Tuesday, December 26, 2006

Another Electronic Medical Record Horror Story

The Wall Street Journal today published a story on a patient, Patricia Galvin, who was screwed by insurers after medical information she thought was confidential (about her psychotherapy) was divulged to an insurance company. The story is "Spread of Records Stirs Patient Fears of Privacy Erosion", Theo Francis, Dec. 26, 2006 (subscription needed; I will post a public link if it becomes available).

Here is a brief summary from this link:

Medical Dilemma: Spread of Records Stirs Patient Fears Of Privacy Erosion

Dec 26, 2006 By Theo Francis, WSJ.com

After her fiancé died suddenly, Patricia Galvin left New York for San Francisco in 1996 and took a job as a tax lawyer for a large law firm. A few years later, she began confiding to a psychologist at Stanford Hospital & Clinics about her relationships with family, friends and co-workers.

Then, in 2001, she was rear-ended at a red light. When she later sought disability benefits for chronic back pain, her insurer turned her down, citing information contained in her psychologist's notes. The notes, her insurer maintained, showed she wasn't too injured to work.

Ms. Galvin, 51 years old, was appalled. It wasn't just that she believed her insurer misinterpreted the notes. Her therapist, she says, had assured her the records from her sessions would remain confidential.

As the health-care industry embraces electronic record-keeping, millions of pages of old documents are being scanned into computers across the country. The goal is to make patient records more complete and readily available for diagnosis, treatment and claims-payment purposes. But the move has kindled patient concern about who might gain access to sensitive medical files -- data that now can be transmitted with the click of a computer mouse.

The U.S. Department of Health and Human Services implemented standards in 2003 for guarding patient privacy, supplementing a patchwork of state laws. The federal standards, which grew out of the 1996 Health Insurance Portability and Accountability Act, single out psychotherapy notes for extra protection.

Critics claim that loopholes in the rules have left patient privacy under threat. Ms. Galvin, for example, discovered that when psychotherapy notes are mixed in with general medical records, the federal rules afford them no special protection. That is precisely what happened with her records at Stanford, she says.

The article points out that complaints to HHS about breaches of medical privacy have exceeded 23,000 and that HHS presently receives about 700 new complaints monthy, while enforcement of "guarantees" such as in the HIPAA act are basically non-existent. I'd bet a large proportion of these breaches were facilitated by electronic legerdemain.

Here is my Letter to the Editor in response. I do not know if it will be published:

(Update: An edited version of the letter below was indeed published as a Letter to the Editor in the Wall Street Journal, Saturday, 12/30/06, print edition. Edited out for brevity were mention of the UK's difficulties, explicit mention of psychology information as inappropriate in an EMR, and unfortunately, mention of the HCRENEWAL blog. However, the letter was otherwise intact.)

To: wsj.ltrs@wsj.com
cc: theo@theowire.com
Date: Tuesday, December 26, 2006
Subject: Re: Spread of Records Stirs Patient Fears of Privacy Erosion

Dear Wall Street Journal,

Ms. Galvin’s fears that her most private thoughts and secrets are “mere data of a transaction, like a grocery receipt” are well-founded and truly give life to an observation I made several years ago while leading electronic medical records (EMR) implementation at a large hospital. I observed that clinical computing and business computing are entirely different specialties of computing. I felt that the dominance of EMR efforts by information systems personnel would lead to devaluation of doctor-patient confidentiality and of the doctor-patient relationship itself.

As Drucker wrote in 1999, information systems personnel have taken a somewhat peculiar view of the world, namely that the entire world operates on the principles of 19th century accounting theorem, and computerized it in a form where events are deconstructed to “transactions.” Unfortunately, as Ms. Galvin discovered to her horror, good things do not come from treating twenty-first century medical “transactions” as nineteenth century accounting data.

We’re not alone in the United States. In the UK, the ambitious Connecting for Health (CfH) national EMR project and plans for a central clinical database have been met with stiff resistance from patient advocacy groups. Plans to upload medical records onto the central clinical database will put patient confidentiality at risk, the UK program has been told by its own consultants [1]. Professor Ross Anderson, Professor of Security Engineering at Cambridge University and one of the founder members of privacy advocacy group http://TheBigOptOut.org made the telling point that people should opt out of inclusion in the national database, if only to wait and see if their government delivers the ‘protections’ that it is promising - and if it does, to see if they are sufficient and effective [2]. HIPAA must have been on Prof. Anderson’s mind.

A similar advocacy movement is needed in the U.S., for there has been an idealistic and almost reckless push in the US to put any and all healthcare information into EMR’s and other electronic databases, even when the financial and clinical benefits are unproven.

A critical issue in the Journal story that needs consideration is why detailed notes of psychotherapy sessions, of all things, were available in electronic form. This makes little sense and is entirely unnecessary. For instance, data on Ms. Galvin’s feelings and private affairs would not be needed – or even useful – to other doctors in a medical emergency. Indeed, even if Ms. Galvin switched doctors, her history would best be redone by a new psychologist in building an effective doctor-patient relationship.

In a decade when conflict of interest and mismanagement in healthcare is common [3], break-ins to supposedly secure databases appear in the news almost weekly, and dominant computer operating systems are barely able to keep ahead of hackers’ attempts to circumvent security, the dream of patient confidentiality is increasingly utopian. The reality is that the HIPAA act lacks teeth, enforcement initiatives non-existent (as the Journal reports), and stated exceptions to the HIPAA rules are prone to misuse by the powerful and those with financial incentives. These factors make it likely that the HIPAA “guarantees” are not worth the weight of the paper they’re written on.

In reality, if you want to keep information secure, don’t put it on a computer; and if you have to put it on a computer, and the computer is to be put on a network, then the information by definition is no longer secure.

These harsh realities call for a critical rethinking of the types of clinical data that should be put into electronic databases, and on governance of privacy, security and confidentiality. In the U.S. there is an office with a mandate to consider such issues, the Office of the National Coordinator for Health IT (ONCHIT) in the Department of Health and Human Services [4]. I call on ONCHIT to lead this needed rethinking in our national strategy for electronic healthcare information.


[1] “CfH report confirms confidentiality risk,” The Register, Nov. 27, 2006, http://www.theregister.co.uk/2006/11/27/care_record_conf/

[2] http://www.nhsconfidentiality.org/?p=37

[3] Foundation for Integrity and Responsibility in Medicine, http://hcrenewal.blogspot.com

[4] Office of the National Coordinator for Health IT (ONCHIT), Department of Health and Human Services (HHS), http://www.hhs.gov/healthit/rfi.html

-- SS


Team Brit'naire said...

I am also sick of it as the information on internet is not secured. Is there any way out?

InformaticsMD said...

Yes, through slowing down a bit. We want to achieve Apollo 11, not Apollo 13 (or Apollo 1).

Anonymous said...

EMR is expensive, and even Stanford, has experienced Epic backslash due to poor implementation. However, new and better systems and implementation are not far away.

EMR Medical said...

EMRs will not just change the way medical providers work in hospitals and doctors’ offices, they will improve the quality of care and reduce costs.