October / December 2004
Electronic Records, Patient Confidentiality, and the Impact of HIPAA
Healthcare providers need quick access to patient medical information whenever and wherever patients present for care. A system to standardize electronic medical records (EMRs), such as the National Health Information Infrastructure, would provide quick access to patient information. According to Dr. Carolyn M. Clancy, director of the Agency for Healthcare Research and Quality, a national health information network is an essential tool for improving healthcare safety and quality (Silverman, 2004). If a patient were injured far from home, an emergency room physician would have immediate access to the patient's history and list of medications and could treat the patient accordingly. But if such a system were used incorrectly, a patient's privacy could be violated.
Violations of the privacy of medical records have made the headlines. Kobe Bryant attempted to have his accuser's medical records brought into court, and Rush Limbaugh's medical records were subpoenaed. In February 2004, Attorney General John Ashcroft subpoenaed the medical records from at least six hospitals in a sweeping search for documentation of the "medical necessity" for partial-birth abortions. The Justice Department said, "The subpoenas did not intrude on any significant privacy interest of the hospital's patients because the names and other identifiable information would be deleted." But Kelly Sullivan, a spokeswoman for Northwestern Hospital, said, "There still is enough identifiable information in these records to identify these people." The department cited federal case law that "There is no federal common law protecting the physician-patient privilege (Lichtblau, 2004)."
According to the American Medical Informatics Association, "In light of 'modern medical practice' and the growth of third-party insurers, individuals no longer possess a reasonable expectation that their histories will remain completely confidential (Lichtblau, 2004)." In a 1993 survey, 80% of respondents believed that consumers had lost control over information about themselves. There are numerous other polls that reveal the same fear, even among the homeless (Barrows, 1996). The medical community, the primary user of identifiable health information, has a strong history of protecting medical records, but patients worry that banks, drug companies, employers, computer hackers, and the government can access their most intimate information if it is stored electronically. Patients' permanent medical records are already routinely reviewed by insurance companies processing claims for payment. A banking or pharmaceutical company could target marketing efforts towards specific patients, or a potential employer or insurer could review one's genetic predisposition to disease. These secondary users have no obligation to respect the doctor-patient relationship characterized by trust and confidentiality, and have both the potential to profit and the resources to access electronic information.
According to the American Medical Association's (AMA) Council on Ethical and Judicial Affairs, "The purpose of a physician's ethical duty to maintain patient confidentiality is to allow the patient to feel free to make a full and frank disclosure of information to the physician with the knowledge that the physician will protect the confidential nature of the information disclosed (AMA, 2003)." But physicians cannot completely control access to electronic records. If patients fear their records will not be private, they might tell their doctors less, or even refuse to seek care. The Health Privacy Project study of the homeless revealed that homeless patients would not go for care if certain information were requested (AMA, 2003).
The U.S. Department of Health and Human Services (HHS) has attempted to protect the privacy of medical records by enacting a Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA). The Privacy Rule took effect in April 2003. The regulations were designed to protect patients' identifiable health information provided to health plans, doctors, hospitals, and other healthcare providers. According to HHS, "These new standards provide patients with access to their medical records and more control over how their personal health information is used and disclosed. They represent a uniform, federal floor of privacy protections for consumers across the country (CMS, 2004)." But HIPAA leaves too many loopholes. The Department of Homeland Security and the Patriot Act have the power to bypass the law to access records for national security reasons. HIPAA doesn't succeed in protecting patients' privacy or confidentiality because insurers, researchers, and pharmaceutical companies can still access information.
The goal of patient information privacy conflicts with the goal of improved healthcare that can be achieved with EMRs. Provisions in HIPAA provide some confidentiality protection, but not enough.
History and Background
During the administration of George H. W. Bush, HHS consulted with various segments of the healthcare industry to create an electronic data interchange (EDI). In 1991, HHS teamed up with two insurance companies to form a work group for EDI called the Work Group for Electronic Data Interchange (WEDI). That work group and the Associates for Electronic Health Care Transactions had a part in the eventual formation of The Health Insurance Portability and Accountability Act of 1996. Groups such as the Privacy Protection Study Commission, the Office of Technology Assessment, the General Accounting Office, the Institute of Medicine, and WEDI have studied the issue of privacy protection for EMR and clinical data management systems.
In the 1990s, legislation to simplify medical paperwork was proposed as a way to control healthcare costs. A common technique used to accomplish the goal of administrative simplification was the use of standardized forms and electronic records. Increased use of EMR created the need for better confidentiality protections, but early legislative attempts to protect the confidentiality of medical records were not successful. The Medical Records Confidentiality Act of 1995 (S. 1360), "a bill to ensure personal privacy with respect to medical records and healthcare-related information," did not pass.
HIPAA '96 included provisions designed to encourage electronic transactions, and also required new safeguards to protect the security and confidentiality of health information. According to Lance Gable, JD, MPH, an Alfred P. Sloan Fellow in Bioterrorism Law and Policy at the Center for Law and the Public's Health, Congress did not pass privacy regulations in time to meet a statutorily imposed deadline, so the mandate to create the regulations passed to HHS (personal communication November 25, 2003, April 19, 2004). HIPAA eventually included several rules designed to protect privacy, including the Transaction Rule and the Administrative Simplification Regulations. These provisions (Sections 261-264) seek to facilitate both efficiencies and cost savings for the healthcare industry via electronic technology, but also address the importance of the confidentiality and security of personal medical information (Federal Register, 2000).
The latest, the Privacy Rule, is structured to provide strong protection without compromising access to quality healthcare. The rule requires the government to establish national standards for electronic transactions and to protect the privacy and security of electronic health information. Analysts estimate the cost of compliance to healthcare industry at up to $25 billion (Gesensway, 2003).
In an attempt to reduce the total cost of HIPAA, HHS proposed final amendments to the Privacy Rules (Federal Register, 2002). According to Michael Best & Friedrich (2002), "These rules make 'consent' optional, simplify the authorization process, allow disclosure for the treatment, payment, and certain healthcare operations of other covered entities, reduce accountable disclosures (disclosures that have to be tracked), and permit an extra year to achieve compliance for pre-existing business associate contracts. The most significant changes from the original rules are in the regulation of marketing and the addition of a 'limited data set' of protected health information that may be disclosed for research, public health, or healthcare." The amendments reduce standards of privacy protection in marketing, limited data set, consent, disclosure for another covered entity's treatment, payment, incidental use and disclosure, and enrollment data sharing with plan sponsors and organized healthcare arrangements.
Numerous legal exemptions authorize release of patient information and medical records, including for utilization review, insurance payment, business operations, research, public security, public health needs, and information needed by coroners and the legal system. HHS oversees many of these organizations as well as HIPAA itself, a potential conflict of interest (HHS, 2003).
According to the Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure, levels of threats to privacy fall into the following categories:
- Insiders who make innocent mistakes and cause accidental disclosures
- Insiders who abuse their record access privileges
- Insiders who knowingly access information for spite or for profit
- The unauthorized physical intruder
- Vengeful employees and outsiders who attack to access unauthorized information, damage systems, and disrupt operations (1997)
The committee lists two basic countering/protective measures: deterrence and imposition of obstacles. Deterrence attempts to prevent violations by imposing sanctions and/or punishment. Obstacles are placed to prevent violations, such as physical locks and alarms. According to Kirk French of Unisys (personal communication February 2004), encryption techniques are state-of-the-art. Hackers get in either before the data is encrypted or after it is decrypted at the other end. Therefore, it is vital to have an airtight system from start to finish.
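Deterrence as described above only works if violations of record access can actually be found after the fact. As an added example, not from the article or from the committee report it cites, the Python below walks a constructed EMR access audit log against a constructed table of treatment relationships and flags chart views that have no care relationship behind them, the "insiders who abuse their record access privileges" category from the list above. The log format, the user and patient identifiers, the seven-day follow-up grace window, and every log line are assumptions made for this example and do not describe any real system.

```python
"""
Added example (not from the article): flag EMR chart accesses that have no
documented treatment relationship.  Every identifier, the log layout and the
grace window below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed treatment relationships: (clinician, patient) -> (start, end).
# A clinician may view a chart while the relationship is active, plus a short
# grace window afterwards for follow-up documentation (assumed: 7 days).
TREATMENT = {
    ("dr_lee", "P1001"): (datetime(2004, 3, 1), datetime(2004, 3, 10)),
    ("nurse_kim", "P1001"): (datetime(2004, 3, 1), datetime(2004, 3, 10)),
    ("dr_lee", "P1002"): (datetime(2004, 3, 5), datetime(2004, 3, 6)),
}
GRACE = timedelta(days=7)

# Constructed audit log: "<ISO timestamp> <user> <action> <patient_id>" per line.
SAMPLE_LOG = """\
2004-03-02T09:15:00 dr_lee VIEW P1001
2004-03-02T09:20:00 nurse_kim VIEW P1001
2004-03-03T22:41:00 clerk_ray VIEW P1001
2004-03-12T08:00:00 dr_lee VIEW P1001
2004-03-25T08:00:00 dr_lee VIEW P1001
2004-03-05T11:00:00 dr_lee VIEW P1002
2004-03-05T11:05:00 nurse_kim VIEW P1002
"""


@dataclass(frozen=True)
class Access:
    when: datetime
    user: str
    action: str
    patient: str


def parse_log(text: str) -> list[Access]:
    """Parse the constructed audit format, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line: do not silently treat it as justified
        ts, user, action, patient = parts
        records.append(Access(datetime.fromisoformat(ts), user, action, patient))
    return records


def has_relationship(user: str, patient: str, when: datetime) -> bool:
    """True if the user had an active (or recently ended) relationship with the patient."""
    span = TREATMENT.get((user, patient))
    if span is None:
        return False
    start, end = span
    return start <= when <= end + GRACE


def flag_unjustified(accesses: list[Access]) -> list[Access]:
    """Return accesses for which no treatment relationship justifies the view."""
    return [a for a in accesses if not has_relationship(a.user, a.patient, a.when)]


if __name__ == "__main__":
    for a in flag_unjustified(parse_log(SAMPLE_LOG)):
        print(f"REVIEW {a.when.isoformat()} {a.user} {a.action} {a.patient}")
```

On the constructed log this flags three views: the clerk with no relationship to P1001, the physician's view of P1001 well after the grace window closed, and the nurse's view of P1002. The check is deliberately conservative: a malformed log line is skipped rather than assumed justified, and the grace window is a policy parameter rather than something inferred from the data.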
Problems have developed in the human chain of control. In late 2002, computer equipment and files were stolen from the Arizona office of a military healthcare contractor. Among the data embedded within the equipment were sensitive patient information and identifiers of the patients (Gilmore, 2003). In August 2002, the Indianapolis VA Medical Center gave away 139 old computers without following security rules to purge information. Significant sensitive personal medical information remained on the hard drives. No answers regarding encryption systems used or in place were forthcoming from the Department of Defense.
Another possible privacy breach lies within the system of primary or secondary users. The types of users that collect, process, and store health information include primary users, such as healthcare providers (doctors, nurses, lab technicians, and pharmacists), and secondary users, such as insurance companies, third-party payers, utilization and outcome assessment groups, public health groups, research groups, and the health information services industry. Policies these groups have regarding protection of information may be as varied as their needs and uses of the information.
President George W. Bush has set a goal of establishing an EMR for all patients by 2014 and has established a new coordinator position in HHS to develop technical specifications for standardization of EMR. In May, Dr. David Brailer was appointed to fill this national health information technology coordinator position (HHS, 2004).
Many groups advocate the use of electronic medical records. The Electronic Health Record Collaborative (EHRC), composed of the Healthcare Information and Management Systems Society, American Medical Informatics Association (AMIA), College of Healthcare Information Management Executives, eHealth Initiative, and National Alliance for Health Information Technology, supports EMRs, particularly a universal, standardized format (Calacanis, 2004). The Code of Ethics of the American Medical Association (AMA), an EHRC member, states, "The utmost care must be taken to protect the confidentiality of all medical records, including computerized medical records (AMA, 2002)." The American Osteopathic Association's (AOA) position paper Confidentiality of Patient Records (2003, p. 101) addresses HIPAA and transference of information across electronic lines. The AOA opposes invasion of privacy of the patient record and endorses programs that seek to protect patient/physician relationships and to guarantee confidentiality of patient records.
Patient Record Institute advocates the use of EMR, as does the Leapfrog Group, a collection of Fortune 500 companies that insures over 34 million employees (Leapfrog, 2004). As of May 8, 2004, the group Health Level Seven has had its model for EMR approved for a two-year trial (Health Data Management, 2004).
Various makers of encryption systems and vendors such as Zixit Corporation, a company that sells security and privacy software to users of electronic communications, support the use of EMR systems. Zixit CEO John Ryan states, "HIPAA is an opportunity; it very much was a reason for the company's focus. We know healthcare has more than 11 million workers who use email (Health Data Management, 2004)."
The HHS Office of the Assistant Secretary for Planning and Evaluation stated in 2000, "We learned that stakeholders in the system have different ideas about the extent and nature of the privacy protections that exist today, and very different ideas about appropriate uses of health information (Federal Register, 2000)." Americans are concerned about breaches of privacy and security of information in many areas of life, not just medicine. Louis Harris & Associates have done serial polls from 1978 to 1999 that reveal a steady rise in the percentage of Americans who fear loss of control over their personal information. A 1994 ACLU poll reveals that the public is concerned about insurers and employers gaining access to their private medical information, and in a 1998 Privacy Concerns & Consumer Choice Survey, 88% said they were concerned by the amount of information being requested (Electronic Privacy Information Center, 1998).
Kansas State Senator William Kassebaum expressed his concern over medical record confidentiality and particularly electronic transmission of information. In 1995, he discussed the gaping holes in the patchwork of current state privacy laws and the threat to confidentiality of medical records, as well as the possible risks associated with personal medical information getting into the hands of those who would use it for other than intended purposes. Senator Patrick Leahy (D-VT), in the same discussion, referred to public concern over the issue: "The American public demonstrated their concern in an ACLU benchmark survey on privacy titled Live and Let Live, wherein three of four people expressed particular concern about computerized medical records held in databases used without the individual's consent." Going further, he stated, "A poll sponsored by Equifax and conducted by Louis Harris indicated that 85% of those surveyed agreed that protecting confidentiality of medical records is extremely important in national healthcare reform."
Senator Hillary Clinton (D-NY) is both in favor of a national IT system and the protection of patient privacy (Goldman, 2004; Clinton, 2004).
The Joint Commission on Accreditation of Health Organizations (JCAHO) would also add further protections to HIPAA by demanding that patients' rights, security policies, and information-management standards be addressed in more explicit ways.
In the Journal of American Medical Informatics Association, the ACLU laid out a set of guidelines to protect patient privacy, including a system that would allow consumers to give or withhold "e-Consent" to those who wish to access their electronic health information (Barrows, 1996).
Attorney William G. Schiffbauer, in an article for the Bureau of National Affairs' E-Health Law & Policy Report, postulates that the HIPAA regulations are unconstitutional, citing that Congress cannot give away its legislative authority, but did so to HHS (Privacilla, 2001).
Legislative Action to Protect Privacy
Stop Taking Our Health Privacy (STOHP) Act of 2003, H.R. 1709 would:
- Restore standards to protect the privacy of individually identifiable health information that were weakened by the August 2002 modifications;
- Permit a healthcare provider to use or disclose an individual's protected health information without prior consent under specified circumstances;
- Ensure that consent forms meet specified criteria, including a description of the specific marketing uses and disclosures authorized;
- Forbid disclosures for public health activities.
The Patient Privacy Act, H.R. 1699 would:
- Amend the Administrative Simplification section of the Social Security Act to repeal the requirement of unique health identifiers and penalties for wrongful disclosure of unique health identifiers;
- Amend the Health Insurance Portability and Accountability Act of 1996 to repeal provisions for regulations for standards with respect to the privacy of individually identifiable health information;
- Prohibit the expenditure of federal funds to develop or implement any database or other system of records containing personal medical information of any U.S. citizen, or to collect medical records for the purpose of storing them in a database or other system of records, with specified exceptions.
The Medical Independence, Privacy, and Innovation Act of 2003, H.R. 2196 would forbid the use of Social Security numbers in medical records to identify patients.
Our country has a heritage of the right to privacy based on the Fourth Amendment to the United States Constitution: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated." The Supreme Court upheld the constitutional privacy protection of personal health information in Whalen v. Roe, 429 U.S. 589 (1977). While there is no effective federal statute of protection, the osteopathic doctrines promise to protect doctor-patient confidentiality. In our code of ethics, Section One discusses our duty to "...keep in confidence whatever she/he may learn about a patient." In our oath, physicians promise "...to retain (patient's) confidence and respect both as a physician and friend who will guard their secrets with scrupulous honor and fidelity..." The vulnerability of electronic medical records and the inadequacy of HIPAA regulations to protect the privacy of those records make it difficult to comply with our oath and our code of ethics.
As the AMIA points out, "The days of paper records locked in a file cabinet are numbered, and the increased use of electronic medical information is inevitable, as is increased potential for breaches of privacy (Barrows, 1996)." A survey done by Princeton Survey Research Associates revealed that Americans trust their doctors and hospitals, but fear disclosure of information handled by secondary users (1999).
Electronic medical records need comprehensive protection at the federal level. There is certainly a need for access to medical information, yet we must protect our patients' information from secondary users. HIPAA must eliminate the ability of secondary users and the government to access our patients' information. HIPAA attempts to accomplish this, but by providing access to other users, it falls short of this goal. There should be an amendment to HIPAA eliminating access by secondary users. In addition, patients should be given the option to place a disclosure restriction on their records, which would include the government. H.R. 1709 attempts to prevent access by secondary users by narrowing the scope of privilege of the consent forms and restoring standards to protect privacy. H.R. 1699 and H.R. 2196 would prevent the use of Social Security numbers as unique identifiers.
Federal legislation or an amendment to HIPAA protecting the doctor-patient relationship would improve access and quality of care because without the assurance of privacy, patients may avoid medical care. Banning access to EMRs by secondary users would eliminate a group of readers who are not intimately involved in the patient's care, who would exploit confidential information for financial gain. In addition to tightening regulations, physicians must optimize the use of encryption technology and security and ensure the integrity of healthcare data by preventing modification of information.
HIPAA attempts to protect privacy, yet allows access to numerous entities that have no responsibility to protect what should be a confidential doctor-patient interaction. Regulations must be tightened to prevent breaches of privacy. We should prohibit the expenditure of federal funds to develop or implement any database or other system of records containing personal medical information of any U.S. citizen, or to collect medical records for the purpose of storing them in a database or other system of records, with specified exceptions.
Gail Dudley is division chair for primary care at the Edward Via Virginia College of Medicine in Blacksburg, Virginia. She received her DO degree from the West Virginia School of Osteopathic Medicine and certification in family practice from the American Osteopathic Board of Family Physicians. Dudley is certified in quality assurance/utilization review with subspecialty in risk management by the American Board of Quality Assurance and Utilization Review Physicians, and in neuromuscular skeletal medicine by the American Osteopathic Board of Neuromusculoskeletal Medicine. In September 2004, Dudley completed an AOA Heritage Health Policy Fellowship and delivered this material as a presentation to the AOA Council on Federal Health Programs. She may be contacted at [email protected].