During the Super Bowl two years ago, a commercial aired featuring a doctor questioning his patient, a man in boxer shorts sitting on an exam table, about whether he’d been tested for cortical spreading depression. The patient begins to say he doesn’t remember, and suddenly flood lights go up. The patient is surrounded by doctors in white coats sitting in a theatre round. One by one, the doctors stand up and recite entries from the patient’s medical records. When they finish, the mortified patient looks at his doctor and says, “Um, can I put my pants back on, please?” The commercial was for GE’s electronic health records system, and I remember thinking: “Was this an ad FOR electronic health records, or AGAINST them?”
At the time the commercial aired, states across the country were grappling with the logistics of getting networked systems of medical records up and running so that providers could share information about their patients over the Internet—in much the same way the providers in the GE commercial shared information about the patient’s medical history to help inform his current provider about how best to diagnose and treat his patient’s symptoms.
As an attorney with the reproductive rights project at the New York Civil Liberties Union (NYCLU) at the time, with little experience in technology and privacy, I was tasked with identifying the privacy implications for reproductive health care in this new paradigm, but I realized quickly that the system posed serious threats to patient privacy writ large. Eventually, after an intense two-year learning curve, I ended up with a seat on New York State’s privacy policy working group, and authored a report that NYCLU published in March identifying privacy concerns and recommending strategies for protecting patient privacy.
Today I’m presenting those recommendations to technology and privacy experts gathered at the 2nd International Summit on the Future of Health Privacy at Georgetown Law Center in Washington, D.C. to discuss the urgent privacy issues raised by electronic health information exchange.
At stake in the battles over this issue now underway in states across the country is who will have control over information about patients: the patients themselves, or doctors and institutions?
For example, does a foot doctor need to see a patient’s records showing that she was a rape victim, had an abortion, underwent counseling, and took anti-depressants? Should the decision about that rest with the patient, or should it be shared automatically?
Until now, patients have always controlled their medical records: what went into their records and whether one doctor even knew that her patient was seeing another doctor depended entirely on what the patient chose to share. But that may no longer be the case as health information exchanges are created.
Proposals to develop electronic medical records systems date back at least to the 1970s, but efforts by the federal government and the states to create a network of shared electronic health records began in earnest in April 2004. An executive order issued by the Bush administration that month set a national goal of widespread adoption of interoperable electronic health records by 2014.
Rapid sharing of information between and among health care providers promises significant benefits to doctors and patients, including greater coordination and efficiency in service delivery, and reductions in medical errors and misdiagnoses—not to mention convenience. These benefits also promise to improve the efficiency and effectiveness of the health care system more broadly.
But it is critical that patients retain control over the dissemination of their health information.
In New York State, hard-copy documents and electronic records stored in office computers are now being linked to networks run by regional health information organizations (RHIOs). RHIOs are already allowing health care providers to share patient information among participating providers within certain regions of the country. Eventually, these networks will be linked statewide. At the same time, the federal government is developing networks that will allow records to be shared across the nation.
In designing the technological architecture for health information exchange, policymakers must decide whether to grant greater or lesser degrees of patient control. For example, systems can allow for relatively weak or robust consumer consent mechanisms: some systems upload (or "push") patient information into an electronic network without consent; others "pull" information from providers only after consent is obtained from the patient.
Likewise, systems can either allow patients to determine which providers can see what kinds of information about them, or they can be designed to give providers who have permission to access patient data access to all of the data available on a particular patient.
Patients and providers need to have the ability to exercise granular control over health data—the ability to specify which pieces of data from a patient’s medical record to include or block when that record is conveyed to a third party. In systems capable of granularization, personal health information ideally can be sorted by:
• Data type (e.g., a blood test, a diagnosis, a procedure)
• Provider (e.g., a gynecologist, a psychologist, an internist; or medical providers vs. office staff)
• Time range (e.g., between x date and x date, within five years, or for a 24-hour period for emergency treatment)
• Purpose (e.g., payment, care delivery, quality improvement, clinical research or health services research)
Many states have chosen systems that are incapable of giving patients and providers granular control over data: Once a patient consents to allow a provider to gain access to his or her medical records, the provider gains access to everything in that patient's record—there is no way to ensure that the provider only sees information that is relevant to current treatment.
This "all or nothing" approach to data sharing forces patients to choose between giving a current provider access to their medical records and maintaining future control over sensitive health information. This can have serious ramifications. Consider these examples:
• A patient who was raped in her 20s and briefly took antidepressants to cope with trauma. An all-or-nothing system does not allow her to restrict access to this sensitive information to those providers for whom it is medically relevant. If she were to seek treatment for a skin condition, she could not share current medical information with her dermatologist without that provider learning about this traumatic incident in her past. Each time the need for medical care arises, she must determine whether or not to provide access to her medical records because her assent means informing the provider that she has been the victim of rape.
• A woman who terminates a pregnancy may be concerned about making that information available to anyone with access to an electronic network that contains her medical information. She may want her current medical providers to have access to any information in her medical history that may be relevant to her treatment. But she cannot do so without losing the power to shield information about her abortion from future providers 10 years hence.
• A patient treated for substance abuse may have concerns about the inclusion of that information in an electronic system that is available to all of his providers for all time. The level of stigma that attaches to those who have struggled with substance abuse is profound. For this reason, information about substance abuse treatment is accorded the most stringent confidentiality protection by law. While information about his treatment may be relevant for a period of time, it becomes irrelevant for the medical provider treating him for a wholly unrelated condition ten sober years later. The indiscriminate release of that medical history could undermine both personal and professional relationships, and the potential harm is not limited to social stigma. Including information about past treatment opens the door to misuse of medical information. A provider may refrain from prescribing medically appropriate pain relief to a patient who has been treated for substance abuse many years in the past based upon an assumption that the patient is exhibiting “drug-seeking” behavior.
Providers and public health advocates may demand unfettered access to individual medical records that technology now makes possible. However, well-established law and policy at both the state and the federal level have recognized the importance of allowing patients the right to control access to their private medical information.
If policymakers, in their zeal to implement health information exchange networks, disregard patient privacy laws and norms, serious consequences are likely. Patients who fear a loss of control over their private medical information may lose faith in their doctor—and in the health care system. They may fail to share critical information with their treating providers, or they may avoid treatment altogether. Confidential communication between doctor and patient is critical to ensure that patients seek out care, and that they are open and honest with their providers. Fully informed by the totality of a patient's circumstances, providers can render the best care possible.
Electronic health information exchange has the potential to enhance patient care, improve public health outcomes, and reduce the skyrocketing cost of medical care. But this will only happen if patients, with confidence that they will not lose control of their medical information, agree to participate. Designing systems that allow patients to control when their medical information is entered into a shareable electronic database, and which providers see what kind of information about them is critical to establishing that confidence.