Lessons on EHR Privacy from Europe
New Report Highlights What U.S. Could Learn
In an interview (transcript below), Baumer calls for the United States to follow Europe's lead in:
- Making it much more clear that everyone has a fundamental right to privacy;
- Holding medical records to a higher level of protection than financial records;
- Setting tougher penalties for privacy violations and devoting more resources to enforcement, going far beyond the measures called for in the HITECH Act.
"Despite the benefits of widespread EHR adoption, its acceptance and implementation will not be achieved unless its risks are mitigated," the new report states. "A significant obstacle to public acceptance of EHRs is the concern over the privacy and security of personal health information."
The report, "Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared," soon will be available from the Boston University Journal of Science and Technology Law. A summary is available from North Carolina State University.
Co-authors of the report are Janine Hiller, professor of business law at Virginia Tech; Matthew McMullen, program director of the Office of International Research, Education and Development at Virginia Tech; and Wade Chumney, professor of business ethics and law at Georgia Institute of Technology.
Baumer, who holds a doctorate in economics and a law degree, is professor of law and technology at North Carolina State University, where he has been on the faculty since 1979. He has written extensively on privacy and security issues.
HOWARD ANDERSON: You are one of the co-authors of a new report on electronic health records that concludes that insufficient privacy protections are hindering public acceptance of EHRs in the US. Can you explain that conclusion for us?
DAVID BAUMER: There historically has been a substantially greater privacy concern in Europe relative to the United States. The EU explicitly has as one of its principles that citizens are entitled to a right of privacy. That had not been the case in the United States up until HIPAA was passed, which is the Health Insurance Portability and Accountability Act in 1996. Until then, you had essentially state control of privacy, and every state had their own laws and they often conflicted. So once HIPAA was passed, at least we had a nationally uniform law. It was not as strong as what is present in Europe, but we have advanced toward at least national uniformity on the issue of privacy of medical records.
So to summarize, the EU has had a longer and stronger history of protecting privacy. All medical records in the EU are deemed sensitive information, which is a higher level of protection than, say, bank records or things of that nature. And as a result, I would say there is greater public acceptance of electronic health records.
EHR Security
ANDERSON: Your report states that the full benefits of EHRs will not be realized until they are used by all or nearly all healthcare providers. Can you tell us why that is the case, and do you believe that EHRs will not be pervasive unless Americans become more confident that their information will be secure?
BAUMER: Answering the second question first, I would say yes that electronic health records will not become prevalent until we have greater public acceptance of them. And the benefits of EHRs are very similar to any kind of network: The benefits take place if all or nearly all of the participants use compatible technology. EHRs are envisioned by many healthcare professionals to be a system where doctors can easily look up medical records and they will not have to interpret handwritten letters. And they'll have access to the latest techniques and data. All this will result in lower cost or potential savings under any kind of healthcare system.
At this point in Europe, in several countries, there is virtually universal use of electronic health records. They have at least as good of a healthcare system as we do, and the costs per patient are far less.
Tougher Penalties
ANDERSON: Now you call for the U.S. to emulate some of the electronic health record privacy protections now commonly used in the European Union. What are the most important lessons that the U.S. could learn from Europe?
BAUMER: I think that there are clear disparities between the United States and Europe, and because of these disparities there is much greater acceptance of electronic healthcare records in Europe. We need to take specific steps to ensure better protection of privacy in the United States. One of the steps that certainly could be taken is to increase the penalties and enforcement for those that steal medical records and make use of them.
EHR Standards
ANDERSON: Are there other particular laws or regulations in Europe that you would like to see the U.S. emulate?
BAUMER: In Europe, in 1996, they passed the information directive, which basically required all European countries to abide by various standards of privacy for medical records. And one of the things that they required is that any country in Europe or company operating in Europe cannot transmit those records to any other country that doesn't have equal standards -- the United States was one of the countries that they were most concerned about. It took a lot of maneuvering on the part of the United States just to be able to share medical records with European firms because, again, they have standards and they say, "Not only do we have these standards, but we're not going to transmit any information to other countries who don't abide by our standards." ... When somebody's medical records are accessed inappropriately, word gets around and has a very detrimental effect. So the United States healthcare organizations that have access to these records need to do a better job.
Right to Privacy
ANDERSON: Finally, is there a particular lesson to be learned from the Europeans that you would like to leave people with?
BAUMER: I don't want to sound like a broken record, but in Europe they do start off with the principle that there is a right of privacy. In the United States, we don't have an explicit right of privacy, so I think that is one substantial distinction. Any company that collects records in Europe has to have a reason for collecting the records and must have a superintendent of information. ...
Certainly information is collected on people in the United States without a valid purpose. ... It appears to work in Europe to have a clear indication that you do have a right of privacy. You don't have to claim it. It's not based on consent, even though they have many more protections in terms of consent. Even if you signed over access to your records, you can withdraw that access to your records, and the companies that have access to your medical records have to respect that.
I guess, fundamentally, what we're talking about is starting at ground zero with an agreement that there is a right of privacy and that any derogations, as they call them, from that are strictly an exception. ... And there are far fewer exceptions to the right of privacy and medical records in Europe than there are in the United States.