As physicians and hospitals increasingly move away from physical record-keeping to electronic health record (EHR) systems, the push and pull between the need for healthcare privacy/security on one hand, and the necessity of sharing healthcare information on the other, continues to grow as well. One example of how this problem plays out is that moving sensitive healthcare information to the cloud makes it easier to share and access patient information, but it also makes it more complicated to protect that information. The recent Ebola scare in the United States also highlights this dichotomy.
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare providers to protect a patient’s health information, but HIPAA violations have been on the rise, and the intense media interest in hot stories like Ebola in the U.S. makes it even more difficult for hospitals to comply with HIPAA. Even apart from the privacy violations resulting from hackers targeting healthcare data, a high-profile case makes it more likely that curious or mercenary employees at a hospital may try to obtain a patient’s records. A hospital in Nebraska recently fired two employees who violated an Ebola patient’s privacy by inappropriately accessing his medical file.
The right to privacy is perhaps especially important when it comes to something like Ebola, a communicable disease that causes a lot of fear because of its lethality. In addition to the potential direct danger to patients from having their personal information leaked, there may be a greater public health risk from possibly infected patients being reluctant to present themselves for testing because of the threat of being exposed as an Ebola victim to the world.
On the other side of the coin, there are multiple arguments in support of making it easier to share healthcare information, even though sharing of information by its very nature poses a risk to privacy. For example, there are those who argue that the open sharing of the massive quantities of healthcare data that have been collected since the arrival of EHRs is critical for future advancements in medicine that rely heavily on population-level data. Some also argue that the public’s right to be informed of communicable diseases trumps an individual’s right to privacy; members of the public should be allowed to protect themselves, and perhaps more importantly, making the public feel like they are receiving accurate and complete information is crucial to maintaining public trust and confidence, and preventing panic. One of the main complaints with EHRs currently is the lack of interoperability between practices and the decrease in productivity.
It is also critical for a patient’s information to be easily accessible to all the medical professionals caring for that patient. The case of Thomas Eric Duncan, the first patient diagnosed with Ebola in the U.S., clearly illustrates this. Duncan reportedly informed his nurse that he had been in Liberia prior to his arrival in this country, a vital piece of information that the nurse entered into Duncan’s record. However, a misdiagnosis resulted in Duncan being released the following morning. Although it is not entirely clear why the misdiagnosis happened, Texas Health Resources, the hospital system which treated Duncan, initially seemed to blame a flaw in their electronic health record system that caused Duncan’s travel history to not appear in the physician’s standard workflow even though the nurse had entered the information. Texas Health Resources later retracted their statement, saying there was no such flaw. Some have hypothesized that the problem wasn’t a flaw within the EHR system but rather an error in how the system was set up by the hospital and/or used by the healthcare providers. Regardless of who or what was actually at fault in this particular case, at least one study suggests that there is a pattern of medical errors caused or aggravated either by flaws in EHR systems or by healthcare providers who were not using the EHR platforms correctly.
Of course, there is no inherent HIPAA/privacy concern in merely making a patient’s medical file more accessible to the medical team treating that particular patient. However, some argue that electronic health record systems are already too easily accessible to staff members who are not responsible for a patient’s care, leading to HIPAA breaches such as the previously mentioned Nebraska case and other cases involving well-known individuals.
Going forward, vendors of EHR systems and the healthcare providers who use them must make it a priority to maintain a solid security framework to protect patient data, not only from hackers but from employees who may be trying to access the information inappropriately. At the same time, it is equally important that EHR systems become better able to share information with each other and become easier to use for healthcare providers, both to increase productivity and to decrease medical errors.