[Sigmed-l] The Electronic Medical Record & Privacy - WSJ article & response.

Leonard Davolio ldavolio at mii.ucla.edu
Tue Jan 2 12:44:57 EST 2007


Below is a response to a recent WSJ article by Drexel's Dr. Scot
Silverstein. Both the article and his response are interesting commentaries
on growing conflict between the interests of patient privacy and the
potential benefits of shared clinical data. I thought it might be of
interest to some of the folks on this list. 


-------
On Dec. 26, 2006, the Wall Street Journal published a front-page story on an
unfortunate patient who was denied coverage by insurers after detailed
information about her psychotherapy that she thought was confidential was
divulged to an insurance company. The story is "Spread of Records Stirs
Patient Fears of Privacy Erosion", Theo Francis (subscription needed for
full text). Here is a brief summary from this link:

Medical Dilemma: Spread of Records Stirs Patient Fears Of Privacy Erosion
Dec 26, 2006 By Theo Francis, WSJ.com

After her fiancé died suddenly, Patricia Galvin left New York for San
Francisco in 1996 and took a job as a tax lawyer for a large law firm.

A few years later, she began confiding to a psychologist at Stanford
Hospital & Clinics about her relationships with family, friends and
co-workers.

Then, in 2001, she was rear-ended at a red light. When she later sought
disability benefits for chronic back pain, her insurer turned her down,
citing information contained in her psychologist's notes. The notes, her
insurer maintained, showed she wasn't too injured to work.

Ms. Galvin, 51 years old, was appalled. It wasn't just that she believed her
insurer misinterpreted the notes. Her therapist, she says, had assured her
the records from her sessions would remain confidential.

As the health-care industry embraces electronic record-keeping, millions of
pages of old documents are being scanned into computers across the country.
The goal is to make patient records more complete and readily available for
diagnosis, treatment and claims-payment purposes. But the move has kindled
patient concern about who might gain access to sensitive medical files --
data that now can be transmitted with the click of a computer mouse.

The U.S. Department of Health and Human Services implemented standards in
2003 for guarding patient privacy, supplementing a patchwork of state laws.
The federal standards, which grew out of the 1996 Health Insurance
Portability and Accountability Act, single out psychotherapy notes for extra
protection.

Critics claim that loopholes in the rules have left patient privacy under
threat. Ms. Galvin, for example, discovered that when psychotherapy notes
are mixed in with general medical records, the federal rules afford them no
special protection. That is precisely what happened with her records at
Stanford, she says.

The WSJ article points out that complaints to HHS about breaches of medical
privacy have exceeded 23,000 and that HHS presently receives about 700 new
complaints monthly, while enforcement of "guarantees" such as in the HIPAA
act is basically non-existent.

An edited version of a letter to the editor I sent was published in the
Saturday, 12/30/06, print edition of the WSJ. The text of the letter I
submitted is below. Edited out for brevity were mention of the UK's
difficulties, explicit mention of psychology information as inappropriate in
an EMR, and unfortunately, mention of the HCRENEWAL blog I write for.

However, the letter was otherwise intact:


To:  wsj.ltrs at wsj.com
cc:   theo at theowire.com
Date:   Tuesday, December 26, 2006
Subject:   Re: Spread of Records Stirs Patient Fears of Privacy Erosion


Dear Wall Street Journal,

Ms. Galvin’s fears that her most private thoughts and secrets are
“mere data of a transaction, like a grocery receipt” are
well-founded and truly give life to an observation I made several years ago
while leading electronic medical records (EMR) implementation at a large
hospital.  I observed that clinical computing and business computing are
entirely different specialties of computing.  I felt that the dominance of
EMR efforts by information systems personnel would lead to devaluation of
doctor-patient confidentiality and of the doctor-patient relationship
itself.

