A balancing act: Consumer control and EHR security

One of the reasons consumers were opposed to electronic health records (EHR) systems when they were first introduced to the public was privacy.

Consumers wanted assurances as to who could access their data. It’s a reasonable worry—there is nothing more personal than one’s health and body. The Health Insurance Portability and Accountability Act (HIPAA) addresses such concerns from a legal perspective, putting the responsibility for protecting patients’ information on providers, while at the same time giving consumers control.

Perspective

EHR systems are designed to make sharing information easier, and while most patients would agree that collaboration among healthcare providers is a good thing, the idea that it is easy to share their personal health information (PHI) may be uncomfortable. Thus, consumer control and security are closely related.

The question of privacy is complex for consumers. While a patient may be perfectly willing to disclose information in a conversation with a healthcare provider in a conversation, the same patient may be more hesitant if he or she knows their disclosure will be digitized and included in an EHR.¹ However, there is little doubt that a patient who has been diagnosed with osteoarthritis would like for her DC and rheumatologist to communicate.

Patients are also generally in favor of anything that streamlines their visits to the office. Since the goal is a better patient outcome, there is no doubt that EHRs benefit patients, even if those benefits are less obvious from a patient perspective.

Access

HIPAA clearly gives patients certain rights as to who may access data. In fact, one of the principles of the privacy rule is the individual choice principle, which states, “Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.”²

There are some exceptions to this rule. For instance, information may be collected by specific entities charged with protecting the public health.

Responsibility

Most Americans recall specific instances of HIPAA security breaches, such as patient records being left in dumpsters or laptops with PHI stored on them begin stolen. One of the most important considerations when it comes to choosing an EHR for a HIPAA-covered entity, including a chiropractic practice, is security. When it comes to PHI, consumers have control but healthcare providers have responsibility.

Since practitioners bear the burden of protecting patients’ PHI, it is important to keep security in mind when it comes to EHR software. Choosing a program that appears on the Certified Health IT Product List (CHPL) is one way to safeguard your practice. The products on the CHPL have undergone rigorous testing and been found to have appropriate security measures in place.

The balance between patient choice and provider responsibility when it comes to personal data can be difficult to maintain. However, a clear understanding of HIPAA regulations coupled with a strong EHR vendor can help DCs remain within the boundaries of the law while providing patients with options regarding their PHI.

References

¹ Agarwal R, Anderson C. The Digitization of Healthcare: Boundary Risks, Emotion, and Consumer Willingness to Disclose Personal Health Information. Information Systems Research. 2011:22(3);469–490.

² Office for Civil Rights. “Individual Choice.” U.S. Department of Health & Human Services. http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/individualchoice.pdf. Accessed April 2015.