Electronic Medical Records: Privacy Risks and Opportunities

You'll be hearing a lot more about electronic medical records in the next few years, but should add your voice now to the discussion to ensure that they are properly implemented so that your privacy is respected.

You'll be hearing a lot more about electronic medical records ("EMRs") in the next few years, but you should add your voice to the discussion now to ensure that they are implemented in a way that respects your privacy. At present, there are serious, unanswered questions about whether such records will be maintained accurately and securely.

Under legislation enacted last year, the federal government is paying doctors to implement EMR systems that provide for "meaningful use" of such records. The Department of Health and Human Services has just issued extensive regulations specifying what capabilities a system must have in order to qualify for reimbursement. Those regulations appropriately spell out the clinical capabilities being sought. They are summarized in "The 'Meaningful Use' Regulation for Electronic Health Records," an article in the July 13, 2010 New England Journal of Medicine by Dr. David Blumenthal, the administration's point man for the initiative, and Marilyn Tavenner, RN.

The initiative promises to improve the quality and lower the cost of health care by making health information far easier to analyze and share. The problem is that in their zeal to expedite the adoption of EMRs, Dr. Blumenthal and the administration are giving short shrift to the security and accuracy of those records.

As an attorney who deals extensively with information technology contracting, I see how seriously the private sector takes the need to convert material to electronic form accurately and to prevent its improper destruction or theft. The technical measures are well established: encryption, which scrambles data so that it is meaningless to anyone who obtains it without the key (and which is therefore only as good as the protection of that key); firewalls; and intrusion detection systems. All of these are customary in the private sector. The credit card industry has its own standard for securing sensitive data, the PCI Data Security Standard, which merchants accepting cards are required to follow. In a recent communication, Blue Cross of IL states that it will encrypt any data furnished to policyholders on portable media. While these techniques are not perfect, breaches have been rare where mainstream practice was followed and common where it was not. It is equally obvious that records must be digitized accurately, which requires commercial-grade, not home-grade, scanning equipment and a process for checking the converted records against the originals.

No such attention is apparent in the government's action. The four-page NEJM article referenced above contains a commendable discussion of how practitioners should use EMRs to improve their work. However, it says nothing about accuracy, and its only mention of security is a single cryptic sentence, offered as the last consideration:

Finally, realizing that the privacy and security of EHR's [EMR's] are vital, the DHHS has been working hard to safeguard privacy and security by implementing new protections contained in the [enabling] legislation.

Another commentator, Deven McGraw of the Center for Democracy and Technology, observes that security is largely ignored in the regulations:

Unfortunately, using the meaningful use objectives to achieve significant advances in privacy and security appears to be off the table. Maintaining patient privacy and data security remain stated goals of meaningful use, but nothing is required to achieve this goal beyond the mandatory security risk assessment and response. CMS rejected recommendations from the Health IT Policy Committee to make compliance with state and federal privacy and security laws a meaningful use requirement,...

This is not surprising. When I sought to communicate technical suggestions to Dr. Blumenthal and to volunteer for advisory panels, the only response was a terse "Thank you." Similar responses came from the pertinent members of Congress (through their staffs). It is difficult to see how the public can be confident that their records will be handled properly when no one will explain the steps being taken to make that so.

It was not comforting to read the recent comments in the WSJ of Mary Grealy, President of the Health Care Leadership Council. In response to privacy concerns, she explained that the standards will "strongly encourage" the use of encryption. Consider the sort of compliance that would result if the Internal Revenue Code "strongly encouraged" the payment of income taxes.

Adding to the concern, none other than Sam's Club has announced its own turnkey EMR solution for physicians, in collaboration with traditional technology vendors. There is much to be said for Sam's Club (efficient operations, low prices, large selections), but it is not a recognized technology vendor or an information security specialist. This is one area where low price should not be the deciding factor, any more than it should be for any other piece of medical equipment. The task is far better left to the many large and small vendors who specialize in it.

The Administration needs to make a public commitment, and a high priority, of using only state-of-the-art technology and practices that maximize accuracy and minimize security risk, and, to the extent consistent with good security practice, to promptly explain to the public its approach and the persons or firms it is relying on. Those who use medical services need to communicate their concerns on this point to their elected officials.