This article was originally published in the November 2012 edition of the International Association of Privacy Professionals member newsletter, The Privacy Advisor (https://www.privacyassociation.org/publications/privacy_advisor/), and is republished here with permission.
Does your dermatologist need access to your reproductive health history?
Can you limit access to the psychiatric notes in your chart once they have been entered into your provider’s new electronic health record (EHR) system?
It sounds absurd, but the adoption of EHRs and health information exchanges could enable this level of access in the future. The goal with these initiatives is to provide access to each American’s medical records in order for physicians to better provide treatment.
With the rapid rollout of EHRs, serious issues in patient privacy rights need to be addressed: lack of trust in the system, human error, lack of patient control over their electronic data and legislative gaps.
A lack of trust
Maintaining patient trust is the cornerstone to a successful healthcare system. The Office of the National Coordinator for Health Information Technology has indicated that a lack of this trust “may affect willingness to disclose necessary health information and could have life-threatening consequences.”
Dr. Deborah Peel, founder of Patient Privacy Rights, agrees. “The lack of privacy causes bad health outcomes. Millions of people every year avoid treatment because they know health data is not private,” she says. She cites several cases where privacy concerns affected the quality of healthcare:
- The HHS estimated that 586,000 Americans did not seek earlier cancer treatment.
- HHS estimated that 2,000,000 Americans did not seek treatment for mental illness.
- Millions of young Americans suffering from sexually transmitted diseases do not seek treatment.
- The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns.
- The lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years.
At the recent International Summit on the Future of Health Privacy, an attorney in Boston, MA, who suffers from bipolar disorder described how her mental health records were digitized for thousands of doctors and nurses to see—without her permission. “Personal details that took me years to disclose during therapy are being shared throughout my medical network, against my will,” she said. “It’s destroyed my trust with my doctors.”
41 percent of healthcare organizations surveyed for the 2011 Benchmark Study on Patient Privacy and Data Security said that data breaches involving PHI are caused by sloppy employee mistakes. A single oversight can affect the privacy of hundreds of thousands of people, as happened in Utah in March, when hackers broke into an unprotected server, stealing the personal information of 780,000 people.
"The Utah data breach is an example of human error because, as reported, the server did not have a secure password," Lisa Gallagher, senior director of privacy and security for HIMSS, stated in an eWEEK article. “Human error in healthcare delivery has impactful consequences when it comes to security. Training employees on security measures and implementing the proper security protocols are basic steps to take, but also, are often overlooked."
The problem grows exponentially when you consider how electronic data are sprawled across the healthcare ecosystem. Third-party mistakes, including those of business associates (BAs), account for 46 percent of data breaches reported in the Ponemon study.
A lack of patient control
With the adoption of electronic health records and health information exchanges, we wondered who owns patient data. The patient? The physician? The hospital? The health plan? Logically, the owner would be responsible for the privacy of this data. But legally, it’s unclear who owns the data, and in fact, it becomes more an issue of control.
So what control does the patient or other member of the healthcare ecosystem have when it comes to accessing, modifying and transmitting any medical data? We asked an attorney who specializes in patient privacy to clarify the issue.
“Few federal or state laws talk about ownership of health information,” says Adam H. Greene, a partner with the law firm of Davis Wright Tremaine LLP in Washington, DC. “Rather, we have a confusing tapestry of federal and state laws governing the level of control that patients have over the sharing of their health information.”
At the core of this privacy debate is the assertion that physicians need access to a patient’s records to provide optimal treatment. In his paper “Debate over patient privacy control in electronic health records,” Mark A. Rothstein, chair of law and medicine at the Louis D. Brandeis School of Law at the University of Louisville, notes that “many physicians assert that patients should not be able to control the content of their health records because doing so would fundamentally change medical practice.” This perspective is fundamentally at odds with that of patient privacy advocates.
Federal legislation such as HIPAA and the HITECH Act seek to safeguard protected health information (PHI). In addition, according to the National Conference of State Legislatures, 46 states have data breach notification laws. President Barack Obama’s Consumer Privacy Bill of Rights affords some level of privacy rights to patients.
HIPAA and the Consumer Privacy Bill of Rights, however, create an odd legislative gap. In his Health Information Privacy Bill of Rights, James C. Pyles, an attorney specializing in patient privacy rights, notes that the Consumer Privacy Bill of Rights excludes patients to the extent their health information is covered by HIPAA while offering greater privacy rights with respect to health information not covered by HIPAA. He cites a year-long study by ANSI and others that uncovered the “inadequacies” of HIPAA, including the fact that the HIPAA Privacy Rule was not even intended by the Department of Health and Human Services to serve as a “best practices” standard for privacy protection. This means that HIPAA-protected PHI does not benefit from the Consumer Privacy Bill of Rights and is subject to the same privacy pitfalls as before.
What we can do
Patient privacy is a fundamental right that is being challenged as patient records are digitized and access to those records increases exponentially. Our nation can’t afford to keep building out an electronic healthcare system without addressing these issues.
Pyles’ Health Information Privacy Bill of Rights, developed with the American Psychoanalytic Association, seeks to “protect the fundamental right to privacy of all Americans and the health information privacy that is essential for quality health care,” with prescriptions for patient control, security, accountability and other rights.
We support Pyles’ Bill of Rights. We also believe the answer lies in the private sector, specifically a consortium of EHR vendors, software developers and privacy/security professionals. Together, these experts can bring a holistic view of the issue of patient privacy and data control in a way that no governing body can. And we must act now.