Get 20M+ Full-Text Papers For Less Than $1.50/day. Start a 14-Day Trial for You or Your Team.

Learn More →

Confidentiality and Privacy of Electronic Medical Records

Confidentiality and Privacy of Electronic Medical Records New Orleans—Starting with a birth date, sex, and ZIP code, computer privacy expert Latanya Sweeney, PhD, retrieved health data of William Weld, former governor of Massachusetts, from an allegedly anonymous database of state employee health insurance claims. Knowing Weld lived in Cambridge, Mass, she cross-linked her data with that community's publicly available voter registration records. Only six people shared Weld's birth date. Only three were men. Of these, Weld was the only man in his five-digit ZIP code. Sensitive information can be obtained with standard office computer software, without resorting to hacking, said Sweeney, founder and director of the Laboratory for International Data Privacy at Carnegie Mellon University, Pittsburgh. Removing names and social security numbers doesn't ensure privacy, she said. Birth date, sex, and ZIP code alone uniquely identify 87% of the US population. Sweeney and others explored confidentiality and medical record privacy in the 21st century in a forum at the annual meeting of the American Psychiatric Association (APA) here in May. People who see psychiatrists must feel secure that their revelations will remain private, said outgoing APA president Daniel Borenstein, MD, session chair. "In the Internet age," he said, "some wonder if privacy exists." Borenstein, a private practitioner in Los Angeles, is clinical professor of psychiatry and biobehavioral sciences at the University of California, Los Angeles, School of Medicine. New privacy regulations The first federal standards to protect the privacy of individually identifiable health information go into effect in April 2003. The new rules apply to physicians, hospitals, and other health care providers; health plans; and health care clearinghouses that transmit health information by electronic, paper, and oral means. The rules, finalized in April 2001, were crafted by the US Department of Health and Human Services (DHHS) under the 1996 Health Insurance Portability and Accountability Act (HIPAA). They reflect more than 52 000 comments on the proposed rules from the public and concerned groups. For details, see http://www.hhs.gov/ocr/hipaa/. The new rules differentiate between "the general medical record" and "psychotherapy notes." The latter must be kept separate from the general record and may not be released without the patient's voluntary written authorization, said Richard Harding, MD, who took office as the APA's 130th president at the annual meeting. Harding is professor of clinical psychiatry and pediatrics and vice chair for clinical affairs at the University of South Carolina School of Medicine, Columbia. He also serves as vice chair of the subcommittee on privacy and confidentiality of the DHHS national committee on vital and health statistics. The law gives patients the right to inspect and copy information in their general medical record, request amendments, know to whom a physician sends their records, request restrictions on use and disclosure of information (except for emergencies or disclosures required by law), and receive written notice of information practices in a physician's office. Psychotherapists are not required to show patients their psychotherapy notes. The law also permits physicians to deny access to records to patients they believe may endanger themselves or others, and to disclose to others only the minimum amount of information necessary to accomplish the intended purpose. The DHHS will spell out details for handling such tasks in the next 2 years, Harding said. The DHHS estimates the cost of implementing the new regulations will be $17.6 billion from 2003 through 2012, with the annual cost to develop privacy policies and procedures in the average physician's office running about $3700. While the new regulations will add administrative burdens to a physician's practice, Harding said, they likely also will foster a more trusting relationship between patient and physician. Privacy vs research Confidentiality is essential to quality care, said Margo Goldman, MD, chair of the APA's committee on confidentiality. Yet research use of records may benefit public health and combat stigmatization. "Workable policy for research use of records," Goldman asserted, "must incorporate, not compete with, patient privacy." The psychiatric research community generally advocates prospectively obtaining patients' consent, she said, for later research use of records. There is less consensus about whether or when investigators might use existing records. In the past, she said, researchers have been allowed to do that without patients' knowledge and consent. Patients worry about this possibility, said Goldman, who is in private practice in Wakefield, Mass, and is clinical instructor of psychiatry at Harvard Medical School. In a 1999 survey of 2100 American adults, the California HealthCare Foundation, Oakland, Calif, found that about one in six respondents had taken steps to protect their privacy. Patients reported that they withheld or gave inaccurate information, did not seek care or delayed the care, paid out of pocket (when insured), saw another physician, or