Privacy at Stake: Patients, Clinics and Electronic Medical Records

Privacy at Stake: Patients, Clinics and Electronic Medical Records

by Corinne A. Carey

Our nation’s health care system is in a period of rapid and dramatic change, and the way that our health information is stored and shared is a big part of that transformation. Many healthcare providers are already using electronic health records to store patients’ medical information. If your doctor isn’t doing it now, she soon will.

Rapid sharing of information between and among health care providers promises significant benefits to doctors and patients, including greater coordination and efficiency in service delivery, and reductions in medical errors and misdiagnoses — not to mention convenience. These benefits also promise to improve the efficiency and effectiveness of the health care system more broadly.

But electronic health information exchange raises significant privacy concerns. Despite the benefits to patients, easily shareable electronic records can lead to threats to patient privacy, including the potential for security breach, misuse of information and loss of patient control over confidential and sensitive health information. Given these risks, it is critical that patients retain control over the dissemination of their health information.

Electronic Networks Are Gearing Up

Hard-copy documents and electronic records stored in office computers are now being linked to networks run by regional health information organizations (RHIOs). RHIOs are already allowing health care providers to share patient information among participating providers within certain regions of the country. Eventually, these networks will be linked statewide. At the same time, the federal government is developing networks that will allow records to be shared across the nation.

In designing the technological architecture for health information exchange, policymakers must pay attention to choices that allow for greater or lesser degrees of patient control. For example, systems can allow for relatively weak or robust consumer consent mechanisms: some systems upload (or “push”) patient information into an electronic network without consent; others “pull” information from providers only after consent is obtained from the patient.

“A woman who
terminates a
pregnancy may
be concerned”

Likewise, systems can either allow patients to determine which providers can see what kinds of information about them, or they can be designed to give providers who have permission to access patient data access to all of the data available on a particular patient.

The level of control patients will have to determine what information can be seen (or not seen) by a particular provider is perhaps the most complex issue facing policymakers.

Many states have chosen systems that work in the following way: Once a patient consents to allow a provider to gain access to his or her medical records, the provider gains access to everything in that patient’s record — there is no way to ensure that the provider only sees information that is relevant to current treatment. This “all or nothing” approach to data sharing forces patients to choose between giving a current provider access to their medical records and maintaining future control over sensitive health information.

When patients are unable to exercise granular control over information in their health records, there are serious ramifications. Consider, for example, a patient who was raped in her 20s and briefly took antidepressants to cope with trauma. An all-or-nothing system does not allow her to restrict access to this sensitive information to those providers for whom it is medically relevant. If she were to seek treatment for a skin condition, she cannot share current medical information with her dermatologist without that provider learning about this traumatic incident in her past. Each time the need for medical care arises, she must determine whether or not to provide access to her medical records because her assent means informing the provider that she had been the victim of rape.

Patients and Control of Abortion Info

A woman who terminates a pregnancy may be concerned about making that information available to anyone with access to an electronic network that contains her medical information. She may want her current medical providers to have access to any information in her medical history that may be relevant to her treatment. But she cannot do so without losing the power to shield information about her abortion from future providers 10 years hence.

For adolescents and their care providers, the failure to allow for patient control of sensitive medical information poses an insurmountable obstacle to the delivery of essential medical care. In many states, minors can consent to specific types of health care, including reproductive health and certain mental health treatment, without parental involvement (sometimes referred to as “minor-consented services”). While parents have a right to access their children’s medical records generally, parents and future providers may not obtain information about such minor-consented services, and doctors may not share such information without the minor’s permission. Ideally, a system should allow access only by health care providers who have received the minor’s consent, while shielding that information from parents who routinely access their child’s other medical records.

In the case of a 15-year-old seeking testing and treatment for a sexually transmitted infection, for example, her pediatrician would like to enter this information in her chart. But the doctor has no way to prevent his patient’s parents from gaining access to this information when they request copies of their daughter’s medical records. In a world of paper records, the pediatrician could record this information on separate pages in the file, but not release the confidential portion of her patient’s records when she provides a copy of the records to a parent. In an electronic information-sharing system, the only way to protect this young person’s confidentiality is to exclude the patient from the electronic-records system altogether; however, excluding only those minors who have exercised their right to consent on their own to certain types of medical care would signa — to providers, parents and others — that the minor has exercised that right, which then compromises the right.

A system that allows for granular control of medical information would allow all minors to fully benefit from participation in health information exchange, while ensuring that those who need it are assured confidentiality when they receive medical care of a sensitive nature.

Strengthen the Law Now

Even linking a patient’s medical records to an electronic network may provoke fear of unauthorized access or breach that could allow a hacker to gain access to patient identities or entire medical histories — either as a wholesale medical records theft or in pursuit of information about a specific patient. And this fear may be well founded. The mere inclusion of demographic information in a directory of existing records, regardless of whether complete medical records are made accessible, can pose an unacceptable risk to patients. Take, for example, those patients at risk of domestic violence, harassment, stalking or with other special concerns about confidentiality, such as public figures or crime victims. The ability to glean an address or, indeed, any information that may reveal a patient’s location, may cause such patients irreparable harm.

Providers and public health advocates may demand unfettered access to individual medical records that technology now makes possible. However, well-established law and policy have recognized the importance of allowing patients the right to control access to their private medical information. And indeed, patients have always controlled their medical records: what went into their records and whether one doctor even knew that her patient was seeing another doctor depended entirely on what the patient chose to share. Ensuring that patients are able to control who has access to what parts of their medical histories is vital to the success of our nation’s transition to electronic health information exchange.

“Disregard of
patient privacy
laws and norms
has serious

Fortunately, lawmakers can take action to explicitly extend the strong privacy protections that attach to traditional medical records to these new systems.

For example, in New York, the legislature could require the Department of Health to ensure that any electronic records exchange network employed by the state or linked to a state registry has the capability to allow patients to shield information that they consider sensitive from certain providers. The legislature could also require the state to stop uploading patient medical information to electronic records exchanges without patient consent. And, the legislature could require the state to undertake a meaningful public education campaign to ensure that patients understand both the risks and the benefits of electronic health information exchange BEFORE they have to decide whether to give a health care provider access to their records.

If policymakers, in their zeal to make health information exchange networks operational, disregard patient privacy laws and norms, serious consequences are likely. Confidential communication between doctor and patient is critical to ensure that patients seek out care, and that they are open and honest with their providers. Fully informed by the totality of a patient’s circumstances, providers can render the best care possible.

Patients who fear a loss of control over their private medical information may lose faith in their doctor — and in the health care system. They may fail to share critical information with their treating providers, or they may avoid treatment altogether.

Electronic health information exchange has the potential to enhance patient care, improve public health outcomes and reduce the skyrocketing cost of medical care. This will only happen if patients, with confidence that they will not lose control of their medical information, agree to participate. Designing systems that allow patients to control when their medical information is entered into a shareable electronic database, and which providers see what kind of information about them is critical to establishing that confidence.

Corinne A. Carey is the Assistant Legislative Director at the New York Civil Liberties Union (NYCLU). This article was drawn from forthcoming NYCLU policy brief co-authored with Gillian Stern.

Also see: Redefining Chutzpah: More Bad Ideas to Burden Women by Aram A. Schvey in this edition of On The Issues Magazine

Also see: Before “Roe”: Legal Battles, Involuntary Servitude, My Mom by Justine Goodman in this edition of On The Issues Magazine

Read the Cafe for new and updated stories.