Thursday, May 10, 2007

The Privacy of Medical Records (2)

Part 2.

The basic solutions that are being proposed are, first, to require record makers and keepers to implement a set of technical steps to protect the security of medical records and, second, to impose penalties on makers and keepers of records who release them for unauthorized or inappropriate purposes. Technical steps being touted include unique patient and access identifiers; "audit trails," which are electronic methods of detecting and recording the identities of anyone who accesses a record; encryption of external transmissions of record information; appointment of internal information security officers with responsibility to police record-keeping practices; and "firewalls," which are electronic barriers that isolate records systems from unauthorized access or penetration.
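To make the "audit trail" idea above concrete, here is an added example that is not part of the original post: a small records store in Python in which every read attempt, allowed or not, is written to an append-only log with a unique access identifier and the requester's identity, and in which a few review queries show what the log is for. The care-team access rule, the "break-glass" emergency rule, and all user names, patient ids and record text are assumptions constructed for the example.

```python
# Added example (not from the original post): a minimal audit trail for a
# medical-records store. Every read attempt, allowed or not, is recorded with
# the accessor's identity, a unique access identifier and a stated purpose.
# Names, patient ids and record text are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timezone
import uuid


@dataclass(frozen=True)
class AuditEntry:
    access_id: str    # unique identifier for this single access event
    timestamp: str    # ISO-8601, UTC
    user_id: str      # who attempted the access
    patient_id: str   # whose record was requested
    purpose: str      # caller's stated reason (treatment, billing, emergency ...)
    allowed: bool     # whether the record was actually released
    flagged: bool     # released outside the care team; needs human review


class RecordStore:
    """Holds records, the care team entitled to each one, and the audit log."""

    def __init__(self):
        self._records = {}    # patient_id -> record text
        self._care_team = {}  # patient_id -> set of user_ids
        self.audit_log = []   # append-only; never cleared by callers

    def add_record(self, patient_id, text, care_team):
        self._records[patient_id] = text
        self._care_team[patient_id] = set(care_team)

    def read(self, user_id, patient_id, purpose):
        """Return the record or None; always write an audit entry first."""
        on_team = user_id in self._care_team.get(patient_id, set())
        # "Break-glass" rule (an assumption of this example): an emergency
        # read by someone outside the care team is allowed but flagged.
        emergency = purpose == "emergency" and patient_id in self._records
        allowed = on_team or emergency
        flagged = allowed and not on_team
        self.audit_log.append(AuditEntry(
            access_id=uuid.uuid4().hex,
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user_id, patient_id=patient_id, purpose=purpose,
            allowed=allowed, flagged=flagged))
        return self._records[patient_id] if allowed else None


def denied_attempts(log):
    """Accesses that were refused: the first place to look for probing."""
    return [e for e in log if not e.allowed]


def flagged_for_review(log):
    """Releases that went outside the care team and must be justified."""
    return [e for e in log if e.flagged]


def patients_seen_by(log, user_id):
    """Distinct patients a user actually read; unusually large sets merit review."""
    return sorted({e.patient_id for e in log if e.user_id == user_id and e.allowed})


def build_sample_store():
    """Constructed sample data: two patients, small care teams."""
    store = RecordStore()
    store.add_record("P001", "P001: asthma, on inhaled steroid", ["dr_lee", "rn_park"])
    store.add_record("P002", "P002: post-op knee, physio referral", ["dr_lee"])
    return store


if __name__ == "__main__":
    store = build_sample_store()
    store.read("dr_lee", "P001", "treatment")     # on care team: released
    store.read("clerk_07", "P001", "curiosity")   # not on team: denied, still logged
    store.read("dr_kim", "P002", "emergency")     # break-glass: released, flagged
    for entry in store.audit_log:
        print(entry)
    print("denied:", len(denied_attempts(store.audit_log)))
    print("flagged:", [e.user_id for e in flagged_for_review(store.audit_log)])
```

The point worth noticing is that the denied attempt and the flagged emergency read both land in the log; an audit trail that only recorded successful, in-policy reads would tell a security officer nothing about who is probing the system or about releases that need after-the-fact justification.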

The Issues
The problem is that these techniques are expensive and no one is sure how well they work. I received a glimpse of how unrealistic these solutions might be at a meeting on medical records privacy I attended as a member of a joint working group of the Joint Commission on the Accreditation of Healthcare Organizations ("JCAHO") and the National Committee for Quality Assurance ("NCQA"), the organization that accredits managed care organizations. One member of the working group, the person in charge of medical records at a large managed care plan, pointed out that neither she nor anyone else in her organization knew what records existed or where they were! She suspected that this was likely to be true of most managed care plans and provider organizations. Moreover, she explained that the greatest single threat to the privacy of medical records was post-it notes: people jotted down their passwords and pasted them on or near their computers. The more passwords, personal identifiers and other electronic steps a person had to take to access records, the more these little reminders would be necessary, rendering the fancy security techniques ineffective.

Some of the other issues that are being debated by policy-makers include:

  • Whether to require patient enrollees to authorize each release of medical records or only to require them to give a blanket release, say upon enrollment. Advocates of blanket releases argue that requiring a signed authorization for every record release would be burdensome and most patients don't care. Proponents of individual authorization respond that this is necessary to alert patients that their records are being disclosed so they can take steps to prevent inappropriate disclosures.
  • Whether to establish uniform standards or minimum standards. Managed care organizations and other record makers and keepers like uniform standards because they tell them clearly what they have to do. Some patient advocates propose minimum standards to enable plans to compete for enrollees on the basis of how well they maintain privacy: plans that adopted more stringent security measures could publicize this fact to potential enrollees who have a choice of plan.
  • Whether to enact a federal law that pre-empts stricter state laws. A uniform law would facilitate interstate business by allowing a managed care plan to comply with one standard nation-wide. But some patient advocates urge that states be allowed to adopt more stringent security requirements, if only to permit experimentation to see what works best at protecting privacy.
  • How much control to give patients over what goes in and what stays in their medical records. Most privacy proposals would give patients the right to correct inaccuracies in their records but not to delete material. Some patient advocates argue that patients should have the right to block the entry or remove information that they fear would stigmatize them or lead to insurance or employment discrimination. Health care professionals are concerned that incomplete records could interfere with proper medical management. Patient advocates respond that, so long as the incomplete records are marked as such, patients should be permitted to weigh the risks of stigma or discrimination against the risks of a reduced quality of care.

There is almost certainly going to be federal legislation on medical record privacy. But this will not end the debate. Accreditation organizations such as the JCAHO and the NCQA will establish their own standards; managed care plans and provider organizations will adopt their own internal policies and procedures. Meanwhile, the science of electronic records and their security will develop, presenting new options and challenges. Stand by for further reports.

Maxwell J. Mehlman, J.D.