Give Patients EHR Control, Says Civil Liberties Union

Health Data Security: Tips And Tools

A report from the New York Civil Liberties Union (NYCLU) says there are significant flaws in New York State's current privacy and security policies and procedures governing computer networks that share electronic medical records. Those flaws limit a patient's ability to control the dissemination of their health records.

The new report – Protecting Patient Privacy: Strategies for Regulating Electronic Health Records Exchange – is a 34-page document that acknowledges the benefits of sharing patients' health records electronically, but also laments the current policies and procedures in New York State that allow providers to upload patient records without a patient's consent.

Furthermore, the report said New York State, which has already invested more than $840 million in developing electronic information sharing networks for medical records, is building a health information exchange infrastructure that represents an all-or-nothing approach for providers to access medical records. The problem here, the report says, is doctors who obtain a patient's medical records can see that patient's entire medical history, including information they may not need for the specific condition they are treating.

[ Learn about how one hospital is using biometric technology to beef up the security of patient records. See Biometrics Shore up Patient Data Security. ]

"New York State has erred on the side of providers and not on the side of patient privacy," Corinne Carey, NYCLU's assistant legislative director, told InformationWeek Healthcare. "What I think is problematic is that patients are not able to control which kinds of providers access which kinds of data. For example, a podiatrist does not need to see the details of a sexually transmitted disease that occurred 10 years ago or a substance abuse disorder that the patient dealt with 15 years ago."

The report focuses on patients who may have a heightened concern regarding the privacy of their information, such as those with a history of substance abuse, patients who have been raped, and patients who have had an abortion. These patients deserve to have an electronic health data exchange system that can sort and segregate information by data type (blood test, diagnosis, or procedure), by provider (gynecologist, psychologist, internist), or by time (a procedure that occurred five years ago).

"Allowing patients to retain a measure of control over their medical records will increase confidence in the system's ability to safeguard confidentiality," the report states.

The NYCLU also urged New York State health officials to revisit policy choices that empower patients to control the dissemination of their medical records, but not before giving a few recommendations of their own.

Among the NYCLU's recommendations:

-- Require the electronic systems employed by HIEs to have the capability to sort and segregate medical information in order to comply with guaranteed privacy protections of New York and federal law. Presently, they do not.

-- Offer patients the right to opt out of the systems altogether. The state should revisit its decision to upload patient information to the system without patient consent. Barring that, the state must adopt a policy that would allow patients to affirmatively opt out of the system so that their medical information is not included in the network.

-- Prohibit health information exchanges from selling data. The New York State Legislature should pass legislation prohibiting HIEs from selling patients' private health information.

-- Carefully regulate the use of commercially available personal health records (PHRs). A number of commercial vendors, such as Microsoft HealthVault, currently offer patients the ability to collect, store, and manage their own medical information online. Under existing law, it is unclear to what extent these commercial entities are bound by Health Insurance Portability and Accountability (HIPAA) Act or New York State confidentiality laws. State law should extend confidentiality obligations and protections to private entities that offer PHRs.

In response to the report, Peter Constantakes, spokesman for the New York State Department of Health, said the department "believes that our current policies comply fully with federal and state laws and that patient information is well protected under the current set of policies, but we are always looking for ways to improve the system."

Constantakes also told InformationWeek Healthcare that New York has an annual review process of the policies and procedures that guide the state's patient data privacy and security rules.

"A new policy committee will be reviewing comments submitted as part of the annual review process last year and making recommendations on changes to the current version of the privacy and security policies and procedures. All comments will be discussed, including comments submitted by the NYCLU," Constantakes said.

Healthcare providers must collect all sorts of performance data to meet emerging standards. The new Pay For Performance issue of InformationWeek Healthcare delves into the huge task ahead. Also in this issue: Why personal health records have flopped. (Free registration required.)