This document discusses the risks to patient privacy posed by electronic health records and health information exchanges given existing legislation and regulations. While laws like HIPAA provide some protections, they were created before widespread use of EHRs and do little to protect electronically stored data. Additionally, patients have little control over their health information under current policies. Attempts to balance privacy with the goals of improving population health through data sharing and EHR use have been challenging, with no clear resolution. Compromise is needed to define what information can be shared while maintaining patient anonymity.

1. Katie Wittman<br />7/19/2010<br />Patient Privacy Risks Related to EHR and HIE Security<br />With the plethora of legislation being passed to reform the health care industry, electronic health records are slowly increasing in prevalence in medical practices across the United States. EHRs, as well as the networking of individual record systems into health information exchanges or HIEs, have been highly touted for their potential to save money, lives, and time; however, critics fear that the rush to make health information accessible anywhere in the country has caused legislators and industry professionals to overlook a Constitutionally protected freedom. The right to privacy implicit in the Bill of Rights and subsequent Constitutional Amendments was upheld by the Supreme Court as early as the 1920s. With the advent of the Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA, the U.S. government began to address the right to privacy and confidentiality specifically in the health care industry. The privacy protections for health information set forth by HIPAA, while necessary and proper, were created in a predominantly non-EHR world and do little more than provide a framework for those patients victimized by violations to take legal action. The heart of the problem lies in the relatively weak “security” measures directed at covered entities outlined in the legislation which include limiting physical access to facilities and a vague requirement for organizational policies regarding the use of workstations. Requiring a lock on the door to a chart storage room might be moderately effective in deterring information theft in an office using paper records but does nothing to protect electronically stored data. Further adding to these concerns, the HIPAA “Privacy Rule” was amended in 2002 removing a mandate for health care providers to obtain consent from the patient before using or disclosing protected health information for treatment, payment, or operations purposes. A provider has the option to offer consent procedures to patients before services are rendered and billed, but are no longer legally required to do so. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 attempted to elevate the protection of electronic health information by requiring such things as data encryption, security breach notifications, and audits listing all users accessing a medical record. HITECH also addressed the issue of health care business associates and secondary use of information by making anyone who receives protected health information, including billing service providers and law firms, a HIPAA-covered entity. They are therefore subject to the same HIPAA regulations and penalties as health care providers, insurers, and clearinghouses. These additions have furthered legal privacy protections at an institutional level.<br />One significant stakeholder is conspicuously disenfranchised in all of this legislation: the patient. The very entity policy makers are tasked to protect has virtually no control over what can or cannot be done with his protected information. Tyranny of the majority, a hallmark problem in representative democracies, appears to be rearing its head again – this time in health care delivery. It is clear that rigorous security guidelines and privacy protections should be available to shield patients from potential negative outcomes such as discriminatory practices and stigmatization, but the patient himself ought to have some control over the use and disclosure of his personal information. Under the current amended version of HIPAA, it is the provider, not the patient, who makes decisions regarding consent. HITECH has addressed the need for electronic patient consent technologies, which would allow individuals to set their own defaults for use and disclosure of protected health information to various parties or for different purposes, but delayed the development of such tools for several years. This restraining of the patient’s right to choose is one of the risks of intricate universal privacy and security regulations.<br />At a higher level, supporters of health information exchanges and other advancements fear that implementing meticulous privacy policies will defeat the purpose of the technologies. Some argue that a trade-off must occur – reducing security requirements to increase usability and therefore reap all potential benefits. One of the goals of HIEs is to improve population health through the compilation and use of information related to the prevalence of diseases, effectiveness of treatments, and other documented medical data. The exchange would act as a census of sorts for health care statistics. If a patient has the ability to “opt-out” of having his de-identified medical information included in such a compilation by refusing consent, the data set becomes skewed. As is the case in any sort of research, distorted information makes the accuracy of the data questionable and any conclusions drawn from it difficult to generalize to a larger population. <br />Another problem associated with increasingly thorough privacy and security policies involves liability. If a patient is able to select which parts of his medical record are disclosed to a provider, many harmful situations might arise including misdiagnosis or contraindicated prescribing. This problem currently exists if a patient omits information in a medical history or examination, but it is amplified when health care providers begin relying on electronically acquired histories in emergency situations. At the present time, there is no legal protection for providers who make medical decisions based on patient information obtained in this manner. While legal precedents exist in some states for accessing information in so-called “break-the-glass” emergency situations, liability and privacy torts have not been explicitly addressed in relation to electronic health records and health information exchanges. <br />The benefits of patient-centered privacy and security regulations are self-evident, and allowing the individual patient the freedom to control his own protected health information is a policy consistent with fundamental principles of the United States as communicated in the Constitution. Promoting the health and welfare of the country’s population is also aligned with the nation’s core philosophies. The dilemma emerging as technology evolves between population- and individual-focused medical efforts follows a template already created by previous entries in the chapters on democracy in history books. Attempting to balance personal liberties with the “greater good” is a divisive act often left to Supreme Court rulings and revisited multiple times thereafter. The factious and immortal nature of such conflicts creates a grim forecast for finding an equitable resolution. In the case of patient privacy as it relates to health information technology, further compromising efforts are needed from both sides. The key to such a compromise lies in defining what information is vital for improving population health and determining how that information can be shared and accessed in a way that maintains individual anonymity.<br />Materials Referenced:<br />Laura Dunlop, Electronic Health Records: Interoperability Challenges Patients’ Right to Privacy , 3 Shidler J. L. Com. & Tech. 16 (Apr. 6, 2007), <http://www.lctjournal.washington.edu/Vol3/a016Dunlop.html><br />\"
Health Information Privacy\"
. U.S. Department of Health and Human Services. 7/15/2010 <http://www.hhs.gov/ocr/privacy/>.<br />Bentley, Lora. \"
HITECH Act Ramps up HIPAA Compliance Requirements\"
. IT Business Edge. 7/15/2010 <http://www.itbusinessedge.com/cm/community/features/articles/blog/hitech-act-ramps-up-hipaa-compliance-requirements/?cs=31575>.<br />