Certified electronic medical records threaten patient privacy

During my more than two decades as a physician I have always believed that a physician’s promise of confidentiality is a prerequisite to obtaining accurate information from a patient. With the enactment of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the rules which stipulate when a physician must disclose confidential medical information (protected health information, PHI) without the patient’s prior consent were codified into law.

In today’s medical world, and likely unbeknownst to many patients, physicians are legally obligated to disclose confidential medical information to third parties on a regular basis. Several times a week I am required to release medical information to a patient’s insurance company, pharmacy or a durable medical goods supply company for the purpose of claims verification, “quality” assessment or to assess the appropriateness of my orders. I am certain that my experience is not unique.

As a result of a recent ruling issued by the federal government, the list of persons/companies who may legally view a patient’s confidential medical information, without the patient’s prior consent, has just increased.

In 2010 the federal government’s Office of the National Coordinator for Health Information Technology (ONC) issued the regulations that incentivized physicians and hospitals to purchase a federally “certified” electronic medical record (EMR) program. The ONC authorized a few private companies, called ONC-Authorized Certification Bodies (ONC-ACBs), to perform the “certification” process and to ensure that a certified EMR meets all of the ONC’s technical requirements. Until now, the ONC-ACBs have conducted their evaluation of EMRs by remotely connecting to an EMR vendor’s office and evaluating the EMR’s functionality by examining the data in the chart of a dummy patient.

Recently, the ONC issued guidance stating that an ONC-ACB performing “in the field” surveillance of a certified EMR qualifies as a “health oversight agency” under the HIPAA Privacy Rule, so that an ONC-ACB employee is now allowed to see live, confidential medical information stored in a physician’s “certified” EMR while doing EMR “surveillance.” Neither the physician nor the ONC-ACB is required to obtain patient consent before an ONC-ACB employee looks at a patient’s medical records.

The ONC issued this guidance in the form of a question and answer:

#45 Question [12-13-045-1]
Is a health care provider permitted by the HIPAA Privacy Rule to allow an ONC-ACB to conduct “in the field” surveillance on an EHR technology previously certified by the ONC-ACB, when protected health information (PHI) may be accessible to the ONC-ACB during the surveillance?

Answer: Yes. … An ONC-ACB is also required … to perform surveillance on the EHR technology it certifies … in the field. In this capacity, ONC-ACBs meet the definition of a “health oversight agency” in the HIPAA Privacy Rule, and a health care provider is permitted to disclose PHI (protected health information) (without patient authorization and without a business associate agreement) to an ONC-ACB during the limited time and as necessary for the ONC-ACB to perform the required on-site surveillance of the certified EHR technology.

Regardless of the ONC’s ruling, I believe it would be ethically inappropriate for me to disclose my patients’ medical information to an ONC-ACB employee. I am equally certain that most of my patients would refuse to voluntarily disclose their PHI to an ONC-ACB employee. Clearly, there are less intrusive ways for the ONC to ensure that federally “certified” EMRs are performing up to the ONC’s standards.

If this ONC ruling is allowed to stand, I think physicians who use a federally “certified” EMR are ethically obligated to inform their patients that their physician may be required to expose the patient’s PHI to an ONC-ACB employee, without the patient’s prior consent. If the patient objects, I believe the physician has an ethical duty to remove the patient’s medical records (PHI) from the “certified” EMR and drop the data to paper or to a non-certified EMR.

What makes this ONC ruling all the more outlandish is that the ONC has promulgated many health information technology regulations which are designed specifically to protect patient privacy. Apparently, the hypocrisy of ONC’s latest ruling has been lost on the ONC itself.

Hayward Zwerling is president, ComChart Medical Software, LLC


  • http://www.ronsmithmd.com/ Ron Smith

    Hello, Hayward.

    The question we really need to ask is who is monitoring the monitors? And then the next question is who is monitoring the monitors of the monitors? And then the next question is…

    Warmest regards,

    Ron Smith, MD

    www (adot) ronsmithmd (adot) com

  • Adrian Gropper

    Hi Hayward,

    The medical profession is undergoing “death by a thousand cuts” as each of the inexorable advances in technology diminishes the physician-patient relationship in favor of institutional allegiance and industrial certification. Your point “I believe the physician has an ethical duty to remove the patient’s medical records (PHI) from the “certified” EMR and drop the data to paper or to a non-certified EMR.” is not just about ethics but about survival of medicine as a profession.

    Fortunately, technology can work for the patient and the patient-physician relationship. Patients can host their own EMR and allow you as their physician to use it. Encryption and simple escrow arrangements can protect the physician’s access to records in case of a dispute. Services from labs, pharmacies, and third party-payers can be anonymized to minimize tracking. Population health registries and outcomes measures will be vastly more accurate when they ask the patient directly rather than depend on institutional reports.

    My smartphone has 64 GB of storage. An average health record grows at the rate of 50 MB / year, including radiology imaging. That’s 4 GB over an 80 year lifetime or 6% of the storage on my phone. This tiny fraction will shrink even further over the coming years.

    The government has good reasons to drive for digitizing health records but the ends do not justify the current means. Institutional EHR certification needs to be phased out in favor of the sovereignty of the physician-patient compact. Let’s start today.

    Adrian Gropper, MD

  • Sara Stein MD

    How is this different from insurance audits? Seems the same if it’s targeting physicians who benefit from meaningful use payment. Did they say who the auditors are?

  • Paul

    I think your second sentence can be read in two ways. While I believe you meant “must consent” as in the records are only shared with the patient’s permission, what actually happens is “must consent” as a result of coercion of the patient.