asked their physician not to record information or to misrepresent it in their record (National Survey: Confidentiality of Medical Records; 1999. Available at http://www.chcf.org/press/view.cfm?itemID=362). Information in existing records other than psychotherapy notes may be available to researchers without patients' consent, she said, under a waiver from an institutional review board or privacy board. The mere possibility that researchers may gain access to patient information without patients' voluntary informed consent, Goldman said, "undermines patients' trust in treatment, the treatment relationship, and psychiatry itself. It ignores a key ethical principal," she said, "that respect for individual autonomy should exceed societal goals." The new DHHS rules require patients to sign a consent form at the outset of treatment, agreeing to routine disclosure of information necessary for treatment, payment, and customary activities such as internal data gathering. If patients refuse to sign, providers can deny care. Goldman would like to let patients opt out of releasing their records for research or delegate their consent to an institutional or other review board that would provide oversight. That additional step would will allow research to proceed, she said, while respecting patients' privacy. She maintained it also would encourage honesty and openness with clinicians. Why special protection? In passing HIPAA, said Paul Mosher, MD, a psychoanalyst in private practice in Albany, NY, Congress disappointed those hoping for special protection for sensitive information on HIV/AIDS, genetic disorders, and mental health care in general. Its rationale for providing special protection only for psychotherapy notes, Mosher said, stems from the US Supreme Court's 1996 Jaffee-Redmond ruling. The case concerned Mary Lu Redmond, a police officer who, while on duty, shot and killed a man involved in an altercation. Redmond received counseling from a licensed clinical social worker. The dead man's family sought access to her therapist's notes. The court refused to allow this access, placing protection of psychotherapy information on equal footing in federal court with protection of attorney-client communications and extending this privilege to social workers. "This is the highest expression of societal consensus that psychotherapy information needs and deserves the strongest possible protection," Mosher said. "The court ruled this protection so solid that it trumps the legal system's revered goal of truth seeking." (For details, see http://www.Jaffee-Redmond.org.) Internet benefits and risks Researchers at the Johns Hopkins University School of Medicine, Baltimore, adapted a community depression screening questionnaire for online use. They placed their 20-item self-test on InteliHealth, a large health information portal, for an 8-month study, reported Marsha Goin, MD, vice president of the APA and clinical professor of psychiatry at the University of Southern California, Los Angeles, School of Medicine. Scores of 58% of the nearly 24 500 people completing the test indicated a high probability of depression. These people were advised to seek treatment from a health care professional. They also received a questionnaire to assess past treatment, attitudes toward treatment, and treatment preferences, with a suggestion that they print this form and take it to their health care provider. Nearly half the high scorers said they had never received treatment for depression (Psychiatr Serv. 2001;52:362-367). The program proved more effective in identifying one demographic group—young adults with depression—than previous community screening programs, Hopkins epidemiologist Daniel Ford, MD, MPH, said in an interview. The researchers asked participants' sex, age (in a range), ethnicity, and ZIP code. They did not collect personally identifying information. The test is still online at http://www.intelihealth.com. As of May 2001, Ford said, more than 200 000 people had taken it. It is a valuable public health service, Goin said, to discover people with depression and direct them to care. However, such studies may have a sinister side, she said. Data available on the Internet might interest life insurance companies, health insurance companies, third-party payers, employers, marketing firms, and pharmaceutical companies. Limits of technology "There's a lot of data out there," agreed Carnegie Mellon's Sweeney, "and data means money." Current trends, she said, point toward gathering more information, particularly specific information, whenever possible. About 40 years ago, the typical birth certificate included only 15 items. Today, she said, it has 216 data fields. Birth certificates in some states are available via the Internet. Hospital discharge data often are publicly available. Job applications increasingly go beyond education and professional training to ask, for example, if a person has ever reneged on child support. The new HIPAA rules target the first few parties who get data, she said, but don't regulate those to whom these parties give data. Business software ensures that credit information can be transmitted securely on the Internet, she said. The same strategies can be used to protect medical records. http://www.deepdyve.com/assets/images/DeepDyve-Logo-lg.png JAMA American Medical Association

