Privacy of Medical Records

Study Guide

Catalyst

Most people require a certain amount of privacy. Everyone holds a certain information about themselves to be personal and to be shared with only people whom they trust. This is the major cause of medical privacy issues. Because doctors’ offices and hospitals keep records on each of their clients, the issue becomes, who has a right to access these records? The widespread use of databases and other technology to maintain this data has caused the medical privacy issue to blow up at an even greater rate. Now, not only do insurance companies and billing agencies have access to your medical records, but hackers can now access them also.

Content of Medical Records

Medical Records may include your medical history, details about your lifestyle such as smoking or involvement in high-risk sports, and family medical history. In addition, your medical records contain laboratory test results, medications prescribed, and reports that indicate the results of operations and other medical procedures. Your records could also include the results of genetic testing used to predict your future health. And they might include information about your participation in research projects. Information you provide on applications for disability, life or accidental insurance with private insurers or government programs can also become part of your medical file. So, it is easy to see why people consider information about their health to be highly sensitive.

Accessibility

Medical records are shared by people both in and out of the health care industry. These include:

Insurance companies
Government agencies
Medical Information Bureau(MIB)
Employers
Subpoenaed for court

Generally, access to your records is obtained when you agree to let others see them. In reality, some situations offer no choice but to agree to the sharing of your health information in exchange for care and to qualify for insurance. Other places where identity may or may not be disclosed are:

Health care operations, or the evaluations of hospitals or individual physicians
Public health agencies for health research
Direct marketers when you participate in informal health screenings

Electronic Medical Records/Electronic Health Records

An electronic medical record (EMR) is a medical record in digital format. In health informatics an Electronic Medical Records(EMR) are considered by some to be one of several types of EHRs (electronic health records), but in general usage EMR and EHR are synonymous.

Adoption of EMRs and other health information technology, such as computer physician order entry (CPOE), has been minimal in the United States. Less than 10% of American hospitals have implemented health information technology, while a mere 16% of primary care physicians use EHRs. The vast majority of healthcare transactions in the United States still take place on paper, a system that has remained unchanged since the 1950s. The healthcare industry spends only 2% of gross revenues on health information technology, which is meager compared to other information intensive industries such as finance, which spend upwards of 10%. The following issues are behind the slow rate of adoption:

A major concern is adequate confidentiality of the individual records being managed electronically. According to the LA Times, roughly 150 people (from doctors and nurses to technicians and billing clerks) have access to at least part of a patient's records during a hospitalization, and 600,000 payers, providers and other entities that handle providers' billing data have some access. Multiple access points over an open network like the Internet increases possible patient data interception. In the United States, this class of information is referred to as Protected Health Information (PHI) and its management is addressed under the Health Insurance Portability and Accountability Act (HIPAA) as well as many local laws. In the European Union (EU), several Directives of the European Parliament and of the Council protect the processing and free movement of personal data, including for purposes of health care. The organizations and individuals charged with the management of this information are required to ensure adequate protection is provided and that access to the information is only by authorized parties. The growth of EHR creates new issues, since electronic data may be physically much more difficult to secure, as lapses in data security are increasingly being reported. Information security practices have been established for computer networks, but technologies like wireless computer networks offer new challenges as well.

Technology limitations

Limitations in software, hardware and networking technologies has made EMR difficult to affordably implement in small, budget conscious, multiple location healthcare organizations. Until recently most EMR systems were developed using older programming languages such as Visual Basic and C++; however with many systems now being developed using Microsoft .NET Framework and Java technology EMRs can be securely implemented across multiple locations with greater performance and interoperability. Prior to the recent introduction of IEEE 802.11 g and n wireless technology access to large files such as MRI and X-Ray images was slow. With these new wireless technologies data can be securely transferred at speeds of up to 108 Mbit/s, across extended distances and in older buildings built with brick or concrete walls. Tablet PC technology has significantly improved over the recent years, Li-Ion/polymer batteries for battery life of up to 8 hours, biometric security, low-voltage processors and lighter weight solutions.

Preservation

Under data protection legislation and the law generally responsibility for patient records (irrespective of the form they are kept in) is always on the creator and custodian of the record, usually a health care practice or facility. The physical medical records are the property of the medical provider (or facility) that prepares them. This includes films and tracings from diagnostic imaging procedures such as X-ray, CT, PET, MRI, ultrasound, etc. The patient, however, according to HIPAA, owns the information contained within the record and has a right to view the originals, and to obtain copies under law. Additionally, those responsible for the management of the EMR are responsible to see the hardware, software and media used to manage the information remain usable and not degraded. This requires backup of the data and protection being provided to copies. It will also require the planned periodic migration of information to address concerns of media degradation from use.

Legal status

Medical records, such as physician orders, exam and test reports are legal documents, which must be kept in unaltered form and authenticated by the creator.

Digital signatures Most national and international standards accept electronic signatures. According to the American Bar Association, "A signature authenticates a writing by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer." With proper security software, electronic authentication is more difficult to falsify than the handwritten doctor's signature. However, as the recent rise in identity theft demonstrates, no security method can totally prevent fraud, so auditing information security will continue to be prudent when using EMR.
Digital records such as EHR create difficulties ensuring that the content, context and structure are preserved when the records do not have a physical existence. As of 2006, national and state archives authorities are still developing open, non-proprietary technical standards for electronic records management (ERM).

Laws

Medical laws have been put into place for patient privacy protection. Under the Clinton Administration, the Health Insurance Portability and Accountability Act of 1996 was administered. Since then, there have been man amendments to the act, the most noteable being one of Clinton’s last actions as president. On Dec. 28, 2000, Clinton administered changes to the HIPAA of 1996. These changes gave patients unprecedented rights to track their medical files. It implemented new criminal and civil sactions for improper disclosure of medical records and it protects against unauthorized use of medical records for employment purposes. Although this last act gave patients unprecedented access and control of their medical records, some are not satisfied.

Genetic Mapping

More than 40 U.S. states have laws requiring hospitals to make available to insurance companies and researchers certain information about each visit they receive. With this information, hospital records can be obtained and all sorts of genetic testing can be done. This becomes extremely controversial because the laws are vague about what constitutes a research group.