Can We Have EHRs and Privacy Too?

Dr. Alan F. Westin

Professor of Public Law and Government Emeritus, Columbia University; Principal, Privacy Consulting Group

At the Fall Conference of the HIPAA Collaborative of Wisconsin, 9-11-09


US Entering the EHR Era

• Computerization of medical records goes back to 1960’s

• Current push for universal EHRs came with Bush in 2003

• Endorsed by Obama in 2008 campaign – “electronic health records, with privacy…”

• Stimulus legislation assigns $19-30 billion to adoption and implementation of health IT

• And so, a transformation of US healthcare operations and administration is under way

Advocates See Major Benefits

• Better coordination of patient care

• Reduce duplications of tests and procedures

• Reduce medical errors

• Enhance medical research

• Strengthen public health monitoring

• Reduce administrative costs in the paper world

But Important Issues Raised by Critics

• Conflicting EHR software, outmoded systems

• Lack of best practicing-medicine design features in many EHR systems

• Likelihood of electronic-system errors

• Worries about compulsory participation

• Concerns about weakened privacy and confidentiality

• Concerns about information security

• Concerns about costs and practice-disruption in small- to medium-sized practices

So How Does the Public Feel -- 1

• Over 75 national surveys on healthcare information issues since 1990, 20 since 2007 explore EHR

• General majority views on health care and privacy:

-- High concerns over privacy and confidentiality of medical records

-- Worries over medical data breaches and medical-information security

-- Consider “existing” health-privacy laws and administration inadequate

How Does the Public Feel -- 2

• Overall public views

-- Trust healthcare providers to protect confidentiality

-- But worried about “secondary users” -- health insurers, life insurers, employers, marketers, and for government social programs

-- Worries are over discrimination in all these contexts

-- Concerns highest among persons with adverse health conditions, minorities

Public Views on EHR Systems

• Majorities basically ambivalent on EHRs

• Accept and support the assumed benefits – two-thirds of public believes these benefits could happen

• But also see EHR systems as assembling more sensitive medical information in patient electronic records and making these more accessible

• Apply existing data security worries to EHRs

• And some believe participation in new EHR systems by their providers should be voluntary, not automatic and compulsory

Privacy and Trust Already a Battleground

• Widespread recognition by healthcare leaders that winning trust of patients in EHR systems will be critical to their success

• Studies document that lack of trust leads such patients not to seek care, adhere to regimens, etc.

• Trust challenges highest among those with chronic conditions, genetic issues, minorities

• No studies as yet on trust levels of members of EHR systems, especially compared to patients in traditional systems

Good Start From ARRA This Year - 1

• Key provisions re privacy and security in ARRA

-- Stronger audit trail for patients

-- Right to get electronic copy of own record

-- Limits uses for marketing; authorization needed

-- Required notification if data breach

-- State Attorneys General may enforce

-- Stronger penalties and enforcement provisions

-- Applies to business associates, including RHIOs and HIEs, with civil and criminal enforcement

But Key EHR Privacy Issues Remain - 1

• Recent California Healthcare Foundation Issue Brief by Deven McGraw (CDT) concluded:

ARRA “still falls short of the comprehensive framework needed to build public trust in the health care system’s information privacy and security, and particularly in electronic health information exchanges.”

Areas Needing Attention

• Coverage of activities not included (including PHR vendors like Google and Microsoft)

• Apply better marketing-use controls

• Provide for individual legal redress

• Issue strong regulatory rules, including data security standards

• Apply audit and survey methods for enforcement

• Provide guidance for privacy and patient-rights notices

How To Pursue Earned Trust

• Develop model patient satisfaction and trust surveys, to map trends over time nationally and for individual EHR systems

• Conduct in-depth empirical studies of EHR systems in action; develop Best Practices guidelines

• Apply new patient-control software and systems to assure patient control for research and other uses beyond care, treatment, and assurance (e.g. new “switch but not store” patient empowerment systems)

A Fundamental Question

• Some privacy and consumer groups call for patients to have right not to have their records computerized – favor a “voluntary EHR approach”

• Seems impractical to me, keeping some records in paper and having to administer two sets of information systems

• Would also be destructive to the improved overall health care that EHR systems are intended to achieve

• Better approach would be to assure a clear “opt out” for record uses beyond care and administration

In Summary

• Implementing EHR systems will be the work of a decade, with much trial and error

• Earning patient/member trust will be critical for EHRs

• The new ARRA provisions for privacy, confidentiality, access, and security are a welcome improvement over HIPAA and state health privacy laws

• The next stage will be good implementing regulations and active enforcement – and identification of areas that may need additional legislative action