Government News
Patients Must Have Control Over Records, APA Says
Psychiatric News
Volume 42 Number 10 page 13-55

Patients must have the authority to restrict clinicians' access to information in their electronic medical records if the medical community expects patients to accept and provide full information to such digital data depositories.

APA recently endorsed the inclusion of data blocking by patients—despite the risk that needed information might be kept from physicians—in the coming National Health Information Network (NHIN) in testimony before a Department of Health and Human Services (HHS) panel considering guidelines for digital health records.

The federally funded NHIN will aim to make patient health information electronically available at any location that a patient goes for health care. The network is expected to help physicians provide better care and avoid ordering duplicate services and lab tests.

Psychiatrist Robert Kolodner, M.D., national coordinator for health information technology in the Department of Health and Human Services, is overseeing the approval of several contracts that will help develop the NHIN (see "Psychiatrist Appointed To Top HIT Post").

"Although some individuals have expressed concerns that patient restrictions on information access may hamper care by impeding knowledge of key medical information, the opposite may actually be true," said Zebulon Taintor, M.D., vice chair of the Department of Psychiatry at New York University. "Patients may feel more comfortable sharing personally sensitive information with physicians if such access controls are in place."

Taintor testified on behalf of APA at a hearing last month held by HHS's National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality. He is a member of the APA Committee on Electronic Health Records.

In addition to concerns raised by APA and others, the use of health information technology (HIT) in general and electronic health records (EHRs) in particular face many obstacles to broader adoption, including the cost and complexity for physicians. The panel's hearing was focused, in part, on plans to establish the NHIN to digitize patient records and modernize the health care system.

APA supports patient control of specific elements of their EHRs, including control of access to the EHR or personal health record (PHR), Taintor said.

The need for such patient controls was made clear by a growing body of research that found a significant number of patients were already withholding information due to concerns about who can access it. A Harris Interactive poll in March found that 17 percent of patients withheld information from their health care professionals because of worries the information might be disclosed.

"These rates are likely to be even greater if information exchange is electronically enabled," Taintor said.

On a practical level, research indicates that medical information remains vulnerable. A 2006 Government Accountability Office report concluded that medical and financial privacy for Medicare, Medicaid, and other federal health program enrollees is vulnerable to fraud and abuse.

Patient concerns about the release of medical information and the danger inherent in the release of this information—accidentally or otherwise—are particularly important to psychiatry, due to the societal stigma and heightened confidentiality concerns that come with mental health and substance abuse treatment.

Such a patient-controlled system also could include special provisions giving physicians access to all areas of a patient's record "under emergency conditions," that is, when rapid access to information is essential and the patient is unable to give consent. This type of feature would allow increased access to patient information, even within a design that gives patients control of access to EHRs.

Other testifying physician groups also called for emergency access provisions to patient-blocked EHR data if it is necessary to protect" the patient and society from the harm that could be reasonably expected to occur if critical data were not disclosed."

Such protections would allow patients to benefit from the advantages of an EHR, including the ability of all treating physicians to have access to their complete medical record.

"Currently, health records are often limited to a single practice in a single specialty, providing only a slice of a patient's medical history.. .potentially missing information from other treating physicians that may be relevant to the diagnostic or treatment process," said Robert J. Flagnant, M.D., who testified for the American College of Obstetricians and Gynecologists.


Although EHRs introduce new risks to patient privacy, Taintor said, a properly implemented system could provide more protection than possible with paper records, such as an audit trail of who has viewed the record.

"Indeed, the ease with which data in electronic form can be disseminated makes such control essential," he said.

Additionally, EHR access logs should include detailed information, such as the role of the person who accessed the information and the reason for the access, to be meaningful to the patient.

Taintor called for so-called granular sharing that would limit access to an individual's record for people other than clinicians, including insurance companies, family members, and administrative support staff. This type of access would better protect patient privacy and maintain physician-patient trust than "all-or-none" record-access proposals.

Patient access controls were not universally supported at the hearing. Michael Zaroukian, M.D., Ph.D., a representative of the American College of Physicians, testified in support of patient privacy controls for "mental health therapy notes" but not for information such as prescriptions and allergies.

"The absence of such information—or even delayed access—could result in otherwise avoidable patient harm," he said.

Brian Keaton, M.D., president of the American College of Emergency Physicians, said his organization supported the right of patients to withhold information in EHRs but requested that guidelines require the record to state that the information it contains is incomplete.


The success of a patient privacy protection system for EHRs will ultimately depend on the use of "tough enforcement mechanisms" to ensure that breaches are few and privacy violators are punished.

"Apologizing and making improvements once data are lost is not a sufficient response," Taintor said. "Rather, existing privacy rules must be enforced, and all electronic storage or transfer of information must rigorously protect the privacy of patients' personal health information."

Strong privacy protections would allow the many advantages of a national HIT system to raise the overall quality of care provided to patients, increase patient safety, keep health professionals informed about the latest standards of care, and improve efficiency in communicating important health care information, according to Taintor.

Information on federal health information technology efforts is posted at <www.hhs.gov/healthit/onc/mission/>.

Interactive Graphics


Citing articles are presented as examples only. In non-demo SCM6 implementation, integration with CrossRef’s "Cited By" API will populate this tab (http://www.crossref.org/citedby.html).
Related Articles