A survey published by the American Medical Association (AMA) last year reveals that patients are very concerned about the privacy of their medical information, perhaps more concerned than most physicians and practices are aware. As health care providers using the latest medical technology, we tend to view the ability to share information electronically with other providers and payers (and the ability to view and obtain records from care delivered elsewhere) as a good thing. Overall, I agree, but it is important that we understand our patients’ view of this sharing and privacy of their records.
The AMA survey of 1,000 patients delineates the comfort level of patients concerning the use of their medical records. Most tellingly, 92 percent of those surveyed believe privacy is a right and should not be available for purchase. While three-quarters of people are “most comfortable” with data records shared with their provider/doctor’s office, a similar percentage are “least comfortable” with their data made accessible/shared with social media sites, big tech, or prospective employers.
Transparency and control
I recently went to a new doctor who gave me a list of medications he thought I was taking during his intake. I believe he obtained these through the “medication history” functionality in his EHR, which uses pharmacy fill data and information from insurance company pharmacy benefit management plans to see patients’ medications. However, there was a medication on the list that I paid cash for and had specifically told my pharmacy not to put through my insurance. This wasn’t an embarrassing medication (think antibiotic, not Viagra), but I was surprised that my data was made available to my doctor—and presented back to me for review—without my consent. When I asked where he’d gotten the list, he seemed unsure and said, “It just appears in the computer for me.”
So what should physicians and practices do?
Here are some points to consider to help us all avoid a big backlash over medical privacy from patients:
Understand where data in your EHR system comes from. It is unlikely these days that it was all entered by someone from your practice into your EHR. Did you convert from another system, and if so what does that data look like? Are you connected to a “medication history” service, to a health information exchange (HIE), or Carequality or CommonWell—if so, do you import data from these sources, and how does that appear in your system? Do you get electronic data directly from other providers or your state? Could you recognize the “provenance” of the data if a patient asks, “How do you know that? Where’d you get that?”
Review your practice’s HIPAA (Health Insurance Portability and Accountability Act) privacy policy statement. You require that your patients sign that you have provided this to them annually, but does it include all the places you might be sending their medical information? Do you even know all the ways that medication information leaves your practice? Consider faxes to other providers, lawyers, insurance companies, direct messages, sharing with local or state HIEs or immunization registries, sharing with public health registries, connections to national networks like the eHealth Exchange, etc. Privacy laws vary by state; not all of these necessarily need to be explicit in the privacy practices statement. Still, it is worth an annual review of the document and a conversation at the practice level to ensure everyone knows how data might be shared externally.
If a patient asks, “I’d like a list of all the places you have sent or shared my medical records,” can your practice provide it? This is the spirit behind HIPAA, but are you using your EHR correctly to log these events, and does your staff know how to review this log if a patient asks? Speaking of HIPAA, do you have policies, and a way to enforce them, against inappropriate staff access to patients’ medical records? Could you answer a related patient request: “Tell me if [your employee] has ever looked at my medical records”?
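To show what answering those two patient questions takes in practice, here is an added example (not code from the author or from any EHR vendor) that parses a constructed audit log and produces an accounting of disclosures for one patient and a list of a named employee's accesses to that record. The pipe-delimited log format, field names and action codes are assumptions.

```python
"""Answer two HIPAA-style patient questions from an EHR audit log.

Constructed example: the log layout (timestamp|actor|action|patient_id|destination)
and the action codes are assumptions, not any real EHR's audit format.
"""

# Constructed sample audit lines; an empty destination means an in-practice view.
SAMPLE_LOG = """\
2024-03-01T09:12:00|dr.smith|VIEW|P1001|
2024-03-01T09:40:11|frontdesk.jane|FAX_OUT|P1001|Acme Insurance
2024-03-02T14:03:27|hie.connector|HIE_SHARE|P1001|State HIE
2024-03-02T15:10:05|billing.tom|VIEW|P2002|
2024-03-03T08:55:43|billing.tom|VIEW|P1001|
2024-03-04T11:20:19|dr.smith|DIRECT_MSG|P1001|Dr. Lee Cardiology
"""

# Actions that send the record outside the practice (assumed codes).
DISCLOSURE_ACTIONS = {"FAX_OUT", "HIE_SHARE", "DIRECT_MSG"}


def parse_log(text):
    """Turn the raw log text into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, patient, dest = line.split("|", 4)
        events.append({"ts": ts, "actor": actor, "action": action,
                       "patient": patient, "dest": dest})
    return events


def disclosures_for(events, patient_id):
    """Accounting of disclosures: when, how and to whom this record left the practice."""
    return [(e["ts"], e["action"], e["dest"]) for e in events
            if e["patient"] == patient_id and e["action"] in DISCLOSURE_ACTIONS]


def accesses_by(events, actor, patient_id):
    """Timestamps of every event in which a named staff member touched this record."""
    return [e["ts"] for e in events
            if e["actor"] == actor and e["patient"] == patient_id]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ts, action, dest in disclosures_for(events, "P1001"):
        print(f"{ts}  {action:10s} -> {dest}")
    print("billing.tom opened P1001 at:", accesses_by(events, "billing.tom", "P1001"))
```

The same two functions are what a practice needs its staff to be able to run (or have the EHR run) when a patient makes either request.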
Just as you have prepared for years to have conversations with patients about medical, mental, and social health topics, be ready to address their concerns about the privacy of their medical records at your practice.
Trust is key
If the medical community wants to keep patients’ trust in us to protect their sensitive information, we need to ensure that we stay informed, proactive, and worthy of that trust.
Robert Murry is chief medical officer, NextGen Healthcare. He brings to this position more than 20 years of extensive clinical experience and background in health IT. Previously, Dr. Murry served as the company’s chief medical information officer (CMIO) since May 2017. During his time as CMIO, he was the “voice of the physician” across specialties, product safety, and government/regulatory affairs. Before becoming CMIO, he was the company’s vice president of clinical product management, responsible for clinical oversight and workflow design.