
Let the punishment match the offense

February 1, 2009
by James Feldbaum

Today’s New York Times printed an editorial entitled “Your E-Health records.” As could be expected, the chief issue is one of privacy. The potential for abuse is described as “as vast as the internet.” A letter to Congress from the American Civil Liberties Union did a good job enumerating the nefarious abuse potential of the EMR when in the wrong hands. Still, the “opinion” was pretty even-handed and borderline optimistic.

By frequently auditing the trail of information, inappropriate access can be discovered and prosecuted. A few well-publicized criminal prosecutions could go a long way toward reducing the temptation to misuse the information we need so desperately to improve the care of our patients.

Let the punishment match the offense.

Cicero (106 BC - 43 BC)

Comments

Jim,
Thanks for link and summary in your second paragraph.

Respecting confidentiality and privacy has always been a balance between access restriction and policy. Clearly, there are hazards on either side of that balance.

I struggle with the "let the punishment match the offense" title of your post. Privacy seems like one of those situations where there is a fundamental asymmetry between violations and remedy. What do you think? (See my post on Privacy Joy for more asymmetric threats and life post 9/11, which elaborates Bill Joy's observations for healthcare data.)

Joe,
First, I have a bias, as I confessed in my 1/12/09 blog entry:

"Personally, I worry much less about privacy and the present imperfect state of our technology than I do about our inaction. Let's focus on getting every American safer more affordable healthcare."

Have no fear of perfection - you'll never reach it.
Salvador Dali (1904-1989)

In this blog entry I wanted to draw the distinction between the prying eyes of an unauthorized employee at a celebrity's chart and the sophisticated electronic attack on patient files for the purpose of discrimination or criminal use of information. Clearly, any unauthorized invasion of a chart is unacceptable. The punishment for the "curious" employee might be the loss of job and a fine whereas the punishment for the same employee who sold that information would reach a new level of criminal behavior and require more severe punishment.

Please excuse this oversimplification, but I view this like I view "convenience stores". Convenience stores are far too frequently the site of criminal activity. There is a criminal distinction drawn between the activity of shoplifting, sale of cigarettes to a minor, robbery, and robbery with a handgun. In any case, we don't advocate closing all convenience stores in order to eliminate a possible source of illicit activity.

In my November 24th entry I expressed my fear that "no harm" offenses expose treating physicians to a risk that could further derail their desire to implement an EMR.

A new California law that takes effect January 1, 2009 will significantly increase fines not only for the illegal use of the medical record but also for unauthorized access of records. The law also opens the doors for patients to sue doctors when their records are accessed even if there is no damage. It is expected that other states will follow suit.

We must build appropriate safeguards into the design of the EHR/EMR. We must create thoughtful punishment for offenders. We just can't allow ourselves to be derailed from a worthwhile endeavor by the fear (reasonable as it is) that it can be "hacked."

Thanks Jim. That makes sense.

I agree with the bias for thoughtful action.

James Feldbaum

Jim Feldbaum is a physician consultant specializing in clinical transformation, CPOE, and...