Battle for hearts, minds and data heats up

Two weeks ago, I wrote about the negative public perception that EMRs continue to have, then asked readers how to convince people that EMRs are indeed safe.

One regular commenter suggested keeping records not online, but instead on portable, encrypted USB drives. That's an interesting thought, but it requires people to carry their records with them every time they go to the doctor. That's a lot to ask. What if they forget? Does the doctor or hospital have to rebuild the patient's information from scratch? And what of security on the provider side? More than a few facilities would be wary of plugging in a USB device from outside the organization for fear of unleashing a virus.

Another commenter said that the country needs a national patient identifier, like the kind called for in the 1996 HIPAA statute, but then blocked by 1999 legislation in which Congress refused to fund development of such an ID system. In FierceHealthIT, I've recently discussed the importance of a master patient index or other reliable identifier as a prerequisite for successful health information exchange. A national patient ID certainly would fit the bill, but if you thought the anti-government rhetoric was strong in health insurance reform, just wait until you hear the cries of "Big Brother" if someone tries to resurrect this idea.

I also received some feedback via email. Two messages suggested that the privacy lobby was winning the battle for the hearts, minds and information of the public. I think there's something to this.

Wouldn't you know, just two days ago, healthcare privacy advocate Dr. Deborah Peel had an op-ed in the Wall Street Journal under the provocative headline, "Your Medical Records Aren't Secure: The president says electronic systems will reduce costs and improve quality, but they could undermine good care if people are afraid to confide in their doctors."

Peel has long railed against 2002 modifications to the HIPAA privacy rule that created the "treatment, payment and healthcare operations" exception to sharing of patient records without consent. Though the 2009 American Recovery and Reinvestment Act requires HHS to close that loophole--and HIPAA regulatory changes are in the works--third-party data mining continues to thrive. And, of course, hacking remains a constant threat.

"Electronic record systems that don't put patients in control of data or have inadequate security create huge opportunities for the theft, misuse and sale of personal health information," Peel writes. "The privacy of an electronic health record cannot be restored once the contents are sold or otherwise disclosed. Every person and family is only one expensive diagnosis, one prescription, or one lab test away from generations of discrimination."

Peel also announces that her organization, the Patient Privacy Rights Foundation, will circulate a "Do Not Disclose" petition, similar to the popular, federally sanctioned "Do Not Call" list for telemarketers. "We believe Congress should pass a law to build an online registry where individuals can express their preferences for sharing their health information or keeping it private. Such a registry, plus safety technologies for online records, will mean Americans can trust electronic health systems," Peel says.

Something like that would pretty much kill EMRs as we know them today. It's a radical step, but it places the battleground squarely in the privacy arena and shows how difficult winning over a skeptical public really will be.

EMR community, it's your move. - Neil