BYOD Policies Could Threaten Healthcare Privacy

By GabbyPA Latest Reply 2013-05-07 17:41:07 -0500
Started 2013-04-26 08:45:31 -0500

By Diabetes Health

As technology puts smartphones into almost every hand, those technological advances may be putting your personal healthcare information at risk, according to a new study.

In a survey of 1,000 healthcare workers conducted by the marketing firm Cisco, 89 percent of healthcare workers in the United States used a personal smartphone for work purposes within the last year.

Read the entire article here:

In my doctor's office they use computers, but they are in the rooms and not things like smart phones. But this article does give one reason to pause. Do you know where your personal and very private information might be going? Just a little scary.

11 replies

Graylin Bee 2013-04-29 19:13:13 -0500

After living way too many years in a small town I learned that word of mouth can spread info about as fast as the internet. Many of those years there was no internet, but phone lines would get your info throughout the city limits. People will be people, unfortunately.

Nick1962 2013-04-27 18:20:58 -0500

I really think this article was published as alarmist hype. This week I had the opportunity to see the system in action for a few days and I was impressed. First, the hospital I was in was not BYOD, but provided smart phones (or a monetary donation to purchase your own) to be used at work only. Second, patient information was only fed to a device based on a need to know basis/security clearance level. Doctors had higher clearance than nurse’s aides for example, and in many cases connectivity was lost when the phone left the floor. To my understanding, in no case did any one single person ever have full and complete access to all of my medical files at one time. Even if a phone/device were lost, as soon as it was reported, access was eliminated altogether. This transition to device based file sharing has just recently occurred, so I think now that 89% of people reporting have gone down considerably and use policies have tightened. Plus the article doesn’t really specify what “for work purposes” really encompasses. It could be as innocuous as simply phoning in scripts to a patient’s pharmacy.

I doubt any reputable health care provider is going to skirt the HIPAA regulations by allowing free access to patient files on personal or unsecured devices. In fact, under the old paper system, the possibility of “leakage” was far greater considering how many people handled that paper during the course of care simply from a data input perspective.

Right now, the new device based system is far more efficient and secure than the old paper system ever could be. Any system can be hacked or abused. I’m not really sure what good my medical records would be to someone, but yes, I can see that there are instances that sensitive information may not want to be exposed.

I’m not by far a “techie”, but I personally feel a lot more comfortable with the new device based system than I did with the old “chart at the foot of the bed” that even the janitor could read if I happened to be sleeping.

GabbyPA 2013-04-28 18:26:35 -0500

This is probably true. I just know that so many things change and even with a piece of paper, at least it's not floating outside the facility. Bad people will get a hold of things if they want no matter the medium it's in. I have to be honest, I am not a techie. Technology is something I use because I often have no other choice. I guess I'm turning into one of those old people who fights change.

Nick1962 2013-04-29 11:24:37 -0500

Well actually Gabby, in some cases your information was “floating” around outside the facility. Any time you needed records transferred, they were sent either via a courier (along with hundreds of others), or often via an unsecured fax line where unless the intended recipient was right there, was passed on and delivered through a series of humans by a cart (or car) twice daily that was often parked unattended outside an office where anyone could get a hold of them. I know in several cases records that were to be destroyed sat in boxes in the hospital recycling/trash room until an amount sufficient to warrant a medical records employee’s half day stint in front of the shredder was justified. In large cities like mine we have dedicated companies who do nothing more than house and distribute paper files between medical facilities. However, many people think these records are all “master” copies that contain every bit of patient info, when in reality, it’s just bits and pieces pertinent to what the next physician needs. Even though this seems archaic, getting any sufficient “dirt” on someone would take some real work.

Mind you there are going to be privacy issues, but I think in some cases those breaches might be justified no matter how much we believe in the “principle” of privacy. For example, would you favor medical record disclosure to determine someone’s mental fitness to own a weapon? Would you favor medical disclosure into someone’s pharmaceutical records to determine potential abuse or risk for insurance coverage? And even closer to home, to determine “non-compliant” diabetics for coverages? Under the paper system, this could all be done given some time and phone work, now it’s just a few clicks and the ethical question of just who’s allowed to make them.

