Prying eyes

In a previous issue, I related a conversation I had with a patient about the electronic medical record (EMR) and described to her the problems of poor documentation and up-coding. My conversation with my patient continued, as I told her about the legal intrusions of her privacy made possible or made easier with the EMR.

The government, in 1996, passed into law the Health Insurance Portability and Accountability Act (HIPAA), an act intended to strengthen privacy for healthcare, among other goals. But, when the final rule mandated by that law took effect in 2003, privacy was the last thing patients gained.

This very complicated HIPAA rule allowed access to your patient-identifiable medical record by a staggering number of organizations, individuals, and the government without your consent. Such organizations include your insurance company and outside vendors hired by your insurance company, your employer under a self-insured plan, some marketers (you see your pediatrician and get a mailing advertising diapers), organ donor groups, and others.

I related how the government has even more authority to see your record. The government needs no consent for quality, regulatory and compliance auditing, public health, and fraud and abuse investigations. The police can see your record without a court order if they have any suspicion you may be involved in domestic or child abuse. Exemptions to your consent apply to workers' comp, national security, the military, and some judicial proceedings.

Even mental health records, the most sensitive information about you, can be legally disclosed without your consent in some circumstances.

Minor revisions to this rule in 2008 notwithstanding, these far-reaching but legal violations of your medical privacy mocks the Oath of Hippocrates in which I pledged to "keep to myself" confidential patient information. Most people know nothing of these legal intrusions into their medical records. The Fourth Amendment prevents the government from searching your house or person without a warrant, but the government needs no warrant and requires no permission from you to access your most private information.

Then I told her about the dark side of the EMR that makes a computer terminal and a password all that is needed for the curious to snoop. (A California hospital fired employees for accessing the records of a celebrity and selling the information to a tabloid.) Hackers and lost laptops are always a threat.

Most troubling, the government wants all EMRs to share your data across all platforms. (Minnesota has a bill before the legislature right now that would mandate patient information be shared across all EMR systems in Minnesota.) This goal of the government to share your private medical data nationwide means doctors in Florida could access your records from Minnesota. You would have to trust every medical professional and medical organization in the country to keep your record private. That's a lot of trust. And, conceivably, your entire record could end up on the internet.

By now she was frightened and angry as I continued.

If an error is logged into your electronic record, it can take on a life of its own as it is spread from place to place at internet speed. I've had patients complain to me about the consistent errors in their chart that show up each visit in spite of attempted corrections. Such errors cause patients and doctors to lose faith in the accuracy of the records.

Part of the foundation on which good medical care is based is the trust patients have in their doctor to keep their most intimate medical information safe from prying eyes, the trust patients have in the accuracy of their records, and the special, trusting bond formed between patient and doctor. The EMR undermines trust. -For a more thorough treatment of this topic, go to Citizens' Council on Health Care, www.cchconline.org.