Confidentiality and Privacy of Electronic Medical Records

Lamberg, Lynne
JAMA , Volume 285 (24) – Jun 27, 2001
Download PDF
5 pages

Loading next page...
 
/lp/american-medical-association/confidentiality-and-privacy-of-electronic-medical-records-HO0R9FIqU0

References (0)

References for this paper are not available at this time. We will be adding them shortly, thank you for your patience.

Publisher
American Medical Association
Copyright
Copyright © 2001 American Medical Association. All Rights Reserved.
ISSN
0098-7484
eISSN
1538-3598
DOI
10.1001/jama.285.24.3075
Publisher site
See Article on Publisher Site

Abstract

New Orleans—Starting with a birth date, sex, and ZIP code, computer privacy expert Latanya Sweeney, PhD, retrieved health data of William Weld, former governor of Massachusetts, from an allegedly anonymous database of state employee health insurance claims. Knowing Weld lived in Cambridge, Mass, she cross-linked her data with that community's publicly available voter registration records. Only six people shared Weld's birth date. Only three were men. Of these, Weld was the only man in his five-digit ZIP code. Sensitive information can be obtained with standard office computer software, without resorting to hacking, said Sweeney, founder and director of the Laboratory for International Data Privacy at Carnegie Mellon University, Pittsburgh. Removing names and social security numbers doesn't ensure privacy, she said. Birth date, sex, and ZIP code alone uniquely identify 87% of the US population. Sweeney and others explored confidentiality and medical record privacy in the 21st century in a forum at the annual meeting of the American Psychiatric Association (APA) here in May. People who see psychiatrists must feel secure that their revelations will remain private, said outgoing APA president Daniel Borenstein, MD, session chair. "In the Internet age," he said, "some wonder if privacy exists." Borenstein, a private practitioner in Los Angeles, is clinical professor of psychiatry and biobehavioral sciences at the University of California, Los Angeles, School of Medicine. New privacy regulations The first federal standards to protect the privacy of individually identifiable health information go into effect in April 2003. The new rules apply to physicians, hospitals, and other health care providers; health plans; and health care clearinghouses that transmit health information by electronic, paper, and oral means. The rules, finalized in April 2001, were crafted by the US Department of Health and Human Services (DHHS) under the 1996 Health Insurance Portability and Accountability Act (HIPAA). They reflect more than 52 000 comments on the proposed rules from the public and concerned groups. For details, see http://www.hhs.gov/ocr/hipaa/. The new rules differentiate between "the general medical record" and "psychotherapy notes." The latter must be kept separate from the general record and may not be released without the patient's voluntary written authorization, said Richard Harding, MD, who took office as the APA's 130th president at the annual meeting. Harding is professor of clinical psychiatry and pediatrics and vice chair for clinical affairs at the University of South Carolina School of Medicine, Columbia. He also serves as vice chair of the subcommittee on privacy and confidentiality of the DHHS national committee on vital and health statistics. The law gives patients the right to inspect and copy information in their general medical record, request amendments, know to whom a physician sends their records, request restrictions on use and disclosure of information (except for emergencies or disclosures required by law), and receive written notice of information practices in a physician's office. Psychotherapists are not required to show patients their psychotherapy notes. The law also permits physicians to deny access to records to patients they believe may endanger themselves or others, and to disclose to others only the minimum amount of information necessary to accomplish the intended purpose. The DHHS will spell out details for handling such tasks in the next 2 years, Harding said. The DHHS estimates the cost of implementing the new regulations will be $17.6 billion from 2003 through 2012, with the annual cost to develop privacy policies and procedures in the average physician's office running about $3700. While the new regulations will add administrative burdens to a physician's practice, Harding said, they likely also will foster a more trusting relationship between patient and physician. Privacy vs research Confidentiality is essential to quality care, said Margo Goldman, MD, chair of the APA's committee on confidentiality. Yet research use of records may benefit public health and combat stigmatization. "Workable policy for research use of records," Goldman asserted, "must incorporate, not compete with, patient privacy." The psychiatric research community generally advocates prospectively obtaining patients' consent, she said, for later research use of records. There is less consensus about whether or when investigators might use existing records. In the past, she said, researchers have been allowed to do that without patients' knowledge and consent. Patients worry about this possibility, said Goldman, who is in private practice in Wakefield, Mass, and is clinical instructor of psychiatry at Harvard Medical School. In a 1999 survey of 2100 American adults, the California HealthCare Foundation, Oakland, Calif, found that about one in six respondents had taken steps to protect their privacy. Patients