New Risks to Confidentiality in the Modern Era
Over the past decade, an enormous wave of innovation in information technology has rapidly transformed health care services, including those for psychiatry. The most prominent example of this is the adoption of electronic medical record (EMR) systems in medical and mental health practice. One of the most desirable features of this technology is the ability to share and exchange information between health care providers and patients.
Although the risk of confidentiality and security breaches has always existed with conventional psychiatric records, the automation and speed of electronic communication may increase this risk. As health care organizations scramble to comply with aggressive timetables of federal incentive programs for using EMRs, they may overlook the special sensitivity of psychiatric records and thereby increase the risk of violating patient privacy.
As with paper records, information from a patient’s EMR can be transmitted to an external party or shared through joint use of the EMR by associates of the patient’s provider. Transmitting the information electronically is akin to sending a copy of the paper record, and this type of release is subject to state and federal laws. Although HIPAA permits disclosure of health information to other providers for the purpose of coordination of care without express patient consent, states have the right to override this permission. Accordingly, many states have enacted statutes that do require patient consent.
EMR sharing may extend across thousands of employees within large medical groups and health care systems. It is largely unregulated and the patient is considered a member of the organization rather than “belonging” to an individual provider. Such widespread access to psychiatric information without a formal release process is unprecedented and undermines ordinary assumptions regarding confidentiality among patients and providers.
This article provides information about types of electronic connectivity and electronic medical records that can be used in psychiatry, as well as case examples that illustrate the risks and strategies to mitigate them for practitioners considering their use.
If psychiatrists are considering using various types of electronic communication, they should do so thoughtfully and carefully to ensure that they safeguard patient confidentiality.
Strategies to maintain patient confidentiality
Because of issues related to securing patient information, some organizations have chosen to exclude psychiatric records from the EMR. Others have secured psychiatric information in a restricted area that is only accessible by the psychiatrist and his or her immediate colleagues. These solutions minimize the risk of confidentiality violations but may hinder the promise of improved coordination and safety in patient care afforded by EMRs. More practical solutions include allowing shared access within a health care system of a limited subset of psychiatric information, such as diagnosis, medications, identification of psychiatric providers, and basic information about treatment.
Other strategies include detailed advance disclosure to patients regarding the scope of shared access, and provisions that allow another treating provider and immediate-covering clinicians limited access to specific, or “granular,” elements of evaluation and therapy notes (ie, detailed family history, psychotherapy process notes, and highly sensitive elements of social history). Some systems contain warning messages, also known as “break-the-glass” alerts, that discourage providers from attempting to view psychiatric information unless they have a specific need for this information.
Most EMR systems allow compliance officers to review the history of who accessed a record and when it was accessed, to investigate any concerns regarding the possibility of unauthorized access. This deterrent is not possible with paper records.
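The controls described in this section (a limited shared subset, granular access for the treating and covering clinicians, a break-the-glass alert, and an access history for compliance review) can be combined in one access decision. The sketch below is an added example, not code from this article or from any EMR product; the segment names, user names, and the `warn` / `break_glass` decision labels are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed segmentation, following the article's examples.
SHARED = {"diagnosis", "medications", "psychiatric_providers", "basic_treatment_info"}
GRANULAR = {"family_history", "psychotherapy_process_notes", "social_history"}

@dataclass
class PsychRecord:
    patient_id: str
    psychiatrist: str
    covering: set = field(default_factory=set)  # treating / immediate-covering clinicians
    audit: list = field(default_factory=list)   # who accessed what, and when

def request_access(record, user, segment, need=None):
    """Decide one access attempt and log it. Returns allow, break_glass, warn or deny."""
    if segment in SHARED:
        decision = "allow"         # limited subset shared across the system
    elif segment not in GRANULAR:
        decision = "deny"          # unknown segment: fail closed
    elif user == record.psychiatrist or user in record.covering:
        decision = "allow"         # granular access for the care team
    elif need and need.strip():
        decision = "break_glass"   # viewed after the alert, stated need recorded
    else:
        decision = "warn"          # alert shown, nothing disclosed
    record.audit.append({
        "when": datetime.now(timezone.utc).isoformat(), "user": user,
        "patient": record.patient_id, "segment": segment,
        "decision": decision, "need": need})
    return decision

def compliance_review(record):
    """Audit entries to examine first: overrides and blocked attempts."""
    return [e for e in record.audit if e["decision"] != "allow"]

def demo():
    # Constructed sample data, not real patients or staff.
    rec = PsychRecord("patient-001", "dr_psych", covering={"dr_covering"})
    results = [
        request_access(rec, "nurse_ortho", "medications"),
        request_access(rec, "dr_covering", "psychotherapy_process_notes"),
        request_access(rec, "nurse_ortho", "psychotherapy_process_notes"),
        request_access(rec, "dr_emergency", "social_history", need="acute overdose, ED"),
    ]
    return results, compliance_review(rec)

if __name__ == "__main__":
    print(demo())
```

Every attempt is logged, including the permitted ones, so the review list is a filter over a complete access history and not a separate record that an override could bypass.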
It is essential for psychiatrists to learn about the design characteristics of their EMR systems relating to shared access, transmission of information to other providers, and patient portals. Psychiatrists must fulfill their ethical and legal obligations to safeguard the confidentiality of their patients’ psychiatric information as well as accurately inform patients regarding the extent to which their information is accessible to colleagues within a system. The following case vignettes illustrate some of the challenges psychiatrists might face in balancing the need to protect confidentiality with the importance of sharing information with providers involved in caring for their patients.