Recent Data Breaches Spark Criticism of Medical Privacy Laws

From iHealthBeat

April 09, 2008

Recent Data Breaches Spark Criticism of Medical Privacy Laws

Recently disclosed data breaches at University of California-Los Angeles Medical Center have led some critics of federal and state medical privacy laws to question whether the laws are strict enough, the Los Angeles Times reports.

The federal Health Insurance Portability and Accountability Act of 1996 includes rules that govern medical privacy, but a recent legal opinion by the Justice Department concluded that the rules apply primarily to organizations -- hospitals, health plans and physician offices -- and only secondarily to individuals, who typically are implicated in privacy violations.

Some privacy advocates have called for the law to be revised to permit individuals to specifically designate who may access their medical records, but some health care industry stakeholders argue that such a law would be difficult to enforce.

Investigation

The California Department of Public Health has launched an investigation into the recent data breaches at UCLA Medical Center. If the probe finds privacy deficiencies at UCLA, the department can force the facility to create a plan of correction.

California would then review the plan and revisit the hospital to ensure the plan has been implemented, the Times reports (Alonso-Zaldivar, Los Angeles Times, 4/9).

UCLA Employee Revealed

The UCLA Medical Center employee, Lawanda Jackson, who allegedly breached nearly 60 patients' medical records said on Tuesday, it was "just me being nosy," the Times reports.

Jackson, an administrative specialist, could face criminal charges for violating HIPAA medical privacy rules (Ornstein, Los Angeles Times, 4/9).

Letter to the Editor

Deborah Peel, founder of Patient Privacy Rights, in a Healthcare IT News letter to the editor writes, "The abysmal security measure and non-existent consumer access control over personal data at the UCLA Medical Center and by the NIH are currently standard operating procedure for the entire health care industry."

She adds, "The nation's electronic health systems are neither safe nor secure, and consumers cannot stop their very valuable data from being snooped in, shared, misused, sold or stolen.

According to Peel, the TRUST Act (HR 5442) "will do most of what is needed to restore our centuries-old legal and ethical standards to health privacy and control over personal health information" (Peel, Healthcare IT News, 4/9).