Privacy, Confidentiality, and Security Concerns Over Electronic Health Records

Privacy, confidentiality, and security have always been a concern whenever electronic transmission of patients data are involved The definition of privacy was explicitly explained by Justices of the Supreme Court Warren and Brandeis (1890) as the “right to be let alone,” entailing that the “the foundation of individual freedom in modern age is the protection of the private realm.”  In addition, both believed that the privacy law must evolve in order to keep up with technological change (Harman, Flite, & Bond, 2012). 

With the evolution of electronic health records, people’s private medical history must also be protected and be treated as confidential. However, this notion of confidentiality is not absolute since the information is shared not only with physicians but also among others.  According to the American Health Information Management Association (AHIMA), patients for the most part are unaware of whoever is accessing their medical record.  During a typical hospital stay, a patient’s record will be accessed at an average of about 150 times.  And although the people that have access to a patient medical record are authorized, what they do with the information they see no one knows because there are no laws governing who these people are (Steward, 2005).

There is a reason for people to be concerned of EHRs because it is a common knowledge that even the most secured electronic data system can be hacked, manipulated or even destroyed.  It would mean that anyone’s medical record can be copied, cut, pasted, altered and can be shown to the world via Internet. Patients afflicted with serious illnesses, non-whites and other ethnic minorities have been studied to be very fearful of their medical record getting breached. A 2005 California Healthcare Foundation survey cited by Terry and Francis (2007) reinforces that fear. According to the study, 67% of the people in the United States are worried about their health care record getting breached. The same study revealed that 73% of non-whites and other ethnic minorities are even more worried. This fear causes behaviors such as withholding information from their primary care physicians, providing inaccurate health history, bribing providers to keep their medical history out of insurance records, and even to the extent of not willing to get medical care altogether. Half of people surveyed in the same study indicated their fear of divulging any information that will compromise their current job or future employment (Terry and Francis, 2007).

The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) mandate the establishment of information security.  A full security measure that includes placement of firewalls, antivirus, and intrusion detection software must be in placed to preserve the integrity of the system.  Perhaps the most important security measure that must be adopted by the medical community is the installation of an audit trail system. An audit trail is a monitoring system that keeps track of activities relating to a patient’s medical record. However, it could not prevent unintentional access or disclosure of information –   it could only warn people not to do anything foolish (Harman, Flite, & Bond, 2012).

The HIPAA security rule mandates audit trails for all organizations qualifying for the “meaningful use of EHRs,” which means keeping and maintaining an audit log for six-years.  The meaningful use of EHRs is a government incentive program that provides funding to those organizations that could not afford EHRs.  An audit trail checks on the credentials of the end user before they can access the medical record. It also generates the date and time the record was accessed, by whom, how long, what was viewed, and log of any modifications.  The people in-charge of the monitoring can pinpoint what computer was used to submit request for print outs, the number of screen shots taken, and if the user is actually accessing the record of his or her own patient (Harman, Flite, & Bond, 2012; Steward, 2005).

 

Cesar Aquino is a Cytotechnoloist with an MBA in Healthcare Management and currently a PhD Candidate in Healthcare Administration.