Over the past decade, an enormous wave of innovation in information technology has rapidly transformed health care services, including those for psychiatry. The most prominent example of this is the adoption of electronic medical record (EMR) systems in medical and mental health practice. One of the most desirable features of this technology is the ability to share and exchange information between health care providers and patients.
Although the risk of confidentiality breaches and security has always existed with conventional psychiatric records, the automation and speed of electronic communication may increase this risk. As health care organizations scramble to comply with aggressive timetables of federal incentive programs for using EMRs, they may overlook the special sensitivity of psychiatric records and thereby increase the risk of violating patient privacy.
As with paper records, information from a patient’s EMR can be transmitted to an external party or shared through joint use of the EMR by associates of the patient’s provider. Transmitting the information electronically is akin to sending a copy of the paper record, and this type of release is subject to state and federal laws. Although HIPAA permits disclosure of health information to other providers for the purpose of coordination of care without express patient consent, states have the right to override this permission. Accordingly, many states have enacted statutes that do require patient consent.
EMR sharing may extend across thousands of employees within large medical groups and health care systems. It is largely unregulated and the patient is considered a member of the organization rather than “belonging” to an individual provider. Such widespread access to psychiatric information without a formal release process is unprecedented and undermines ordinary assumptions regarding confidentiality among patients and providers.
Strategies to maintain patient confidentiality
Because of issues related to securing patient information, some organizations have chosen to exclude psychiatric records from the EMR. Others have secured psychiatric information in a restricted area that is only accessible by the psychiatrist and his or her immediate colleagues. These solutions minimize the risk of confidentiality violations but may hinder the promise of improved coordination and safety in patient care afforded by EMRs. More practical solutions include allowing shared access within a health care system of a limited subset of psychiatric information, such as diagnosis, medications, identification of psychiatric providers, and basic information about treatment.
Other strategies include detailed advance disclosure to patients regarding the scope of shared access, and provisions that allow another treating provider and immediate-covering clinicians limited access to specific, or “granular,” elements of evaluation and therapy notes (ie, detailed family history, psychotherapy process notes, and highly sensitive elements of social history). Some systems contain warning messages, also known as “break-the-glass” alerts, that discourage providers from attempting to view psychiatric information unless they have a specific need for this information.
Most EMR systems allow compliance officers to review the history of who accessed a record and when it was accessed, to investigate any concerns regarding the possibility of unauthorized access. This deterrent is not possible with paper records.
It is essential for psychiatrists to learn about the design characteristics of their EMR systems relating to shared access, transmission of information to other providers, and patient portals. Psychiatrists must fulfill their ethical and legal obligations to safeguard the confidentiality of their patients’ psychiatric information as well as accurately inform patients regarding the extent to which their information is accessible to colleagues within a system. The following case vignettes illustrate some of the challenges psychiatrists might face in balancing the need to protect confidentiality with the importance of sharing information with providers involved in caring for their patients.
A psychiatrist treats a 25-year-old man for anxiety, depression, and polysubstance abuse. Part of the treatment involves prescribing medication for withdrawal. During the course of treatment, the psychiatrist receives a signed release of information from the patient’s primary care physician (PCP), who is requesting a copy of the medical record. The release does not specify substance abuse records, and regulations in the psychiatrist’s state require a specific authorization for their release. The psychiatrist inadvertently releases the patient’s record to the PCP, including the substance abuse treatment information, which the patient did not authorize him to release.
In this case, it appears that the psychiatrist violated a state law in releasing the substance abuse information without the patient’s consent. If the patient opposes the release of this information to the PCP, the reasonable course of action could have been to negotiate a compromise with the patient regarding releasing a subset of the most pertinent elements of the substance abuse history and treatment in relation to the patient’s medical care. Once a compromise is reached, the EMR needs to be able to generate a custom document with a compilation of the agreed-on elements of the psychiatric treatment record. If the patient refused to compromise, then the psychiatrist would be obligated to keep the PCP in the “dark”—a potentially untenable situation for both the psychiatrist and the PCP.
There may be general agreement on sharing some benign aspects of the record, such as dates on which the patient was seen; vital signs; diagnoses; and medications prescribed, with dates, doses, and response. However, deciding what information to share beyond this—and with whom—can be more challenging. Some have advocated for bringing the patient into the decision. While it may seem perfectly reasonable for patients to have the right to decide on release of their confidential information, it may be legally permissible under HIPAA to override the patient’s preference in disclosing health information between concurrently treating health professionals for the purpose of coordination of care.
