Lawyer Monthly - August 2023

It cannot be denied that when medical records were maintained predominantly on paper, it was more certain that the privacy of health information contained in such records could be protected. Now, with technological advances, electronic information can be transmitted anywhere and everywhere with a click of a button. Moreover, health information and medical records are often stored on virtual servers on the internet instead of in physical cabinets. As the healthcare industry marches rapidly forward to allowing more ‘open’ APIs with EMRs, provider custodians will lose even more control over who is gaining access to confidential health information and where it is going. While privacy laws and security frameworks continue to offer guardrails to try and prevent misuse and breaches of health information, the cold, hard truth is that its increased prevalence in an electronic medium and being shared more openly and easily makes it inherently more vulnerable.

In your experience, what are the most common ways in which a person’s right to health information privacy might be compromised?

The most common way that an individual’s privacy might be compromised is through data breaches. This can happen in a few different ways. Hacking incidents occur when criminals purposefully target and gain access to electronic health information. Hacking incidents can lead to medical and other sensitive information of thousands of individuals being obtained by the hacker and potentially ‘sold’ to other third parties. Data breaches can also occur because of unintentional security lapses. For example, if during a technology upgrade a health care organisation does not adequately evaluate the impact on security, a gap might cause health information to become inadvertently exposed on the internet. With the more recent push to open APIs and adopt FHIR standards for certified EMRs, I think we are unfortunately going to see mobile apps becoming a new point of risk to electronic health information.

With this new model, the burden will shift from the provider custodian to the patient to adequately vet all mobile apps that he/she intends to use and fully understand how their health information may be reused once it is downloaded from a source EMR. Many people do not realize that, for the most part, mobile app vendors are not subject to HIPAA. Such vendors are generally only required to abide by their own privacy policies and terms of use. Therefore, if the mobile app vendor notifies its customers that it may reuse any information downloaded into the app for other purposes, including potentially selling such data, and the customer agrees to such terms of use, the vendor would generally be permitted to do so. The Federal Trade Commission (FTC) has been very active over the last few months in an attempt to hold vendors of mobile health data apps accountable for “unfair or deceptive acts or practices”. Several such vendors have been subjected to FTC enforcement actions this year. In addition, many states are individually passing privacy laws which would further regulate such mobile app vendors in their collection and reuse of individually identifiable information. Last, I would be remiss if I did not mention how pixels, cookies and other online tracking technologies have recently led to finding a massive amount of patients’ individually identifiable data being ‘scraped’ up and shared with or even sold to third parties like Google and Meta.

What consequences can there be for those whose healthcare information is compromised in these ways?

The consequences to the healthcare organisations are substantial. When health information is compromised due to violation of HIPAA, this can lead to significant civil monetary penalties. It can also lead to lawsuits, as is recently the case with the online tracking fiasco. Currently, dozens of hospitals have been named in class action lawsuits where plaintiffs are alleging that enabled tracking pixels impermissibly ‘scooped up’ their personal information from the hospital’s online website and disclosed it to third parties for unauthorised purposes. When such incidents happen, reputational damage to the organisation is also unavoidable. There are also consequences to the affected individuals. Data breaches can result in a person’s sensitive and highly confidential information ‘floating around’ in the public domain. The impact of this can include embarrassment
