This week, the Connecticut Attorney General, Richard Blumenthal, sued Health Net of Connecticut for a data breach and their subsequent handling of the incident. As he notes, this lawsuit is historic, in that it is the very first enforcement action under HIPAA since the law was extended and enhanced with the HITECH (Healthcare Information Technology for Economic and Clinical Health) Act.

“Sadly, this lawsuit is historic — involving an unparalleled health care privacy breach and an unprecedented state enforcement of HIPAA,” Blumenthal said. “Protected private medical records and financial information on almost a half million Health Net enrollees in Connecticut were exposed for at least six months — most likely by thieves — before Health Net notified appropriate authorities and consumers. These missing medical records included some of the most personal, intimate patient information — exposing individuals to grave embarrassment and emotional distress, as well as financial harm and identity theft. The staggering scope of the data loss, and deliberate delay in disclosure, are legally actionable and ethically unacceptable. Even more alarming than the breach, Health Net downplayed and dismissed the danger to patients and consumers. Failing to protect patient privacy blatantly violates federal law and Health Net’s public trust. We are seeking a preliminary order to protect patients and consumers, and will fight for civil penalties.”

It is likely this while this is a first, that it is the beginning of a new era for healthcare organizations and the expectation that they will take the privacy obligations of their patients seriously.  While unfortunate, this situation illustrates that some healthcare organizations require stronger motivation to both protect patient information as well as to follow good sense and legal requirements to promptly notify individuals if there has been a breach of their information that may put them at risk.

One of the panels at the Consumer Electronics Show Digital Health Summit is asking a really interesting question: Who will you trust with your health data? As described in an article in Healthcare IT News on healthcare data privacy and security, there have been numerous data breach incidents over recent years who sensitive patient information has been inappropriately disclosed.

“In 2009, PrivacyRights.org reports that there were 46 breaches of PHI representing nearly 80M records.  Note that 76M of those records were from the VA that inadvertently sent one of its RAID drives out for repair without cleansing it of those 76M records of veterans.  If you can’t trust the government to keep your PHI safe, who can you trust?”

Now I must admit, I would never have suggested that it is reasonable to assume that the government is good at maintaining privacy of personal information that they collect on American citizens. But it is reasonable to assume that as more protected health information (PHI) is collected, stored, shared and manipulated in computer systems at healthcare providers and payors, that the risk of exposure, and the subsequent number of data breach incidents, will rise.

So it really does make for an interesting thought, do I trust my doctor and hospital with my health data? Do I trust my health insurer with my health data? How about my pharmacy? Like it or not, I don’t have much choice but to provide them with or allow them to access my PHI.

But I do have a choice as to whether I should entrust Microsoft or Google with this sensitive information. Both companies have built systems “in the cloud” that allow consumers to centralize their personal health history. Microsoft HealthVault is designed to let us “collect, store, and share health information critical to our family’s well-being” and Google Health allows us to “organize our health information all in one place, gather our medical records from doctors, hospitals, and pharmacies, and share our information securely with a family member, doctors or caregiver.”

Microsoft has made HealthVault quite “open”,enabling organizations such as providers, payors, pharmacies and others to create applications for individuals to import information that they hold on us into our HealthVault account. I setup a HealthVault account, to see how this worked. Unfortunately, neither my national pharmacy chain nor my health insurer were on the list of those who make such information “exportable” to HealthVault.

Assuming that my trusted providers, insurer and pharmacy do provide such export capabilities in the future, it still leaves me with a nagging concern: do I really trust Microsoft to hold my entire medical life history? While I’d love to have all of this information in one place, and to be able to make it available to healthcare providers that I may wantto see in the future, the thought of entrusting this to anyone is daunting, not the least of which a company who’s software is a constant target for viruses, worms and malware of all kinds.

So for now, I probably won’t start trusting my medical history to either Microsoft or Google.  My health data will be remain somewhat safe with doctors, an insurer and a pharmacy, and numerous business associates of their that I don’t even know by name, that I hope I can trust. But given the number and scope of data breaches the last year or so in healthcare, I’m not really feeling very confident about my healthcare data privacy at this moment.

As this comic strip illustrates, we can be our own worst enemy when it comes to exposing ourselves to risks of identity theft and crime. Increasingly, scammers will provide you with significant valid information such as your name, credit card number and issuing bank in order to gain your trust and solicit additional information such as the 3 digit card security code (CSC) with which they can more easily perpetrate various types of financial fraud.

An article today in iHealthbeat titled “Innovation Inspired by Economics: 2010 Health IT Forecast” discusses trends and expectations for growth in healthcare information technologies despite the financial issues faced by many US healthcare providers currently.

“Necessity being the mother of invention, a constrained economic environment will lead to health IT innovations in two ways. First, lower cost technologies are emerging in health IT, such as open-source software, software as a service, and cloud computing, all of which will be priced lower than traditional health IT offerings. Cloud computing (the use of the Internet to store, manipulate and deliver data already existing on the Web) is seen by some health IT consultants as a useful tool in health, especially for small medical practices.”

The growth in adoption of electronic health record (EHR) systems, combined with the noted trends towards the use of open source software and cloud computing, combined with a new privacy legislation with steep penalties for breaches in security, creates a “perfect storm” for healthcare with respect to data breach incidents.

iHealthbeat article further notes the evolution of risks and new legal requirements now associated with HIPAA business associates.

“We can expect tougher privacy and security enforcement in health care in 2010 because of new and heftier privacy and security penalties written into the American Recovery and Reinvestment Act. The civil penalty cap will be raised from $25,000 to $1.5 million. This is a major issue for 2010 because nearly 60% of business associates interviewed in a HIMSS Analytics survey in November 2009 were unaware that changes to HIPAA will go into effect in 2010. That’s when consumers are guaranteed ‘prompt access’ to an electronic copy of their health records.”

Everything points toward 2010 being a very interesting year when it comes to patient privacy and data security.