Should we worry about physician privacy in the EHR era?

As we move to electronic health records (EHR), the debates over security and privacy are becoming more frequent and more poignant.

We of course have HIPAA laws on the books and Office of the National Coordinator for Health Information Technology (ONC) has a Tiger team assembled to recommend privacy and security policies to Secretary Sebelius.

CIOs and entire IT departments are all focused on protecting the privacy of patients and their Personal Health Information (PHI). This is, of course, as it should be, but how about privacy of those taking care of patients? Do physicians have a right to privacy too?

As EHRs become more prevalent and interconnected, increasing amounts of clinical and administrative data will be flowing out of doctors’ offices and into the great beyond. Most of this data is indeed patient data, but some of it could be combined, sliced and diced to derive pretty extensive information about doctors. For example, and in no particular order:

1. Prescribing patterns. Prescription data has been collected and sold to pharmaceutical companies for decades. EHRs will make this much easier to accomplish and the data will become richer and more granular, since it will contain the exact nature of the visit where a particular drug was prescribed or discontinued, including physician notes on the subject. Of course, such information finding its way to public websites would present a novel difficulty if, say, we can look up Dr. X and see that she wrote 30 prescriptions for contraceptives last month, half of which were for girls under 16 years of age.

2. In the interest of informing patients on physicians’ expertise, a company may decide to publish names and frequencies of procedures performed by physicians. In addition to the fact that the raw number of performed procedures is not indicative of proficiency if not accompanied by outcomes data which is almost impossible to obtain, our beleaguered Dr. X may find a web listing of the number of abortions she performed on teenage girls right next to her name and home address.

3. Administrative data can provide average times spent with patients, with no differentiation between the 5 minutes required for allergy meds renewal and the half hour you spent with elderly complex patients. Schedule data can also be manipulated to deduce when you take vacations. Is anybody watching your house while you’re enjoying those exquisite Hawaiian sunsets?

4. Of course the call for greater transparency will create numerous websites trying to provide patients with a Consumer Reports style rating of doctors. Quality measures similar, or identical, to the ones submitted to CMS will come in very handy. If you report that only 20% of your patients have an acceptable Hb1Ac level and I am a diabetic looking for a good doctor, I’d probably pick one with better “outcomes”. The fact that most of your patients are underserved, poor and even homeless and you are pretty much a saint is not evident in your outcomes. Sorry.

5. EHR progress note data can indicate how thorough you are. If you routinely document only a handful of Exam and Histories elements, maybe I should find a doctor that takes more time and is more thorough, or one who has an EHR that documents all negatives by exception, whether he looked at it or not. There will be very few patients savvy enough to know the difference.

6. Here is a more interesting possibility. By examining your SOAP notes, computers can figure out your decision making patterns. These patterns can be cross aggregated and will make for very interesting research. However, these patterns, once established, could also become admissible evidence in a court of law.

As data becomes richer and more liquid, more possibilities to monetize physician data will emerge, just like monetization of patient data will become rampant. Fortunately, patient privacy is central to all new standards and policies being created by the Government.

By contrast, physician privacy is not even an afterthought. While physicians have always been morally and legally obligated to protect their patients’ privacy, perhaps the time has come to also consider the doctor’s privacy in this brave new digital world.

Margalit Gur-Arie is a partner at EHR pathway, LLC and Gross Technologies, Inc. She blogs at On Healthcare Technology.

Submit a guest post and be heard.

View 11 Comments >

Most Popular