reported that they withheld or gave inaccurate information, did not seek care or delayed the care, paid out of pocket (when insured), saw another physician, or asked their physician not to record information or to misrepresent it in their record (National Survey: Confidentiality of Medical Records; 1999. Available at http://www.chcf.org/press/view.cfm?itemID=362). Information in existing records other than psychotherapy notes may be available to researchers without patients' consent, she said, under a waiver from an institutional review board or privacy board. The mere possibility that researchers may gain access to patient information without patients' voluntary informed consent, Goldman said, "undermines patients' trust in treatment, the treatment relationship, and psychiatry itself. It ignores a key ethical principal," she said, "that respect for individual autonomy should exceed societal goals." The new DHHS rules require patients to sign a consent form at the outset of treatment, agreeing to routine disclosure of information necessary for treatment, payment, and customary activities such as internal data gathering. If patients refuse to sign, providers can deny care. Goldman would like to let patients opt out of releasing their records for research or delegate their consent to an institutional or other review board that would provide oversight. That additional step would will allow research to proceed, she said, while respecting patients' privacy. She maintained it also would encourage honesty and openness with clinicians. Why special protection? In passing HIPAA, said Paul Mosher, MD, a psychoanalyst in private practice in Albany, NY, Congress disappointed those hoping for special protection for sensitive information on HIV/AIDS, genetic disorders, and mental health care in general. Its rationale for providing special protection only for psychotherapy notes, Mosher said, stems from the US Supreme Court's 1996 Jaffee-Redmond ruling. The case concerned Mary Lu Redmond, a police officer who, while on duty, shot and killed a man involved in an altercation. Redmond received counseling from a licensed clinical social worker. The dead man's family sought access to her therapist's notes. The court refused to allow this access, placing protection of psychotherapy information on equal footing in federal court with protection of attorney-client communications and extending this privilege to social workers. "This is the highest expression of societal consensus that psychotherapy information needs and deserves the strongest possible protection," Mosher said. "The court ruled this protection so solid that it trumps the legal system's revered goal of truth seeking." (For details, see http://www.Jaffee-Redmond.org.) Internet benefits and risks Researchers at the Johns Hopkins University School of Medicine, Baltimore, adapted a community depression screening questionnaire for online use. They placed their 20-item self-test on InteliHealth, a large health information portal, for an 8-month study, reported Marsha Goin, MD, vice president of the APA and clinical professor of psychiatry at the University of Southern California, Los Angeles, School of Medicine. Scores of 58% of the nearly 24 500 people completing the test indicated a high probability of depression. These people were advised to seek treatment from a health care professional. They also received a questionnaire to assess past treatment, attitudes toward treatment, and treatment preferences, with a suggestion that they print this form and take it to their health care provider. Nearly half the high scorers said they had never received treatment for depression (Psychiatr Serv. 2001;52:362-367). The program proved more effective in identifying one demographic group—young adults with depression—than previous community screening programs, Hopkins epidemiologist Daniel Ford, MD, MPH, said in an interview. The researchers asked participants' sex, age (in a range), ethnicity, and ZIP code. They did not collect personally identifying information. The test is still online at http://www.intelihealth.com. As of May 2001, Ford said, more than 200 000 people had taken it. It is a valuable public health service, Goin said, to discover people with depression and direct them to care. However, such studies may have a sinister side, she said. Data available on the Internet might interest life insurance companies, health insurance companies, third-party payers, employers, marketing firms, and pharmaceutical companies. Limits of technology "There's a lot of data out there," agreed Carnegie Mellon's Sweeney, "and data means money." Current trends, she said, point toward gathering more information, particularly specific information, whenever possible. About 40 years ago, the typical birth certificate included only 15 items. Today, she said, it has 216 data fields. Birth certificates in some states are available via the Internet. Hospital discharge data often are publicly available. Job applications increasingly go beyond education and professional training to ask, for example, if a person has ever reneged on child support. The new HIPAA rules target the first few parties who get data, she said, but don't regulate those to whom these parties give data. Business software ensures that credit information can be transmitted securely on the Internet, she said. The same strategies can be used to protect medical records.

Journal

JAMAAmerican Medical Association

Published: Jun 27, 2001

Keywords: confidentiality,privacy,electronic medical records

There are no references for this article.