As Drucker wrote in 1999, information systems personnel have taken a
somewhat peculiar view of the world, namely that the entire world operates
on the principles of 19th century accounting theorem, and computerized it in
a form where events are deconstructed to “transactions.”  Unfortunately, as
Ms. Galvin discovered to her horror, good things do not come from treating
twenty-first century medical “transactions” as nineteenth century accounting
data.


We’re not alone in the United States.  In
the UK, the ambitious Connecting for Health (CfH) national EMR project and
plans for a central clinical database have been met with stiff resistance
from patient advocacy groups.  Plans to upload medical records onto the
central clinical database will put patient confidentiality at risk, the UK
program has been told by its own consultants [1].  Professor Ross Anderson,
Professor of Security Engineering at Cambridge University and one of the
founder members of privacy advocacy group http://TheBigOptOut.org made the
telling point that people should opt out of inclusion in the national
database, if only to wait and see if their government delivers the
‘protections’ that it is promising - and if it does, to see if
they are sufficient and effective [2].  HIPAA must have been on Prof.
Anderson’s mind.

A similar advocacy movement is needed in the U.S., for there has been an
idealistic and almost reckless push in the US to put any and all healthcare
information into EMR’s and other electronic databases, even when the
financial and clinical benefits are unproven.

A critical issue in the Journal story that needs consideration is why
detailed notes of psychotherapy sessions, of all things, were available in
electronic form.  This makes little sense and is entirely unnecessary.  For
instance, data on Ms. Galvin’s feelings and private affairs would not be
needed – or even useful – to other doctors in a medical emergency.  Indeed,
even if Ms. Galvin switched doctors, her history would best be redone by a
new psychologist in building an effective doctor-patient relationship.

In a decade when conflict of interest and mismanagement in healthcare is
common [3], break-ins to supposedly secure databases appear in the news
almost weekly, and dominant computer operating systems are barely able to
keep ahead of hackers’ attempts to circumvent security, the dream of
patient confidentiality is increasingly utopian.  The reality is that the
HIPAA act lacks teeth, enforcement initiatives are non-existent (as the Journal
reports), and stated exceptions to the HIPAA rules are prone to misuse by
the powerful and those with financial incentives.  These factors make it
likely that the HIPAA “guarantees” are not worth the weight of
the paper they’re written on.

In reality, if you want to keep information secure, don’t put it on a
computer; and if you have to put it on a computer, and the computer is to be
put on a network, then the information by definition is no longer secure.

These harsh realities call for a critical rethinking of the types of
clinical data that should be put into electronic databases, and on
governance of privacy, security and confidentiality.  In the U.S.
there is an office with a mandate to consider such issues, the Office of the
National Coordinator for Health IT (ONCHIT) in the Department of Health and
Human Services [4].  I call on ONCHIT to lead this needed rethinking in our
national strategy for electronic healthcare information.

Notes:

[1] “CfH report confirms confidentiality risk,” The Register,
Nov. 27, 2006, http://www.theregister.co.uk/2006/11/27/care_record_conf/

[2] http://www.nhsconfidentiality.org/?p=37

[3] Foundation for Integrity and Responsibility in Medicine,
http://hcrenewal.blogspot.com

[4] Office of the National Coordinator for Health IT (ONCHIT), Department of
Health and Human Services (HHS), http://www.hhs.gov/healthit/rfi.html


--------------------------------
Scot M. Silverstein, MD
Assistant Professor of Healthcare Informatics and IT
Director, Institute for Healthcare Informatics
College of Information Science and Technology
(Co-appointments, School of Public Health, and College of Nursing & Health Professions)
Drexel University
3141 Chestnut St.
Philadelphia, PA 19104-2875

(215)895-1085
scot.silverstein at ischool.drexel.edu
www.ischool.drexel.edu/faculty/ssilverstein/biography.htm
ARS KU3E, member www.arrl.org

Leonard D'Avolio
Ph.D. Candidate
NLM Medical Informatics Fellow
Dept. of Information Studies
Dept. of Medical Informatics
University of California, Los Angeles
http://polaris.gseis.ucla.edu/ldavolio 



