Your EMR privacy policy, first and foremost, should be practical


It's not hard to find recent examples of privacy and security at odds with electronic medical records (EMRs). Just this week, for instance, a federal grand jury indicted a former employee of the University of Maryland Medical Center on charges of stealing patient identities. Wake Forest Baptist Health in North Carolina, meanwhile, notified 357 people (including employees and patients) that a former employee was hoarding their medical records at home.

Headlines such as these can be scary. What may be even more frightening, however, is that many providers or healthcare organizations unwittingly are violating the trust of their patients every day--without consciously trying.

Look at the recent example at Tufts Medical Center in Boston, where a patient filed a lawsuit after the hospital faxed her medical records containing information on a hysterectomy to her workplace without her consent--causing personal embarrassment. The patient said she had asked the hospital to send a form addressing a disability claim.

"I feel like I might have walked in [the office] naked," the patient told the Boston Globe. "I can't go back there."

I, myself, even encountered this issue on a recent visit to a local hospital emergency room. The nurse keying information into my medical record asked if I experience fear or abuse in my home environment. My answer was no, but I thought it was an odd question to ask in front of my family, who happened to be sitting with me. The nurse appeared so wrapped up in keying in answers that she failed to make a connection of how such a question might raise an uncomfortable privacy issue.

Again, these are day-to-day examples of what can happen--but they can add up. Just ask Alan Westin, a professor of public law and government emeritus at Columbia University, who has conducted two decades of surveys about privacy and health information technology (HIT).

Speaking last month at a health privacy summit in Washington, Westin said his surveys unveiled many concerns among consumers regarding privacy issues. "HIT programs will not earn the trust and cooperation of many--if not most patients--if these concerns are not successfully addressed," he said.

Using his surveys, Westin divided healthcare consumers (and their responses to privacy issues) into three segments:

"Privacy intense" consumers (about 35 to 40 percent of consumers in the healthcare arena) make up the first segment. They generally have a distrustful attitude toward business and government collection and use of personal data.

"They are very worried about the secondary uses of their personally identified medical records and health information by health and life insurers, employers, government programs," Westin said. They especially are concerned about discrimination against persons with various potentially stigmatizing conditions--such as chronic diseases, use of mental-based services, sexually based conditions.

About 50 to 55 percent of consumers are "privacy pragmatists," the second segment. According to Westin, they are individuals who first ask "what's the benefit to [us] as patients or citizens...in the use of health data.

"They want to know what privacy and security risks are encountered when used in this way, and what does the organization promise to do to minimize or eliminate these risks," he continues. When privacy pragmatists get a positive response to these questions, they're content and will support the use of health data, Westin added.

The third segment, the "privacy unconcerned" (about 10 to 15 percent of consumers), tend to be trustful of the actions of business and government. "They have an 'I-have-nothing-to-hide' outlook when it comes to the use of personal information in a digital society," Westin said.

Keeping these groups in mind--and using them to understand how majority public policy likely will be made--it appears important to address the hearts and minds of the privacy pragmatists. "Which way they go will determine where majority support is for various alternative policies in health information," Westin said.

Privacy and security of electronic data is not an abstract idea that's just the responsibility of the federal government or healthcare organizations. It's something that every provider and every consumer needs to take responsibility for--every single day.

- Janice
