Dawson 1 Pledged Kellen Dawson Dr. DeRouen Transfer Seminar 21 April 2011 Privacy and the Proposed National Electronic Medical Record In an effort to decrease the rapidly expanding healthcare costs in the United States, the federal government has been searching for innovative methods of cost savings. One such way is the implementation of an electronic medical record encompassing the medical records of all Americans. Accordingly, with the passage of the Patient Protection and Affordable Care Act in 2010, there is major emphasis on the development of a national online electronic medical record. Concerns about electronic medical records have widened with the idea of having a national electronic medical record database because it poses substantial privacy and security concerns. Analysis of the pertinent literature shows the increased risk of privacy breaches associated with such a large, national database as compared to smaller databases localized at the healthcare provider level. One of the main tenets of The Patient Protection and Affordable Care Act is the implementation of an electronic medical record for all Americans. The economic stimulus package passed in 2010 includes billions of dollars for electronic medical records. In essence, the federal government has instituted financial inducements and incentives for healthcare providers to aid them in their implementation of electronic medical records. In the early stages, individual electronic medical record systems with common language and interconnectivity will be acceptable. However, in the future, the government envisions a national electronic medical record database aptly named the National Health Information Network. This system would contain one centralized data bank, or several large depositories all linked together, containing all
Dawson 2 medical records of all citizens in our country. Additionally, private companies have begun offering electronic depositories such as MyChart, where subscribers can place their medical data files. Alternatively, patients can have their medical providers place such information into the MyChart system with accessibility available to the patients themselves (Kornblum). From the patient s perspective, the advantages of electronic medical records are manifold. With all their medical information available in an electronic format with its associated education materials, patients should be better informed about their own health. Patients could provide pertinent data to healthcare providers that would update, amend, and clarify their medical history. Emergency room personnel could have instant access to the records of incoming patients. Additionally, when children reach adulthood, they would not have to rely on the memory of aging parents in respect to medical information such as childhood immunizations, childhood illnesses, and previous surgeries. Such information would be readily available in their personalized electronic medical record. Theoretically, the implementation of electronic medical records would lead to significant cost savings. Results of medical tests would be available to all healthcare providers seeing an individual patient. Tests would not have to be repeated when a patient is referred from a primary care physician to a specialist. Coordination of care between hospitals and other providers would improve and create cost reductions. The efficacy versus cost data of pharmaceuticals would be more quickly available than it is today, leading to lower drug costs. The United States government sees the implementation of a national electronic medical records database as a major way to control spiraling healthcare costs. The annual national costs of medical errors are significant. According to Kenneth Rhea, medical director for the Louisiana Medical Mutual Insurance Company, a physician-led mutual insurance company, it is estimated that medical errors occur in 24% of all outpatient visits
Dawson 3 (Rhea). While some errors are through medical neglect and carelessness, many are due to transcribing errors because the records are in handwritten form. Such errors include incorrect doses of medications due to inability to read the prescription or orders written by the physician, missed doses of medications or unwanted repeated doses of medications due to carelessness on the part of healthcare providers, poor communication between healthcare providers and patients, medications given to the wrong patient, and even wrong side surgeries due to lack of communication between operating room personnel and surgeons. While the incidence of adverse events will never be zero, the implementation of electronic medical records could significantly decrease the occurrence from the frightening 24% mentioned in the data above. The potential for medical research using large databases is important. As explained by Sharyl Nass and her fellow researchers of the Institute of Medicine of the National Academies, today a significant portion of health research is information based. It is common for researchers to analyze data and samples obtained in previous research projects. In the field of epidemiology, the use of existing data is common practice. Researchers can study patterns of disease occurrence, drug safety surveillance, the results of healthcare interventions, and many other parameters of public health. Such studies provide much value to society with minimal additional costs, since the data is readily available from previous studies. However, the researchers do not have to ask permission from patients in order to use their medical data such as test results or even preserved blood and tissue samples as long as informed consent was undertaken for the initial study. This causes serious privacy concerns among patients, even though their personalizing demographic data has been removed. A national electronic medical record system would be fertile ground for medical researchers, but the privacy concerns are real, especially with one federal database with millions of users (Nass).
