Privacy of Medical Records
Study Guide
Catalyst
Most people require a certain amount of privacy. Everyone holds a certain information about themselves to be personal and to be shared with only people whom they trust. This is the major cause of medical privacy issues. Because doctors’ offices and hospitals keep records on each of their clients, the issue becomes, who has a right to access these records? The widespread use of databases and other technology to maintain this data has caused the medical privacy issue to blow up at an even greater rate. Now, not only do insurance companies and billing agencies have access to your medical records, but hackers can now access them also.
Content of Medical Records
Medical Records may include your medical history, details about your lifestyle such as smoking or involvement in high-risk sports, and family medical history. In addition, your medical records contain laboratory test results, medications prescribed, and reports that indicate the results of operations and other medical procedures. Your records could also include the results of genetic testing used to predict your future health. And they might include information about your participation in research projects. Information you provide on applications for disability, life or accidental insurance with private insurers or government programs can also become part of your medical file. So, it is easy to see why people consider information about their health to be highly sensitive.
Accessibility
Medical records are shared by people both in and out of the health care industry. These include:
- Insurance companies
- Government agencies
- Medical Information Bureau(MIB)
- Employers
- Subpoenaed for court
Generally, access to your records is obtained when you agree to let others see them. In reality, some situations offer no choice but to agree to the sharing of your health information in exchange for care and to qualify for insurance. Other places where identity may or may not be disclosed are:
- Health care operations, or the evaluations of hospitals or individual physicians
- Public health agencies for health research
- Direct marketers when you participate in informal health screenings
Electronic Medical Records/Electronic Health Records
An electronic medical record (EMR) is a medical record in digital format. In health informatics an Electronic Medical Records(EMR) are considered by some to be one of several types of EHRs (electronic health records), but in general usage EMR and EHR are synonymous.
Adoption of EMRs and other health information technology, such as computer physician order entry (CPOE), has been minimal in the United States. Less than 10% of American hospitals have implemented health information technology, while a mere 16% of primary care physicians use EHRs. The vast majority of healthcare transactions in the United States still take place on paper, a system that has remained unchanged since the 1950s. The healthcare industry spends only 2% of gross revenues on health information technology, which is meager compared to other information intensive industries such as finance, which spend upwards of 10%. The following issues are behind the slow rate of adoption:
A major concern is the confidentiality of the individual records being managed electronically. According to the LA Times, roughly 150 people (from doctors and nurses to technicians and billing clerks) have access to at least part of a patient's records during a hospitalization, and 600,000 payers, providers and other entities that handle providers' billing data have some access. The possibility of patient data interception increases with multiple access points over an open network like the Internet. Protected Health Information(PHI), as it's referred to, is addressed under many local laws, as well as the Health Insurance Portability and Accountability Act (HIPAA). In the European Union (EU), several Directives of the European Parliament and of the Council protect the processing and free movement of personal data, including for purposes of health care. Those managing this information are required to ensure adequate protection is provided and that access is given only to authorized parties. Since electronic data may be physically much more difficult to secure, the growth of EHR creates new issues, as flaws in data security are increasingly being reported. Information security practices have been established for computer networks, but technologies like wireless computer networks offer new challenges as well.
Limits in software, hardware and networking technologies has made EMR difficult to implement in small, budget conscious, multiple location healthcare organizations. Until recently most EMR systems were developed using older programming languages such as Visual Basic and C++; however with many systems now being developed using Microsoft .NET Framework and Java technology EMRs can be securely implemented across multiple locations with greater performance and interoperability. Prior to the recent introduction of IEEE 802.11 g and n wireless technology access to large files such as MRI and X-Ray images was slow. With these new wireless technologies data can be securely transferred at speeds of up to 108 Mbit/s, across extended distances and in older buildings built with brick or concrete walls. Tablet PC technology has significantly improved over the recent years, Li-Ion/polymer batteries for battery life of up to 8 hours, biometric security, low-voltage processors and lighter weight solutions.
Under data protection legislation and the law generally responsibility for patient records (irrespective of the form they are kept in) is always on the creator and custodian of the record, usually a health care practice or facility. The physical medical records are the property of the medical provider (or facility) that prepares them. This includes films and tracings from diagnostic imaging procedures such as X-ray, CT, PET, MRI, ultrasound, etc. The patient, however, according to HIPAA, owns the information contained within the record and has a right to view the originals, and to obtain copies under law. Additionally, those responsible for the management of the EMR are responsible to see the hardware, software and media used to manage the information remain usable and not degraded. This requires backup of the data and protection being provided to copies. It will also require the planned periodic migration of information to address concerns of media degradation from use.
Medical records, such as physician orders, exam and test reports are legal documents, which must be kept in unaltered form and authenticated by the creator.
- Digital signatures Most national and international standards accept electronic signatures. According to the American Bar Association, "A signature authenticates a writing by identifying the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer." With proper security software, electronic authentication is more difficult to falsify than the handwritten doctor's signature. However, as the recent rise in identity theft demonstrates, no security method can totally prevent fraud, so auditing information security will continue to be prudent when using EMR.
- Digital records such as EHR create difficulties ensuring that the content, context and structure are preserved when the records do not have a physical existence. As of 2006, national and state archives authorities are still developing open, non-proprietary technical standards for electronic records management (ERM).
Laws
Medical laws have been put into place for patient privacy protection. Under the Clinton Administration, the Health Insurance Portability and Accountability Act of 1996 was administered. Since then, there have been man amendments to the act, the most noteable being one of Clinton’s last actions as president. On Dec. 28, 2000, Clinton administered changes to the HIPAA of 1996. These changes gave patients unprecedented rights to track their medical files. It implemented new criminal and civil sactions for improper disclosure of medical records and it protects against unauthorized use of medical records for employment purposes. Although this last act gave patients unprecedented access and control of their medical records, some are not satisfied.
Genetic Mapping
More than 40 U.S. states have laws requiring hospitals to make available to insurance companies and researchers certain information about each visit they receive. With this information, hospital records can be obtained and all sorts of genetic testing can be done. This becomes extremely controversial because the laws are vague about what constitutes a research group.
Technology
Bibliography
How Private Is My Medical Information
Does Government Need to Know if Grandpa Curses?
Hospital Hacked - records stolen
PROTECTING THE PRIVACY OF PATIENTS' HEALTH INFORMATION
President's Statement on Medical Privacy Information
Guidelines for medical and health information sites on the Internet
Guidelines for the Clinical Use of Electronic Mail with Patients
Office for Civil Rights - HIPAA
Protecting Privacy In Computerized Medical Information (Office of Technology Assessment): Digest
Who Controls Your Medical Records?
The Medical Information Privacy and Security Act (MIPSA)
Medical Net privacy? It's unhealthy
Guard Your Genetic Data from Those Prying Eyes
Should Community Rights Override Individual Rights to Privacy?
Key Elements Needed to Protect Medical Information Privacy
New Electronic Privacy Information Center
New Develop a HIPAA Privacy Policy
New U.S. Privacy Act outdated, hasn't kept up with technology, experts say
New Tech Firms Eye Medical Privacy Market
New Health Insurance Portability and Accountability Act.
New Medical records security at risk
New TITLE 45--PUBLIC WELFARE AND HUMAN SERVICES