Life Support for Confidentiality in the Electronic Database

August 1, 1997

Many of us have heard the horror stories and seen them reported on the national news wire services: publicly known persons or their family members have their medical records published, names of HIV-positive persons are released, clerks are bribed to deliver the names of patients and their diagnoses, physicians are given free software in return for their lists of patients' names and addresses.

It is not that these breaches of confidentiality could not and did not take place with hard copy medical records, it is just that they are so much easier to accomplish now, and can be done in great number and from remote locations, anonymously. The National Research Council notes "...the primary threats to the confidentiality of patient information originate from the lack of controls over the legal (and generally legitimate) demands for data made by organizations not directly involved in the provision of care, such as managed care organizations, insurers, public health agencies, and self-insured employers." Mergers between various parts of the health care chain (providers, insurers, pharmaceutical companies, employers) make the acquisition of information very tempting, though unethical.

The deciding judgment must be the need to know. Decisions must continue to be made in support of the patient's right to confidentiality, unless there will be harm to patient or others.

The ability to construct secondary data bases that hold compiled information on individuals increases the risk of destructive breaches of confidentiality exponentially. The legal existence of information banks, often unknown to patient and provider, allows the accumulation of data without consent of the patient. This information is personal and it may also be inaccurate. If the banking and insurance industries, government and court systems or employers could tap into a patient's personal data, havoc could be wreaked.

Patients need to be informed about methods of recording and storing of their medical data as well as how it will be used. Insurers need to institute procedures to inform their subscribers of the information required from their medical record and how it will be obtained, handled and stored. Maintenance of medical data by nonproviders (insurers, researchers) should be time- and purpose-limited.

Patients must know of the existence of databanks holding their personally identifiable information and be given the opportunity to correct inaccuracies. Access by the patient might have some limitations, as occurs now: the physician would continue to limit the release to that information judged to cause no harm to the patient or others.

Computer experts seem to agree: as with hard copy records, if you do not want something to be known, do not record it. There is no foolproof way of protecting records from malicious or inadvertent access or alteration. Psychiatrists must be allowed to maintain a personal workfile, also secure, in which to record particularly sensitive information. This may be necessary if an electronic record is unacceptable to the patient.

In spite of the problems that are encountered with the use of electronic storage and transfer of medical data, there is much that can be done to solve and ultimately prevent such egregious breaches. The solutions must occur on every level, individual to federal. They include a change in the ethic of confidentiality itself. No longer can that ethic reside only in the medical provider; it must move with the information itself. Therefore, anyone who manufactures, transfers, compiles, or in any way works with medical data must be held to the ethic of confidentiality, as was recommended by the Institute of Medicine in 1994. The Health Insurance Portability and Accountability Act of 1996 provides for sanction of anyone who breaches the confidentiality of a patient.

Our Individual Responsibilities

As psychiatrists, we must work to be aware of the new ways that information can be accessed or misused. Most breaches of confidentiality in electronic systems are by insiders. Electronic records can be assembled and levels of authorized access granted to have information available only to those with a need to know. These are important protections to build into our office and hospital systems. Policies and procedures must be established to protect the patient's confidentiality in the electronic data base. Security measures, to protect from misuse and also from alteration, must be established and used. Sanctions for breaches of confidentiality must be implemented.

The National Research Council has called for a national debate to determine the balance between the accumulation and communication of health care data in the service of the patient and the public protection of patient confidentiality. Personal awareness of privacy rights and potential abuses is the best prevention of abuses and is probably necessary for passage of strong legislation. These issues are discussed, and security measures that may be implemented are described, in two resource documents approved by the Board of Trustees in December 1996 and available from the American Psychiatric Association.

State Efforts

Some states' legislatures have been working on this issue. Maryland statutes require substantial reporting to the state of medical visits. North Carolina legislators have been developing a bill addressing electronic data collection. A bill has been introduced to the Massachusetts legislature limiting and defining the amount of information provided to companies for the purpose of utilization review of the services provided by licensed mental health professionals. This bill limits who may see much of the information, provides for the removal of personal identifiers and requires that the time this data can be held be limited.

