Certified electronic medical records threaten patient privacy

During my 2+ decade tenure as a physician I have always believed that a physician’s promise of confidentiality was a pre-requisite to obtaining accurate information from a patient. With the enactment of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) the rules which stipulate when a physician must disclose confidential medical information (protected health information, PHI) without the prior consent of the patient were codified into law.

In today’s medical world, and likely unbeknownst to many patients, physicians are legally obligated to disclose confidential medical information to third parties on a regular basis. Several times a week I am required to release medical information to a patient’s insurance company, pharmacy or a durable medical goods supply company for the purpose of claims verification, “quality” assessment or to assess the appropriateness of my orders. I am certain that my experience is not unique.

As a result of a recent ruling issued by the federal government, the list of persons/companies who may legally view a patient’s confidential medical information, without the patient’s prior consent, has just increased.

In 2010 the federal government created the Office of the National Coordinator (ONC), the entity which created the regulations that incentivized physicians and hospitals to purchase a federally “certified” electronic medical record (EMR) program. The ONC designated a few private companies (called ONC-ACB) to perform the “certification” process and ensures that the certified EMR meets all ONC’s technical requirements. Until now, the ONC-ACB have conducted their evaluation of EMRs by remotely connecting to an EMR vendor’s office and evaluating the EMR’s functionality by examining the data in the chart of a dummy patient.

Recently, the ONC exempted ONC-ACB employees from HIPAA privacy regulations so that an ONC-ACB employee is now allowed to see live, confidential medical information stored in a physician’s “certified” EMR when the ONC-ACB employee is doing EMR “surveillance.” Neither the physician nor the ONC-ACB are required to obtain patient consent before an ONC-ACB employee looks at a patient’s medical records.

The ONC issues its rules in the form of a question and answer:

#45 Question [12-13-045-1]
Is a health care provider permitted by the HIPAA Privacy Rule to allow an ONC-ACB to conduct “in the field” surveillance on an EHR technology previously certified by the ONC-ACB, when protected health information (PHI) may be accessible to the ONC-ACB during the surveillance?

Answer: Yes. … An ONC-ACB is also required … to perform surveillance on the EHR technology it certifies … in the field. In this capacity, ONC-ACBs meet the definition of a “health oversight agency” in the HIPAA Privacy Rule, and a health care provider is permitted to disclose PHI (protect health information) (without patient authorization and without a business associate agreement) to an ONC-ACB during the limited time and as necessary for the ONC-ACB to perform the required on-site surveillance of the certified EHR technology.

Regardless of the ONC’s ruling, I believe it would be ethically inappropriate for me to disclose my patients’ medical information to an ONC-ACB employee. I am equally certain that most of my patients would refuse to voluntarily disclose their PHI to an ONC-ACB employee. Clearly, there are less intrusive ways for the ONC to ensure that a federally “certified” EMRs are performing up to the ONC’s standards.

If this ONC ruling is allowed to stand, I think physicians who use a federally “certified” EMR are ethically obligated to inform their patients that their physician may be required to expose the patient’s PHI to an ONC-ACB employee, without the patient’s prior consent. If the patient objects, I believe the physician has an ethical duty to remove the patient’s medical records (PHI) from the “certified” EMR and drop the data to paper or to a non-certified EMR.

What makes this ONC ruling all the more outlandish is that the ONC has promulgated many health information technology regulations which are designed specifically to protect patient privacy. Apparently, the hypocrisy of ONC’s latest ruling has been lost on the ONC itself.

Hayward Zwerling is president, ComChart Medical Software, LLC.