the use of electronic records for day-to-day patient care. Until recently, most doctors used paper charts to record information generated during patient visits. But the 2009 economic stimulus package offered doctors and hospitals tens of thousands of dollars each to help buy computers and software designed to replace paper charts. Adoption was slow at first, but as of June most hospitals and close to half of all doctors in America report that they are using systems that qualify for those payments. Some are aggressively digitizing older records stored on paper, others are not.

Does the Affordable Care Act require doctors and hospitals to use electronic medical records?

No. The stimulus package, which pre-dates Obamacare, offers doctors, hospitals and some other health providers money to help them upgrade from paper to digital records, but the Affordable Care Act does not.  Nor does it require digital record use.

But the health law does offer bonus payments to health care providers that can prove they’re more efficient and not unnecessarily duplicating tests and procedures. Electronic records make that easier. The ACA also includes penalties for those who fail to meet performance measures such as keeping people from returning to hospitals because they weren’t treated properly the first time. More hospitals are starting to use electronic records to track patients, coordinate inpatient and post-hospital care and to record how well they’re performing in an effort to win bonuses and avoid penalties put in place by the ACA.

If electronic medical records are so common, why can’t I email my doctor?

Some patients can. But concerns about privacy and payment mean many doctors would rather communicate with patients on the phone or face to face.

Standard email isn’t secure enough to meet the standards of America’s umbrella medical privacy law, known as HIPAA. That’s why many doctors don’t communicate with patients via email, and continue to send prescriptions and referrals via fax.

Some electronic records systems offer secure “patient portals” that allow patients and doctors to communicate electronically. More doctors and hospitals will have to start offering this service if they want to qualify for the maximum amount of stimulus act payments for going digital. But not all insurance companies will pay doctors for the time they spend communicating electronically, so many require patients to schedule an office visit instead.

How secure are my electronic medical records?

As more doctors and hospitals go digital with medical records, the size and frequency of data breaches are alarming privacy advocates and public health officials. Although health care providers face serious penalties if they allow patients’ electronic records to be breached, thieves also have tremendous incentives to get around protections because health records contain so much valuable information.

Privacy experts argue the health industry has been slow to respond to such incidents by adopting the encryption techniques used for years by financial companies.

In the recent breach of Community Health System, a hospital chain based in Franklin, Tenn., Chinese hackers bypassed the hospitals’ security systems and stole personal data, including names, Social Security numbers and addresses of 4.5 million patients. Community Health said it would offer identity theft protection to affected patients and carried cyber insurance to mitigate some of its losses.

This video from the federal Health and Human Services department’s Office of Civil Rights explains some of the protections currently in place, as does as this fact sheet. The Federal Trade Commission offers this advice on preventing identity theft and protecting digital personal information.

Can emergency room doctors call up my electronic medical records if I’m in an accident and unable to give them basic information?

Probably not.  A major criticism of electronic medical records in America is that the companies that make them have financial incentives to keep them from being easily shared. It’s kind of like Windows versus Mac operating systems. Many companies are trying to win market share by creating software that doesn’t “talk” to that made by other companies, so if a big hospital uses software from company X, then all the doctors that work with that hospital will have an incentive to buy that software, too.

If you’re unconscious and an ambulance takes you to a hospital you’ve been to before, they can probably call up their records for you if you’re carrying some kind of identification. But they may not be able to access pertinent information stored on other doctors or hospitals’ computers.

Some states have good clearinghouses that allow health care providers to pull in all of a patient’s digital health files, but they’re still the exception at this point.