We need to be aware of pending legislation in our own states. It is crucial that we inform our legislators of the risk of loss of trust in the doctor-patient relationship. This loss of trust is inevitable if we cannot protect the confidentiality of the patient's health care data. That loss will result in poorer health care due to incomplete or inaccurate information given us by patients in an effort to preserve their own privacy. It will also render the data bases of deidentified information used for legitimate purposes, such as research or economic planning, inaccurate and misleading. The Massachusetts Medical Society has addressed these problems and their policy statement, "Patient Privacy and Confidentiality," can be used as a model for other groups.

Federal Initiatives

The steps necessary to protect patient confidentiality are more than we as clinicians can provide. Federal legislation is also important. The Health Insurance Portability and Accountability Act of (August) 1996 requires the Secretary of Health and Human Services to propose measures for the protection of patient confidentiality within 18 months of the institution of the law. Many in Washington are now working to assist the secretary, including members of the mental health community who are giving testimony on Capitol Hill. In this act, the secretary is directed to "adopt standards for a standard unique health identifier for each individual, employer, health plan, and health care provider for use in the health care system."

The social security number is already widely used. Although it was initiated with the idea it would be used for social security purposes only, it becomes easy to identify persons through the construction of secondary data bases. It is imperative to protect against such a development with unique health care identifiers.

The secretary shall publish in the Federal Register any recommendation of the National Committee on Vital and Health Statistics regarding the adoption of a standard. The Leahy bill, which responds to some of the requirements of the Health Insurance Portability and Accountability Act of 1996, as of this writing, is very protective of patient confidentiality. It will require vigilance and hard work to maintain it in this form throughout the legislative process.

Other Protections

Many protections are necessary. It is important that the physician continue to be the guardian of the patient's record. In this role, physicians have controlled access to the record, let patients know when others are seeking access, and served as advisors to patients as to the consequences of releasing the information. We are able to resist pressures that patients find difficult to resist alone. Confidentiality also requires that release of the information in the record only be allowed with informed patient consent; that secondary release without patient consent be prohibited, unless the medical information is completely deidentified.

Deidentification is best accomplished in the physician's office before the release of the record. The practice of having patients sign blanket releases for insurance or other purposes should be discontinued. Physicians should not be requested to send copies of their records as a requirement for insurance payment. Researchers should have access only to deidentified records, unless patient consent is given in addition to the approval of an institutional review board.

Increasingly, data bases are being constructed for outcomes research. At least some involved in this research recognize the imperative of protecting patient confidentiality and that the ability to deidentify data and still have valuable aggregate data enables the protection of confidentiality and quality of research.

Law enforcement authorities should still be required to have access only through court order. The courts have recognized the importance of the patient's right to confidentiality as a necessary ingredient in successful medical treatment. The Supreme Court, in Jaffee v. Redmond, upheld the importance of confidentiality to treatment.

Audit trails need to be a part of every medical electronic data base and the audit trails should be reviewed. Patients should be able to review them to see who is accessing their records.

The electronic medical record offers numerous benefits to good patient care. It also presents serious threats to the right of patient confidentiality. Our responsibilities to our patients of helping them maintain this right and of being the guardian of the medical record require that we inform ourselves and then others of these potential benefits and threats. A "team" of health care providers, patients and others can be very effective in ensuring the confidentiality of electronic medical records.

References

1. American Psychiatric Association Committee on Confidentiality. Resource Document on Computerized Records: A Guide to Security. Washington: American Psychiatric Press Inc.; 1996.

2. American Psychiatric Association Committee on Confidentiality. Resource Document on Preserving Patient Confidentiality in the Era of Information Technology. Washington: American Psychiatric Press Inc.; 1996.

3. Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure, National Research Council. For the Record: Protecting Electronic Health Information. Washington: National Academy Press; 1997.

4. Institute of Medicine. Health Data in the Information Age: Use, Disclosure, and Privacy. Washington: National Academy Press; 1994.

5. Task Force on Patient Privacy and Confidentiality. Patient Privacy and Confidentiality: as adopted by the Massachusetts Medical Society House of Delegates, November 8, 1996.