Dawson 4 With progress comes risk, and the risk of loss of privacy with electronic medical records is very significant. Furthermore, such risk would rise exponentially with the implementation of one national database. Multiple portals of data entry into such a large system would equate to multiple portals of data exit. A system that would allow any emergency room to view the medical chart on any potential patient would not be secure, especially in regards to privacy. Any healthcare provider with access to the system could download seemingly protected data and use it in devious ways. Any data stripped of personal identifiers such as name and social security number would be useless in emergency situations. In order for a national database to work effectively, personal identifying data must be present, and therefore, such a system would be accessible to a multitude of people, not just a few who could lay their hands on a paper chart, as Dr. Bernadine Healy, former head of the National Institutes of Health, points out (Healy). This idea of an electronic medical record really began with the passage of the Health Insurance Portability and Accountability Act Privacy Rule in 1996, also referred to as HIPAA. This HIPAA Privacy Rule protects the privacy of individually identifiable information held by entities covered by the statute. It regulates the types of uses and disclosures of protected health information that is held or transmitted by health plans, healthcare clearing houses, and healthcare providers who transmit such information in an electronic format (HIPAA Privacy Rule). Protected health information is defined as any information, whether oral or recorded in any form or medium (HIPAA). However, the privacy rules of HIPAA are not adequate to address the privacy concerns of a national electronic medical record. In a report entitled Beyond the HIPAA Privacy Rule, the Institute of Medicine of the National Academies, a nongovernmental organization that provides national, un-biased, evidence-based advice on issues relating to medicine and health, concluded that the HIPAA Privacy Rule does not protect privacy as well as it should, and, in fact, impedes important health research. The committee determined
Dawson 5 that the Privacy Rule is not uniformly applicable to all health research, that informed consent is often lacking, and that different institutions interpret the rule differently. In their report, the Institute of Medicine made clear distinctions between privacy and security. The authors defined privacy as the collection, storage, and use of personal information and who has access to personal information and under what conditions (Nass 16-17). Security was described as procedures and technical measures used to prevent the access and dissemination of electronic data by unauthorized persons, first coined by computer scientists Turn and Ware in their revolutionary 1976 article Privacy and Security Issues in Information Systems (Nass 18). As the Institute of Medicine s committee on health research and the privacy of health information explained, privacy is content specific and depends on the individuals involved. What is considered private to one individual may not be by another. Security, on the other hand, should be uniform across groups and should be adequate for all types of data storage. The Institute of Medicine did emphasize the need for standards to protect individual privacy, while at the same time facilitating information flow among authorized parties. Why is privacy so important? It is important because it promotes the fundamental values of personal autonomy and self-respect. As discussed by Adam Moore, professor of philosophy at the University of Washington and distinguished scholar on the issue of privacy, in Privacy: Its Meaning and Value, while privacy is culturally dependent with different norms being found in different societies, privacy, in general, promotes the ideals of personhood. Moore writes the ability to regulate access to our bodies, capacities, and powers and to sensitive personal information is an essential part of human flourishing or well-being (Moore 223). Respect for the privacy of other individuals is an essential element for the culture in which we live. While the loss of privacy and potential for identity theft is certainly possible with paper medical charts and individual electronic medical record systems, such risks would rise to
Dawson 6 intolerable levels with the proposed national electronic medical record system. Writer and editor Henry Henderson, in Privacy in the Information Age explains the existence of a single central database would put all a person s privacy eggs in a single potentially vulnerable basket (Henderson 28). Interestingly, this same idea was proposed by the Clinton Administration but withdrawn due to privacy concerns. With technological advances since Clinton s presidency, privacy concerns have only heightened, making Obama s proposal even more worrisome. While HIPAA requires minimal privacy and security for access and disclosure of protected health information, it only applies to the covered entities which are defined as healthcare providers, private insurers, billing services, and healthcare clearinghouses. A glaring weakness in this law is the fact that the actual medical record and the companies that provide electronic medical records, including private database companies such as MyChart, are not considered to be covered entities. Theoretically, if implemented, the entire National Health Information Network would not be considered a covered entity, and, therefore, exempt from HIPAA regulations. If identity theft included not only a person s demographic data such as name, address, social security number, and the like, but also included their electronic medical record, the results could be disastrous. As stated by Byron Hollis, managing director of the Blue Cross and Blue Shield Association National Anti-Fraud Department, in Identity Theft Handbook, The danger and impact of ID theft, especially medical ID theft, is not generally understood, can be devastating to an individual, and is a drain on our financial and healthcare systems (Biegelman 106). One of the chief dangers of medical identity theft is the situation where a victim s medical history is intertwined with that of the identity thief. Any new information entered into the system that was given by the identify thief while using the original patient s data would be incorrect. A person could find herself labeled with diseases she does not suffer from, medication
