By Scott Snyder

Earlier this month, the 11th Circuit Court of Appeals ruled in favor of greater privacy protection for the medical data of deceased nursing home patients.  The issue arose when family members of a deceased patient in Florida sought medical records and were denied access.  According to the Health Insurance Portability and Accountability Act of 1996, a federal law, medical records may be released only to a designated “personal representative.”  This conflicted with a less restrictive Florida state law that required nursing homes to release records of deceased residents to spouses, guardians, surrogates, or attorneys.  According to the 11th Circuit, the more restrictive federal law preempts.

However, while privacy advocates can celebrate this small victory, they face growing challenges from new technologies that spread medical information across more devices and media.  One such medium is health social networking websites, on which users can share information and connect with individuals with similar afflictions.  This creates a significant privacy concern, especially as users frequently do not understand the privacy settings on these websites.  There is also uncertain accountability for third-parties who may wish to access and use data from the sites.

In addition, the growing prevalence of Bring Your Own Device policies raises concerns that sensitive medical information could be gleaned from lost or stolen devices.  These policies can cut costs for businesses that would otherwise have to provide electronic accessories to their employees, but they create vulnerabilities even as they reduce expenses.  A Cisco survey of healthcare workers found that 89% of U.S. healthcare workers use their personal smartphones for work purposes.  Another survey of hospitals found that 85% of physicians and staff use personal devices at work; this usage includes reviewing medical records and transferring files, including radiology images and lab results.  These findings juxtapose starkly with a sample White House BYOD policy that would require users to refrain from downloading or transferring sensitive business data to their personal devices.

While the decision in Florida demonstrates the availability of legal protection for private medical information, gaps clearly remain.  More widespread use of technology is rapidly exacerbating the problem; policymakers will need to work quickly to ensure that the law keeps pace.