When identity thieves come lurking, it’s not just your name, address and Social Security number that might be vulnerable: Increasingly, it’s your private health information as well.
In the past, your medical information was in a paper file that was tucked away in a doctor’s office or hospital. You weren’t in control of it, but the potential that your information might be abused if someone swiped your file was limited by the fact that it couldn’t be easily spread about. That’s changed. Now, you can compile electronically, and theoretically control, a personal health record (PHR), which typically is the collection of all of your medical conditions, illnesses, surgical procedures, treatments, medications and doctors’ notes.
Information that is kept by your doctor and hospital now might be stored electronically, which, of course, exposes it to data breaches and snooping. But that’s not the only peril: If you store your PHR online through one of dozens of online service providers, your data could be exposed to people who might use your information without your knowledge to, say, obtain medical treatment. They might even sell your information to others. American Health Information Management Association counts at least 84 online PHR providers. Experts tell us that there likely are hundreds, and more on the way, because of the aging population and the trend toward using Web-based services for finance, health care and social networking.
The appeal of having your PHR online is easy to understand, because it serves as a central repository where all of your health information is available for you to monitor and, through a few keystrokes, quickly share with health-care providers.
But the potential for that information to be stolen is troubling: Privacy Rights Clearinghouse, which is a consumer-privacy watchdog, has cataloged more than 300 incidents of medical-data breaches since 2005, both from stolen devices and from websites that store your PHR. The problem actually is much larger: Department of Health and Human Services’ (HHS) Office for Civil Rights reports that since September 2009, at least 50,000 people have experienced a breach of unsecured electronic health information.
The number of people whose health information has been exposed probably is much higher, because Federal Trade Commission is obligated to post on its website only breaches that affect 500 or more individuals in a single incident, says Chris Apgar of Apgar & Associates, which specializes in electronic-health-information privacy and security. Apgar predicts that the number of breaches will rise, because some online PHR sites don’t encrypt their data, and notebook computers and other portable devices that store PHRs are tempting targets for thieves.
Do Your Own PHR Diagnosis
The Health Insurance Portability and Accountability Act (HIPAA), which is the federal law that mandates health privacy, sets standards that companies that store your PHR must follow. But you should know that HIPAA doesn’t apply to all PHR suppliers. You can set up a PHR online through a hospital, doctor’s office, employer or health insurer, as well as through advertising-based websites. The good news is that the majority of those online PHR sites let you store your information for free. Less cheery is the fact that because not all entities that store PHRs have to follow HIPAA guidelines, they can’t guarantee that only you or those whom you designate will see your private medical information.
GET PERSONAL. The use of online PHRs remains relatively low. Only 7 percent of the 1,849 participants in an April 2010 survey said they retrieved, stored and updated their health information through online PHR suppliers. (The survey was conducted by California HealthCare Foundation [CHCF], which supports health-care innovation and technology.) However, if that percentage were applied nationwide, it would represent a big jump since 2008, when 2.7 percent of Americans had online PHRs, according to Markle Foundation, which promotes the use of health-care technology.