Some Thoughts on Privacy

Imagine that the following is true:

  1. There is no social stigma attached to any disease or health condition. You have what you have, and no one cares but you and your physician.
  2. You are not denied coverage, care, or a job because you have any particular disease or health condition.

How would that change things?

For one thing, there would be much less incentive to know things about each other in order to benefit from that knowledge. Our efforts to ensure privacy would focus on personal respect and professional behavior. Today, however, we make and enforce rules and regulations (HIPAA, breach notification, etc.) and we create technology (encryption, disclosure tracking and reporting, etc.) to reduce the risks. Despite huge expenditures to reduce that risk, we’re learning that it’s not so easy. In fact, the HITECH legislation passed last year in the US makes an interesting assumption: by including breach notification requirements, legislators assume that breaches of protected health information (PHI) will continue. And how can they not?

Just last week there were two stories of health information falling outside of the control of providers. Wellpoint’s website glitch revealed information on thousands of customers to anyone who knew how to modify the URL; meanwhile, FedEx apparently lost a package destined for Lincoln Medical and Mental Health Center in New York. The package contained CDs filled with PHI from one of its vendors. In the Wellpoint case, it is believed that a third-party vendor responsible for system upgrades and security did not make all of the necessary changes during an upgrade. In both of these instances, the breach occurred not because of a failure of technology, but due to a failure in the way it was integrated into the organizational information flow and related processes. The reality is that people make mistakes. As systems evolve and become ever more complex, the quality control process is more likely to include lots of crossed fingers.

Again, this is part of the larger question of just how we manage the process of coming to first trust, then rely upon our technology solutions. As of today, there are 107 posted notifications of breaches involving 500 or more individuals on the US Health and Human Services (HHS) website. That’s just between late September 2009 and today. This is going to be a huge challenge. It will be interesting to see if we continue to settle for breach notification and free credit monitoring, or if we solve this another way.

While I don’t expect that the scenario imagined above could come about without massive cultural changes, it is a different way to look at the problem. And even if we could change numbers 1 and 2 above, there is a third piece that would require change as well: as long as identity theft is accepted as a cost of doing business, it remains a profitable enterprise. And that means someone will be looking for our data.

-Rod Piechowski

Copyright © 2010, Rod Piechowski, Inc., Consulting
