Privacy and Security Issues in Electronic Patient Record Keeping


Privacy and security are important limitations when it comes to electronic health and medical records (EMRs) and PHRs (personal health records). You may have already reviewed the hurdles created by the local nature of EMRs and their lack of standardization. Additional problems exist with security and privacy of these records.

Security Questions for EMRs

Security is potentially a major problem. There may be no system in the world that can't be hacked, including EMRs or PHRs. Think back over the past few years to the losses of credit card records at large retail chains or the Veterans' Administration loss of its patients' records. Despite tight security on these systems, data was lost or accessed by others who should not have had access.

When it comes to EMRs, patients have little say in their participation; therefore, even if they have concerns about their records being a part of an EMR, there is almost nothing they can do about it.

With PHRs, however, patients have much more ability to control content and access. Because these records are developed by a patient for himself, the patient also determines who has access, and how that access is made.

Privacy Questions and HIPAA

Privacy is a similar concern. HIPAA, the Health Information Portability Accountability Act, a federal law, determines how health information may be shared electronically.

This provides good opportunities for sharing the information, but it also creates roadblocks when someone other than you, the patient, wants to access your records. That's good if the person wanting access isn't allowed to get those records. It can be a major problem if a loved one or a healthcare proxy wants access. Confusion about the HIPAA laws themselves and how they need to be implemented is rampant throughout doctors' offices and healthcare facilities across the country.

One other privacy concern for EMRs is that, with most of the applications being used by health systems, doctors' offices, hospitals, and other facilities, a patient's records are kept in a format on computer servers that are owned by another company, and not by that hospital or doctor's office itself. That third party probably falls under the HIPAA HITECH Act of 2009 and the Omnibus Rule of 2013 and must use the same protections, but it is one more system that could be vulnerable to breach.

Privacy Questions for PHRs

Personal Health Records (PHRs) raise their own privacy questions. Some patients have developed PHRs on websites that provide applications for such a purpose. Some of the websites offering PHRs, mostly the ones that offer storage space for free, are not concerned with privacy. They may sell the data to other companies or advertise on the same page as the content uploaded by the patient.

Other websites claim they will keep information private but may claim other rights such as data-mining, the selling of patient information in bulk. As an empowered patient, if you want to keep your records online yourself, be clearly aware of privacy issues as they relate to the information you upload. Check the terms of service to learn what that website may do with your information.

These particular privacy questions are not a concern for records kept on a local/home computer or a personal (thumb) drive. Privacy of your information on these types of systems will be more at the mercy of how you handle them and less at risk from hackers or other violators. For example, if your thumb drive is attached to your keychain, and you lose your keys, your personal health information could be at risk. Or, if you sell your computer without completely erasing the hard drive, then the person who purchases your computer may be able to gain access.

A wise patient understands the privacy and security issues of keeping health and medical records in a digital format and plans accordingly for their use.
