Patient Privacy and EHR

As we learned from my previous post, EHR system potentially brings multiple benefits to hospitals. EHR allows health providers to instantly store, retrieve, access, and exchange patient information from virtually anywhere. However, patient privacy remains one of the main concerns regarding EHR system. Therefore, I decided to talk more about it in this post.

EHRs are more than just a bank of data. They are eventually about people and can tell stories of a person. As it is nicely put by HealthIT.gov in this video: My EHR is Me. In that sense, only people who need to know should have an access on the records. There are several cases of data breach happened in the hospital. One of them is the case when employees of UCLA health system were found to access celebrities’ records although they did not have a proper authorization to do so. At the end, UCLA health system agreed to pay a settlement of $865,000 with the U.S. Department of Health and Human Services Office for Civil Rights. Lucky these employees were “just” accessing the records. Imagine if the confidential records end up in the wrong hands, the consequences could lead to identity theft, which can destroy a patient's finances, credit and reputation.

It is important to understand that EHR breach’s victims have a right to seek litigation against the hospital in which the breach occurred. Because the nature of EHRs as a bank of information, it is highly possible that a breach would affect multiple patients simultaneously, something that is less probable in the case of hospitals using paper records system. The more patients affected, the more serious legal problem facing the hospital is. The bottom line: hospitals are responsible to keep the EHRs safe and secure.

So what are some key challenges that make a perfect patient privacy difficult to attain? I came across this article by Shahid Shah, which I find it really interesting. He concluded there are seven causes of digital privacy loss in EHRs. However, I would summarize them per stakeholder so they can be understood easier. I have also made the following diagram to support my explanations.

Stakeholder Analysis

1.      EHR system vendors / designers

Hospitals sometimes develop their own EHR system in-house. More often though, they outsource it from a vendor. In both scenarios, EHR system (and other IT solutions) with less than sophisticated privacy-aware system are faster and easier to develop, not to mention that they are considerably cheaper than those with privacy aware system. My previous post talked about how expensive EHR’s implementation could be. Therefore, leaving out or choosing just mediocre privacy functionality in the system is one of the solutions that the vendors take so they can offer their product with more competitive price to the hospitals. If the hospitals develop the system in-house, this can be seen as a cost cutting opportunity.

 

2.      Patients

Shah argued that most patients themselves do not really understand the concept of digital privacy. They made a wrong assumption that by storing their medical records electronically, nobody can touch them but people who are authorized. As a result, patients usually do not really demand privacy as strong as they demand other things. As illustration, when choosing physicians, hospitals, and other health providers, have you ever considered and sorted out your choices based on their privacy views? I don’t. Applying a basic economic concept here, less demand means less supply.

 

3.      Government

If you read my previous posts about how the government incentivize hospitals to implement an EHR system, you would be aware that they are focusing on the “meaningful use” aspects. These aspects focus more on functionality and do not put much emphasis on data-centric privacy capabilities. Shah stated that “privacy is difficult to define and even more difficult to implement so the testing process doesn’t focus on it at this time.” Relating back to the cost issues, it is natural then for hospitals that heavily rely on government’s incentives not to focus heavily on patients’ privacy.

 

4.      Hospitals

As stated in my previous post, EHR will improve hospitals’ operation by allowing sharing and aggregating patient information easier than ever. Enhanced privacy system can add a friction in the sense that it discourages data sharing and potentially leads to productivity lost in the hospital. Therefore, hospitals may opt to develop EHR system with less than desirable privacy features.

In conclusion, EHR is a powerful system which can help hospital operations tremendously. But, “with great power, comes great responsibility”.  Implementing the system means hospitals have to be ready to not only take the benefits but also fulfill the responsibilities to preserve patients’ privacy by storing all the information safely.

That's it for now. Stay tuned!!