Patients getting short shrift in EHR privacy and access

Healthcare providers and health information exchanges must do a better job of protecting patients' privacy, allowing them to access their own healthcare data, and developing consistent "rules of the road" to safeguard information, according to studies published by the New York Civil Liberties Union and Consumers Union.

The Consumers Union study, conducted by University of California-San Francisco professor Robert H. Miller, examined the performance of five California-based provider organizations in meeting nine principles--intended to simultaneously increase provider access to data and protect patients' privacy--adopted by state patient and consumer groups in 2010.

"For organizations to comply with all nine principles, clear 'rules of the road' for information sharing must be defined, and patient education in health information exchange and control over personal data must be increased," Miller concluded in his study, published this week in the journal Health Affairs.

Miller found that while the organizations he studied had adopted numerous privacy and security policies to demonstrate their seriousness about protecting data, none of them did much to educate patients about controlling or monitoring access to their data. For example, he said, the provider organizations were not transparent about providers' use of patient data. Although they maintained audit trails and provided them to patients on request, they did not tell patients what audit trails were or that they even existed. When patients did ask, the organizations provided the information in byzantine formats that had to be interpreted by staff members.

The authors of the NYCLU report also noted a lack of patient control over their data under New York law. The law says that a one-time "opt-in" consent at any HIE-participating provider results in "blanket permission to release all medical information."

The NYCLU report concludes that the state should revisit its policy on uploading individual medical information to a shared network and adopt a requirement that such information cannot be uploaded without affirmative patient consent--or, at the very least, allow patients to opt out of the system at any time.

NYCLU contends that giving patients the ultimate authority in deciding who accesses their data, to a much more granular degree than the law currently allows, is consistent with positions taken by both the National Committee on Vital and Health Statistics and the Office of the National Coordinator for Health IT and should be adopted in New York.

The reports differ to some extent in the recommended course of action the respective states should take to improve patient trust and participation. The NYCLU calls for an outreach component in its 10-point position but emphasizes explicit legislative action. Miller makes more general recommendations, calling for policies that set timetables for organizations to offer patient portals that give consumers more control and access.

However, both studies make clear that, to realize the public health benefit of comprehensive data exchange, individual patients must be assured of their ultimate control over who sees and moves their data. The greater public interest and that of the individual, the NYCLU asserts, "are not irreconcilable; they must be balanced."

To learn more:
- here's the NYCLU study (.pdf)
- read the Consumers Union study in Health Affairs (registration required)
