Patient Access to Electronic Medical Records: The Jury is Out

August 2, 2007

Modifications to the HIPAA privacy rule, published by HHS in August 2002, give patients the right to "inspect, copy and, in some cases, amend their medical records" if information is incorrect...

Modifications to the HIPAA privacy rule, published by HHS in August 2002, give patients the right to “inspect, copy and, in some cases, amend their medical records” if information is incorrect or incomplete. Although the health privacy rule requires covered entities to have in place “reasonable safeguards to protect the privacy of patient information and limit the information used or disclosed to the minimum amount necessary to accomplish the intended purpose of the use or disclosure” and does not override more protective state laws, the increasing use of electronic medical records (EMRs), and patient access to them, has raised privacy concerns. This article will explore these concerns in light of the actual and potential benefits of patient access to EMRs.

Call it what you like—electronic health record (EHR), electronic healthcare record (EHCR), electronic patient record (EPR), or computerized patient record (CPR) —the EMR has migrated in the past few years from use on the desktop to the Internet, allowing any professional involved in a given patient’s medical care, and—more importantly for our purposes—the patient himself, immediate access to some or all of the included information. Such systems improve patient—physician communication, produce confidence in the patient that the information in his or her record is accurate and up-to-date, empower the patient, and ultimately allow for the patient to be more involved in his or her own medical care. However, anyone who has access to the data system and the relevant passwords can also access and alter the information. Further, “Although a paper record can be photocopied and faxed, it is less easy to distribute widely, and requires physical possession for accessibility,” says Maxwell J. Mehlman, JD, author of Emerging Issues: The Privacy of Medical Records.

Overall, public opinion is split down the middle in regards to the privacy risks of patients being able to access EMRs, according to Dr. Alan F. Westin, who gave testimony on February 23, 2005, before the National Committee on Vital and Health Statistics of the Department of Health and Human Services. According to Dr. Westin, a national Harris Interactive survey fielded February 8-13, 2005, found that 48% of adult Americans said “the benefits to patients and society of a patient [EMR] system outweighs risks to privacy,” while 47% said the opposite and 4% weren’t sure.

A study published in November 2004 that explored the perceptions of 693 patients age 20 and older found that not only were respondents to the study questionnaire aware that they had the right to see their records, they felt the advantages of EHRs (potential benefits to healthcare and relationship with healthcare professional) outweigh the disadvantages (concerns about security, confidentiality, and the ability tounderstand their records).

In an article published in May 2004, Stephen Ross, MD, and associates found that 54 patients with heart failure who used the SPPARO (System Providing Access to Records Online) software—which included a Web-based EMR, an educational guide, and an electronic messaging system—were not superior at 12 months in self-efficacy compared to controls but showed better general adherence and satisfaction with patient physician communication. And though no adverse effects were seen from using the system, no effect on health status could be determined. When Warren J. Winkelman MD, MBA, FRCPC, and fellow investigators studied the value of Internet-based patient access to EMRs in persons with chronic inflammatory bowel disease (IBD), their results —published in the January 31, 2005 issue of the Journal of the American Medical Informatics Association—showed that simply providing patients with IBD access to their EMRs had little usefulness on its own. The journal published study results in its November/ December 2004 issue that revealed a majority of 1,421 users of an application that allowed them to view selected portions of their EMR indicated that the application was easy to use and that the information in the EMR was complete, accurate, and understandable. Few were concerned about confidentiality and privacy.

Perhaps more important to you, our reader, is how your colleagues feel about their patients accessing their EMRs. Results from a 2003 study reported in the proceedings of the American Medical Informatics Association annual symposium indicated that physicians had positive attitudes about patient access; those with negative views were mostly those who didn’t view patients as partners in their own care.

While it is apparent from these studies that not everyone agrees about the benefits of patient access to EMRs, it is certain that patients have strong views on what they consider acceptable. “Working in partnership with pa-tients to develop systems is essential to their success,” writes Cecelia Pyper in the British Journal of General Practice.

The Conviction

So, what can be done to ensure confidence in the safety, confidentiality, and importance of patient access to EMR information, and ultimately convince the public that the benefits outweigh the negatives? For starters, patients and their caregivers should be aware that HIPAA — Section 164.524 (a)(3) states that “a patient’s access to his/her own records may be, but does not need to be, denied if a licensed health care professional reasonably determines one of the following:

1. Access is reasonably likely to endanger the life or physical safety of the patient or another person.

2. The [information] refers to another person and access to the information regarding that person is reasonably likely to cause substantial harm to such other person.

3. Access to the requested information, when the request is made by a personal representative of the patient, is reasonably likely to cause substantial harm to the patient or another person.”

Patients need to be confident that when access is permitted to an EMR, it is only permitted to those with the right to see it, say Pyper et al, as opposed to anyone who has obtained their password or anyone working at the IT company that hosts the database where their EMR is stored.

The experts agree that including patients in the development of systems that allow them to view their own EMRs is key to the ultimate success of the system. “Giving patients control over permission to view their record—as well as over its creation, collation, annotation, modification, dissemination, use, and deletion—is key to ensuring patients’ access to their own medical information while protecting their privacy,” say Mandl et al. Pyper writes that “it is essential that patient involvement takes place at every stage of the development of EPRs and that their views are taken into account.” According to Dr. Westin, the public agrees; 82% of respondents to the national Harris Interactive survey said that it was important to be able to track their own personal medical information and to assert their privacy rights.