Sunday, July 30, 2006

Decentralization for Federal Health Privacy? (June 26, 2006)

Electronic medical records, affectionately known as EMRs, are the way of the future. There are reports that “prove” they help reduce errors in healthcare, while other reports “prove” they introduce or magnify errors, and still other reports that “prove” evidence belongs to neither side of the fence. Clearly, there are many factors that play a role in the effect that EMRs have, including organization size, training of workers, type of treatment a provider specializes in, etc.

In the midst of the debate, however, it is clear that we are in an information society and just about every aspect of our lives, including our medical records, is moving toward electronic documentation. And, as with any personal information system, privacy issues abound. Concerns over privacy in healthcare are not new. In fact, health-related information is considered to be some of the most sensitive types of information about an individual. This sentiment has helped to introduce various state and federal regulations regarding the control and distribution of person-specific health records. Yet, in light of current events, i.e. recent concerns over the NSA’s snooping of phone records, AT&T’s recent amendment to their privacy policy to claim further ownership of data over their network, and financial record monitoring by the federal government, of course the American populace is on high alert and is sincerely concerned about privacy issues.

Back to the story at hand. . . As some of you may (not) know, the US is heading towards a national electronic medical record system. And in a recent story published in the LA Times, it is reported that decentralization of medical records systems is the privacy protection policy that is being adopted. Kudos to the policy architects for foresight and forethought. Personally, I agree that decentralized control and access of patient medical records helps protect from a direct privacy invasion based on curiosity and nosiness.

However, I offer congratulations with reserve and trepidation. There is still much to do and policy only gets us part of the way there. A decentralization policy alone is not sufficient to prevent true concerted privacy attacks, many of which are nontrivial and difficult to legally achieve. I encourage the continued efforts of the government to embed privacy in their solutions and encourage them to open up the design to public review, evaluation, and subsequent comments.

Then again, who knows? Until we see the architecture of the protection, I can only speculate.

