1. Can We Have EHRs and Privacy Too?��Dr. Alan F. Westin� ��Professor of Public Law and Government Emeritus, Columbia University; Principal, Privacy Consulting Group ���At the Fall Conference of the HIPAA Collaborative of Wisconsin, 9-11-09�
2. US Entering the EHR Era Computerization of medical records goes back to
1960s
Current push for universal EHRs came with Bush
in 2003
Endorsed by Obama in 2008 campaign electronic
health records, with privacy
Stimulus legislation assigns $19-30 billion to adoption
and implementation of health IT
And so, a transformation of US healthcare operations
and administration is under way
3. Advocates See Major Benefits Better coordination of patient care
Reduce duplications of tests and procedures
Reduce medical errors
Enhance medical research
Strengthen public health monitoring
Reduce administrative costs in the paper world
4. But Important Issues Raised by Critics Conflicting EHR software, outmoded systems
Lack of best practicing-medicine design features in
many EHR systems
Likelihood of electronic-system errors
Worries about compulsory participation
Concerns about weakened privacy and confidentiality
Concerns about information security
Concerns about costs and practice-disruption in small-
medium sized practices
5. So How Does the Public Feel -- 1 Over 75 national surveys on healthcare information
issues since 1990, 20 since 2007 explore EHR
General majority views on health care and privacy:
-- High concerns over privacy and confidentiality of
medical records
-- Worries over medical data breaches and medical-
information security
-- Consider existing health-privacy laws and
administration inadequate
6. How Does the Public Feel -- 2 Overall public views
-- Trust healthcare providers to protect confidentiality
-- But worried about secondary users -- health
insurers, life insurers, employers, marketers, and
for government social programs
-- Worries are over discrimination in all these contexts
-- Concerns highest among persons with adverse
health conditions, minorities
7. Public Views on EHR Systems Majorities basically ambivalent on EHRs
Accept and support the assumed benefits two-thirds
of public believes these benefits could happen
But also see EHR systems as assembling more sensitive
medical information in patient electronic records
and making these more accessible
Apply existing data security worries to EHRs
And some believe participation in new EHR systems
by their providers should be voluntary, not
automatic and compulsory
8. Privacy and Trust Already a Battleground Widespread recognition by healthcare leaders that
winning trust of patients in EHR systems will be
critical to their success
Studies document that lack of trust leads such patients
not to seek care, adhere to regimens, etc.
Trust challenges highest among those with chronic
conditions, genetic issues, minorities
No studies as yet on trust levels of members of EHR
systems, especially compared to patients in
traditional systems
9. Good Start From ARRA This Year - 1 Key provisions re privacy and security in ARRA
-- Stronger audit trail for patients
-- Right to get electronic copy of own record
-- Limits uses for marketing; authorization needed
-- Required notification if data breach
-- State Attorneys General may enforce
-- Stronger penalties and enforcement provisions
-- Applies to business associates, including RHIOs and
HIEs, with civil and criminal enforcement
10. But Key EHR Privacy Issues Remain - 1 Recent California Healthcare Foundation Issue Brief by
Deven McGraw (CDT) concluded:
ARRA still falls short of the comprehensive
framework needed to build public trust in the
health care systems information privacy and
security, and particularly in electronic health
information exchanges.
11. Areas Needing Attention Coverage of activities not included (including PHR
vendors like Google and Microsoft)
Apply better marketing-use controls
Provide for Individual legal redress
Issue strong regulatory rules, including data security
standards
Apply audit and survey methods for enforcement
Provide guidance for privacy and patient-rights notices
12. How To Pursue Earned Trust Develop model patient satisfaction and trust surveys, to map trends over time nationally and for individual EHR systems
Conduct in-depth empirical studies of EHR systems in
action; develop Best Practices guidelines
Apply new patient-control software and systems to
assure patient control for research and other uses
beyond care, treatment, and assurance (e.g. new
switch but not store patient empowerment
systems)
13. A Fundamental Question
Some privacy and consumer groups call for patients to
have right not to have their records computerized
favor a voluntary EHR approach
Seems impractical to me, keeping some records in
paper and having to administer two sets of
information systems
Would also be destructive to the improved overall
health care that EHR systems intended to achieve
Better approach would be to assure a clear opt out
for record uses beyond care and administration
14. In Summary
Implementing EHR systems will be the work of a
decade, with much trial and error
Earning patient/member trust will be critical for EHRs
The new ARRA provisions for privacy, confidentiality,
access, and security are a welcome improvement
over HIPAA and state health privacy laws
The next stage will be good implementing regulations
and active enforcement and identification of
areas that may need additional legislative action
