Why the days of medical privacy are over

I’m lucky, I work for one of the best hospitals in the country and I have access to the best medical care that our society has to offer. With one glitch, that is — when I access that care, my medical records are put into a system that can be viewed by thousands of people, some of whom include my bosses, co-workers, supervisees, neighbors, and even some of my patients.

I must be kidding, since that would be a HIPAA violation, but actually, I’m not. In our hospital electronic record, the only thing that prevents any clinician from looking at records is the trust that people will do the right thing and not indulge their curiosity, and the fear of repercussions. There is no before-the-fact hold on who can view a medical record. If one is caught, the culprit can be fired, but by that point, the information has been viewed. The precise mechanism that triggers an audit or flags a record for investigation remains a mystery, but I would contend that patients should have to authorize access to specific records, and they should be permitted to limit those records to specific health professionals within reason. Does the podiatrist really need to know the patient was treated for vaginismus?

Soon we will be adding outpatient psychiatry notes to the system and access comes with a provision that the health care provider must press through an extra screen to “break the glass.” Reportedly these views will be monitored more closely. In a way, this is good – it makes psychiatric conditions the same as any other medical conditions and perhaps this will help to destigmatize psychiatric disorders.

On the other hand, it’s still possible that other physicians give an inferior level of care to psychiatric patients, and that very personal information will be available as the psychiatric histories are quite detailed and may include reports of psychotic episodes, sexual abuse, prison stays, and suicide attempts. A patient may not want his dermatologist to know all that, much less a curious lover who happens to work for the hospital and has access to the system. It is not yet clear to me what protections are added by marking a document as “sensitive.” The new system even allows one clinician to access the schedule of any other physician in the hospital, even those in other departments, complete with the names of the patients that doctor is scheduled to see.

Electronic health records are reported to be a major advance in the delivery of better health care through improved communications, and instrumental in cost containment. They are so good, that the government pays doctors and hospitals to implement them, though we don’t yet know that EHRs either improve care or decrease cost. On the other hand, we value patient privacy, and HIPAA – used and abused — is an acronym that has come to stand for privacy rights. HIPAA is cited for why a doctor won’t give information about a sick relative, and HIPAA is often misused or ignored even if a patient has specifically given given permission to have their health care information shared – it’s become the default position that sometimes takes the form of laziness.

But when electronic health records exist in an organization , the patient may have no way to contain their information to those who provide treatment. While the public may not think about this, as an employee of a hospital, I do.

Information gained in hospital settings are now beginning to enter state databases, something few people — even doctors — are aware of. From there, other agencies can get your information, which is good if you show up in a coma in an emergency department, but not so great if you value your privacy. In Maryland, this system is called CRISP, for Chesapeake Regional Information System for our Patients, and everyone goes in automatically unless they specifically request an opt-out.

I did opt out, and I received a letter from the state telling me that I was endangering my health and that they would hold on to my information in case I changed my mind. Wait, I don’t want CRISP to have my information, but again, that’s not a possibility; Big Brother gets my records whether I like it or not, I’m only permitted to opt out of their release to other entities.

I’d like to see a physician at the wonderful hospital where I work, and to know that I can have a private conversation that can’t be accessed by curious bystanders, the state of Maryland, or perhaps even by my other physicians. I’ve asked others, many of whom get care at this facility, and I’ve collected a number of stories, none of which I can confirm are true. One friend says a nurse accessed information about an ill parent on her child’s little league team and shared it with the other parents on the sidelines, noting she could get in trouble. A patient was released from the hospital with a discharge summary that stated his medical episode came on while he was masturbating. Was that really necessary information for a permanent electronic record? Finally, I heard a story of a physician who accessed the medical records of his psychiatrist, and as a psychiatrist myself, I’d like to believe that my medical records would not be accessible to curious patients.

I’m not sure how large a concern this is. I don’t know of others who are complaining, and I’m not aware of any organized effort to retain privacy rights on medical records – treating them perhaps like bank account access where the patron plugs in a Personal Identification Number to allow access. When I’ve brought it up, I’ve been asked what I have to hide, why I think anyone would care about my records, and the response I get is generally dismissive. HIPAA, you know, so of course there is medical privacy and of course everyone at our institution is either above being curious or malicious, or at least is afraid of the consequences.

Even the compliance officer at our institution tried to reassure me that records are private, that different types of clinicians have different levels of access, but then admitted that they review accusations of breaches on a regular basis (she wouldn’t give me precise data on this) and there are employees who check their medical records daily to be certain no one is accessing them.

I’m not the most private of people; I have a strong social media presence and I’m quick to talk about whatever is on my mind, but somehow, I still think a patient should be able to speak with a physician in confidence. The HIPAA delusion aside, I believe the days of medical privacy are over.

Dinah Miller is a psychiatrist who blogs at Shrink Rap and co-author of Shrink Rap: Three Psychiatrists Explain Their Work.

Comments are moderated before they are published. Please read the comment policy.

  • Suzi Q 38

    I was told that whenever someone accesses my EMR, there is a record of this.
    I think that I am going to ask for that record of activity.

    It should be interesting.

  • Dinah

    There is a record, but you have to know to ask, and then figure out what to do with that information. For the most part, I don’t think health professionals are trolling records randomly curious about strangers.

  • Sonia D.

