Records Exchange Raises Privacy WorriesExperts Suggest Methods to Bolster Patient Trust
A new survey shows that many consumers are concerned about whether their healthcare information will remain private once electronic records are routinely exchanged among providers. But experts say a good way to address those concerns is for organizations to be transparent with patients about who's accessing their data and why.
Devore Culver, executive director and CEO of HealthInfoNet, Maine's statewide health information exchange organization, says that HIEs and healthcare providers should take key steps to earn patients' trust that their records will remain private.
"Acknowledge their concerns," Culver says. "Be clear and transparent about how data will be used and by whom. Confirm that the organization adheres to current data security practices and standards. ... Provide the option for consumers to access audit reports of who is looking at their data."
The new survey, published this month in the Journal of the American Medical Informatics Association, found that more than half of California consumers believe that EHRs worsen information privacy and nearly 43 percent believe they worsen security.
When it comes to the impact of health information exchange, 40 percent of consumers surveyed say it worsens privacy and 43 percent say it worsens security.
The report was based on a phone survey of 800 consumers in California conducted by researchers at the University of California's Sacramento and San Diego campuses.
"While consumers show willingness to share health information electronically, they value individual control and privacy," the researchers wrote. "Responsiveness to these needs, rather than mere reliance on HIPAA may improve support of data networks."
Consumer confidence in EHRs and HIEs could be boosted if patients are given the opportunity to get reports on who accesses their records, says David Whitlinger, executive director of the New York eHealth Collaborative. The group coordinates activities for the Statewide Health Information Network of New York, which is the state's health information exchange.
SHIN-NY plans to provide consumers will such access reports through the HIE's patient portal, he says.
"They'll be able to look to see who accessed their records via SHIN-NY," he says. Providing patients with access reports about their health records is akin to credit bureaus providing consumers with reports about who accessed their credit reports, he says. "If patients ask who has accessed their records, and can get a report, that will go a long way to alleviate concerns."
In fact, federal regulators have been working on a proposals regarding an accounting of health information disclosures and EHR access reports for patients.
The HITECH Act mandated the Department of Health and Human Services update HIPAA requirements for an accounting of disclosures of protected health information. In May 2011, HHS' Office for Civil Rights issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial new "access report" provision.
As proposed, the access report would need to contain the date and time of access, name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. That access report would include EHR disclosures for treatment, operations and payment, which are categories of disclosures exempt from the current HIPAA accounting of disclosures rule.
Many of the public comments that HHS received on the access report proposal claimed that it would prove to be technically unfeasible for EHR vendors to implement, and complex and expensive for healthcare organizations.
But Whitlinger doesn't buy those arguments. "The provider community realizes that they will get challenged about who accessed [a patient's] record, and they don't want to deal with that," he says. And he believes that some EHR vendors "don't want to have to go down the path of how to make these access reports representative and valuable" for patients.
OCR Director Jocelyn Samuels said in January that the agency was considering a possible request for additional public input on HHS' proposed accounting of disclosures rule making. OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule, she said.
An executive at EHR vendor Athenahealth says that patients will become more confident in the security and privacy of their health records if they have more control over that information.
"Too often, patient data and its sharing is controlled not by the patient but by large care organizations and their health IT vendors," says Dan Healy, Athenahealth's vice president of government and regulatory affairs. "Our vision is of a system of patient-centered information exchange, putting control back in the hands of the patient. That will do more than anything else to increase confidence."