INTRODUCTION

Once health data are computerized, they become more vulnerable to data breaches. Computer systems can be hacked, computer equipment containing thousands of records can be stolen or misplaced, e-mail can be sent to the wrong recipient, medical employees can view charts that they should not be accessing from the privacy of their office computers, and many other electronic mishaps can occur. This chapter is dedicated to analysis of electronic health record (EHR) data security threats and the regulations that the federal government has implemented to address them.

I pause here for a brief introductory discussion of privacy terminology. The concept of privacy was first articulated in the legal literature in a 1890 Harvard Law Review article written by Samuel Warren and Louis Brandeis. The two scholars proposed that privacy is “the right to be let alone.” Thereafter, the Supreme Court found that the Constitution embodies the right to privacy even though the word appears nowhere in the document. For example, in the 1965 contraception case Griswold v. Connecticut, the Court declared that “the First Amendment has a penumbra where privacy is protected from governmental intrusion.” Similarly, in the now-famous 1973 case Roe v. Wade, the Court determined that the right to privacy encompasses a woman's decision to terminate her pregnancy, with some limitations.

Today, three separate terms relate to what are commonly known as privacy concerns. In the EHR context, the term “privacy” refers to the collection, storage, and use of patients’ health information. Thus privacy has to do with whether information can be acquired and used, by whom, and under what circumstances. “Confidentiality” is the principle that clinicians must maintain secrecy concerning patient information and should not disclose data without patient authorization. The “security” of medical records, which is the subject of this chapter, relates to technical measures and procedures that protect records from being inappropriately accessed or disclosed by hacking or other means.

The risks associated with the electronic storage and transmission of personal information in general and health data in particular are grave.