Last week, we broke the story of how some medical records, particularly those stored on off-shore servers, are likely not protected by HIPAA's privacy reg's. I reached out to Dr Rob Lamberts (whom we've previously interviewed) for his thoughts on this as a provider:
Very troubling issues here. The question of “who has the record” is the most important one. There needs to be a certainty of who has access to the records unless the patient is made aware of that insecurity and gives consent. An example of insecurity is the use of Google Spreadsheets for monitoring blood pressure, etc which people sometimes share with their doctors. They should be aware that there is an insecurity of these records, and their consent to use them can be seen as acceptable in a narrow usage. Similarly, the tendency of patients in my practice to communicate via email must be covered by some sort of agreement in which the patient agrees that their use of email is “at their own risk” and that our practice will make every effort to only communicate securely.
The storage of records in an off-site setting where the actual location and potential access to them is unknown to both physician and patient is troubling. If the vendor is selling the doctor something that claims to “meet HIPAA security requirements” (which many 3rd party vendors do), then the onus is on the vendor.
I told Rob that I wasn't sure I agreed with that last part: It seems to me that, if I'm coming to you as a patient, I'm presuming that you have my records under lock-and-key, or at least in-house. Why is it my obligation to ask if that's the case? Rob replied:
The contract between a provider and an IT vendor is one where they take on the task of IT security (among others) in exchange for payment. Legally, the physician has gone into that agreement in good faith, and so the vendor would be liable should there be a breach. That is the same thing the patient does with the physician, overall. They assume the doctor is acting in a way that is responsible with the medical records. While I agree that there is a certain right of knowing where the records are stored, in some way we must trust that those making the sausage are being overseen by others who will make sure only reasonable things are being put into that sausage. There is a reasonable degree of trust we must all have (which is no excuse for naiveté or gullibility).
Okay, that makes good sense from the provider's POV. I'm still not convinced that a doc using a vendor with off-shore servers isn't obligated to notify his patients of such. Now, one might argue "well, Henry, how's the doc to know?" To which I'd reply "simple: ask."
Why not?
And a Special IB Thank You to Dr Rob for his insights and willingness to share them!
Very troubling issues here. The question of “who has the record” is the most important one. There needs to be a certainty of who has access to the records unless the patient is made aware of that insecurity and gives consent. An example of insecurity is the use of Google Spreadsheets for monitoring blood pressure, etc which people sometimes share with their doctors. They should be aware that there is an insecurity of these records, and their consent to use them can be seen as acceptable in a narrow usage. Similarly, the tendency of patients in my practice to communicate via email must be covered by some sort of agreement in which the patient agrees that their use of email is “at their own risk” and that our practice will make every effort to only communicate securely.
The storage of records in an off-site setting where the actual location and potential access to them is unknown to both physician and patient is troubling. If the vendor is selling the doctor something that claims to “meet HIPAA security requirements” (which many 3rd party vendors do), then the onus is on the vendor.
I told Rob that I wasn't sure I agreed with that last part: It seems to me that, if I'm coming to you as a patient, I'm presuming that you have my records under lock-and-key, or at least in-house. Why is it my obligation to ask if that's the case? Rob replied:
The contract between a provider and an IT vendor is one where they take on the task of IT security (among others) in exchange for payment. Legally, the physician has gone into that agreement in good faith, and so the vendor would be liable should there be a breach. That is the same thing the patient does with the physician, overall. They assume the doctor is acting in a way that is responsible with the medical records. While I agree that there is a certain right of knowing where the records are stored, in some way we must trust that those making the sausage are being overseen by others who will make sure only reasonable things are being put into that sausage. There is a reasonable degree of trust we must all have (which is no excuse for naiveté or gullibility).
Okay, that makes good sense from the provider's POV. I'm still not convinced that a doc using a vendor with off-shore servers isn't obligated to notify his patients of such. Now, one might argue "well, Henry, how's the doc to know?" To which I'd reply "simple: ask."
Why not?
And a Special IB Thank You to Dr Rob for his insights and willingness to share them!
Posts
