With no fanfare and public notice, many Vermonters' personal medical records have already been put into electronic databases controlled by the state and soon to be accessible to physicians and others working in hospitals and medical offices. While your consent is necessary for your records to be viewed legally, there is no electronic "lock" preventing unauthorized access -- just the threat of what have, in the past, often been weak sanctions meekly administered.
The possibility of unauthorized access to Vermonters’ personal medical records will assume much larger dimensions if a proposal coming before the Green Mountain Care Board Feb. 13 is approved. The proposal would change the current system of a patient controlling which providers may access her records. Instead, there’d be a “global opt-in” system, in which a patient must agree to let all providers see her records, or no providers see anything (other than your own doctor and others in the same practice).
Further, if you give “global” consent, only those doctors and workers treating you are supposed to access your records. However, the state’s complex medical records system allows any provider to call up someone’s record and view it. If a doctor or lab technician views the record of someone they’re not treating, the unauthorized access is called a “breach.” Someone who’s not supposed to see your medical records has taken a peek.
Only if an audit of the records were done, however, would the breach be found. If the breach were found and the violator identified, penalties could be imposed by the federal Office of Civil Rights, the state Attorney General’s Office, the person’s employer, the licensing agency overseeing the profession in which the violator works, or the agency credentialing the institution, if a hospital.
Supporters of e-medical records systems point to the possible penalties these agencies can impose as effective deterrents to breaches and as strong protection of your privacy.
In reality, the system of sanctions doesn’t always work the way it’s supposed to, raising the question of how secure patients’ records are in big electronic databases when access to the records is ubiquitous.
An example of weak sanctions: The federal Office of Civil Rights didn’t issue its first monetary penalty for a medical records privacy violation until 2012, 16 years after federal privacy protections were put in place through HIPAA, the federal Health Insurance Portability and Accountability Act. And now, the go-get-‘em enforcer (Leon Rodriguez) brought on the scene in 2011 to improve this track record has just been nominated for another position within the Obama administration.
There are Vermont stories to illustrate the problem of weak sanctions. Take, for example, the story of a Bennington woman who had her e-medical records viewed more than 100 times, over a period of 12 years, by someone with no authorization to do so (her sons’ records, additionally, were viewed 200 times).
The woman contacted the Office of Civil Rights and filed a HIPAA complaint; the OCR substantiated that the breaches had indeed occurred at Southwestern Vermont Medical Center. The woman also contacted state agencies; the Licensing and Protection Division of the Vermont Agency of Human Services found that the hospital had failed to meet three key standards for medical records privacy and security. The woman also contacted the FBI, her local legislators, and the Bennington Police Department.
After months of reviews and investigations, in November 2012 the violator plead guilty to four misdemeanor counts of unauthorized access of computer records. She was given a suspended sentence, fined $2,000, and made to perform 160 hours of community service. She continued to work in a hospital – although not the one where she had spied on others’ records. The hospital where the breaches occurred faced no reported sanction; it was only told it had to take corrective action so patients’ medical information was better protected.
The ACLU is not opposed to the digitization of patient medical records and the building of patient record databases. We understand access to a patient’s medical records can improve medical care, avoid duplication of services, and save money. But adequate safeguards protecting privacy must be in place. And we do not believe Vermont’s safeguards are adequate for the kind of system being built.
We are urging the state not to approve a “global opt-in” system before four things are done:
- Patients must have a right to request and receive an audit at least once a year showing who has accessed their medical records.
- Law enforcement must be prohibited access to medical records without a warrant.
- Stiff civil and criminal statutory penalties must be put in place that can be imposed on any person or institution accessing a patient’s records without authorization or need to do so.
- A private right of action for patients to sue for damages for unauthorized access to records must be created.
The Green Mountain Care Board is expected to take up the proposal to change the patient consent policy on Thursday, Feb. 13, at 1 p.m.
- Before then, comments on the proposal can be submitted by 9 a.m. on Feb. 3 to the office of the Secretary of Administration, who will make a recommendation to the Green Mountain Care Board on whether the proposal should be approved, modified, or rejected.
- After the Green Mountain Care Board’s Feb. 13 hearing, comments will also be accepted by the board, which is expected to make its decision by Feb. 27. Information on submitting comments should be available on the board’s Web site following the Feb. 13 hearing; the deadline for submitting comments will likely be very tight.
- Proposal from Vermont Information Technology Leaders (VITL) to change the Vermont Health Information Exchange patient consent policy.
- Current patient consent policy, with proposed changes noted.
- Comments by ACLU-VT on the proposed changes.
- Read the Rutland Herald story on the sentencing of Kathy Tatro in Superior Court in Bennington in November 2012 for unauthorized access of a patient’s medical records.