Opting for Patient Privacy: Are You In or Are You Out?
By: Todd Fisher, CEO, MobileMD
The introduction of information technology in healthcare is clearly increasing, is certainly long overdue, and provides great potential in terms of improved patient care and cost containment.

The "electronification" of patient health information (PHI), however, pits two fundamental values at odds: one’s right to privacy and a physician's need for access to a complete set of information to provide effective patient care. As PHI is increasingly stored and processed electronically, the perception that PHI will be inappropriately disclosed, thus violating patient privacy, has increased. One only needs to view the news. Health records of the rich and famous seem to be violated on a regular basis by those with access and a desire to earn a quick buck. While this type of inappropriate access has gone on since well before the personal computer, the massive distribution power of the Internet has, in essence, created a new level of concern against having one’s records available and distributable via electronic means – even if such distribution is highly secure, such as electronic financial transactions. After all, many think to themselves, if an illicit picture taken without one’s consent can make its way onto the Internet for all to see, what might happen if one’s private health information is communicated over that very same medium? Patient privacy becomes a rallying cry for those who value personal privacy in absolute terms.
Ironically, the Internet’s massive distribution capability provides health systems and physician communities with opportunities to share patient health information in ways that have heretofore been impossible. Provider silos are torn down and replaced with networked, interoperable systems (facilitated in large part by the emerging Health Information Exchange market) that store, process, and share critical clinical data necessary to provide physicians with all the information required to make proper care decisions. The aggregation, filtering and sorting of PHI that used to take days and weeks, if performed at all, can now be done in seconds. And, access to that information is a simple login away.
To address these two competing values – privacy vs. access for care – federal and state legislation exists and continues to be developed that targets the proper disclosure of PHI. One such legislative concept is the Opt-in/Opt-out concept. While several regulations exist that govern who can see what PHI based on relationships to the patient, legislation is currently being contemplated in several regions that will require patients to explicitly grant permission (i.e., opt-in) for their PHI to be distributed, including the details of what PHI is to be distributed and to whom. To date, the opposite position has largely been the norm. The default position for most regions and healthcare organizations is to grant permission for the appropriate care providers to see the applicable patient health information (if it is available*), as required by the type of care, patient-physician relationship, and information necessary to provide that care.
It is my opinion that a strategy designed to require an explicit opt-in declaration with specifics will not reduce the potential for inappropriate PHI disclosure. Such a strategy has no way to protect against system errors or malicious human behavior – both of which exist and will always exist. Rather, an explicit opt-in strategy will potentially limit access to PHI from which a physician or other care provider must make critical decisions, potentially leading to an increase in medical errors.
If patients wish to opt out, that is, choose to control the distribution of their PHI as they (the patients) see fit, then such patients actively choose to take responsibility for what information is distributed to whom and thus, ultimately, for a significant aspect of the care provider role. That is a conscious decision and should certainly be available to patients as an option. But, by defaulting to that option and requiring explicit opt-in selection by the patient, legislators and healthcare entities are abdicating certain care responsibilities to the patient that are likely beyond the patient’s ability to fulfill. Moreover, in such an environment (i.e., explicit opt-in required), what happens if a patient presents and is unconscious with no family to provide the necessary permission to access critical PHI?
Personal privacy is a valued right Americans enjoy and should be protected vehemently whenever and wherever possible. It is important to remember, however, that the right to privacy is not absolute. One simply needs to visit a security line at an airport to experience a justifiable loss of privacy. When a patient presents for care, that patient presumes the best care possible will be provided. That cannot happen if critical PHI access is limited in the name of patient privacy. Rather than rely on patients to opt-in and ensure their clinical data is properly shared, the healthcare industry needs to adhere to clearly established rules regarding PHI disclosure based on patient-physician relationships, and “break the glass” features** generally associated with emergency situations.
This is a sensitive topic debated by clinicians, administrators, attorneys, and patient advocates. I’ve offered my opinion and would love to read yours. Please feel free to email me at tfisher@MobileMD.com.
* In the purely analog (i.e., paper) world, often much of a patient's health information, contained in the patient's medical record, was scattered in several locations and inaccessible in its entirety by any given care provider.
** Such features allow for a care provider to access a patient's PHI even if a previous physician-patient relationship with that patient doesn't exist. This is often the case where a patient presents in an emergency situation, for example. In such cases, the physician simply indicates the reason for accessing the information, and that reason, date, time, and physician information are audited as a way to protect the patient’s privacy.
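The relationship rule and the "break the glass" feature described above can be sketched as a small access check. This is an added example, not part of the original article; the class, field names and sample identifiers are hypothetical, and the sample requests are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AccessControl:
    # (physician_id, patient_id) pairs with an established care relationship
    relationships: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def request_access(self, physician_id, patient_id, reason=None, now=None):
        """Return True if the physician may open the patient's record."""
        now = now or datetime.now(timezone.utc)
        if (physician_id, patient_id) in self.relationships:
            self._audit(now, physician_id, patient_id, "relationship", None, True)
            return True
        # No relationship: only a break-the-glass request with a stated reason
        # passes. Refused attempts are audited as well.
        reason = (reason or "").strip()
        granted = bool(reason)
        self._audit(now, physician_id, patient_id, "break_glass", reason or None, granted)
        return granted

    def _audit(self, when, physician_id, patient_id, basis, reason, granted):
        # Reason, date, time and physician are recorded for every decision.
        self.audit_log.append({
            "time": when.isoformat(), "physician": physician_id,
            "patient": patient_id, "basis": basis,
            "reason": reason, "granted": granted,
        })

    def break_glass_events(self):
        """Entries a privacy officer would review after the fact."""
        return [e for e in self.audit_log if e["basis"] == "break_glass"]


def demo():
    # Constructed sample: one treating physician, one emergency physician.
    acl = AccessControl(relationships={("dr_adams", "patient_001")})
    t = datetime(2024, 1, 15, 3, 20, tzinfo=timezone.utc)
    results = [
        acl.request_access("dr_adams", "patient_001", now=t),
        acl.request_access("dr_baker", "patient_001", now=t),
        acl.request_access("dr_baker", "patient_001",
                           reason="Unconscious ER arrival", now=t),
    ]
    return results, acl.break_glass_events()
```
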