Dawson 7 allergies she doesn t have, and potentially, a list of medications that she does not take. To make matters worse, existing HIPAA regulations make it much more difficult to remove false information from medical records (Biegelman). Thus, the existing rules that protect our privacy inhibit correction of misinformation should it occur. The public s perception of the federal government s ability to protect the privacy of its citizens and the security of its records is not favorable and for good reason. The Institute of Medicine reveals instances where federal computers containing the personal data of many private citizens have been stolen, boxes of documents containing personal information have been left in garbage dumpsters, and federal researchers have posted online the personal information of many members of our armed services without their permission. The resulting negative public perceptions are evident in many polls concerning the federal government and privacy and security issues. A 2007 poll performed for the Institute of Medicine by Alan Westin, professor of public law at Columbia University showed that fifty-eight percent of all polled feel that the privacy of medical records and health information is not protected well enough today by federal and state laws and organizational practices (Westin). Forty-two percent of those polled felt that the privacy risks outweigh potential electronic health record benefits (Westin). The public s lack of confidence concerning privacy issues involving their medical data has the potential to erode the confidentiality of the physician-patient relationship. When patients are concerned that confidential information could be unsafe, they become less likely to speak frankly to their healthcare provider concerning confidential matters. Patients under such circumstances could withhold important information from their physicians, and this could potentially be catastrophic. Westin s data concerning medical research and electronic medical records is even more alarming. When asked if health researchers can generally be trusted to protect the privacy and
Dawson 8 confidentiality of their records obtained about research subjects, thirty-one percent responded negatively. Thirty-eight percent of those polled would require their written consent before any of their medical or health information could be used. Finally, thirteen percent of those polled stated that they would refuse to allow researchers to use their data under all circumstances. Clearly, the practice of using healthcare data without permission, which is commonly done today, is contrary to the wishes of the populace. The disadvantages of the proposed National Health Information Network clearly outweigh the advantages. A centralized electronic network containing all the medical files of all Americans with the potential to distribute this information to millions of people seems to be too risky for the benefits that could be gained. Too many people, many with less than honorable intent, would have access to the data. Certainly, firewalls, passwords, audit trails that list all who opened a record, and other security measures could be instituted, but the risks of massive breaches of security with the accompanying lack of privacy would still be considerable. A better system would be to institute electronic medical records in all healthcare facilities, but keep the information at the local level. For this to be successful, there would need to be a uniform code of computer language with its resulting interconnectivity between two systems. If two systems could transfer data to each other, such as between a physician s office and a hospital, the costs savings would be the same as one could obtain using a national database. After all, healthcare is local and the resulting costs and potential savings are also local. The potential for research would be less, since there would not be a large database from which to draw data, but Americans seem to resent the existing lack of privacy that exists in research today. The proposed National Health Information Network with its centralized database is too risky to be implemented in America. The potential for lack of privacy and outright identity theft, including medical identity theft, is too great. Americans value their privacy and are not willing to
Dawson 9 entrust such privileges to the federal government. Many of the benefits espoused by proponents of the federalized system could be obtained by having local versions of electronic medical record. Patient privacy is paramount and should not be ignored.
Dawson 10 Works Cited Biegelman, Martin T. Identity Theft Handbook: Detection, Prevention, and Security. Hoboken: John Wiley & Sons, 2009. Print. Healy, M.D., Bernadine. "Electronic Medical Records: Will Your Privacy Be Safe." US News and World Report. 17 Feb. 2009. Web. 30 Mar. 2011. <http://health.usnews.com/healthnews/blogs/heart-to-heart/2009/02/17/electronic-medical-records-will-your-privacy-besafe>. Henderson, Harry. Privacy in the Information Age. New York: Facts On File, 2006. Print. Kornblum, Janet. "Online Medical Records Offer Convenience, May Limit Privacy." USA Today. 12 June 2008. Web. 01 Apr. 2011. <http://www.usatoday.com/news/health/2008-06-11-online-medical-records_n.htm>. Moore, Adam D. "Privacy: Its Meaning and Value." American Philosophical Quarterly 40.3 (2003): 215-27. Academic Search Premier. Web. 28 Feb. 2011. Nass, Sharyl J., Laura A. Levit, and Lawrence O. Gostin, eds. Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Institute of Medicine of the National Academies. The National Academies Press. Web. 27 Mar. 2011. <http://www.nap.edu/catalog/12458.html>. "The Privacy Rule." HHS.gov: Improving the Health, Safety, and Well-Being of America. United States Department of Health and Human Services. Web. 01 Apr. 2011. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html>. Rhea, Kenneth E. Patient Safety and Claims. Metairie: The Louisiana Medical Mutual Insurance Company, 2011. Print.
Dawson 11 Westin, Alan F. "How The Public Sees Health Research and Privacy Issues." Lecture. IOM Workshop. Washington, DC. 28 Feb. 2008. Web. 31 Mar. 2011. <http://patientprivacyrights.org/media-center/polls/>.