Petition Demands Privacy for Electronic Health Records

M.L. Baker

Health information technology legislation is swirling around Capitol Hill this week, and there’s no shortage of recommendations on how it should be done.

Privacy advocacy groups began circulating a petition Thursday to bar employers from viewing patients’ health information and to give patients control over who can see what medical information.

The heads of the two advocacy groups who wrote the petition say that, designed properly, electronic health records can protect privacy better than their paper counterparts.

That’s because, unlike paper files, electronic systems can show varying levels of information to different people as well as track who tries to access what information.

But such controls must be mandated from the start, said Deborah Peel, head of the Patient Privacy Rights Foundation.

“If health IT is built without protections, then every American is exposed to the same kind of damaging practices that Wal-Mart is seeking to implement,” she said, referring to a recently leaked memo in which department store executives planned how to hire and retain employees likely to have the lowest health costs.

The petition being circulated by the Patient Privacy Rights Foundation and the Electronic Privacy Information Center states that patients should be able to choose who can view medical records, explicitly bars employers from viewing employees’ medical records and states that sharing private information should not be a precondition of receiving care.

Also this week, the Commission for Systemic Operability released 14 recommendations to ease the creation of systems that could instantly supply a patient’s health information when necessary.

The Commission, a bipartisan group created explicitly to advise Congress, recommended that anyone who knowingly attempts to obtain restricted information face criminal prosecution and that the Department of Health and Human Services figure out how to protect patients from the consequences of unauthorized access.

Though more explicit, these provisions are not so different from HIPAA, which states that employers will generally not be able to view information and lays out criminal sanctions and huge fees for harmful use of medical information.

Peel, however, said that the notion of who is authorized should be determined by patients. To avoid mountains of bureaucracy, the exchange of medical information for “routine use” need not be approved by or disclosed to patients. Peel said that this creates a loophole that thwarts HIPAA’s intentions.

Health IT could restore protections without crippling paperwork, she said. “Consent is a data field. People that design the system could easily put consent in.”

When he read the petition, Scott Wallace, head of the Commission, said that all the positions were reasonable and that none conflicted with the Commission’s recommendations, Ending the Document Game.

The Commission recommended that the government, employers, and health care payors should all offer providers incentives to connect information.

It also urged that policy makers and IT vendors stop squabbling about details and adopt national, consistent standards on issues like assuring patient identity.

However, Marc Rotenberg, head of the Electronic Privacy Information Center, took issue with the Commission’s recommendation that a national privacy policy should preempt state privacy laws.

“There’s a real risk that Washington can get it completely wrong. A bad bill that preempts the states could become an anti-privacy law.”

In that case, he said, individual states could provide a smorgasbord of possible solutions.

Wallace said that groups focusing on patient confidentiality can overlook the need to connect information, saying that actions required by some states are prohibited by others.

“Conflicting laws between those states stop my medical information from crossing the border. It is far more important that we have access to medical information than that we have states individually defining privacy needs.”

Rotenberg said information technology could be readily designed to adapt to different state policies. For example, appropriate codes and tags could be attached to data so that both the data and its privacy protections could travel with the patient.

But John Halamka, CIO and associate dean for educational technology at Harvard Medical School, said consistent privacy and security policies are essential to connect information, and such policies often extend beyond certain classes of data.

State laws that were reasonable before electronic systems now impede patient care, Halamka wrote in an opinion piece.

“In Massachusetts, doctors can’t retrieve a complete electronic medical list from an insurance company, even with patient consent, if a medication related to mental health, substance abuse or HIV treatment is present.

“In Ohio, doctors must use a cryptographic electronic signature to prescribe medications electronically. In California, only paper forms are considered a valid patient consent.”

Peel did not see separate state privacy laws as essential, provided that current national privacy policies were strengthened. She warned that patients worried that their health information could be used to harm them would find ways to keep that information out of the system, even if it meant forgoing care.

In that sense, she said, the ability to protect information is a prerequisite for the ability to connect it.

“Information technology can bring us the best of both worlds. It’s not an either/or proposition, and it shouldn’t even be framed that way.”