 |
 |
|
|
In a serious security breach that raises troubling questions about the reliability of safeguards to protect the confidentiality of computer-stored health records, a Florida state health official distributed the names of AIDS patients in the Tampa Bay area to his friends so they could check potential dates against the list of infected individuals.
The confidential computer disks containing about 4,000 names also found their way to the offices of two local newspapers, the St. Petersburg Times and Tampa Tribune, along with an anonymous note stating that a state health worker was circulating them in a bar. While the newspapers declined to publish the list of HIV-infected Floridians, they did report about the confidentiality violation and the status of security protections used by the Florida Department of Health and Rehabilitative Services (HRS). This agency was responsible for the HIV data and employed William Calvert III, the alleged leaker of the names, as an investigator.
Illustrating the potential minefield that security breaches pose for those entrusted with confidential records, the purloined computer disks contained not only the names of AIDS and HIV-infected patients, but also their addresses, phone numbers, the method by which they became infected with the AIDS virus, and other health-related information.
"The likelihood that such an enormous breach of confidentiality can occur has increased substantially in the computer age compared with when records were in hard-copy formats," said Grace O. Young, M.D., chair of APA's Committee on Confidentiality. "This egregious incident underscores how important it is for psychiatrists and other physicians to use their best judgment about what information beyond that required by public health authorities should be included in patients' medical records."
"It serves as a clear example that the electronic age brings as many burdens as benefits," added APA AIDS Commission Chair Marshall Forstein, M.D.
Richard Hosking, the Florida HRS's health services administrator, insisted that his agency's system for protecting the privacy of medical records was not at fault. Calvert, he said, despite training in confidentiality procedures and signing his name to a confidentiality pledge, chose to ignore or bypass the protections HRS has instituted. The agency is, however, further tightening its security measures, Hosking acknowledged.
The Florida Department of Law Enforcement has begun a criminal investigation into the security breach, and Calvert was placed on paid administrative leave while the agency investigates the incident further.
Commenting on the serious harm that would be inflicted on the nation's health system if recipients of care lose faith in its ability to guard the privacy of their records, Linda Stone, president of the Florida chapter of the American Health Information Management Association (AHIMA), stressed that patients could be the ultimate losers.
"If they don't have confidence in how their information is being handled, patients may withhold critical information that could affect the quality and outcome of their care."
The AHIMA is the trade association representing professionals involved in managing health information and medical records. It was so concerned about the consequences of such data leaks that soon after this episode came to light, its board passed a resolution to step up its efforts to educate health care providers, public health organizations, insurance companies, and others with access to medical information databases about the types of protections that can prevent security breaches such as the one in Florida. The task of securing these sensitive records becomes more daunting, however, as advances in technology increase the number and complexity of computerized systems and with that the number of people with access to them.
The prospect of public disclosure of their identities is particularly disturbing for people with illnesses that continue to be stigmatized_AIDS and psychiatric illnesses, for example_and raises a "grave concern that people will not seek help when they need it," Young emphasized.
"There is no good reason" for state health departments even to be collecting such detailed and revealing data about HIV-infected persons, Forstein told Psychiatric News. The Centers for Disease Control and Prevention is able to track the epidemic's spread by assigning each infected person an identifier that includes a minimal amount of information. "This fiasco shows why amassing such large amounts of data is not in the patients' best interest and will just end up frightening people away from being tested or treated for HIV," he noted.
"We have to find some way to extend ethical requirements concerning confidentiality to people not currently bound by them, but who have access to sensitive and confidential information," Young said.
(Psychiatric News, November 1, 1996)