Progress at the Cost of Privacy?

by Ross White

As we all anxiously await the Supreme Court decision on the Affordable Care Act, it is worth remembering that for many reforms, “the train has already left the station.” Many payment and delivery changes are going to continue regardless of the Supreme Court ruling. One such reform is the continued implementation of health information technology, particularly electronic health records (EHRs). While these technologies promise to increase the transmission, sharing, and use of health data across the health care system—thereby improving quality and reducing unnecessary costs—they do not come without raising serious ethical questions about the use of that data and how patient privacy can best be assured.

The incentives to implement electronic health record systems have never been greater. The Health Information Technology for Economic and Clinical Health Act (HITECH Act), which is a portion of the American Recovery and Reinvestment Act of 2008 (ARRA), designated incentive payments of up to $44,000 from Medicare and $65,000 from Medicaid per individual physician who demonstrates “meaningful use” of an EHR system. In order to meet CMS-defined criteria, providers must demonstrate improvement in the collection and sharing of health information to improve quality, efficiency, and patient safety. A Health Affairs study from last year suggests that it would cost a five-physician primary care practice approximately $32,400 per physician and $85,500 in maintenance expenses during the first year to meet these criteria, which is largely consistent with incentive payments. Providers who do not demonstrate meaningful use of EHRs by 2015 will be penalized with a 1 percent annual reduction in Medicare reimbursements. The Affordable Care Act continues us down this path. While many physicians are embracing this opportunity, others continue to resist—or have already experienced adverse effects after having done so.

Many of these adverse effects resulting from the rapid deployment of EHRs were discussed at the 2nd International Summit on the Future of Health Privacy recently held at Georgetown Law. One anecdote from the meeting particularly stuck with me. Scott Monteith, clinical assistant professor in the Departments of Psychiatry and Family Medicine at Michigan State University, relayed the story of a patient who found that her electronic medical record erroneously indicated a history of inhalant abuse. After much investigation and confusion, it was revealed that the patient actually had a history of caffeine dependence and intoxication (yes, this is a real diagnosis), which shares the same diagnostic code (305.9) as inhalant abuse—a diagnosis that could lead to embarrassment and stigmatization, or prevent appropriate treatment for mental health illness in the future. Although this diagnostic code is used for four different diagnoses, the default EHR window only made the inhalant abuse diagnosis visible to the physician. Despite reporting the error to the EHR vendor, the problem persists.

As a result of these stories, and many more, the Principles Committee drafted a Consumer Health Privacy Bill of Rights modeled on the Consumer Privacy Bill of Rights released by the White House in February, which ensures protection of personal information shared by individuals who shop, sell, bank, communicate, and work on the internet, but did not include any specific protections for health information. The document is organized around ten principles: Individual control; Transparency; Respect for Context; Security; Access and Accuracy; Focused collection; Accountability; Applicability; Enforcement; and Notice. The principles are founded on the notion that consumers have a right to exercise control over what personal health information is collected; how it is used; and what information, and in what context, it can be shared with third parties.

These principles are largely consistent with recommendations set forth by Ross Anderson, Professor of Security Engineering at Cambridge. Based on the shortcomings of European efforts at health information sharing, Anderson argued that health data should be kept with the provider and patient, not stored in large databases vulnerable to attack. He also insisted that patients be informed of all secondary uses of their health data and that we as a society be prepared to draw “red lines” that should not be crossed with health data use.

These recommendations and principles are no doubt admirable, but formal legislative adoption and implementation appear highly unlikely. There is very strong inertia in the health care system toward technologies that help to drive payment and system reforms. The further deployment of health IT and EHRs is wholly consistent with increasing pressure on providers and insurers to try to improve the quality and decrease the cost of health care.

But innovation can come at the cost of patient privacy, autonomy, and respect, and technology is not a panacea for all that ails the health care system. Mark Rothstein, Herbert F. Boehl Chair of Law and Medicine at University of Louisville School of Medicine, emphasized that HIPAA and other privacy regulations have unfortunately become the ceiling, rather than the floor, for health privacy. Patients must insist that health privacy protections continue to expand with new technologies, not continue to simply meet the bare minimum.

Most importantly, however, we might best heed Anderson’s recommendation that our health privacy system move from one of consent law to veto law. Rather than patients having the right to consent to the use of their health data, they would instead have the right to veto the use of their health data. Although this may appear to simply be a matter of language and messaging, it might better empower patients to know that they have a right to say “no,” not just a right to say “yes.” This is just one step in reconfiguring how our health care system ensures the protection of health privacy, but this progress may well be the beginning of a deeper examination of how we can more meaningfully balance technological progress with patients’ rights.

Regardless of the pending Supreme Court decision, further expansion of EHRs is nearly inevitable. Given that EHRs will play an integral part in the future of health care in the United States, we would do ourselves a great disservice if we are not more prudent about how to ensure the protection of patient privacy in these systems.


Ross is Public Policy Associate at The Hastings Center and a graduate student in philosophy and social policy at George Washington University. Follow him on Twitter @rossswhite.


4 thoughts on “Progress at the Cost of Privacy?”

  1. Amy Myers says:

    Ross, I’m glad you wrote this piece! I feel like this is the misconception I run into the most with the health reform is that people forget that the HITECH Act was actually part of ARRA and not ACA (how’s that for alphabet soup?). There is a lot changing in this arena and millennials are wise to pay attention!

  2. Ross says:

    Thanks, Amy! I liked your recent post as well. I’m really excited to be a part of the blog and look forward to what we can achieve.

  3. krchhabra says:

    Thanks, Ross! I’d love to hear about how you think the need for patient privacy ought to be reconciled with the need to improve communication and care coordination among healthcare providers in different settings.

  4. Karan,
    Sorry for the delayed response; I just noticed it. You are correct that it’s a very difficult balance between privacy and improving the health care system. I think the most important thing is to have transparency and make sure that patients know how, when, where, and by whom their health information is being used. I find myself teetering back and forth on how many protections and regulations (obviously requiring more money and time) should be imposed on EHR, but I think it comes down to ensuring trust between the patient and clinician and not assuming that more information is always better. I’m very sympathetic to the notion of contextual privacy and regulation–making it easier for only the relevant information to be shared with the requesting party. An employer might need to see certain parts of your medical record to know that you are physically fit to perform job duties, but they do not need to know that you had a bout of depression as a teenager. If we can better compartmentalize and only share relevant information, rather than the entire health record, we can reduce stigmatization and privacy concerns, and make patients more willing to share confidential information. Those are just a few additional thoughts.