GabbyPA 2013-04-29 13:27:44 -0500

Yes, I agree. There is no protection that is 100%. Paper, files, virtual anything like that. Once it is in a medium that another person can read, it's not private anymore. I do understand that. Carelessness happens in a shredding room, a fax transmission or on an iPhone. It all creeps me out.

Here is what I would prefer. I would rather have a patient who goes for help with their mental illness be treated BEFORE they hurt themselves or someone else. Typically it is not that procedure.
I would prefer that we not live in a "Minority Report" mentality in that we try to prevent a possible breach of some unforeseen problem. People are innocent until proven otherwise. I cannot judge someone on what they might possibly do. Only on what they have done, and even more so, only on what I know they have done to me.

Perhaps this is the kicker...who determines what is their business and what is mine? I am a very staunch protector of my privacy. I try hard to keep my stuff in my pocket. But I know that as long as something is outside of my own mind it is vulnerable. When we begin to take away the privacy of those who are weak or cannot stand for themselves, the slope begins the steep decline. In the name of protection, we do a lot of very wrong things as a nation. I don't want to get too deep, as this is not the site for that.

Just remember that a "non-compliant" diabetic is not always non compliant by choice. We must use great wisdom in those choices of who to single out, because eventually, it could be you. And we are either foolish or naive to think it would not be the case.

Nick1962 2013-04-29 16:27:41 -0500

I agree, there is a fine line between privacy and protection. And yes, the "minority report" mentality is a different discussion for a different place, but we've been on that slope for some time now.

To me the term "non-compliant" (no matter what condition it's attached to) means non-willing. I am a non-compliant driver (not unable), so no question about that term here.

I think you're absolutely right about who determines the difference between personal privacy and information for the common good. Do we need to categorize our own personal information when we provide it (which we somewhat do already) and refine the existing HIPAA laws? I'd be all for having a master list that each person could select, either on their own or with trusted assistance, what information is given to who. Maybe this should be reviewed yearly along with your life insurance? I know your views on the subject, would this be something you would actively participate in?

GabbyPA 2013-05-01 13:26:35 -0500

That is an interesting way to consider it. That would work for those who carry life insurance, but what about those who don't? I have life insurance, but not health insurance, how would it work? I do like that we would have some personal control over who gets what. I just know when we keep trying the "One size fits all" it doesn't work. Streamlining life is just not how it happens. Life is complicated. People are complicated. When I even see what my doctor puts on my "visit sheet" makes me angry, because he might tell me I need to lose weight, he puts on my record that he reviewed a diet plan with me, discussed possible solutions to the issue. I was shocked at what is in my record that is not true...and that is what gets shared. It's just a hard topic and there is no easy solution.

Nick1962 2013-05-01 17:07:02 -0500

I have given this thought for exactly the reason you stated. My weight has always been an issue and to look at my doctor’s comments you’d think he’d been hounding me to tears. “Of course your weight isn’t helping” was his most stern comment. This scenario is changing though. My doctor now codes everything, and each code triggers a boilerplate response. If he feels I’m overweight, it’s coded as an issue at my visit and a nearby printer prints out a standard sheet of weight loss information which is given to me with little or no discussion. I walk away with paper every visit. His commentary only includes “information on ………. provided to patient.” Right now I could basically stand on the scale when I come in, punch in “physical”, get wired up and checked and have it all printed out like a vending machine. But then I live in a city of half a million people.

You do have a right to review all your medical information. Trouble is it’s in bits and pieces. Insurance only records procedures and visits, not physician commentary (which is usually only shared between physicians).
One of the things I would have liked to see with the health care reform is centralized medical reporting. Life or health insurance wouldn’t matter, because anything you had done would be reported to a main agency like your credit score is. Here again, the issue of privacy comes up and how comfortable you are in having all that info in one place, and again, would the convenience be worth it to you to be able to review and dispute things like you can with your credit score. Of course like your credit score, depending on the nature of the procedure/information needed, only certain amounts of that are allowed out (which is current practice already). Of course you’d be charged for a review and any appeals, and it would cost money to maintain such a database. I guess I’m hearing from you that it’s not so much you mind your records being available, just that the information in them is not 100% accurate. That I understand, and it may be worth your time to do a records review with your doctor.

