The dismissal of a lawsuit earlier this week against University Health Care after last summer's theft of 1.5 million patient records comes at the same time the national Institute of Medicine is calling for better security regarding personal medical information.
David Entwistle, CEO of University of Utah Hospitals and Clinics, told the Deseret News Wednesday that one of two lawsuits filed against the U. after patient information was stolen from a courier's car in June — putting sensitive information including billing records, medical procedure codes and some Social Security numbers at risk — has been dismissed "without prejudice," meaning if any harm from the incident is alleged in the future, the case can be re-opened.
He said the FBI's investigation of the eight recovered data tapes found "there's no way to ever definitively tell" whether information on them had been accessed because they had been "written and re-written over so many different times. But I'd say they were 99 percent sure … the data hadn't been accessed."
Though police recovered the data tapes less than a month after they were stolen, the U. was sued in two different filings on behalf of former patients whose information was compromised. A second suit is still pending, according to University Health Care spokesman Chris Nelson. Both men noted the U. is constantly updating its encryption of medical records to thwart future attempts to access them.
The lawsuit's dismissal comes the same week national health care officials are advocating a new approach to protect patient privacy.
Federal rules designed to provide greater privacy for patients' medical records don't adequately protect private health information, and limit the scope of medical research, officials said in a national report released Wednesday.
A new report released by the Institute of Medicine, which is chartered by the National Academy of Sciences, urges "all institutions conducting health research to strengthen their data protection," noting "security breaches are a growing problem for health information databases."
The report recommends either a new federal privacy and security policy to replace the 1996 Health Insurance Portability and Accountability Act (HIPAA), or changes to HIPAA that would require "encryption for all laptops, flash drives and other portable media" containing medical records, as well as smoothing the way for medical research.
During a teleconference press briefing Wednesday, Marc Rotenberg, president of the Electronic Privacy Information Center in Washington, D.C., told the Deseret News that the institute commissioned a survey by a privacy expert, who found "high levels of concern" about privacy.
A privacy study reported in 2005 found that 48 percent of American adults believe the benefits of digital patient records outweigh the risks to privacy, but about the same percentage say privacy risks outweigh potential benefits.
Entwistle was not involved in the teleconference, but said he doesn't believe HIPAA has necessarily made patient information safer, yet the policy has cost the U. "several million dollars" to implement. Medical accrediting organizations "are very strict" about privacy and security, he said. "They're probably much harder on us from a compliance standpoint" than HIPAA is.
HIPAA also poses challenges for medical researchers, who find patients less willing to participate in research studies, depriving the public of potential advances in medical research. The institute's report said HIPAA makes it too difficult for patients to give their consent, and that their consent can only be obtained for one study at a time, so researchers can't access information obtained in previous studies to further their work.
That leaves Americans without access to information that could impact their treatment for a variety of medical conditions, the report said.
The report describes the impact on a study of acute coronary syndrome at the University of Michigan, where 96 percent of patients consented to participate before HIPAA was instituted, but only 34 percent agreed to participate once the federal ruling was in place.
It also describes how HIPAA's provisions are implemented so differently among various medical providers that large studies involving different hospitals are often thwarted because of concerns about institutional risk.
Bernard Lo, director of medical ethics at the University of California, San Francisco, said the report doesn't make specific recommendations regarding medical privacy legislation currently pending in Congress, but the timing of the report's release may help lawmakers craft better public policy.