Give Patients EHR Control, Says Civil Liberties Union - InformationWeek
09:29 AM

A New York Civil Liberties Union report urges New York State health officials to provide patients with greater control over their health records.

A report from the New York Civil Liberties Union (NYCLU) says there are significant flaws in New York State's current privacy and security policies and procedures governing computer networks that share electronic medical records. Those flaws limit a patient's ability to control the dissemination of their health records.

The new report – Protecting Patient Privacy: Strategies for Regulating Electronic Health Records Exchange – is a 34-page document that acknowledges the benefits of sharing patients' health records electronically, but also laments the current policies and procedures in New York State that allow providers to upload patient records without a patient's consent.

Furthermore, the report said New York State, which has already invested more than $840 million in developing electronic information sharing networks for medical records, is building a health information exchange infrastructure that takes an all-or-nothing approach to provider access to medical records. The problem, the report says, is that doctors who obtain a patient's medical records can see that patient's entire medical history, including information they may not need for the specific condition they are treating.

"New York State has erred on the side of providers and not on the side of patient privacy," Corinne Carey, NYCLU's assistant legislative director, told InformationWeek Healthcare. "What I think is problematic is that patients are not able to control which kinds of providers access which kinds of data. For example, a podiatrist does not need to see the details of a sexually transmitted disease that occurred 10 years ago or a substance abuse disorder that the patient dealt with 15 years ago."

The report focuses on patients who may have a heightened concern regarding the privacy of their information, such as those with a history of substance abuse, patients who have been raped, and patients who have had an abortion. These patients deserve to have an electronic health data exchange system that can sort and segregate information by data type (blood test, diagnosis, or procedure), by provider (gynecologist, psychologist, internist), or by time (a procedure that occurred five years ago).

"Allowing patients to retain a measure of control over their medical records will increase confidence in the system's ability to safeguard confidentiality," the report states.

The NYCLU also urged New York State health officials to revisit policy choices in ways that empower patients to control the dissemination of their medical records, and offered a few recommendations of its own.

Among the NYCLU's recommendations:

-- Require the electronic systems employed by HIEs to have the capability to sort and segregate medical information in order to comply with guaranteed privacy protections of New York and federal law. Presently, they do not.

-- Offer patients the right to opt out of the systems altogether. The state should revisit its decision to upload patient information to the system without patient consent. Barring that, the state must adopt a policy that would allow patients to affirmatively opt out of the system so that their medical information is not included in the network.

-- Prohibit health information exchanges from selling data. The New York State Legislature should pass legislation prohibiting HIEs from selling patients' private health information.

-- Carefully regulate the use of commercially available personal health records (PHRs). A number of commercial vendors, such as Microsoft HealthVault, currently offer patients the ability to collect, store, and manage their own medical information online. Under existing law, it is unclear to what extent these commercial entities are bound by the Health Insurance Portability and Accountability Act (HIPAA) or New York State confidentiality laws. State law should extend confidentiality obligations and protections to private entities that offer PHRs.

In response to the report, Peter Constantakes, spokesman for the New York State Department of Health, said the department "believes that our current policies comply fully with federal and state laws and that patient information is well protected under the current set of policies, but we are always looking for ways to improve the system."

Constantakes also told InformationWeek Healthcare that New York has an annual review process of the policies and procedures that guide the state's patient data privacy and security rules.

"A new policy committee will be reviewing comments submitted as part of the annual review process last year and making recommendations on changes to the current version of the privacy and security policies and procedures. All comments will be discussed, including comments submitted by the NYCLU," Constantakes said.

3/22/2012 | 2:54:08 PM
re: Give Patients EHR Control, Says Civil Liberties Union
The patient should not have only rights; they should be able to consolidate and manage their own records and make them available to their providers.
It should not be the reverse. The records belong to the patient.