Close Server: KOPWWW05 | Not logged in


Privacy and Patient Control

Should patients have the final say?

(Editor's note: Be sure to read our print article on this subject, "A Stimulating Debate.")

The Health Information Technology for Economic and Clinical Health (HITECH) Act includes several changes to HIPAA that leave privacy up to the patient. Health care consumers can now decide which third parties can see their EHRs and have the right to anonymous care. At the same time, health information exchanges (HIEs) are offering patients the chance to opt in or out of sharing their records. But when the decision's left to the patient, will they welcome care in or shut providers out?

A Personal Choice
Privacy controls have long been mandated by the government, but increasing patient consumerism is changing the dynamic. "Many people expect to control privacy as their health information is shared electronically," said Kel Callahan, vice president of business development, HIPAAT, a health care IT vendor that provides consent management and access control solutions.

Stakeholders agree privacy is a personal value, but the question is, given the choice, how much access will patients grant to physicians?

A recent study conducted by researchers at Beth Israel Deaconess Medical Center found patients are willing to make some concessions on privacy in return for better care. Respondents in six patient focus groups said they'd want physicians to be able to access their EHRs in the event of an emergency.

"Privacy and security are always a matter of risk management," said Dixie Baker, PhD, chief technology officer, health solutions, SAIC. "You have to make the trade according to your individual values."

Privacy norms can also change over time, Dr. Baker noted. She points to social networking sites like Facebook and MySpace, which are popular among younger generations, as evidence that privacy may not be as tightly guarded in the future. "People are becoming much more comfortable sharing personal information," Dr. Baker said.

At the same time, Facebook users are accustomed to having privacy controls, and many select more stringent options as they get older. "The reality is that out of that generation, getting further and deeper into the work force, they find themselves divesting of past ways," Callahan said.

Older individuals tend to have more health issues, Callahan added, so they're likely to value privacy controls that keep medical information under wraps.

While there's evidence of a general divide, it's hard to generalize about privacy preferences. In the end, Callahan noted, it's up to the individual.

"Some have no expectation of privacy or want of privacy; others are very guarded," he said.

When Privacy's Too Much
Health care stakeholders recognize a patient's right to privacy, but too much control can be detrimental to care and foil HIE.

There's a tension between "privacy wonks," who want extensive protection, and those on the operational end, who note the hampering effects of privacy controls, explained John Parmigiani, a consultant and former director of enterprise standards at the Centers for Medicare and Medicaid Services.

 "If you're a doctor or caregiver, you don't want to necessarily have to jump through a lot of hoops," Parmigiani said. "Patient safety and efficacy of outcomes are more important to caregivers than confidentiality issues. It becomes a balancing act to provide the right level of protection without impeding the delivery of care."

As patients assume a more active role in health care, they'll need to work with providers to reach a level of privacy that makes them comfortable and still allows physicians to do their job.

To help strike that balance, third party consent management companies like HIPAAT let patients dictate privacy controls but give providers a "break the glass" option to access records in an emergency. An audit feature logs any time the files are viewed and why, so patients can confirm the doctor had their best interest in mind. The tracking tool also helps health care organizations comply with HIPAA changes that require them to account for disclosures when patients ask.

The tricky part, however, is when doctors link up to HIEs. A physician may be willing to share files, but patients may decide to block access. The "break the glass" option can still apply in critical moments, but on a daily basis the strict privacy controls can obstruct the exchange.

Some HIEs are letting patients opt in or out of the system to ensure privacy preferences are honored. But such practices call into question whether patients should have such say. The Connecticut Health Policy Project and eHealth Connecticut have asked for public input on whether their pilot HIE for Medicaid patients should be opt in, meaning patients would have to mail in a form to participate, or opt out, meaning patients would be automatically entered in the program but have the right to withdraw.

The call for comments notes there are advantages and disadvantages to each system. Opt-in guarantees patients want to be a part of the program, but people may not take the initiative to complete the necessary forms. With opt-out systems, participants may decide to withhold much of their information. Either way, without enough records, the hope for effective HIE wanes.

Even if patients opt in, privacy issues can still throw a kink in the exchange. A provision in the HITECH Act gives patients the legal right to get anonymous care; if they pay cash for a test or treatment, patients can elect to withhold that medical information from insurers. It's a win for people who want to get care without putting a bad mark on their record, according to Pam Dixon, executive director, World Privacy Forum. "It's a very positive provision and it enshrines something that's already being done," she said.

What's unclear is how any withheld information will play out in HIE, according to Dr. Baker. When information is not disclosed to an insurer, will it also be left off any records transferred through HIE? Would that affect quality of care?

Dixon said patients who get anonymous care should be responsible enough to go on the record with any significant findings. If a test comes back negative, it's fine to stay anonymous, Dixon said. "[But] if the test comes back positive, that's a whole other ball game. You do need to disclose because you have a condition."

Putting privacy in the patient's hands may be a bit risky, but it's a necessary move. "In an electronic environment where these records can flow so quickly and in such large numbers, we've got to be assured, as patients, that there are appropriate checks and balances in place to keep our records safe," Dixon said.

Cheryl McEvoy is an editorial assistant with ADVANCE.

Articles Archives


Email: *

Email, first name, comment and security code are required fields; all other fields are optional. With the exception of email, any information you provide will be displayed with your comment.

First * Last
Title Field Facility
City State

Comments: *
To prevent comment spam, please type the code you see below into the code field before submitting your comment. If you cannot read the numbers in the below image, reload the page to generate a new one.

Enter the security code below: *

Fields marked with an * are required.

View New Jobs, Events and More


Back to Top

© 2017 ADVANCE Healthcare, an Elite CE company