by Andrea Meyer, Legislative Director/Counsel, ACLU of Oregon

Presentation before the Department of Medical Informatics and Clinical Epidemiology, Oregon Health & Science University (January 13, 2011) and before the Health Information Exchange Conference, HIMSS Oregon (January 20, 2011)

Thank you for the opportunity to present the ACLU of Oregon’s perspective regarding the creation of electronic health records. This issue raises many questions as well as challenges, and I will attempt only to superficially cover some of the many substantive issues. Overall, the question is: how do we as a society use technology to improve medical practices and care, while at the same time understanding and addressing, in a meaningful way, the new and different risks that are created as a result of the use of technology?

Many of you know about the 4th Amendment prohibition against unreasonable search and seizure. From that, as well as from other sources, arise our concerns about privacy. While the constitution refers to limitations against government actions, the ACLU looks not only at what the constitution and laws allow but at what should be the best policies and practices in our society, regardless of whether they are done by the government or the private sector.

Q.    What is Health IT?

Generally, Health Information Technology (HIT or Health IT) refers to the practice of medicine through the electronic collecting and sharing of information. Most discussions center around the creation and use of personal health records (PHRs), electronic health records (EHRs), and databases of these records. This talk will only cover issues around electronic health records and not personal health records, although clearly there is cross-over. Proponents of Health IT believe that everyone will benefit from the use of EHRs. Patients could have better access to records of their treatments and tests, providers could easily learn a patient’s relevant medical history, and researchers could access data about what treatments work best.

But along with the promise of more efficient and effective medicine, Health IT also raises serious concerns about personal privacy. Health records often contain very sensitive personal information like treatment for mental health issues, depression or alcoholism, fertility treatments or abortions, sexually-transmitted and other communicable diseases, and genetic disease screenings. A violation of medical privacy might result in the disclosure of this information to family, neighbors, community, employers, marketers, or identity and data thieves. Given the high stakes in protecting this sensitive information, it is essential that medical privacy form a cornerstone of any Health IT initiative.

It’s fair to say that both doctors and patients worry that their personally identifiable medical data will not be adequately protected. Past experiences and studies show that if the confidentiality of electronic medical records is not guaranteed, a number of unfortunate consequences might occur, such as:

● An employer, after inappropriately reviewing electronic medical records, deciding not to hire a candidate for a job because either the candidate or his or her family is relatively expensive to insure (before amended privacy rules, thirty-five percent of Fortune 500 companies admitted to reviewing job candidate health records before making hiring decisions. 2006: 65 Fed. Reg. 82,467.)
● Data brokers buying up pharmaceutical and medical records of millions of patients and selling them to any willing buyer (See, e.g., IMS v. Ayotte, 550 F.3d 42 (1st Cir. 2008), upholding New Hampshire’s law prohibiting the sale of certain pharmacy records of patients).
● Pharmaceutical companies sending invasive marketing solicitations to induce patients to switch to the companies’ prescription medicines instead of those prescribed by their doctor;
● Persons in small communities or someone in a prominent position may face consequences, both socially and professionally;
● Employees snooping on neighbors’, friends’ and former love interests’ medical records; and
● Uninsured individuals committing medical identity theft by impersonating insured patients whose records they have snooped on in order to obtain treatment.

Health information technology and health information exchange can help improve health care quality and efficiency, while also empowering consumers to play a greater role in their own care. However, Health IT initiatives pose heightened risks to privacy. Recent breaches of health information underscore that the risks are real. At the same time, there is widespread confusion and misinterpretation about the scope of current health privacy laws. Some are pushing for quick “fixes” to try to address the public’s privacy concerns, but fully resolving these issues requires a comprehensive, thoughtful and flexible approach.

I want to quote a bit from the Center for Democracy & Technology paper published in May 2008 (“Comprehensive Privacy and Security: Critical for Health Information Technology”). Rather than treating “privacy” and “security” as an obstacle, they look at those concerns as a means of ensuring success.

“While some persist in positioning privacy as an obstacle to achieving the advances that greater use of health IT can bring, it is clear that the opposite is true: enhanced privacy and security built into health IT systems will bolster consumer trust and confidence and spur more rapid adoption of health IT and realization of its potential benefits.”

They quote survey data that shows Americans are aware of both the benefits and the risks of health IT. “A large majority of the public wants electronic access to their personal health information – both for themselves and for their health care providers – because they believe such access is likely to increase their quality of care. At the same time, people have significant concerns about the privacy of their medical records.”

While they quote national surveys conducted in 2005 and 2006, it’s difficult to imagine that the concerns expressed have significantly changed in the past few years. In 2005, 67% of respondents were “somewhat” or “very concerned” about the privacy of their personal medical records. In a 2006 survey, when Americans were asked about the benefits of and concerns about online health information:

● 80% said they are very concerned about identity theft or fraud;
● 77% reported being very concerned about their medical information being used for marketing purposes;
● 56% were concerned about employers having access to their health information; and
● 53% were concerned about insurers gaining access to this information.

They conclude that: “Appropriate privacy protections must be incorporated from the outset in the design of new health IT systems and policies. It is often difficult or impossible to establish effective privacy protections retroactively, and restoring public trust that has been significantly undermined is much more difficult than building it at the start.”

Q.    How can health IT be structured to protect personal privacy?

Given these serious concerns about personal privacy, it is essential that policy makers, experts, and designers involved in health IT keep privacy at the center of discussion and implementation. Here are some important questions related to patient privacy within any health IT system:

● How do we explain to patients the benefits and risks in a way that can best be understood for individual choice?
● Can patients opt-out of the system and still receive medical services?
● What method do we use to decide whether patients participate: opt-in or opt-out, with what exceptions, and at what granularity?
● Is there a way to minimize data sharing or allow sharing of only part of the data (a patient may not want one provider to see their past psychiatric records, and an adolescent may not want a parent to see that they have been treated for a sexually transmitted infection, for example)?
● Who decides what is Specially Protected Health Information? State law? The medical community? Patients? Isn’t it different for everyone?
● Can patients access their own data at no cost?
● Is there a way for patients to add information or raise concerns about the facts in the report? (I just finished reading Pain Chronicles by Melanie Thernstrom, and when she received copies of her records, the first doctor she saw had basic facts about what triggered the onset of her pain completely wrong.) If records can’t be “corrected,” how can they be “clarified” from a patient’s perspective?
● How will patients control who has access to their information?
● How is the data secured?
● Will patients know when their data has been disclosed?
● Under what circumstances do patients receive notice of a data breach?
● How is medical identity theft handled?
● Are there remedies available to a patient if their data has been breached?
● How anonymous is data that has been “aggregated” or “de-identified”?
● What type of auditing system is in place to ensure proper use?
● What means are taken for patients to meaningfully understand their rights?

Clearly, there are many issues and challenges when we begin to talk about health IT. I will try to touch on many from this list.

Patient choice and the issue of opt-in/opt-out and segregating records based on the sensitivity of the information.

First, while this issue is very important, I think the Center for Democracy & Technology makes an interesting point. They state “If health privacy rules fail to address the range of privacy and security issues through concrete policies [and I might add meaningful remedies, which I will discuss below], and instead rely only (or significantly) on giving individuals the right to consent to multiple uses and disclosures of their personal health information, the result is likely to be a system that is less protective of privacy and confidentiality. Among other reasons, a consent-based system places most of the burden on privacy protection on patients at a time where they may be least able to make complicated decisions about use of their health data. Most don’t read the details of a consent form and those that do often do not understand the terms. Many wrongly assume that the existence of a “privacy policy” means that their personal information will not be shared, even when the policy and the accompanying consent form say just the opposite…If reliance on consent by an individual for any particular use of his or her information is treated by policymakers as the key to privacy protections, the healthcare industry will have fewer incentives to design systems with stronger privacy and security protections.”

Nevertheless, patient control and meaningful decision making is still a critical piece. And it raises important policy questions: should patients be allowed to consent at the front end to participate? While this may be considered burdensome, if patients understand and choose to have their information shared electronically, one can make the argument that it helps establish an important level of trust. Because while there are benefits to health IT, there are also risks, including possible breach or misuse of private medical information. And when there is a breach of some kind (and there will be, it’s just a question of when, not if), does the fact that a patient was informed about this risk and had some understanding of both the benefits and risks, lessen the potential long-term damage of a breach, such as patients refusing to participate in electronic health care exchange or limiting the medical information they share with a doctor?

Let’s look at it from the opposite: if a patient isn’t given the option to consent (and instead is automatically enrolled or barely informed about how to “opt-out”) and there is a breach, what does that do for patient trust? Patients, a community or everyone in a state, who did not understand that there was electronic sharing of their medical information but now have their information released in some unacceptable manner, may never trust the system again. And that may exacerbate the following problem already noted by the Center for Democracy & Technology which they refer to as “privacy-protective” behaviors. According to the 2005 national consumer survey I mentioned above, one in six adults (17%) – representing 38 million persons – say they withhold information from their health providers due to worries about how the medical data might be disclosed. “Persons who report that they are in fair or poor health and racial and ethnic minorities report even higher levels of concern about the privacy of their personal medical records and are more likely than average to practice privacy-protective behaviors.”

They note that we already have a problem of patients who attempt to shield themselves from stigma or discrimination by paying out-of-pocket, asking doctors to fudge a diagnosis, switching doctors frequently to avoid having all their records in one location, lying or even avoiding seeking care altogether.

It may take work, but we would suggest it’s important work to explain to patients the benefits and risks, if only to ensure that patients are sharing the necessary information you need to make medical health care decisions.

And that raises another issue: what level of control does a patient have over the who, what, where and when of his or her medical information? In the debate around this, the term often used is “granularity,” which has different applications but in general allows the segregation of health information, sometimes based on specially protected health information but not always. It refers to segregating data to: 1) allow patients to exert some control over the type and level of information that can be shared; 2) restrict electronic access to information to a set of individuals or entities; 3) establish preferences for the time frame and/or duration for which information can be electronically exchanged; and 4) specify the various purposes for which information accessed electronically can be used.

Again, this is a complicated area. But a person’s rationale for desiring this level of control may stem from concern or fear for how the information available through electronic exchange could be perceived or used, a personal preference for privacy, or his/her individual values. Whatever the reason, it is important to acknowledge and respect those concerns upfront so appropriate steps can be taken to advance the goal of health information exchange while still respecting fundamental autonomy and values. The challenge, however, is that in the context of electronic health care record exchange, there is no easy solution to the challenges raised by these issues.

To add another wrinkle, while Oregon has laws that define Specially Protected Health Information (SPHI) and require specific consent for sharing it, those laws only cover mental health treatment, HIV/AIDS, genetic information and a minor’s reproductive care. That’s a start, but for many of us, what we consider SPHI may not be on this list. What about reproductive health care, including abortion, for adults? That’s not SPHI under Oregon law. But you can imagine patients not wanting it released throughout various health care systems by electronic transmission of their records. And what about anti-depression drugs used for non-mental health purposes? Some of those drugs are used for other conditions that may not fall under Oregon’s SPHI. But patients may not want that information released to every health care provider if they worry that a breach would lead to the perception that they have a mental health condition. As much as we want to move away from the stigmatization in our society related to mental health issues, we aren’t there yet.

As mentioned above, sensitive information may have significant personal, employment, or political consequences, including loss of employment, public shaming, discrimination, and disruption of personal and familial relationships.

There are important policy reasons to allow for a granular approach, especially information that has been used to stigmatize patients in the past such as psychiatric or other mental health treatment and counseling, use of birth control or testing for sexually transmitted diseases, and other conditions or genetic predispositions that have no bearing on a doctor’s evaluation, diagnosis and treatment for a wholly unrelated condition.
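As an added illustration, not part of this presentation or of any Oregon system, the Python sketch below turns the four dimensions of “granularity” described above (what data, which recipients, what time window, what purposes) into a default-deny consent check, with the four Oregon SPHI categories requiring a specific consent and every decision, allowed or denied, written to an audit trail. The category names, participant identifiers and sample requests are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# The four categories Oregon law treats as Specially Protected Health Information (from the talk).
OREGON_SPHI = {"mental_health", "hiv_aids", "genetic", "minor_reproductive"}

@dataclass
class ConsentRule:           # one patient preference: which categories, to whom, when, and why
    categories: set          # e.g. {"lab_results"}; "*" means every category
    recipients: set          # participant identifiers; "*" means any participant
    purposes: set            # e.g. {"treatment"}; "*" means any purpose
    valid_from: date
    valid_until: date        # inclusive

@dataclass
class PatientConsent:
    patient_id: str
    rules: list = field(default_factory=list)
    sphi_consents: set = field(default_factory=set)  # SPHI categories with a specific consent on file

@dataclass
class AccessRequest:         # constructed request format for this example
    patient_id: str
    recipient: str
    category: str
    purpose: str
    on: date

def _matches(rule, req):
    return (("*" in rule.categories or req.category in rule.categories)
            and ("*" in rule.recipients or req.recipient in rule.recipients)
            and ("*" in rule.purposes or req.purpose in rule.purposes)
            and rule.valid_from <= req.on <= rule.valid_until)

def evaluate(consent, req, audit_log):
    """Decide one request (default deny) and append the decision to audit_log for later review."""
    if consent.patient_id != req.patient_id:
        decision = (False, "patient mismatch")
    elif req.category in OREGON_SPHI and req.category not in consent.sphi_consents:
        # A general sharing rule is not enough for SPHI: a specific consent is required.
        decision = (False, "SPHI category without specific consent")
    elif any(_matches(r, req) for r in consent.rules):
        decision = (True, "permitted by patient rule")
    else:
        decision = (False, "no rule permits this disclosure")
    audit_log.append({**vars(req), "allowed": decision[0], "reason": decision[1]})
    return decision

def accesses_by(recipient, audit_log):
    """Audit-trail query: successful accesses by one user, the first thing to review for snooping."""
    return sum(1 for e in audit_log if e["recipient"] == recipient and e["allowed"])

def run_sample():
    """Constructed walkthrough: one patient, two recipients, five requests."""
    consent = PatientConsent("patient-001", rules=[
        # Any category to the primary care clinic, for treatment only, during 2011.
        ConsentRule({"*"}, {"clinic-A"}, {"treatment"}, date(2011, 1, 1), date(2011, 12, 31)),
        # Lab results only, to one specialist, only during a referral window.
        ConsentRule({"lab_results"}, {"specialist-B"}, {"treatment"}, date(2011, 1, 13), date(2011, 2, 28)),
    ], sphi_consents={"genetic"})
    requests = [
        AccessRequest("patient-001", "clinic-A", "medications", "treatment", date(2011, 1, 20)),
        AccessRequest("patient-001", "clinic-A", "mental_health", "treatment", date(2011, 1, 20)),
        AccessRequest("patient-001", "clinic-A", "genetic", "treatment", date(2011, 1, 20)),
        AccessRequest("patient-001", "specialist-B", "lab_results", "treatment", date(2011, 3, 5)),
        AccessRequest("patient-001", "clinic-A", "medications", "marketing", date(2011, 1, 20)),
    ]
    log = []
    return [evaluate(consent, r, log)[0] for r in requests], log
```

The second request is denied even though the clinic’s general rule would match, because mental health treatment is SPHI with no specific consent on file, while the genetic request succeeds because such a consent exists.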

Another area to consider -- can patients opt-out of the system and still receive medical services?

At issue is whether there should be anti-discrimination protections as part of Health IT. Do we allow someone to opt-out of the system without creating a barrier to care? Choosing not to participate can only be a choice if a patient can still obtain care regardless of their decision not to participate in electronic health exchange.

And what about data security and meaningful remedies?

One thing we really do know for sure is that breaches happen. And the health care community is not immune. Every time I’ve reviewed the Privacy Rights Clearinghouse website on breaches recorded across the country, I find that on average there’s one a day and there seems to be a significantly high number related to health care.

There are of course risks of inappropriate access to paper health care records. And with the use of technology comes the ability to create strong user authentication and audit trails to limit and track access to electronic health information. Encryption can help to ensure that sensitive data is not accessed when a system has been breached.

I’ve been told by those who work in the IT medical area that most breaches are not from the outside hacker but by those who are authorized users of the system but are engaged in improper access and use. Also, the absence of strong privacy and security safeguards magnifies the unique risks to electronic health care records. Unlike paper records, tens of thousands of electronic health records can be accessed or disclosed through a single breach. And the documented breaches across the state and here in Oregon not only create real risk to individuals but also have the cumulative effect of deepening consumer distrust in the ability of health care providers to provide adequate privacy and security protections.

Patients need to know when and how their data has been breached. We are getting better about requiring notices related to breach, but notice of any breach, internal or external, should be mandatory and timely. And meaningful security also means meaningful remedies and enforcement mechanisms. Failure to take the appropriate and reasonable steps to secure data should subject the entity to exposure to damages. Here, I’m talking about the negligent or irresponsible entity that has little or no incentive to ensure strong data security systems because there’s no real punishment for their failure, or the punishment is so modest that it’s just considered the cost of doing business. They need an incentive so that we avoid creating situations where data is being inappropriately accessed. And one way is to have exposure to an appropriate level of liability if they fail to take reasonable steps.

Finally, how do we handle the issues related to medical identity theft?

Medical identity theft refers to the fraudulent use of someone else’s personal information to obtain medical services or to make false claims for medical services. In addition to the complications that arise from straightening out other forms of identity theft (such as clearing up bills for expensive services actually received by someone else), medical identity theft can lead to inaccurate information in the victim’s electronic health record, with possible dire results. For example, an identity thief could obtain treatment under a victim’s name, leading to false information about blood type, drug allergies, treatments, or existing conditions, which could then later lead to unnecessary or dangerous treatments for the victim. As more personal health information is centralized under health IT, medical identity theft becomes more likely and the consequences more worrisome.

The victims of identity theft must have a mechanism to remove information from their medical record that may adversely affect their treatment. And if medical information is transmitted to various entities, there has to be a way to correct this information beyond contacting the originator of the information. This reinforces the need for any Health IT system to include robust data security measures, as well as provisions for patients to discover and correct errors.


No doubt, this is a complicated area, but one thing I have observed in the last few years as Oregon begins to grapple with this issue is the continued disconnect between the issues of electronic health care records and privacy. It’s as if privacy is a separate, and often final, issue on a long checklist. Instead, “privacy” needs to be fully integrated into every aspect, discussion and decision-point related to the development of electronic health care records.

I’ve testified before the various bodies involved in this. Indeed, prior to the creation of the Oregon HITOC (Health Information Technology Oversight Council), I was informally asked to serve on the subcommittee related to privacy of the previous commission. I attended all the meetings, on behalf of the ACLU of Oregon, and I was the only non-member who was asked to participate in this way. And while I appreciated the opportunity, it raised concern because it would be our hope that the ACLU would not be the lone or one of the few voices raising privacy issues and certainly, that perspective needs to be brought in at the beginning, not mid-way through the process.

Obviously, those who are involved at this stage are those most affected by these systems, in other words those in the health care community. And I appreciate the efforts made by those attempting to inform the process to reach out to consumers as well as to various communities who, historically, are less involved in state decision making processes. However, I continue to be troubled by the conversation and how there is, from our perspective, not enough recognition, let alone meaningful discussion, by well-intentioned people, about privacy from the consumer perspective.

So, I urge all of you to be mindful of these issues. And to be sure, nationally the ACLU is not the only voice to raise these important policy issues. I quoted from a few sources, but I urge all of you, if you get involved in this, to review some of the papers that tackle and discuss these issues from a privacy and patient perspective.