Informatics: Electronic Health Records: A Boon or Privacy Nightmare?

Article excerpt

To answer this question, let's start by saying that, depending on how the data is used, it can be either. So the question is, to what extent can we garner the benefits of an electronic health record (EHR) while maintaining data privacy? Most of us are aware that the risk to privacy of any information increases exponentially with each additional person whom we tell. This is especially true for electronic communication. Social networking members, who have shared what they thought was private information with "friends," have too often found that the information is now accessible far beyond what they ever imagined; now it is permanently engraved in cyberworld. These observations rightly raise concerns when information in a medical record is involved.

People are asking whether any kind of electronic records can be made safe. If one is looking for a 100% privacy guarantee, the answer is no. But then, paper records are not 100% secure either. There have been cases where paper medical records, especially parts of them, have disappeared. There was a case where boxes of patient records from a doctor's office were found in a garbage dumpster (Preventing Medical Identity Theft, 2008) and a case in which stolen medical records were recently found washed up on a Maine shore (Associated Press. 2008b). Additionally, disposing of paper records can be a privacy breach as a teacher in Salt Lake City, who had purchased medical records from 28 Florida hospitals to use as scrap paper for her students, learned (Associated Press, 2008a).

On a hospital unit, a patient's paper record (chart) is often available to anyone with a white coat, a badge that looks like the identification badge of the agency, and the courage to pick up the chart. With an electronic record, it is more difficult for an unauthorized person to gain access to a healthcare record. To do so a person needs more than a white coat and a badge; the person also needs a login name and a password. Additionally, electronic record systems maintain an audit trail, required by the privacy rules of the Health Insurance Portability and Accountability Act (HIPAA), that records who has accessed what record, as well as what part of the record was viewed. In contrast, in a paper record, neither the person who has accessed a record, nor what the person accessed is known.

Given the relative ease of access of electronic records for those with the appropriate login, and the fact that login audit trails only work when they are routinely examined, it is possible for an unauthorized person to access a record, resulting in a concern about the privacy of information in healthcare records. This possibility takes on a new note of concern in a facility in which one is both a patient and an employee. This fear was expressed by a reader who responded to an earlier OJIN Informatics Column about the electronic health record CThede. 2008. August 18). Because it is possible for decisions about firing and hiring to be made based on healthcare information found in an employee's, or a potential employee's record, access to a person's healthcare record is a legitimate concern for everyone. The question then becomes "Will administrative personnel have access to an individual employee's records?" The answer is legally "no." Yet in reality, unless the audit trails are examined by individuals independent of any administrative oversight, this access could remain secret. Keep in mind, however, that a paper record is also fair game for a "snooping-minded" individual, and in this case there is no record of any access.

Fortunately, today there are more protections against this type of snooping, as well as other risks to privacy breaches, than in the past. HIPAA, although it's primary purpose was to insure the portability of healthcare information, recognized that data in an electronic format can be easily shared. To protect this data, rules were promulgated to set a national standard for the privacy of health information. …