A 35-year-old woman is a patient of both a PCP and a psychiatrist. The PCP is part of a group that uses an EMR system. The psychiatrist uses a paper and dictation system and does not have access to the same EMR system as the PCP. The psychiatrist prescribes a medication for the patient for treatment of bipolar disorder. The patient discloses that she is also taking a drug prescribed by her PCP that is known to interact with the agent being prescribed by the psychiatrist.
The psychiatrist informs the patient that he will need to advise the PCP of the potential for medication interaction. To provide comprehensive, collaborative treatment, the psychiatrist also indicates that he wishes to discuss the patient’s psychotherapy treatment with the PCP. The patient refuses to allow the psychiatrist to communicate with the PCP. After a thorough discussion with the patient, the psychiatrist documents the patient’s informed refusal and indicates to the patient that he cannot continue to prescribe medications unless he coordinates with the PCP. However, on the basis of the patient’s express wishes, he will not forward any information about the psychotherapy treatment. The patient is agreeable to this. The psychiatrist then obtains written informed consent specifying that he can discuss with the PCP medications prescribed and provide information.
This is an example of successful negotiation resulting in a reasonable decision regarding elements of psychiatric records that are acceptable to the patient to be shared “internally” with a PCP. Many systems have an “all or none” approach regarding access to psychiatric information among providers in different clinical programs. Ideally, systems allow providers to make nuanced decisions about which elements to include in shared record systems, after considering individual patient preferences, safety concerns, and clinical quality. Psychiatrists may advocate for this EMR characteristic as purchasers of systems for their private practice or if employed in an administrative role within an organization.
Psychiatric records commonly include references to other family members. Some of this may not be complimentary to those family members. However, the information is an important element of a psychiatric evaluation, especially for children and adolescents. Access to this type of information within EMR systems should ideally be limited to those who are providing the psychiatric treatment. This is another example of the utility of a feature that allows control of access privileges for specific, selected elements of the psychiatric record—“granular control.” This may be a particularly important consideration in treating a minor, since many EMR systems allow a patient access to his or her records and, by extension, usually to a minor’s parent(s)/guardian(s) with legal authority.
Notably, adolescents often have a strong interest in maintaining some degree of privacy in the relationship with their psychiatrist. In other words, they may not wish to disclose some treatment issues to their parents. To support this interest, systems should have provisions to comply with legal requirements regarding confidentiality for adolescents. This is especially important in the implementation of patient portals. It is also another example of the utility of granular controls that allow providers to apply more stringent access rules for certain types of notes or specific fields within notes.
Sally and Tom are currently going through a divorce and a custody battle. The court temporarily gives Sally sole legal custody of their son, Jim, and orders that he remain with her. Jim is being treated by a psychiatrist, and Tom’s attorney sends a record request with signed consent to the psychiatrist requesting release of the records. Absent court order or Sally’s consent, as the parent with legal authority, the psychiatrist incorrectly complies with the request and releases the complete record, including information about Sally. Tom’s attorney then uses this information in court against Sally.
This is an example of an unauthorized transmission of psychiatric information. As with paper records, any transmission of EMR information is subject to federal and state legal guidelines. The efficiency of the process of transmitting EMRs may allow providers to do so too quickly without additional staff involvement, thus creating a potential breach of confidentiality.
HIPAA regulations require that information release without patient consent be limited to the “minimum necessary” for coordination of care, payment, or health care operations but leaves the interpretation of that to the physician or the institution that designs or adapts the EMR for their purposes. However, in an emergency department admission of an unconscious patient, how much is “minimum necessary?” There, the adolescent’s dalliance with drugs or alcohol that he wanted to keep from his parents may be the critical piece of information to assist treatment. Unfortunately, because EMRs are computer systems, they cannot make judgments about what information to release in what situation.
The use of mobile devices
Mobile devices may be extremely helpful to physicians, because they are frequently used for communication with patients and colleagues outside of regular business hours. Some devices allow full access to EMRs. The following vignette illustrates security vulnerabilities inherent in mobile devices.
A psychiatrist has been treating Beth who has been married to Mark for 5 years. Mark will not allow Beth to have friends or to interact regularly with her extended family or coworkers. Beth maintains some outside contact through text and e-mail without Mark’s knowledge. Because Mark often becomes jealous and confrontational, Beth keeps her smart phone in her purse so that Mark does not have access to it. The psychiatrist has encouraged Beth’s decision to leave her husband. Responding to one of Beth’s calls, the psychiatrist leaves her a text message with the contact information for the local battered women’s shelter. When Beth returns from a run, she discovers that Mark has accessed her cell phone along with her e-mails and text messages. He becomes agitated and assaults her.
