There are three key take-aways from a recent survey on the scope of the healthcare data-security problem.
Only one of them is about its size, which is to say, huge.
Another is that the level of public awareness about the problem is surprisingly high compared with public familiarity about other civic issues, according to an expert who collaborated with the polling firm in putting the survey together.
Finally, substantially more people think electronic health-record systems are riskier than paper-based records.
Alan Westin is a principal with the Privacy Consulting Group, Teaneck, N.J., and a professor emeritus of public law and government at Columbia University. Westin worked with Harris Interactive on the survey instrument used to poll 2,454 adults online between June 9 and June 16. Harris Interactive did not include a "margin of error" estimate with the poll results.
Asked, "To the best of your knowledge, have your medical records or health information, or those of a family member, ever been lost or stolen from an organization that had those records?" about 4% of respondents answered "yes," with about 3% reporting it was their own records that had been lost or stolen.
Projecting 4% against a U.S. Census Bureau population estimate of 228 million adults in 2007, the math works out to an estimate of about 9 million citizens who, at some time, either had their records lost or stolen or know a family member who did.
Respondents were also asked whether, "(I)n the past year have you read or heard anything about medical records with personal health information being lost or stolen from doctors' offices, clinics, hospitals, health insurers, employers or government agencies?" A substantial majority, 69%, responded "yes."
It has oft been asserted by proponents of EHR systems that they are safer than paper records because, among other things, EHRs have an audit trail. The public, however, may not be buying it, according to the Harris survey.
The adult sample also was asked, "Whether or not you have read or heard about medical records or information being lost or stolen, which form of medical records do you think is lost or stolen most often?"
Of all respondents, 47% indicated they thought electronic records were more apt to be lost or purloined. By comparison, 23% indicated electronic and paper records were almost equally vulnerable, while 16% thought paper records were more likely to be lost or stolen and 14% were unsure.
For individuals who said they'd had their own medical records lost or stolen, however, 54% indicated electronic records were more likely to be involved in a data loss or theft, 26% reported electronic and paper records were equally at risk, 12% thought paper records were less secure and 8% were not sure.
Westin said that the millions of victims of records security breaches in healthcare seem to parallel what the San Diego-based Identity Theft Resource Center found when it recently released a midyear report on 342 reported data breaches across all industries involving almost 17 million people.
Westin said the estimate of 9 million healthcare victims seems credible as a subset of that larger number, particularly because the Harris Interactive poll did not limit respondents to incidents that occurred only this year.
"People could be going back two, three, four years or more and say, 'Yes, it has happened to me,' " Westin said. "I think it is a credible number."
Westin described the level of public awareness about healthcare breaches as "unusually high."
"When you ask about public-affairs issues, you're lucky to get 30% to 40%," he said. "I think that what you've got there is an increasing amount of episodes that people have read or heard about it. They're paying attention because of apprehension, I suppose."
Last month, the Office of the National Coordinator for Health Information Technology awarded a $450,000 contract to healthcare, management and intelligence community consultant Booz Allen Hamilton, McLean, Va., to look into the problem of medical identity theft.
The Beltway contractor is supposed to do an "environmental scan" to get its arms around the problem, then convene a meeting to gather ideas on how medical identity theft should be addressed, and then to write up an action plan recommending ways to deal with the problem. Medical identity theft is commonly defined as the use of a person's identifiable health information without their consent by another to improperly obtain medical goods or services or to submit false claims for medical services, a narrower description of activity than the one Westin used in the recent Harris survey.
"The term we used aimed at identifying the loss or theft of medical records or health information from health-information keepers whether or not medical identity theft took place," Westin said in an e-mail. "Our situation captures the feelings by patients of violation and potential misuse or publication of sensitive medical information, whether or not it was or might be used in" medical identity theft.
Still, Westin said, the Booz Allen contractors "can see my survey as a pointer to them as to the dimension of the problem."
In addition, Westin said, "I would think our survey is a wake-up call to two groups, the keepers of the medical records - that they have to put more resources into keeping and retaining medical records if they're going to maintain trust - and there is a whole industry out there that helps maintain security and can help them with it, so you don't have to keep reinventing the wheel."