
Is a Health Data Privacy Backlash Coming?

Op-Med is a collection of original articles contributed by Doximity members.

A survey published by the American Medical Association (AMA) last year reveals that patients are very concerned about the privacy of their medical information, perhaps more concerned than most physicians and practices are aware. As health care clinicians using the latest medical technology, we tend to view the ability to share information electronically with other clinicians and payers (and the ability to view and obtain records from care delivered elsewhere) as a good thing. Overall, I agree, but it is important that we understand our patients’ view of this sharing and privacy of their records.

The AMA survey of 1,000 patients delineates the comfort level of patients concerning the use of their medical records. Most tellingly, 92% of those surveyed believe privacy is a right and should not be available for purchase. While three quarters of people are “most comfortable” with data records being shared with their clinician/doctor’s office, a similar percentage are “least comfortable” with their data being made accessible/shared with social media sites, big tech, or prospective employers.

I can attest to this latter point. Recently, I went to a new doctor who gave me a list of medications he thought I was taking during his intake. He had obtained these, I believe, through “medication history” functionality available in his EHR, which uses both pharmacy fill data and information from insurance company pharmacy benefit management plans to see what medications patients are on. However, there was a medication on the list that I paid cash for and had specifically told my pharmacy not to put through my insurance. Now, this wasn’t an embarrassing medication (think antibiotic, not Viagra), but I was surprised that my data was made available to my doctor — and presented back to me for review — without my consent. When I asked where he’d gotten the list, he didn’t seem sure and said something like, “It just appears in the computer for me.”

To avoid scenarios like this — or ones that are more severe — I offer the following points to consider. Utilizing these strategies can help us all avoid a big backlash over medical privacy from patients.

1) Understand where data in your EHR system comes from.

It is unlikely these days that the data was all entered by someone from your practice into your EHR. Did you convert from another system, and if so what does that data look like? Are you connected to a “medication history” service, to a Health Information Exchange (HIE), or to Carequality or CommonWell? Do you import data directly from these sources, and how does that data appear in your system? Do you get electronic data directly from other clinicians or from your state? Could you recognize the “provenance” of the data if a patient asks, “How do you know that? Where’d you get that?”

2) Review your practice’s HIPAA privacy policy statement. 

You require your patients to sign an acknowledgment that you have provided this HIPAA statement to them annually, but does the statement include all the places you might be sending your patients’ medical information? Do you even know all the ways that medical information leaves your practice? Consider faxes to other clinicians, lawyers, and insurance companies; direct messages; sharing with local or state HIEs or immunization registries; sharing with public health registries; connections to national networks like the eHealth Exchange; and so on. Privacy laws vary by state, and not all of these need to be explicit on the privacy practices statement, but it is worth an annual review of the document and a conversation at the practice level to ensure everyone knows the ways data might be shared externally.

3) Be aware of what happens to patients’ data.

If a patient asks, “I’d like a list of all the places you have sent or shared my medical records,” can your practice provide it? This is the spirit behind HIPAA, but are you using your EHR correctly to log these events and does your staff know how to review this log if a patient asks? Speaking of HIPAA, do you have policies in place and a way to police them for inappropriate access of patients’ medical records by staff? Could you answer a related patient request: “Tell me if [your employee] has ever looked at my medical records”?
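As an added example that is not from the article, here is one way a practice could answer both patient requests in point 3 from an EHR audit trail: an accounting of disclosures and a per-employee access check, plus a review list of chart views by staff outside the care team. The log format, field names, sample rows and care-team roster are all constructed assumptions, not any real EHR's export.

```python
# Added example (not from the article): answering the two patient requests in
# point 3 from an EHR audit trail. The log format, field names and sample
# records below are constructed assumptions for illustration only.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit trail: one row per chart view or disclosure event.
# action is VIEW (a user opened the chart) or DISCLOSE (record sent outside).
SAMPLE_LOG = """\
timestamp,user,action,patient_id,recipient,purpose
2024-03-01T09:12:00,dr.lee,VIEW,P1001,,treatment
2024-03-01T09:15:00,dr.lee,DISCLOSE,P1001,state_hie,treatment
2024-03-02T14:02:00,billing.ann,VIEW,P1001,,payment
2024-03-03T11:40:00,frontdesk.bob,VIEW,P1001,,
2024-03-04T08:00:00,dr.lee,DISCLOSE,P1001,insurer_fax,payment
2024-03-05T10:30:00,dr.lee,VIEW,P2002,,treatment
"""

# Constructed care-team roster: which users have a work reason to open which chart.
CARE_TEAM = {"P1001": {"dr.lee", "billing.ann"}, "P2002": {"dr.lee"}}


def parse_audit_log(text):
    """Parse the CSV audit trail into a list of dict rows (one per event)."""
    return list(csv.DictReader(StringIO(text)))


def disclosures_for_patient(rows, patient_id):
    """Accounting of disclosures: every recipient this patient's record was sent to."""
    return [(r["timestamp"], r["recipient"], r["purpose"])
            for r in rows if r["patient_id"] == patient_id and r["action"] == "DISCLOSE"]


def accesses_by_user(rows, patient_id, user):
    """Answer 'has [employee] ever looked at my record?' with the view timestamps."""
    return [r["timestamp"] for r in rows
            if r["patient_id"] == patient_id and r["user"] == user and r["action"] == "VIEW"]


def flag_unexpected_access(rows, care_team):
    """Chart views by users outside that chart's care team, grouped by user for review."""
    flagged = defaultdict(list)
    for r in rows:
        if r["action"] == "VIEW" and r["user"] not in care_team.get(r["patient_id"], set()):
            flagged[r["user"]].append((r["timestamp"], r["patient_id"]))
    return dict(flagged)
```

A real EHR's audit export will have its own columns, so the parser and the care-team source (typically the scheduling or encounter data) are the parts to adapt.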

Just as you have prepared for years to have conversations with patients about medical as well as mental and social health topics, be ready to address their concerns about the privacy of their medical records at your practice.

Remember: trust is key. If the medical community wants to keep the trust that patients have in us to protect their sensitive information, we need to ensure that we stay informed, proactive, and worthy of such trust. 

How is your practice keeping patients' data safe? Share your approach in the comments.

Robert Murry is chief medical officer, NextGen® Healthcare. He brings to this position more than 20 years of extensive clinical experience and background in health IT. Previously, Dr. Murry served as the company’s chief medical information officer (CMIO) since May 2017. During his time as CMIO, he was the “voice of the physician” across specialties, product safety, and government/regulatory affairs. Before becoming CMIO, he was the company’s vice president of clinical product management, responsible for clinical oversight and workflow design.

