You have greater privacy rights regarding the size of a shirt you purchased online than you do about information in your mental health records under the Consumer Privacy Bill of Rights, issued by the White House in February 2012. At least that’s the position of James C. Pyles, an attorney specializing in patient privacy rights. He authored the forthcoming Health Information Privacy Bill of Rights, an initiative to provide at least the same level of rights to patients as are offered to consumers under the Consumer Privacy Bill of Rights.
The Health Information Privacy Bill of Rights, developed with the American Psychoanalytic Association, comes at a critical time when, with the nationwide implementation of Electronic Health Records (EHRs) and Health Information Exchanges (HIEs), the issue of patient privacy is more important than ever. With the advent of electronic records, Mr. Pyles and others point out that it’s possible to improperly disclose identifiable electronic health information of millions of patients almost instantly.
The numbers back it up. During the past two years, the health information privacy of nearly 18 million Americans has been breached electronically, a statistic cited in The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security, a seminal report by the American National Standards Institute (ANSI), The Santa Fe Group/Shared Assessments Program Healthcare Working Group, and the Internet Security Alliance (ISA). Unprecedented health privacy breaches along with complex and conflicting health privacy laws have resulted in a loss of trust by patients that their health information privacy will be protected and confusion by those who handle health information about what is expected.
With the rapid adoption of EHRs, serious issues in patient privacy rights need to be addressed: gaps in legislation, lack of trust in the system, and lack of patient control over their electronic data.
1. Legislative gaps
Federal legislation, such as HIPAA and the HITECH Act, seek to safeguard protected health information (PHI). In addition, according to the National Conference of State Legislatures, 46 states have data breach notification laws. And, of course, there’s the Consumer Privacy Bill of Rights which affords some level of privacy rights to patients.
HIPAA and the Consumer Privacy Bill of Rights, however, create an odd legislative gap. Mr. Pyles notes that the Consumer Privacy Bill of Rights excludes patients to the extent their health information is covered by HIPAA, while offering greater privacy rights with respect to health information not covered by HIPAA. He cites the year-long study by ANSI and others that uncovered the “inadequacies” of HIPAA, including the fact that the HIPAA Privacy Rule was not even intended by the Department of Health and Human Services to serve as a “best practices” standard for privacy protection.
This means that HIPAA-protected PHI does not benefit from the Consumer Privacy Bill of Rights and is subject to the same privacy pitfalls as before. The Health Information Privacy Bill of Rights seeks to “protect the fundamental right to privacy of all Americans and the health information privacy that is essential for quality health care,” with prescriptions for patient control, security, accountability, and other rights.
2. A lack of trust
Maintaining patient trust is the cornerstone to a successful healthcare system. The Office of the National Coordinator for Health Information Technology has indicated that a lack of this trust may affect [a patient’s] willingness to disclose necessary health information and could have life-threatening consequences.
Dr. Deborah Peel, founder of Patient Privacy Rights, agrees. “The lack of privacy causes bad health outcomes. Millions of people every year avoid treatment because they know health data is not private,” she says. She cites several cases where privacy concerns affected the quality of healthcare:
- The HHS estimated that 586,000 Americans did not seek earlier cancer treatment.
- HHS estimated that 2,000,000 Americans did not seek treatment for mental illness.
- Millions of young Americans suffering from sexually transmitted diseases do not seek treatment.
- The Rand Corporation found that 150,000 soldiers suffering from PTSD do not seek treatment because of privacy concerns.
- The lack of privacy contributes to the highest rate of suicide among active duty soldiers in 30 years.
3. A lack of patient control
A colleague of mine recently posted this blog: Who Owns Patient Data in Electronic Health Records? He wondered who has “control” over the modifying, accessing, and sharing of electronic data. With paper records, control was rarely an issue, as data exchange was point-to-point, e.g., faxing records from one physician to another. EHRs and HIEs, however, create countless data sharing and proliferation points. Who has control over what information is shared where and with whom?
For sensitive medical information, such as psychotherapy or gynecological records, the issue of control is critical. In his paper, Debate Over Patient Privacy Control in Electronic Health Records, Mark A. Rothstein, Chair of Law and Medicine at the Louis D. Brandeis School of Law in Kentucky, notes a federal initiative that would enable patients to retain control over sensitive categories of medical information. He admits, however, that “there have been no explicit proposals” to bring the proposal past the drawing board. If this is the case, then these controls would have to be implemented after the fact as part of existing electronic health systems — a costly addition. The Health Information Privacy Bill of Rights may fill that void.
Patient privacy is a fundamental right that is being challenged as patient records are digitized, and access to those records increases exponentially. “The success of our national healthcare ecosystem depends on respecting that right,” Mr. Pyles says. “Patients should not be required to sacrifice their right to privacy in order to obtain health care. Public trust in the health care delivery system cannot be maintained if privacy rights for sensitive health information are weaker than the privacy rights of individuals for less sensitive non-health data.”