Patricia Galvin was the subject of a Wall Street Journal story five years ago detailing her medical records horror story.
Galvin began psychotherapy at Stanford Hospital & Clinics in San Francisco to cope with her fiancé’s suicide. Following a serious car accident, she was denied disability compensation for severe chronic back pain on the basis of her therapist’s notes.
Galvin felt a confidentiality agreement was breached, but her case was more complex. Although HIPAA restricts the disclosure of psychological records, her therapist merged case notes with her EHR’s general medical record, which is less regulated.
According to the Journal, the HHS doesn’t act on complaints under HIPAA, and even mental health records can be released with court orders in legal actions like accident claims.
Unable to separate her therapist’s notes from her general medical record, Galvin’s case tapped into an overarching debate over how much control patients should have over their EHRs.
Patient vs. Provider Control
Ethically speaking, EHRs should grant patients some degree of autonomy. With 80% of Americans concerned about EHR privacy, it’s no surprise patients sometimes want to control and claim ownership of intimate information housed in their electronic records.
Likewise, hospitals, practices, and other healthcare providers may do the same, which creates conflicts between economic and personal value, as well as a struggle between professional and patient autonomy.
There are several approaches to the EHR-privacy issue. First, a number of physicians and other industry professionals believe patients should have zero control over the content in EHRs because it would change the nature of the medical practice.
In other words, cases like Galvin’s would run rampant, although her situation feels inherently unethical. Not to mention, Galvin may feel less compelled to trust a therapist in the future, and her mental health could deteriorate as a consequence.
The likelihood of this view spreading is low, however, seeing as it underestimates decreases in patient privacy if EHRs were adopted sans patient controls.
Conversely, another approach entails absolute patient control. This view is impractical, namely because patients with little to no medical training would need to review all records and select specific items they’d want to unveil or hide, as well as aligning disclosures with patient instructions.
Furthermore, a drug-addled patient may restrict sensitive information about the frequency of his/her vice that could be crucial to know before treating a severe health complication.
Finding a Middle Ground
In a separate Wall Street Journal piece, founder of Patient Privacy Rights Deborah Peel, MD, insists the push for nationwide EHR implementation will fail if patients are not allowed to place some restrictions on their EHRs to ensure sensitive data is secure.
While not advocating an absolutist approach, Peel believes the interoperability of EHRs frightens patients, making them less likely to discuss issues like sexual and substance abuse history and other oft-stigmatized symptoms.
Patients may also lie, albeit not always purposely. Hypothetically speaking, Galvin could’ve told her therapist her back was fine while under mental duress, yet a thorough physical examination might suggest otherwise.
On that note, the third approach to the patient control discussion is the product of a National Committee on Vital and Health Statistics (NCVHS) proposal, and probably the closest thing to a middle ground between zero patient privacy controls and item-by-item power.
Based on public hearings held over the last five years, the NCVHS suggests patients be given the option to isolate some sensitive health information in a number of predetermined categories, namely mental health, substance abuse, domestic violence, and reproductive health.
Patients like Galvin would have the right to flag information within these categories, preventing disclosure without additional consent and possible misinterpretation of a physical condition based on mental health observations.
Mark Rothstein, JD, of the Institute for Bioethics, Health Policy, and Law at the University of Louisville School of Medicine outlines six requirements for a sound policy on patient privacy controls, claiming they should:
1. Have low costs.
2. Be clear to both patients and providers.
3. Not require undue effort in making decisions.
4. Not cause patients to avoid obtaining information.
5. Not impart surplus administrative burdens on providers.
6. Be careful to not disturb sound clinical care.
Along these lines are initiatives like the Virtual Lifetime Electronic Record Community (VLER) project, a joint proposal presented at a hearing held at the ONC’s office last year by the departments of Defense and Veterans Affairs.
The project clusters sensitive health records data, including medication lists and lab results, so patients can manage various aspects of their records via one consent control.
The ONC hearing also featured a newly formed Privacy and Security Tiger Team, which made suggestions on obtaining patient consent to exchange their EHRs but stopped short of granting granular consent.
Concerned with the faulty implementation of more selective patient consent, the Tiger Team instead recommended the ONC promote innovation in granular consent technology via pilot programs. The ONC has not yet included any of the team’s consent suggestions in any authorized guidelines.
How much control should patients have over their EHRs? Do you agree with any of the three approaches, or can you think of a fourth?
Do you know what you need when setting up a new medical practice?