Sunday, March 13, 2011

Healthcare Privacy - Why are patients afraid

There have been a few articles lately pointing out that surveys of patients indicate that patients are worried about the privacy of their data as doctors start to use EHR technology more often.

What Type of Impact Do U.S. Adults Believe EHRs Will Have on the Privacy of Health Data?

Forty percent of surveyed U.S. adults think that electronic health records will have a "somewhat negative" effect on the privacy of personal information and health data, while 20% believe EHRs will have a "somewhat positive" impact on the privacy of personal data, according to a new survey from CDW Healthcare.
My view is that the reason they get this answer is the way they ask the question, but more specifically that everyone fears the unknown. There is very little evidence that the move to EHR will result in more privacy violations. YES, there is some evidence, and when it happens it is usually large numbers of patients that have been violated or very specific high-value patients. But these kinds of things happen, and is it really made worse by EHR or even HIE? I think it is, but I don't think that is the problem.

Here is a good skeptic post on HISTalk:
From Tobias: “Re: privacy and security. Local and state legislatures are afraid of HIEs and other electronic data because they perceive that because data is electronic, it will be easier to hack. I’m curious if you have any data or can use your network to find any that speaks to this.”

There is good reason for patients to worry. With financial breaches, the bank is compelled to limit the damages. This is offset by the banks through technology that makes revocation of credentials fast and effective, but also through managing the likelihood of the risk through the use of insurance. These same factors simply are useless in the case of health data. First, there are no equivalent regulations on those that do the breaching to make the breached individual whole; yes, there are some weak regulations, and I am happy that HHS is posting the big offenders. Second, there is no way to revoke the health information. Health information consists of facts (or observations) made about the patient. These facts can't be revoked. So, there is not really any way to fix the problem after the fact.

There are actually some really important Privacy factors that can only happen with EHR use. These are the Privacy factors of patients' Access to their health data and of providing their preferences. These could be done in the paper world, but they are so expensive there that I will assert that these will only happen as we move to an EHR.

There is also simply too much FUD (Fear, Uncertainty and Doubt). Much of this FUD is based on true and realistic concerns. I am just worried that we are being overly concerned, without a track record of true harm. I am not saying that we should let things happen so that we can observe privacy violations in the wild. I am simply saying that, naturally, the patients who participate with EHR, PHR, and HIE are those that can see a benefit that THEY see as more helpful than the RISK. Those that are not convinced should be allowed to not participate, or be flagged as being very concerned.

For example: Army Mental Health Providers Not Entering Data Into EHR System