Patient Privacy and High Technology: Data Control

Given the increase in the use of technology and the ubiquity of various devices available from which data can be shared, federal laws were introduced to help protect patient confidentiality.

The Health Insurance Portability and Accountability Act (HIPAA), has been in effect since 1996, and intended to protect a patient's privacy and prevent releasing (whether intentionally or accidentally) personal medical information. FYI -- The ethics behind physicians securing patient privacy were first instituted by Hippocrates. The newest regulations, entitled, The Health Information Technology for Economic and Clinical Health Act (HITECH) took effect on March 26, 2013, and was introduced alongside HIPAA. This more recent act requires healthcare providers to take measures, further tighten security, and improve patient access to their confidential medical records. The 563 pages of the HITECH Act affect patient requests and approvals, breach reporting, and the role of business associates. Penalties for noncompliance have increased accordingly.

Key details of HITECH are:

• Patients can request copies of their electronic medical information in electronic format, and offices have 30 days to send the information. The 30-day extension for records that are inaccessible or kept off site has been eliminated.
• When patients pay for services personally and in full, they can require that information about treatment not be shared with their health plans.
• Breach reporting to the government has changed as well. Until now, reporting has been based on the harm standard, which indicated that a breach was reportable only if it posed a significant risk of harm to the patient's finances or reputation. The new regulations say that any loss or inappropriate disclosure of data is presumed to be a breach, unless the office can show that there is a low probability the information will be used improperly.
• Fines have increased and are dependent on the level of negligence. The previous $25,000 per violation is now $50,000, with an annual limit of $1.5 million.
• There are new restrictions on patient authorizations for the use of personal information for marketing and fundraising, as well as permissions to sell personal information.
• The process for receiving patient authorization to use health data for research is actually simpler.

So what about the radiology community?

From the radiologists' perspective, not much will change on a day-to-day basis. For the physicians who spend their days interpreting studies and consulting with other physicians and patients, however, this act has important components for radiology administrators. Physician offices and hospitals will be increasing security measures over their data, which includes not only administrative team members, but also technologists, registration staff, radiologists, assistants, etc.

With so much data streaming around physician offices, paying careful attention to data security is the key element associated with this act.

However, there is no doubt that medical information data -- even when protected and seemingly secure -- can be compromised. Internal rules and regulations will need to be reviewed along with those of its data partners, to ensure that systems are secure, and that they have adequate contingency plans in place.

Data and technology can be a blessing and a curse. More data, more transparency, more oversight, more regulations. It is a brave new digital world.