Privacy in Electronic Medical Records


The speakers explained what privacy issues arise with the use of health IT, especially in the mental health arena.

Privacy in Electronic Medical Records

Zebulon Taintor, MD, Laura Fochtmann, MD, Edward Pontius, MD, Glenn Martin, MD, Edward Foulks, MD, PhD, Deven McGraw, JD, M.PH

The first presentation in this session was “Privacy Violations and Consequences” by Dr. Taintor.“Privacy violations are reported weekly in the press,” he began. “Typically, data on hundreds or thousands of patients was on a stolen laptop. Usually there has been no prosecution, because of the evident lack of criminal intent, and consequences are rarely reported.” And although there are but a few reports of medical identity theft in the press, the Federal Trade Commission estimated 250,000 such cases in 2006. Part of the reason, explained Taintor, is that identity theft laws typically exist at the state, not federal, level.

Thus, “despite hundreds of complaints of HIPAA violations since medical privacy rules went into effect in 2003, only the fourth criminal case was brought in August 2008,” stated Taintor.” In the case, a clinic nurse “pled guilty to wrongfully accessing a patient’s protected health information to share with her husband to use in a legal proceeding against the patient.”

Further, although “law enforcement has used other laws (eg, fraud) instead of HIPAA to prosecute those who used protected health information for personal gain, the HHS Inspector General reported in October 2008 that enforcement was lax and that delegation of enforcement to CMS was ineffective in that CMS had not conducted compliance reviews and had no effective mechanism for verifying that protected health information was actually protected,” explained the speaker.

Taintor concluded, noting that “HIPAA enforcement changes in the economic stimulus package included prosecution by state attorneys’ general and other tightening of provisions, but efficacy has yet to be determined.”

Dr. Martin continued the session with “Privacy and Control in Health Information Exchanges, More than an Illusion?”

“It has become a touchstone of plans to improve healthcare in the Unites States that individuals’ health information must become available to healthcare providers and patients in an easily accessible, real-time, electronic format,” he started. “To that end health care organizations have established Regional Health Information Organizations (RHIOs) to build and govern Health Information Exchanges (HIEs). These exchanges usually link information obtained from individual physicians, large group practices, and hospitals, as well as pharmacy benefit managers, laboratories, imaging centers, and some insurance carriers, including Medicaid. Information is shared among these providers, public health authorities, and eventually with the patients themselves through Internet portals or personal health records.”

Challenges in privacy occur at numerous levels, including technology, usability, law, and expectations, Martin noted. For example, although law states that psychiatric records are considered sensitive, they are not readily available in the paper world to all providers, and sharing these records is always done with the explicit consent of the patient, this sensitive information has “already left the silo and the doctor’s direct oversight” in the digital world.

It might be the case that one’s psychiatric visit may not appear directly in an HIE, but it is probable that purchased medication or ordered labs would, with no practical means currently to assure segregation and special handling, noted Martin. “Consent to disclose information has been de facto replaced by consent to access, at best,” he stated.

Dr. Foulks followed Dr. Martin with a presentation of “The Perspective of Family Members on Privacy in Electronic Medical Records.”

“Families are very clear that they want: a) necessary information available on their loved ones in emergencies, b) psychiatric care integrated with medical care, c) no privacy violations, and d) no unnecessary spreading about of information that can lead to stigmatization,” Foulks began.

To achieve “a)” above, data needs to be available through clinicians, not at the level of an HIE or RHIO, he stated, “but families will encourage their loved ones to examine the participants in HIEs and RHIOs and determine if they don’t want data going to certain entities and would want ‘break the glass’ use only.”

For “b)” to be a reality, “it is essential that all subscribers know what medication a patient may be receiving from all sources, why it has been ordered, doses modified, and why medication may have been discontinued,” Martin noted.

In regards to “c),” Martin says that “families are daunted by the casual and sloppy way most violations have occurred and have pushed for stricter penalties. We welcome the new HIPPA privacy enforcement provisions of the stimulus package.”

Finally, for “d),” Martin favors “granularity,” along with “full access to all physical health data and restricted access to mental health data.” The patient should control who gets access to what, followed by decisions made by the family if necessary.

For years, the speaker notes, electronic systems have been in place for state public mental health systems, “starting with statistical counts and reports from hospitals and clinics,” he continued. “Admission-discharge-transfer systems allowed retrieval of previous treatment and diagnoses. Now, many have patient-centered file structures. Their main uses have been medication ordering and tracking and maintaining assessments, treatment plans, progress notes, and discharge summaries. These provide very useful longitudinal views of patients over time.”

“Health IT and Privacy — Critical Pathways to Improving Mental Healthcare” was next on the agenda, presented by McGraw.

“Health information technology (health IT) has enormous potential to improve the quality of physical and mental healthcare,” he stated, “both in terms of care provided to individuals, as well as population health. But until very recently, little progress had been made to advance widespread adoption of health IT and electronic health information exchange to improve health.”

The obstacles to this progress were lack of funding to support adoption, lack of interoperability between disparate systems, and a failure “to effectively address the complex privacy and security issues raised by the e-health technologies.”

But that all changed last February, when “Congress broke the ‘logjam’ and enacted significant provisions supporting health IT as part of the economic stimulus legislation,” said McGraw. The legislation, he feels, achieved the following: “a) strengthened the federal infrastructure leading national efforts to promote health IT; b) dedicated significant funds to support health IT adoption through payments to individual providers and grants for health information exchange infrastructure; and c) strengthened privacy and security protections for health information by filling significant gaps in the privacy and security regulations under HIPAA.”

And although the legislation offered unprecedented opportunities to achieve the true potential of health IT, implementation challenges are enormous, according to McGraw.

Pulling up the rear was Fochtmann with “General Medical Views of Electronic Medical Record Privacy.”

A major goal of nationwide implementation of electronic health records has been to reduce the fragmentation of patient’s health information across settings of care, facilities, and geographical regions, with the aim of improving the quality of delivered care,” the speaker noted.

However, by its very nature, protecting privacy of healthcare information restricts access to that information by others, limits its availability for medical decision making, and can also limit the value of such decision support areas and drug interaction checking.

Privacy protection also raises concerns over potential difficulties and costs in modifying software “to support granular controls on accessing portions of the electronic medical record as well as time and cost involved in entering patients’ individual privacy preferences into the electronic system,” explained Fochtmann.

For additional information, the speakers directed attendees to:

  1. Health IT: Protecting Americans’ Privacy in the Digital Age.
  2. Privacy, Security and the Regional Health Information Organization.

Related Videos
Connective Tissue Disease Brings Dermatology & Rheumatology Together
What Makes JAK Inhibitors Safe in Dermatology
Potential JAK Inhibitor Combination Regimens in Dermatology
© 2024 MJH Life Sciences

All rights reserved.