Privacy Issues Loom in
Push for Electronic Medical Records
By Judy Foreman
06/12/2006
Patients of the land, unite! You have nothing to
lose but your privacy.
There's a growing national effort to bring medical
records into the 21st century by converting the
paper records now scattered in doctors’ file
cabinets to electronic records by 2014. It’s a grand
idea -– in many ways.
If medical records were electronic, prescriptions
would be more legible and could be filled more
accurately. Public health officials could spot
disease outbreaks quickly and track their spread.
Doctors could speedily check a patient’s record,
helping to avoid wasteful repetition of tests and
minimize harmful drug interactions and other errors,
which currently kill an estimated 98,000 people a
year in the United States. Scientists would have
access to a gold mine of data about diseases.
There could be other direct benefits, too. If I had
a car accident in San Francisco, say, an emergency
room doctor there could check my records in Boston
to treat me correctly.
WELL, CALL ME PARANOID. CALL ME OLD-FASHIONED.
CALL ME AN ELECTRONIC DUMMY. BUT THE WHOLE IDEA
SCARES ME – AND NOT JUST ME.
“I have spent 30 years seeing nothing but how people
are harmed [in their] reputation or livelihoods when
sensitive medical records are seen by anyone...
outside of the few people you trust to actually take
care of you,” said Dr. Deborah Peel, a Freudian
psychoanalyst in Austin, TX and founder of the
Patient Privacy Rights Foundation
(www.patientprivacyrights.org),
a nonprofit group. "If privacy is not fully
protected we won’t be building anything except the
most valuable motherlode of information for data
mining on Earth.”
To be sure, paper records aren’t all that secure,
either. Anyone in a white coat can peruse paper
records and no one would ever know. At least with
electronic records, there can be “audit trails,” to
show who has peeked at what. Still, do we really
want to make it easier for more AND MORE people to
see sensitive medical data?
We know now that that personal electronic
information on 26.5 million military veterans,
including their Social Security numbers and birth
dates -- and in some cases, disability codes -- was
stolen from the residence of a Department of
Veterans Affairs employee who had taken the data
home without authorization. In another example of
the vulnerability of electronic records, we know
that the National Security Agency has secretly been
collecting the phone call records of tens of
millions of Americans. And we know that credit card
information is vulnerable to hacking and accidental
release.
“If the Veterans Administration can’t prevent the
theft of 26 million names and Social Security
numbers from an electronic file, why would any
patient believe their personal, sensitive health
data is safe online?” said Peel.
Already, roughly 150 people, from nursing staff to
X-ray technicians to billing clerks, have access to
at least part of a patient’s records during a
hospitalization, according to the US Department of
Health and Human Services. And 600,000 payers,
providers, and other entities that convert
providers’ raw data into billing data, have some
access, too.
The national Health Information Technology effort,
authorized by the Bush administration in 2004, is
now being hammered out by four groups working
through the Department of Health and Human Services.
One group is standardizing the way records are kept
–- nitty-gritty stuff like whether the patient’s
name or something else comes first on forms, said
Dr. John Halamka , chief information officer for
Harvard Medical School and chairman of this group,
called the Health Information Technology Standards
Panel.
Another group is working on the “architecture” of
the system –- who gets to see which pieces of data
and how the data can be secured. A third is working
on privacy policy, sorting through privacy
protections from each of the 50 states, whose laws
often offer better privacy protection than federal
rules called HIPAA, WHICH have been in effect since
2003. (Last week, the Washington Post reported that
the federal government has been fairly lax in
enforcing HIPAA, receiving nearly 20,000 allegations
of privacy violations, but imposing no fines and
prosecuting only two criminal cases.)
The fourth group is working on certification -– to
see that electronic products offered by vendors have
all the features they are supposed to have.
At first glance, all this sounds reassuring. But
there is only one consumer representative on the
advisory panel, called the American Health
Information Community, that is overseeing the work
of the other four
groups. The other 16 members come from federal
agencies, hospital or doctor groups, industry
(Intel), an employer (Pepsi) and a state health
department
(Indiana).
And while part of the health information community's
stated mission is “consumer empowerment” even in
this effort, most of the members of the consumer
work group are not explicitly patient advocates.
To ensure that patients have adequate privacy and
control over their own records, “more could be done
to increase consumer participation in the e-health
records process,” said privacy advocate Ray
Campbell, executive director of the Massachusetts
Health Data Consortium, a nonprofit group that uses
information technology to improve health care. The
Massachusetts group is now working with the privacy
committee of the health information community.
One of the major issues is how centralized health
information databanks should be.
What has worked well so far, said Halamka of
Harvard, is a “very decentralized approach” like the
one he has put in place at Beth Israel Deaconess
Medical Center. “The data live in the doctor’s
office or in the hospital. It never gets put into
any central data base where it could be hacked. I
would be worried if there were a central data base
in the basement of the White House that could be
hacked, but we are not building
that.”
Stephanie Reel, chief information officer for Johns
Hopkins Medicine, said she has confidence in the
privacy efforts of top-notch hospitals, but worries
about sharing information across a larger audience.
“Our hospitals do a good job of protecting patient
information," she said, "but people’s concerns are
legitimate when you are sharing information across a
larger audience.”
How well privacy can be safeguarded in a national,
electronic system is “the $64,000 question,” said
Carole Klove, chief compliance and privacy officer
for UCLA Medical Sciences.
It was valuable during Hurricane Katrina that New
Orleans pharmacies had electronic records so
patients could still get prescriptions filled, she
said. “But certainly there are risks in having all
your records electronic. Risks can result in
inappropriate access.”
The good news is that the push to make medical
records electronic is still a work in progress. It’s
not too late for more consumer voices. If you’re
concerned, you can monitor the workings of the
health information technology effort at
http://www.hhs.gov/healthit/ahic.html.
Judy Foreman’s column runs every other week. Past
columns are available on
www.myhealthsense.com.
Listen to her live
call-in webcast radio show every Wednesday night
from 8:30 to 9:30 EST on
http://www.healthtalk.com.
Note: the picture
is courtesy of
Jack Gallagher Ueland Illustration Co.
www.uelandillustration.com
To Latest News