There was an anonymous comment on my post, E-Rx Update and Review (thanks, BTW), that linked to a concerning article in Forbes about Practice Fusion.
For those who haven't been following, Practice Fusion is a free electronic medical record system. I signed up for it because it allows me to e-prescribe, which I and every other doctor in the country will be required to do starting in March of 2015,and I don't want a last minute scramble-the I-STOP deadline had to be postponed because many prescribers didn't have an HCS account, although I'm not sure how they were getting their rx pads before that. I don't use Practice Fusion for patient records, mainly because the data is stored in the cloud and it's not clear who owns it.
However, the Forbes article is not about storage of patient data, or even security of patient data. At least, not through the health record maintained by the doctor. According to the article, Practice Fusion has set up a Yelp-like site, Patient Fusion, where patients can have access to their health records, if they agree to this with their doctors. They can also schedule appointments, and read and write reviews about doctors. The writing reviews is where the problem came in.
Apparently, patients were writing reviews and including personal information about themselves, sometimes very intimate information (the article calls them, "Burning Sensation [Down There]' Reviews"). And these patients were not aware that their comments, and sometimes names, would be posted publicly.
This is a screenshot of what I could find of the review page:
It's not clear to me if this is the same form that these patients filled out, or if it's been revised since the company realized personal information was being presented publicly. The fine print under "please leave a review for your provider" reads: for your protection, do not include any personal information.
And the fine print under "Patient Authorization" reads:
I authorize my provider and Practice Fusion, Inc. to publish my review on the Practice Fusion website, together with my first name (subject to my unchecking of the "Keep this Review Anonymous" box above). The purpose of publishing my review is to make it available to patients and prospective patients of my provider, and other members of the public. I understand that my provider and Practice fusion will not publish any personal information about me, except my first name (subject to my unchecking of the "Keep this Review...
That's where the screenshot ends. I tried to find myself as a provider so I could set up a Patient Fusion account and get more information, but I wasn't listed. I guess I have to fill out or set up something special to be listed as a doctor.
Here's the thing. Practice Fusion clearly needs to take some responsibility in this. There should be a popup window with a reminder: Please be sure not to include personal information. Or something like that.
But in the age of Facebook, and the era of complete absence of privacy that it ushered in, don't the people who wrote the reviews need to have some responsibility? Everything was filled out online, so you can't say they're not tech-savvy at all. Do people really not know what it means to write a review? Don't people buy stuff from Amazon?
I don't mean to "blame the victim" here. And the Forbes article was waving around some sensationalism to get read. But I'm very uncomfortable with the whole paternalistic approach, like where government tries to dictate how much soda a person can drink, or how much salt a chef can cook with (this was proposed but thank goodness shot down several years ago).
Maybe the whole idea is that people want to believe a greater power or authority figure is taking care of them and making decisions for them, so they don't need to think and feel responsible, and so they can feel protected. And maybe the price of this protection is privacy. If you want mommy and daddy to make sure you're safe, then they have to know everything you're up to.
Is that a good thing?