Should we worry about physician privacy in the EHR era?

As we move to electronic health records (EHR), the debates over security and privacy are becoming more frequent and more poignant.

We of course have HIPAA laws on the books, and the Office of the National Coordinator for Health Information Technology (ONC) has a Tiger team assembled to recommend privacy and security policies to Secretary Sebelius.

CIOs and entire IT departments are all focused on protecting the privacy of patients and their Personal Health Information (PHI). This is, of course, as it should be, but what about the privacy of those taking care of patients? Do physicians have a right to privacy too?

As EHRs become more prevalent and interconnected, increasing amounts of clinical and administrative data will be flowing out of doctors’ offices and into the great beyond. Most of this data is indeed patient data, but some of it could be combined, sliced and diced to derive pretty extensive information about doctors. For example, and in no particular order:

1. Prescribing patterns. Prescription data has been collected and sold to pharmaceutical companies for decades. EHRs will make this much easier to accomplish and the data will become richer and more granular, since it will contain the exact nature of the visit where a particular drug was prescribed or discontinued, including physician notes on the subject. Of course, such information finding its way to public websites would present a novel difficulty if, say, we can look up Dr. X and see that she wrote 30 prescriptions for contraceptives last month, half of which were for girls under 16 years of age.

2. In the interest of informing patients on physicians’ expertise, a company may decide to publish names and frequencies of procedures performed by physicians. In addition to the fact that the raw number of performed procedures is not indicative of proficiency if not accompanied by outcomes data, which is almost impossible to obtain, our beleaguered Dr. X may find a web listing of the number of abortions she performed on teenage girls right next to her name and home address.

3. Administrative data can provide average times spent with patients, with no differentiation between the 5 minutes required for allergy meds renewal and the half hour you spent with elderly complex patients. Schedule data can also be manipulated to deduce when you take vacations. Is anybody watching your house while you’re enjoying those exquisite Hawaiian sunsets?

4. Of course the call for greater transparency will create numerous websites trying to provide patients with a Consumer Reports-style rating of doctors. Quality measures similar, or identical, to the ones submitted to CMS will come in very handy. If you report that only 20% of your patients have an acceptable HbA1c level and I am a diabetic looking for a good doctor, I’d probably pick one with better “outcomes”. The fact that most of your patients are underserved, poor and even homeless and you are pretty much a saint is not evident in your outcomes. Sorry.

5. EHR progress note data can indicate how thorough you are. If you routinely document only a handful of Exam and Histories elements, maybe I should find a doctor that takes more time and is more thorough, or one who has an EHR that documents all negatives by exception, whether he looked at it or not. There will be very few patients savvy enough to know the difference.

6. Here is a more interesting possibility. By examining your SOAP notes, computers can figure out your decision making patterns. These patterns can be cross aggregated and will make for very interesting research. However, these patterns, once established, could also become admissible evidence in a court of law.

As data becomes richer and more liquid, more possibilities to monetize physician data will emerge, just like monetization of patient data will become rampant. Fortunately, patient privacy is central to all new standards and policies being created by the Government.

By contrast, physician privacy is not even an afterthought. While physicians have always been morally and legally obligated to protect their patients’ privacy, perhaps the time has come to also consider the doctor’s privacy in this brave new digital world.

Margalit Gur-Arie is a partner at EHR pathway, LLC and Gross Technologies, Inc. She blogs at On Healthcare Technology.


  • stressedmd

    What a timely post…

    I’m certainly worried. Seems to me most physicians are like sheep, munching placidly whatever crumbs anyone will throw their way, going into the pen at night, never lifting their heads up to look at the big picture. Here’s a new and scary way to farm the sheep.


    >>“The new Sermo Client Center allows us to follow actual physician conversations and learn what’s important to them,” said Emily Downward, senior vice president of digital health at Edelman. “With the updates, we can set email alerts to track specific conversations, filter search results, and drill down into content most relevant to our clients’ brands.”<<

  • jsmith

    Going down the list
    1. Can be done already.
    2. Should be done for major procedures already.
    3. In the realm of paranoia.
    4. Already being done.
    5. Fine, go see another doctor (if you can find one).
    6. See #3 above.
    Not too scary to this doc at least. What really scares me is the waste of resources on all these EHRs when there is no credible evidence that they do any damn good for pt care.

