Surveys have shown that the majority of Americans are “very concerned” about identity theft or fraud (80 percent), the use of their medical information for marketing purposes (77 percent), and that their data might become available to employers or insurance companies (56 and 55 percent, respectively).  At the same time, 89 percent of respondents say that they want their physicians to be able to communicate with one another, while the majority support the development of Health Information Technology as a whole and believe that it will improve care and reduce costs1.

According to a current listing on, four of the ten major data security breaches on the list involved medical records getting into the wrong hands.  The VA experienced one of the top ten data security breaches of all time (over 26 million records).  Patient records contain information that can be used to steal a person’s identity or help criminals pinpoint vulnerable targets. Medical information can be used to discriminate unfairly because it is often beyond what the payors and others are allowed to know. Employers and insurance companies can discriminate based on past health issues if given access to these records.

Initiatives for a standardized Electronic Health Record (EHR) are gaining acceptance. As these standards are developed, the government and industry should look to the Purchase Card Industry Data Security Standard (PCI DSS) standard for eCommerce security. Under PCI DSS, compliant systems require sensitive information to be separated from non-sensitive data within the system and to be encrypted both in transit and at rest. This prevents hackers from reading the information even if they manage to break into the system or steal a computer. While PCI DSS compliance has helped prevent security breaches in the eCommerce world, the thing about standards is that they have to actually be ADOPTED to be effective. The eCommerce world is making progress, but not everyone has adopted the standard or even knows that they should.

As citizens, our privacy should be a top priority. The Health Insurance Portability and Accountability Act (HIPAA) was supposed to protect privacy but it has become simply another form where patients sign away their rights to take action against misappropriation in exchange for treatment. As EHRs become more prevalent within the Health Care World, strict security standards should be developed and made mandatory.

1Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis, Goldstein and Reins, March 2010