GabbyPA 2013-05-05 14:45:08 -0500

Well, yes and no. I don't want inaccurate information out there for sure because so many other things can be done to someone based on medical records. For instance, I spoke to a woman whose husband is a veteran. He is on medicines for his depression. Unfortunately at the VA if he has to have his meds tweaked in the past he has had to Baker Act himself in, to get that done. Even though he is not in need of a mental facility. On his record is that he has Baker Acted himself and now he will not be allowed to own a gun under the proposed new gun laws. He just had to do it to get in to see a doctor or he'd have to wait for weeks to get in.

What is happening is that we have to work our way around so much crap in the medical system, that we often have to do something that is not 100% on target, just to get something we need.

I would not really care if it was just shared with the medical professions. I totally think that information sharing between my team of doctors would be great. But they don't do that either, I have to bring my primary any updates I get from other doctors, and to be honest, he really doesn't seem to care. What I don't like is the non-medical things that can be done based on these records that so many of us don't even know what is in them.

Yes, that is our responsibility. But sometimes, just like your credit score, you don't know there is something wrong in there until it's too late or it takes an act of god to fix it.

An example is that my diabetes educator once had a B deficiency listed in her records. It was just one test, and it was treated and is fine now. BUT, she was denied health insurance for certain coverage because of that being on her records as untreated.

I would love it to be able to just have a doctor who cared more about me than having to follow rules he hates anyway. I would rather have a conversation with him that is helpful than a print out that tells lies. My health is not a code. My health is very personal. It's unique and we don't have that kind of treatment anymore. The more technical we get, the less humane we are treated.

Nick1962 2013-05-06 16:44:32 -0500

Well, we always hear about the stories about where things fall between the cracks, and let’s be honest; the VA is nothing short of cracks. We don’t hear about the other 95% of the system that actually works well and moves a lot of patients through with quality care on a daily basis. I suspect that in the case of your DB educator, that little glitch was a case of poor records and follow up.

I’m not really sure why you have to do the legwork of updating your primary with every little thing, unless you’re not working within a group health care system. With the exception of what my chiropractor does, everything gets reported to my PCP because he is basically the gatekeeper of my overall health. Now, that doesn’t mean every single x-ray and test is shared with him, but he knows that the referral he gave me to see a physiologist for my back issues resulted in several different escalations and so on right through to the surgery. Did I feel like cattle? You bet. Did I hate the absolute coldness and impersonality of the whole thing? Yes (the nurses at the hospital did make up for some of that though), but in our “drive-up” society now, getting folks in and out is pretty much the only way to keep costs down.

Yes, in the big picture I am cattle and codes, and every dollar of medical care that is given to me is a code. Personalized care went away with the country doctor or the private practice physician who didn’t have to answer to anybody but his/her own wallet. Again, our litigious, drive-through society pretty much did that in. On the other hand, if you have “subjective” information in your files, anything that looks like a loose end, you need to get that cleared up. Just how to do that is on at least one piece of paper you leave any medical professional’s office with. Plus, I’d make sure I didn’t leave the office unless I was sure of what was going into my file, and looking at my bill to determine that if I was being charged for “education”, I was receiving it. If this were being charged to your insurance company, this would be coded as a deliverable, and would show up on your explanation of benefits for you to dispute. This is where the new crack-down on coding comes in handy. It isn’t subjective, and unless you know just what those codes are, it’s pretty darned secure. However, as this thread has developed, I’m hearing a little bit of not so much that it’s shared, but how the government is going to be allowed access to it (and possibly misinterpret it) and for what purposes. If that’s the case, it may be well worth your time and preparedness to go through a full-blown review.