    Dinah, I would not doubt that health professionals are “snooping.” Though many value confidentiality, if they have access to such information, there are certainly people who are going to go through that information just to satisfy their curiosity. Not surprised that our medical privacy days are over. This article is quite discomforting, but a great read! Thank you for sharing!

  • Gary Levin

    KevinMD thank you for carrying this story and for Dr Miller’s assessment. Unfortunately it is all true. Recent disclosures by NSA, while not addressing health care specifically, it opens the door to how ‘lurkers’ are able to penetrate IT networks and storage at will. Akin to a ‘freeway’ with traffic anyone can enter and ‘drag off’ a vehicle. Instead of a ‘carjack let’s call it a packet jack.
    Readers can find several serious incidents of unintended ‘leaks’ of private information to unintended ‘innocent’ recipients. The recent ‘Samaritan Hospital” incident with the Troy Sherrif’s dejpartment and the Rennsaelar Correctional Facility

  • Anthony D

    True, If you can easily find information on your doctor using their NPI number to find where they practice or where they live, what else can be at risk?!

  • Dinah

    Is anyone else troubled by the fact that hospitals send your medical information to a state pipeline? Or that there is no before-the-fact barrier to keep curious coworkers/supervisees or the guys who is infatuated with you from looking at your medical records? Do we trust that fear of being caught in a HIPAA violation is enough of a safeguard? It’s so ironic in a world where they erase your name in the dentist’s waiting room for fear anyone will know you get your teeth cleaned.

    • Maura69

      Yes I am very troubled by that fact. A couple of years ago I had a “thunderclap” headache that was horrible so I went to the local ER. When I was brought into the examining room a doctor came in with some sheets of paper and asked me if I had taken this medicine. I looked at the sheet and was shocked that is was a DEA form with every single prescription that I had taken for the past two years. I had Breast cancer that metastasized to the bone and have several deformities of the spine that are incredibly painful and debilitating. I answered yes and he left the room. I told the nurse that I felt this was very demeaning and if he had questions he should have asked me before walking out. She proceeded to tell the doctor what I said and he pulled up my chart, (I have lived here for over 40 years). He then came in and proceeded to apologize and explain the problems with selling narcotics in our area and was naturally on alert. To make a long story he gave me medicine (inj) to take care of the pain and we have become very close friends after this incident. I feel that if there was a problem, check the charts/records of the patient first and then talk to the patient. What bothers me is how many other people are questioned because of the information that is not properly shared nor is it complete…luckily I was at a “home” area hospital instead of one where my complete record is not accessible…what problems would/could rise up…Not a comfortable situation!

  • EmilyAnon

    Where does the patient go to find out who has accessed their hospital medical records?

    • drdaviss

      Emily,

      • EmilyAnon

        Thanks, Dr. Daviss, I’ll check with my hospital medical records dept. I’m nosy about who’s been nosy with me. ;)

        • http://drdaviss.com/ Steve Daviss MD

          Sure. Keep it mind, inadvertent access happens all the time. Meant to click on one person, and move the mouse as you click… oops, wrong person. Good systems will look at how long the record was accessed. 5 seconds… probably a mistake. 5 minutes… and you opened multiple related files (not just made a cup of coffee for 5 min)… probably snoopy if you have no good reason for being in there.

          I have yet to hear from any patient who has looked at these access records and tried to determine which are legitimate accesses and which are not. I expect it won’t be easy. Walking us through such an exercise would be a great blog post.

  • Sarah95

    I hate electronic medical records. I no longer confide in my doctor at all, do not consider her a resource any longer because of the lack of privacy. It used to be that what I told her stayed within those four walls. Now my records are open to staff members of her office, the hospital that owns her office, ALL of the many other practices that hospital owns and–appallingly–staff at another hospital in another city with which the owning hospital has made an automatic deal to share my information.

    I wish I had a doctor, but I no longer do. I have a person with whom I share as little information as possible, with whom I now have to waste time negotiating what gets written down and who I can no longer trust, thanks to the system for which she works.

    And let’s not forget I’m mostly talking to the top of her head as she worships the God of Electronic Records on her laptop.

    She isn’t happy with all of this, either. She’s a really good person in a really bad system. I wish I could confide in her but the walls now have ears.

  • Sarah95

    PS: The fact that the many staff members who have access to my records are mostly way to busy to bother is small comfort. It only takes one.

  • Sarah95

    “it’s still possible that other physicians give an inferior level of care to
    psychiatric patients”

    Dinah, are you being overly polite to your medical colleagues when you say this? I hope so. I’d hate to think you are a psychiatrist who is somehow so naive as to not be aware of the horror stories most psych patients face once a doctor finds out they’re on psych meds or have any sort of psych history.

    The ER is a very dangerous place for any psych patient. God help you if you have a serious physical problem now that electronic records allow you no privacy.

    • meyati

      My son has been told that his spinal problems would go away if he didn’t have mental/emotional problems. He’s also been told that he wouldn’t have mental/emotional problems if he didn’t have a severe spinal injury. Note: He’s alive-some of his shipmates were killed or injured worse than he was in this military maritime accident. He’s a 150% VA disabled. My doctors are circumspect, as far as I can tell in what’s in my electronic medical records.

  • AKMaineIac

    Excellent article and I will share it on my my page and comment. I hope it promotes some discussion.