This example illustrates the potential of unauthorized access to treatment information when communicating with mobile devices. Psychiatrists must consider that when using mobile devices, information can be accessed by unintended parties. Moreover, psychiatrists should be attuned to their specific patient’s clinical needs and that use of certain technology may not be appropriate in all clinical situations.
Risk management tips
Psychiatrists can take steps to safeguard patient confidentiality when using various technologies.1 Computer security risks usually occur in 3 areas: access to records by unauthorized readers; information transmission problems when using phone lines/networks; and transfer of data to nonmedical users, such as insurers.1 Safeguards to prevent a data breach may include:
• Individual passwords for authorized users
• Automated audit trails identifying specific users
• Restrictions on copying/downloading patient files
• Using secure systems when accessing patient files remotely
• Routinely backing up data
Whether saving on a desktop or laptop computer, patient’s records should be properly stored. The portability of laptops makes them a higher risk for being lost or stolen. As such, particular attention should be paid to password protection and encryption.
Psychotherapy notes, if computerized, should be kept in a separate and secure file that is inaccessible to other users or other computers, unless the patient specifically authorizes disclosure to others.2 Furthermore, as an additional safeguard, if your EMR system has the capability, link access levels with specific roles (eg, “attending physician,” “medical assistant”).3
Currently, there is little case law concerning use of e-mail with patients. If you elect to use e-mail with patients, it is strongly recommended that you use a HIPAA-compliant secure messaging platform. Such services have end-to-end encryption, ensuring that information transmitted across the Internet cannot be intercepted. Some EMRs have integrated secure messaging functionality, which allows users to receive and send encrypted messages without manually logging on to a separate messaging server. When patients receive a reply from their provider, they receive an e-mail notifying them that there is a secure message waiting for them; after entering their login credentials, they follow a link to view the message.
In the absence of a secure messaging system, e-mail exchanges between you and your patient should never be about clinical issues, but rather they should be limited to brief administrative issues, such as appointment changes.4 If you are e-mailing a patient at work, remember that the employer can access the e-mail, since it is the employer’s property. Thus, always ensure that you send e-mails to the patient’s personal rather than work account.
Communicating via cell phones, smart phones, and other wireless devices can increase the risk of inadvertent breaches of confidentiality because communications may be intercepted and overheard. If you are using such devices, inform the patient that you are and that there is a risk that the conversation may be overheard. In addition, to continue the conversation, get the patient’s consent and log the call into the medical record when completed.4
Mobile devices used for e-mail, accessing a patient’s EMR, communicating with patients, scheduling appointments, and task management (including patient names or other patient identifying information) must have robust security features. Some of these include screen-locks after several minutes of inactivity, password protection on start-up and unlocking the screen, screen filters that limit visibility from an oblique angle, and the ability to remotely wipe data in the event that the device is lost or stolen.
The confidential nature of the relationship should be protected when leaving messages for patients.1 Using voicemail and answering machines to transmit confidential information may increase the risk of inadvertent disclosure because it is not always possible to know who may hear the message or is able to access the system. Thus, these systems should be set to low volume or soundproofed.
While this article highlights some of the modern-era risks to confidentiality that psychiatrists may experience, it does not constitute an exhaustive list of issues to consider and is not a substitute for legal advice. Modern technology is a moving target that evolves on a daily basis. As such, it is important to be aware of applicable state and federal regulations as well as principles of medical ethics.
1. Appelbaum PS, Gutheil TG. Clinical Handbook of Psychiatry and Law. 4th ed. Philadelphia: Lippincott Williams & Wilkins; 2007.
2. APA Document Reference No. 200202, Appendix B. Documentation of Psychotherapy by Psychiatrists. http://www.americanmentalhealth.com/media/pdf/200202apaonnotes.pdf. Accessed October 30, 2012.
3. HealthIT.gov. Health information privacy and security: a 10 step plan. http://www.healthit.gov/providers-professionals/ehr-privacy-security/10-step-plan. Accessed October 30, 2012.
4. Kassaw K, Gabbard GO. The ethics of e-mail communication in psychiatry. Psychiatr Clin North Am. 2002;25:665-674, ix.