Electronic Health Records: The Threat to Privacy
Eli Finkelstein MD PhD
There is a major bipartisan congressional push to make electronic medical record (EMR) systems mandatory. Its advocates cite cost savings to the government, the use of EMR data in implementing pay for performance, and reductions in medical errors. The potential for invasion of the privacy of both patients and doctors by commercial EMR systems is huge and has been largely overlooked. Currently the sale of patients’ personal health information is a multibillion dollar business, and it is happening without patients’ knowledge or consent. The main source of this privacy breach today is pharmacy prescription records, which are freely sold. Misinformation in one’s health record can be used to raise insurance rates, deny health or life insurance, or deny someone a job without their knowing it. In the US we have far greater legal protection of financial information than of health information. The Fair Credit Reporting Act gives consumers the ability to view, correct, contest, and limit the uses of credit reports. Unfortunately there is no equivalent law for health-related data. As Dr Deborah Peel points out on her Patient Privacy Rights website, the current HIPAA law has loopholes which enable the commercial use of personal health data without the consumer’s knowledge or consent (HIPAA: Intent Versus Reality). Data mining companies have successfully argued in two state courts that they have a constitutional right to compile and sell confidential patient prescription information, based on the First Amendment right of free speech.
It is worthwhile to examine how well patient privacy has been protected in other nations with electronic health record systems. In the UK and Europe, many nations have a head start on EMR compared to the US. Britain has centralized patient data in its NHS, and security breaches have been a regular embarrassment to the British government. It should be noted that the level of legal privacy protection is far greater in Europe than in the US (Privacy Laws in EU and US). European companies have been aggressively becoming involved in data mining in the US, both because of the lax protection that US law offers and because of the financial reward of selling US consumers’ data. For example, the company behind the electronic prescription initiative, Allscripts, recently merged with the British software giant Misys, with Misys retaining a controlling interest (Time.com). Another company behind the electronic prescribing initiative is the Dutch information brokerage giant Wolters Kluwer. This company successfully obtained an injunction against, and then overturned, Maine’s Prescription Restraint law (WK Injunction). This law would have protected the privacy of doctors and patients alike by banning the use of confidential patient drug prescription information for marketing purposes. Wolters Kluwer successfully argued that such a ban would have violated its First Amendment right to free speech. An explicit right to privacy does not exist within the US Constitution; it is an implied right. Thus the First Amendment rights of a commercial interest trump the right to privacy of the individual. A similar privacy bill was recently overturned in New Hampshire.
Almost all of the companies behind the Electronic Prescribing Initiative have a vested interest in selling patients’ health information. It is already estimated to be a $20 billion business. The personal data available in health records is extensive. Hospitals collect patients’ social security numbers, employment information, addresses, phone numbers, contact information, religion, and medical diagnoses, in addition to the patient’s health insurance information. Physicians routinely collect patients’ personal habit information: illicit drug use, smoking, alcohol use, psychiatric history, sexually transmitted diseases, employment history and occupational exposure, all as factors which relate to a patient’s current health. Obviously this information can be readily abused if it reaches the wrong hands. For example, Blue Cross of California sent out a letter to physicians demanding information that could be used to deny coverage for patients submitting claims (LA Times). It is fortunate that this information wasn’t already available to Blue Cross in digital form. The only thing that has protected the public so far is that most of their information is stored in paper charts and is not available in centralized databases. The downside of centralized databases was dramatically demonstrated recently in the UK, where the records of 25 million people were compromised, with an estimated value to criminals of 3 billion dollars (BBC News). An impressive list of privacy breaches that have occurred in the US is given at the Privacy Rights website; many of these breaches involved theft or misplacement of healthcare information and records. Thus the push to centralized electronic records is misguided.
So if the insurance companies, drug companies, data mining companies, and software companies can’t be trusted with our personal health data, who can? As pointed out above, US law is woefully inadequate in protecting our privacy; indeed, the First Amendment has been used as a reason to overturn health privacy laws. The answer lies in the Hippocratic Oath which we physicians take. It sets a higher ethical standard than US law. According to the Hippocratic Oath, “All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.” Physicians and patients are currently the main keepers of health records, and it should stay that way. This doesn’t mean that health records shouldn’t be electronically stored. They should. But the only people with access should be patients and their personal physicians.