By Melanie Platten
Most people don’t know that doctors don’t actually need your consent to obtain access to your medical records. In 2002, the Department of Health and Human Services (HSS) amended an earlier privacy rule, eliminating patients’ “right to consent.” Compounding the issue, for patient privacy rights activists, is the fact that over half of U.S. doctors have begun making the switch to electronic health records (EHRs) as reported recently by HSS. These combined issues have activists more concerned than ever about the safety of patients’ health information.
“Me and my colleagues never learned about these new issues [with EHRs] in medical school. In the paper days, it was always understood that a patient had to sign something for consent,” said Dr. Debbie Peel, founder of non-profit advocacy group, Patient Privacy Rights. Peel added that “patients understood that once they gave their consent, the health records where locked up in a file cabinet.”
Additionally, it’s not just physicians affected by changing legislation. More than 4 million businesses, including, billing firms, insurance and pharmaceutical companies, and government agencies can use and access your health information according to a recent Patient Privacy Rights report.
“HIPAA is a massive disclosure rule. It puts all our health information into the hands of institutional data holders,” said Peel.
As heath care reform encourages hospitals to adopt Electronic Health Records (EHRs), legislators are being forced to address privacy concerns that come with the changing technologies. “As the Affordable Care Act encourages the move to electronic medical records, the health care industry has an opportunity to improve public health and combat medical identity theft with forward-looking policies and the strategic use of technology,” said California Attorney General, Kamala D. Harris, in a recent press release.
But for some industry insiders, the move towards more fluid access to information is a positive step.
“When someone comes into the emergency room, it’s important for us to have access to their records in order to save their life,” said Dr. Adam Feintisch, a senior resident in reconstructive surgery at New Jersey Medical and Dental Hospital in New Jersey, who believes change helps physicians do their jobs.
In addition to easy access for doctors and physicians, some argue that the issue requires a more comprehensive perspective. “For the most part,” said Ed Park, chief operating officer of athenahealth, “the health care community is only using health records with the aim to cure diseases and improve patient care.”
For Dr. Dick Johanness, head of clinical research at CareFusion, the problem is about a lack of clarity around health data ownership in legislation. “Right now there is a lot of confusion about who owns what. Some would argue hospitals own [the patients health data]. Some would argue the systems administrators own it. The issue is still very much being decided.” Peel agreed, saying “right now some states have more strict legislation outlining ownership than others.”
But even with more clearly defined federal legislation surrounding patient privacy and health record ownership, patient privacy advocates identify other ways health information is at risk.
For example, data breaches in health care organizations are on the rise according to a 2011 Poneman Institute report. Accordingly, 96 percent of all health providers said they experienced at least one data breach violation in the last two years.[See Figure 1 for details on increase of patient records data breaches]
Even though some regulations have been put in place to protect patient privacy, for example, provisions of the Affordable Care Act make it illegal for companies to use your health information to discriminate against you for hiring purposes, not all of the firewalls are set up in the right place, says Park. For example, federal legislation like HIPAA and the HITECH Act aim to safeguard access to health records, which some physicians argue, can interfere with their ability to treat patients.
Unfortunately the way the system is set up now, the responsibility is on the patient to take an active role in their protection by reading respective state legislation and company privacy policies, said Johannes, “I wish it were the case that national standards were sufficiently rigorous so that if everyone adhered to them, you’d know what [information was used and what] was going to happen, but I’m afraid that’s not the current situation.”
But not everyone is as willing to accept the current systems’ limitations and hope for the best. Peel and her colleagues at Patient Privacy Rights, continue working on research and surveys to understand the dangers of a society where citizens accept health information insecurity as a part of their psychological paradigm.
“The consequences are grave,” said Peel, “40 to 50 million people a year take actions that can put their health in jeopardy because they fear their health records aren’t safe. We found 600,000 people a year delay cancer treatment and another 2 million avoided treatment for depression for similar reasons.”
For Peel, helping a nation understand the dangers of diminishing patient privacy rights, is her life’s work. “I can’t understand why more people aren’t interested in finding out about who has access to their information. But I will keep working to make sure that when they are ready to listen, the information is there.”
Steady increase in reported data breach incidents since 2005