Too Much or Too Little? How Much Control Should ...

J Med Syst (2016) 40:174 DOI 10.1007/s10916-016-0533-2

SYSTEMS-LEVEL QUALITY IMPROVEMENT

Too Much or Too Little? How Much Control Should Patients Have Over EHR Data?

Soumitra Sudip Bhuyan 1 & Sandra Bailey-DeLeeuw 1 & David K. Wyant 2 & Cyril F. Chang 3

Received: 19 April 2016 / Accepted: 26 May 2016 © Springer Science+Business Media New York 2016

Abstract Electronic health records (EHRs) have been promoted as a mechanism to overcome the fragmented healthcare system in the United States. The challenge that is being discussed is the rights of the patient to control the access to their EHRs’ data and the needs of healthcare professionals to know health data to make the best treatment decisions for their patients. The Federal Trade Commission has asked those who store consumer information to comply with the Fair Information Practice Principles. In the EHR context, these principles give the rights to the patient to control who can see their health data and what components of the data are restricted from view. Control is not limited to patients, as it also includes parents of adolescent children. We suggest that the ongoing policy discussion include consideration of the precise questions patients will be asked when a need for data sharing arises. Further, patients should understand the relative risks that they face, and the degree to which their decisions will (or will not) significantly reduce the risk of a data breach. As various approaches are considered, it is important to address the relative resource requirements and the associated costs of each option.

Soumitra S. Bhuyan and Sandra Bailey-DeLeeuw contributed equally to this article.

This article is part of the Topical Collection on Systems-Level Quality Improvement

* Soumitra Sudip Bhuyan

1 Health Systems Management and Policy, School of Public Health, The University of Memphis, Memphis, TN, USA

2 Jack C Massey College of Business, Belmont University, Nashville, TN, USA

3 Department of Economics, Fogelman College of Business and Economics, The University of Memphis, Memphis, TN, USA

Keywords Electronic health records · Patient privacy · Data ownership · Patient rights · Consumer health information · Patient data privacy · Privacy of patient data · Data sharing

Electronic health records (EHRs) are widely used in hospitals, physician practices, and other healthcare organizations. Since the 2009 passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, there have been financial incentives to spur the adoption of health information technology in the United States. The goal of widespread adoption of EHRs is to improve outcomes, quality, and safety; increase efficiency, productivity and cost reductions; and increase patient satisfaction and experience [1]. Published studies have shown that each of these policy targets can be improved through the adoption of a high-quality EHR system, but not without opening the door to privacy and security risks. Between 2010 and 2013, data breaches that affected over 500 patients each covered over 29 million records in the United States [2]. As these data breaches become more widely publicized, a concern arises that they may cause individuals to withhold critical information when seeking treatment. In a 2014 study, it was reported that 13 % of patients admitted that they did not disclose full information to their providers for security reasons [3]. The purpose of the EHR can be diminished if nondisclosure becomes more widespread. In addition, a system vulnerable to security risks and data breaches can result in penalties to providers under HIPAA.

Philosophical, clinical and legal questions arise regarding patient nondisclosure of personal health information as to the ownership of the EHR data. The clinical documentation contained in EHR systems typically includes very sensitive personal information. For this reason, the patient’s right to privacy and confidentiality of the data must be ensured [4]. The 2010 President’s Council of Advisors on Science and
Technology asserted that the national goals of electronic health information are to have a system for allowing all consumers, researchers, physicians and institutions to access the health information that they need in an integrated, clinically pertinent manner [3]. EHR technology has the potential to become this mechanism.

Most patients desire control over who has access to their personal data and how this highly sensitive personal information is distributed. To this end, there is a need for a mechanism to provide such personal scrutiny. Noted clinicians and health policy experts such as Donald Berwick and David Blumenthal have described clinicians as guests in patients’ lives [5, 6]. Medical advancements lose their value if patients do not trust the system. For these and other reasons, it is necessary to respect patient privacy preferences and to provide a mechanism for patients to manage these preferences. It is thus reasonable and understandable that the Office of the National Coordinator for Health Information Technology adopted the Fair Information Practice Principles in 2008 to outline the necessity of giving patients control over the availability and use of their health records [7].

However, these same principles could result in missed opportunities for providing appropriate medical care for these individuals. Those opposing controls have cited evidence to suggest that patients who engage in risky behavior would be less willing to share information regarding these behaviors [3]. This nondisclosure could result in care delays and in misinformation leading to ineffective or inappropriate care, in addition to incomplete health records. Should providers be held accountable and even liable for damages caused by patients who withhold critical information?
Further, when patients’ decisions affect the health and well being of others, as in the case of Ebola exposure by patients who had traveled to infected countries, doesn’t the greater public interest override the privacy concerns of a few individuals? Therefore, a need exists to find a balance between the rights and desires of the patient and the need for complete patient information to provide high-quality patient care and to safeguard the health of the general public.

From the view of the patient, the key to getting the most complete information is an issue of trust. Historically that confidence was maintained by the privacy of patient records kept in a private and secured office and not shared without a written request and consent by the patient. The advent of the EHR has created a new dynamic that necessitates finding mechanisms to assure privacy while providing access to health information as appropriate. The practitioner or researcher would say that they need access to all information to provide excellent care or conduct high-quality research. How do we promote trust and honor patient wishes while promoting disclosure of complete patient health information?

Knowing that protecting the EHRs from data breaches has been a big challenge, there seems to be a need for a balance between security and individual flexibility. The traditional role-based access mechanism used in most locations is a step to categorize who can view patient information but does not allow for the patient to have input. There is a need for the security mechanism to have an emergency access override feature so the life of a patient can be saved, or delegated to another individual in the event the patient is incapacitated. Flexibility with structure seems to be the key to any solution. For purposes of illustration, we will consider two such models. One model proposed by Leventhal and others allows patients to control providers’ access to sections of the patients’ EHRs [8]. The second model is the attribute based access model (ABAC) proposed by Bhartiya and others [9].

In the model proposed by Leventhal and others, a web-based system was developed that allowed patients to determine who could view their records. Patients could restrict access to any of five sensitive types of data: mental and reproductive health, sexually transmitted diseases, HIV/AIDS, substance abuse and by specific patient age to allow adolescents to have control over parental view of data [8]. If patients did not specify restrictions, all data was displayed. In cases where they did apply restrictions, there was no indication that data had been redacted. There was also a mechanism where providers could break the patient restrictions in case of imminent danger to the life of the patient. The findings suggested that while redacting all data was impossible, the redaction of data elements such as diagnoses, tests and medications was possible [8]. This model is patient-centered but can restrict provider access to data depending on the patient’s selection of items to redact.

In the Attribute Based Access Model (ABAC), the model assigns access to each individual based on rules defined as “permit or deny” rules [9]. One advantage to this model is that roles can be assigned to providers outside the originating source.
For example, as a physician outside the source is consulted for care, he would be assigned a level of access based on his role. Roles are assigned from the center based on each user’s relationship to the patient as per the predefined role access guidelines. This approach does allow for changes in access when information is required to care for the patient in the event of an emergency. One limitation of this model is that it does not provide for patient input into what data each role can access. Access is determined by the rules of the parent organization. An informed patient would likely ask to agree to such predetermined rules; however, many patients would not know that there was the opportunity to view the rules without careful communication with the primary provider at the beginning of the care episode [9].

There is not a nationally accepted model at this time. The cornerstone of any successful model needs to be flexibility and input from the patient. Roles change, circumstances change and patient preferences may change with time. The patient has a right to input in who may see their highly personal health information. There is also the need to override
mechanisms in the event of imminent danger to the individual’s life. This should be explained as part of the initial discussion and agreement with the patient. Healthcare is very personal, and each person has different opinions about sharing health data. These views need to be honored.

In choosing an approach to maintaining patients’ privacy, a larger context suggests several other issues. For example, principles of risk management suggest that the likelihood of relative threats should be considered [10]. A study of 949 data breaches of personal health information that each affected more than 500 individuals found that about two thirds of the breaches involved theft (58.2 %) or hacking (7.1 %) [2]. In the same study, another 11.1 % of breaches involved loss or improper disposal of data. Limiting some providers’ access to data may not prevent these breaches, and it may have a negative influence on a patient’s care. An informed consumer should understand how much (or little) their decision influences the relative risks that they face.

In addition, it should be recognized that while the decision is being made to restrict a patient’s potential caregivers’ access to this information, some individuals who are not directly caregivers may have access to the data. For example, public health agencies, such as cancer registries, will have access to some data. Within the billing process, employees other than clinicians at both the provider and insurer settings may see information from patient records.

There is also an issue concerning the structuring of the questions that the consumers are asked. For example, a consumer who is asked “should anyone other than your doctor be able to see your data”, might answer “no”.
But the same consumer might answer “yes” if asked the question in another way as, “If your data was de-identified, and if it were possible to use that data in a very large study that could potentially find a cure to the type of cancer you have, but getting the permission from everyone would be prohibitively expensive, should individuals other than your doctor be allowed to use the data?” Given this possibility, it is worth considering whether consumers that answer “no” to the first example will have a clear understanding of the situations that will arise that could impact their care.

As we look to advance this discussion through further study, another issue deserves our attention. Previous studies that reported various approaches usually did not directly report the relative resource use by each model, although costs were referenced. For example, a paper by Leventhal and others noted that redacting all sensitive references in the notes is “impossible”. It also states that the process of entering patients’ preferences involved a fourth year medical student guiding the patients through the process. Both of these involve
considerable costs, although it is unclear in this example if the medical student spent 2 minutes or 20 minutes with the average patient.

Clearly, patient rights issues should not be resolved by choosing the system that requires the lowest resource use. However, experience has shown that solutions can be developed that ensure patient rights in the face of resource issues. For example, during the 1970s, there was major concern over the rights of nursing home residents. One such concern dealt with the practice of using physical restraints to tie “confused” patients to chairs to keep them “safe” [11]. The cost of individually monitoring such patients was noted as a concern. But this was dealt with by a change in practice which grouped these patients together in Special Care Units.

In a similar manner, a focus on patients’ right to privacy could encourage IT vendors to compete by developing approaches that reduce the resources that are necessary to ensure privacy. For example, it may be possible for IT vendors to develop mechanisms that flag sensitive sections of notes. Although a human review might still be necessary, this might greatly reduce the time involved. Similarly, templates might speed the process of inputting patients’ preferences. More generally, including relative resource use in the discussion is likely to lead to innovations that reduce resource use.

The rights of the individual must have a role in the access to this highly sensitive data. However, the consequences of redacting information need to be fully vetted with the patient at the time of decision, so the choice that is made is clear and informed. Given the diversity of the possible scenarios that might require the use of this data, this may not be an easy task. Careful consideration needs to go into the choice of the questions asked and the way the relative risks are described.
Finally, an effective and feasible solution is likely to be reached sooner if proposals take into account the relative resources used by alternative options.
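
The two access models discussed in the article (patient-set restrictions with an emergency override, and organization-defined permit/deny rules by role) can be combined in a single access decision, sketched here as an added illustration that is not code from the article or from the systems it cites. The class names, category labels, provider ids and the choice that an override never widens what a role may see are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Consent:
    """Patient preferences: category -> set of provider ids the patient blocked."""
    blocked: dict = field(default_factory=dict)

    def denies(self, provider, category):
        return provider in self.blocked.get(category, set())


@dataclass
class AccessGate:
    role_permits: dict                      # role -> categories permitted by org rules
    audit_log: list = field(default_factory=list)

    def view(self, record, consent, provider, role, break_glass_reason=None):
        """Return the entries of one patient's record that this provider may see."""
        reason = (break_glass_reason or "").strip()
        allowed = self.role_permits.get(role, set())
        visible, overridden = [], []
        for entry in record:
            cat = entry["category"]
            if cat not in allowed:
                continue        # organizational deny; override never widens a role
            if consent.denies(provider, cat):
                if not reason:
                    continue    # omitted with no marker that anything was redacted
                overridden.append(cat)
            visible.append(entry)
        if overridden:          # every override leaves a reviewable trace
            self.audit_log.append({
                "when": datetime.now(timezone.utc).isoformat(),
                "provider": provider, "role": role, "reason": reason,
                "categories": sorted(set(overridden)),
            })
        return visible


# Constructed sample data: categories, ids and roles are illustrative only.
RECORD = [
    {"category": "general", "text": "Seasonal allergy, loratadine"},
    {"category": "substance_abuse", "text": "Opioid use disorder, buprenorphine"},
    {"category": "mental_health", "text": "Major depressive disorder"},
]
CONSENT = Consent(blocked={"substance_abuse": {"dr_lee"}})
GATE = AccessGate(role_permits={
    "physician": {"general", "substance_abuse", "mental_health"},
    "billing": {"general"},
})

if __name__ == "__main__":
    for args in [("dr_lee", "physician", None),
                 ("dr_lee", "physician", "unresponsive, suspected overdose"),
                 ("clerk_1", "billing", "curious")]:
        shown = GATE.view(RECORD, CONSENT, *args)
        print(args[0], [e["category"] for e in shown])
    print(GATE.audit_log)
```

The audit entry records which patient-restricted categories were opened and why, which is what a privacy officer would review after an emergency override.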

References

1. Wagner, K. A., Lee, F. W., Glaser, J. P., Healthcare information systems: A practical approach for health care management. John Wiley & Sons, 2013.
2. Liu, V., Musen, M. A., and Chou, T., Data breaches of protected health information in the United States. JAMA 313(14):1471–1473, 2015.
3. Campos-Castillo, C., and Anthony, D. L., The double-edged sword of electronic health records: Implications for patient disclosure. J. Am. Med. Inform. Assoc. 22(e1):e130–e140, 2015.
4. Caine, K., and Tierney, W., Point and counterpoint: Patient control of access to data in their electronic health records. J. Gen. Intern. Med. 30(Suppl 1):S38–41, 2014.
5. Berwick, D. M., What “patient-centered” should mean: Confessions of an extremist. Health Aff. (Millwood) 28(4):w555–w565, 2009.
6. Blumenthal, D., and Squires, D., Giving patients control of their EHR data. J. Gen. Intern. Med. 30(Suppl 1):S42–3, 2014.
7. Gellman, R., Fair information practices: A basic history. Available at SSRN 2415020, 2014.
8. Leventhal, J. C., Cummins, J. A., Schwartz, P. H., Martin, D. K., and Tierney, W. M., Designing a system for patients controlling providers’ access to their electronic health records: Organizational and technical challenges. J. Gen. Intern. Med. 30(1):17–24, 2015.
9. Bhartiya, S., Mehrotra, D., & Girdhar, A., Proposing hierarchy-similarity based access control framework: A multilevel Electronic Health Record data sharing approach for interoperable environment. J. King Saud Univ.-Comput. Inform. Sci., 2015.
10. Pyke, G., Risk assessment and management. In: McCormick, K. and Gugerty, G., (Ed.), Healthcare Information Technology. McGraw Hill pp 589–610, 2013.
11. Ohio Nursing Home Commission, A Program in Crisis. Ohio General Assembly, 1978.