    • Margalit Gur-Arie

      It’s not supposed to be scary. Most people are not scared of having their medical records become public, or being sold, because “they have nothing to hide”. The point is that Government has a duty to protect patient privacy. Maybe it should pay a little attention to physician privacy.

      How long do you think it will take current ambulance chasing law firms to go high tech and figure out that they can buy complete charts and scour them for malpractice events?

      • r watkins

        Seems like there’s a big collision between trial lawyers and EMRs that’s going to happen at some point.

        Our malpractice carrier is now advising primary care docs to add NOTHING from other physicians to their charts except letters addressed “Dear Dr. W.” No test results, no progress notes, no old records, etc. This is in response to the fact that “failure to coordinate care correctly” by PCPs is their number one growth area in liability cases. They are finding it very easy to convince juries that the PCP is partly liable for everything done by any other physician the patient sees. Trial lawyers love the PCMH model!

        How will this trend interact with EMRs that make everything available to everyone?

  • rjh

    The staff have privacy rights in Europe, unlike the US, where all the privacy laws are written in terms of personal privacy not patient privacy. So the situation there is quite different.

  • Leor

    I agree that most of the items in your list stem from paranoia. Consumer ratings for Dr’s already exist, albeit not on the level you describe, but it doesn’t take more than 2 or 3 patients who had a bad experience in your office (even due to the front end staff, and not you) to totally smear your name in the mud. This is the age we live in, EMR or not, people can mine plenty of data on you and your practice.

  • stressedmd

    I think when it comes to hi-tech and information, we all live in a state of denial, a fool’s paradise. Till we’re confronted by a rattlesnake. By then it’s too late.

    Still, it’s hard for me to understand the blasé attitude of other doctors here. Don’t you want to have some privacy? Don’t you care if someone is tracking every little move you make in the treatment room? Do you really want every little offhand remark you’ve ever made to be exposed to the whole world? Don’t you understand that your reputation can be ruined forever?

    Have you read this?

  • Marc Gorayeb, MD

    You know, paper charts really aren’t all that bad. I swear that paper templates combined with brief narratives satisfies my requirements and those of my patients; and it’s far more efficient than any speech recognition software hybridized to a Meditech monster.

  • Dr. Mary Johnson

    It’s not just about charts people.

    Risk managers these days are telling physicians/nurses that what they put on Facebook or blogs might come back to haunt them if they are ever named in a lawsuit.

    And, of course, our dear/departed Flea proved that.

    I had a dose of this a few years back – when an ambulance-chaser who had named me in a malpractice suit – Googled me and started to flex. Neither I, nor my attorney at the time, was particularly scared (I’m paraphrasing my lawyer talking back to said ambulance-chaser):

    “I’m certain that Dr. Johnson would LOVE to take the stand and discuss what she has endured for the horrible/awful sin of intervening to STOP malpractice in order to save another child’s life . . .

    . . . and I’m sure it would be SOOOOOOO helpful to your case.”

    The story is related in a post I did on our dear, departed Flea:

    OBTW, the malpractice case was dismissed.

  • stressedmd

    As I came to realize yesterday – Sermo, you know, that “safe secure doctor’s only lounge”, is worse than Facebook, because there’s no opt-out. You can never close your account. Ever.

    On Facebook you can control who sees what, and you can in fact de-activate your account so that no one can access it. If you really want to, you can remove the account permanently. Not so on Sermo.

    And Sermo now allows everyone and their dog to eavesdrop on you and follow all your posts, not to mention all the lawyers etc. who are doctors and are silent members. I feel this is a huge problem. As you could tell if you read my blog…

  • ljpmt

    I think it’s very short-sighted to assume we know how EMR documentation will be used in the future and not be worried about privacy. I’m also surprised there seems to be no interest in the quality of the reports themselves. The other day I was looking at an H&P in our EMR system and even the disclaimer at the bottom of the report (indicating that the report was generated in part using voice recognition software and every effort was made to prevent errors) was riddled with typos. That documentation may be suitable for providing care, but it reflects poorly on the provider who signs off on it. Who knows who will see it one day and under what circumstances it will be used. In a sense, the EMR has become a form of online publishing, only we don’t know who the target audience will be in the future.
