One thing I learned as a guardian of military secrets that I can tell you with confidence, and something the Department of Defense has known since it was the War Department, is that the only way to keep something secret, while sharing it with those that need to know, is to encrypt it. But encryption is not foolproof. What a solid encryption strategy will definitely accomplish is to make healthcare records even more valuable. Currently, according to Dr. Deborah Peel, founder of the advocacy group Patient Privacy Rights, they fetch about $50 online – while just a social security number can be purchased for $5.00 (or less).

MU, EHR, HIE – all are about sharing data, making HIPAA seem an afterthought. After all, the government isn’t paying providers to be HIPAA compliant, only MU certified. There are always privacy forms to be filled out at each doctor’s visit, creating, to some, this illusion that your privacy is even more important than your health. Many may disagree and say HIPAA works – and as far as it works that’s true. But then you read the following:

1. The government categorizes meaningful use of EHRs, in part, as “ensuring adequate privacy and security.”
2. Under the HITECH Act the HIPAA release now makes patient information records available to over “700,000 entities” and “one million to two million” business associates – without patient consent.

Seems “adequate” is the key word here. Of course it’s not made clear what “adequate” is, exactly, as this is definitely an area for ambiguity. What’s the definition of an “entity” or a “business associate”? My healthcare records are available to millions of people without my consent or knowledge. Why not just post them on a billboard? And with all this sharing comes greater breaches. Not “may come” – will come.

Without encryption strategies far beyond what we now have in place we can’t protect this data – and it’s unlikely we ever will, as criminals always seem to stay in step with, if not ahead of, whatever society comes up with to try and stop them. If that premise is correct then we need to mitigate the value of this data. As long as there’s value someone will want it and there will always be someone to get it for whoever is willing to pay.

Is there room for change in what private data is collected? Why are both sides of the aisle, in Congress, so ready to, in my opinion, sell us out (again) by undervaluing our privacy (again) even to the point of paying providers, with our tax dollars (of course), to ensure our records are online? There are positives to be sure but from a privacy/security standpoint – what’s the hurry? And in this ill-conceived rush we see hundreds of millions – with real numbers I’m sure in the billions – of wasteful government spending. Couple that number with an implementation failure rate, for EHR systems, hovering near 40% and the numbers become enough to make you need your doctor.

For those that happen to believe that these EHR systems will be entirely secure, or a forceful deterrent to medical record theft, think about Windows XP for a moment. While XP has been around for more than 15 years – including alpha/beta testing – why all the hubbub about it being no longer updated? Because 15 years on, it’s still being breached regularly enough that, according to Microsoft, it’s still vulnerable. Granted, new technologies make it easier to exploit an antiquated system, but there will always be new technologies being developed to make finding, and exploiting, weaknesses in systems a reality. Even the most secure EHR systems – and I’m sure many are extremely secure – are still susceptible to human error, judgement, and greed.

Obviously any breach can not only be embarrassing to some – even if just routine medical ailments come to light, a private person wouldn’t appreciate that, and then there are ailments that are anything but routine – but can also be financially ruinous to you if your healthcare data is used to fraudulently obtain medical services or used in a billing scam. That my data could be changed at the hands of cyber-terrorists, or a population-control fringe group, is, to me, much more frightening than someone exposing my health history or causing me financial problems. A hack into an HIE, a simple script to change everyone’s allergies listed as “yes” to a “no” – now we’re talking about potential life-taking, on a massive scale, rather than simply record taking.

For more, see the Patient Privacy Rights website. And here’s a good interview with Dr. Deborah C. Peel.

By Rob Gurganious, HealthITLink.com, April 14th, 2014