To answer this question, let’s start by saying that, depending on how the data is used, it can be either. So the question is, to what extent can we garner the benefits of an electronic health record (EHR) while maintaining data privacy? Most of us are aware that the risk to privacy of any information increases exponentially with each additional person whom we tell. This is especially true for electronic communication. Social networking members, who have shared what they thought was private information with “friends,” have too often found that the information is now accessible far beyond what they ever imagined; now it is permanently engraved in cyberworld. These observations rightly raise concerns when information in a medical record is involved.
People are asking whether any kind of electronic records can be made safe. If one is looking for a 100% privacy guarantee, the answer is no. But then, paper records are not 100% secure either. There have been cases where paper medical records, especially parts of them, have disappeared. There was a case where boxes of patient records from a doctor’s office were found in a garbage dumpster (Preventing Medical Identity Theft, 2008) and a case in which stolen medical records were recently found washed up on a Maine shore (Associated Press, 2008b). Additionally, disposing of paper records can be a privacy breach as a teacher in Salt Lake City, who had purchased medical records from 28 Florida hospitals to use as scrap paper for her students, learned (Associated Press, 2008a).
On a hospital unit, a patient’s paper record (chart) is often available to anyone with a white coat, a badge that looks like the identification badge of the agency, and the courage to pick up the chart. With an electronic record, it is more difficult for an unauthorized person to gain access to a healthcare record. To do so a person needs more than a white coat and a badge; the person also needs a login name and a password. Additionally, electronic record systems maintain an audit trail, required by the privacy rules of the Health Insurance Portability and Accountability Act (HIPAA), that records who has accessed what record, as well as what part of the record was viewed. In contrast, in a paper record, neither the person who has accessed a record, nor what the person accessed is known.
Given the relative ease of access of electronic records for those with the appropriate login, and the fact that login audit trails only work when they are routinely examined, it is possible for an unauthorized person to access a record, resulting in a concern about the privacy of information in healthcare records. This possibility takes on a new note of concern in a facility in which one is both a patient and an employee. This fear was expressed by a reader who responded to an earlier OJIN Informatics Column about the electronic health record (Thede, 2008, August 18). Because it is possible for decisions about firing and hiring to be made based on healthcare information found in an employee’s, or a potential employee’s record, access to a person’s healthcare record is a legitimate concern for everyone. The question then becomes “Will administrative personnel have access to an individual employee’s records?” The answer is legally “no.” Yet in reality, unless the audit trails are examined by individuals independent of any administrative oversight, this access could remain secret. Keep in mind, however, that a paper record is also fair game for a “snooping-minded” individual, and in this case there is no record of any access.
Fortunately, today there are more protections against this type of snooping, as well as other risks to privacy breaches, than in the past. HIPAA, although it’s primary purpose was to insure the portability of healthcare information, recognized that data in an electronic format can be easily shared. To protect this data, rules were promulgated to set a national standard for the privacy of health information. These rules took effect April 14, 2003. Although these rules were an excellent start, they fell “...far short of providing adequate protection either in the traditional healthcare arena or for the rapidly evolving e-health environment”(Center for Democracy and Technology, 2009).
Under the original HIPAA Privacy Rules individuals had the right to request an "accounting of disclosures" of one's identifiable health information for a period of six years prior to the date of the request. The right, however, was limited because it excluded disclosures for treatment, payment, and business operations. The American Recovery and Reinvestment Act of 2009 (ARRA), signed into law by President Obama in February 2009, contained the Health Information Technology for Economic and Clinical Health Act (HITECH) which extends these rules (HIPPA.com, 2009). The rules now require that a covered entity that maintains electronic health records has to account for disclosures for purposes of treatment, payment, and business operations for three years prior to the date of the request (Section 13405). However, unless a person requests this information, the individual will not be told that the record has been accessed. Thus, if nurses think that their healthcare record has been improperly accessed to prevent them from being hired or promoted, they can find out if this is true. The same is not true, for a paper record.
One of the main problems under the original HIPAA rules was that they were not clear on the responsibilities of “business associates.” A business associate is an individual or group that contracts with healthcare providers to perform specific services, such as billing or developing electronic healthcare records. Business entities were obligated to comply with privacy rules only to the extent required in their contracts (Center for Democracy and Technology, 2009). Thus, if a contract with a healthcare agency for an electronic medical record did not specify that the agency owned the data, it was possible for the vendor to misuse this data. ARRA specifies that now "...business associates must abide by nearly all of the HIPAA regulations on data security (Section 13401); must directly comply with all of the new privacy provisions enacted in ARRA (Section 13404); and can be held directly accountable for failure to comply with any HIPAA Privacy Rule provisions in their work with covered entities (Section 13404) (Center for Democracy and Technology, 2009).” For more information about these regulations see Majority Staff of the Committees (2009). Privacy rules apply to healthcare records whether they are electronic medical records (EMR), or electronic health records (EHR). An EMR is an electronic healthcare record under the ownership of a single entity, such as a private healthcare practitioner or a healthcare institution. An electronic healthcare record (EHR) is an individual’s healthcare record from different healthcare agencies from which, when requested by the patient, selected portions can be shared with other agencies (National Alliance for Health Information Technology, 2008). The new rules also apply to regional healthcare data-sharing organizations, such as the Regional Health Information Organization (RHIO) in Boston that shares information in medical records for the purpose of improving healthcare.
Although Americans are concerned about the privacy of medical records, survey data shows that despite this concern, the majority of Americans are aware of the benefits of electronic records and believe that they outweigh privacy concerns (Bright, 2007). They are eager to benefit from them for a number of reasons including the belief that use of electronic medical records can improve the quality of care by reducing the number of redundant or unnecessary tests and procedures they receive as well as reduce medical errors and healthcare costs. Additionally, the survey showed that people believe that the ability to share information can result in better care. As patients age it also becomes more difficult for them to remember all the information that might be pertinent for a given provider. Actually anyone who has struggled to locate, for referral purposes, medical records located in a variety of different provider offices finds the thought of a full EHR very appealing.
To answer the question posed by the title, despite opposition from those who have a vested interest in not having an EHR, or even an EMR, such as drug companies whose drugs are creating previously uncovered side effects, or agencies that make money by repeating lab tests, electronic health records are a plus. This does not mean that efforts to protect healthcare data should be lessened. It does mean that we need to acknowledge the considerable progress already made in protecting healthcare data and the progress that will continue to be made. No, the records will never be 100% safe; but the benefits outweigh the risks, and no information, once shared, is ever 100% safe from disclosure.
Linda Thede, PhD, RN-BC
lqthede@roadrunner.com
Article published March 30, 2010