Why the days of medical privacy are over


I’m lucky, I work for one of the best hospitals in the country and I have access to the best medical care that our society has to offer. With one glitch, that is — when I access that care, my medical records are put into a system that can be viewed by thousands of people, some of whom include my bosses, co-workers, supervisees, neighbors, and even some of my patients.

I must be kidding, since that would be a HIPAA violation, but actually, I’m not. In our hospital electronic record, the only thing that prevents any clinician from looking at records is the trust that people will do the right thing and not indulge their curiosity, and the fear of repercussions. There is no before-the-fact hold on who can view a medical record. If one is caught, the culprit can be fired, but by that point, the information has been viewed. The precise mechanism that triggers an audit or flags a record for investigation remains a mystery, but I would contend that patients should have to authorize access to specific records, and they should be permitted to limit those records to specific health professionals within reason. Does the podiatrist really need to know the patient was treated for vaginismus?

Soon we will be adding outpatient psychiatry notes to the system and access comes with a provision that the health care provider must press through an extra screen to “break the glass.” Reportedly these views will be monitored more closely. In a way, this is good – it makes psychiatric conditions the same as any other medical conditions and perhaps this will help to destigmatize psychiatric disorders.

On the other hand, it’s still possible that other physicians give an inferior level of care to psychiatric patients, and that very personal information will be available as the psychiatric histories are quite detailed and may include reports of psychotic episodes, sexual abuse, prison stays, and suicide attempts. A patient may not want his dermatologist to know all that, much less a curious lover who happens to work for the hospital and has access to the system. It is not yet clear to me what protections are added by marking a document as “sensitive.” The new system even allows one clinician to access the schedule of any other physician in the hospital, even those in other departments, complete with the names of the patients that doctor is scheduled to see.

Electronic health records are reported to be a major advance in the delivery of better health care through improved communications, and instrumental in cost containment. They are so good, that the government pays doctors and hospitals to implement them, though we don’t yet know that EHRs either improve care or decrease cost. On the other hand, we value patient privacy, and HIPAA – used and abused — is an acronym that has come to stand for privacy rights. HIPAA is cited for why a doctor won’t give information about a sick relative, and HIPAA is often misused or ignored even if a patient has specifically given permission to have their health care information shared – it’s become the default position that sometimes takes the form of laziness.

But when electronic health records exist in an organization, the patient may have no way to contain their information to those who provide treatment. While the public may not think about this, as an employee of a hospital, I do.

Information gained in hospital settings is now beginning to enter state databases, something few people — even doctors — are aware of. From there, other agencies can get your information, which is good if you show up in a coma in an emergency department, but not so great if you value your privacy. In Maryland, this system is called CRISP, for Chesapeake Regional Information System for our Patients, and everyone goes in automatically unless they specifically request an opt-out.

I did opt out, and I received a letter from the state telling me that I was endangering my health and that they would hold on to my information in case I changed my mind. Wait, I don’t want CRISP to have my information, but again, that’s not a possibility; Big Brother gets my records whether I like it or not, I’m only permitted to opt out of their release to other entities.

I’d like to see a physician at the wonderful hospital where I work, and to know that I can have a private conversation that can’t be accessed by curious bystanders, the state of Maryland, or perhaps even by my other physicians. I’ve asked others, many of whom get care at this facility, and I’ve collected a number of stories, none of which I can confirm are true. One friend says a nurse accessed information about an ill parent on her child’s little league team and shared it with the other parents on the sidelines, noting she could get in trouble. A patient was released from the hospital with a discharge summary that stated his medical episode came on while he was masturbating. Was that really necessary information for a permanent electronic record? Finally, I heard a story of a physician who accessed the medical records of his psychiatrist, and as a psychiatrist myself, I’d like to believe that my medical records would not be accessible to curious patients.

I’m not sure how large a concern this is. I don’t know of others who are complaining, and I’m not aware of any organized effort to retain privacy rights on medical records – treating them perhaps like bank account access where the patron plugs in a Personal Identification Number to allow access. When I’ve brought it up, I’ve been asked what I have to hide, why I think anyone would care about my records, and the response I get is generally dismissive. HIPAA, you know, so of course there is medical privacy and of course everyone at our institution is either above being curious or malicious, or at least is afraid of the consequences.

Even the compliance officer at our institution tried to reassure me that records are private, that different types of clinicians have different levels of access, but then admitted that they review accusations of breaches on a regular basis (she wouldn’t give me precise data on this) and there are employees who check their medical records daily to be certain no one is accessing them.

I’m not the most private of people; I have a strong social media presence and I’m quick to talk about whatever is on my mind, but somehow, I still think a patient should be able to speak with a physician in confidence. The HIPAA delusion aside, I believe the days of medical privacy are over.

Dinah Miller is a psychiatrist who blogs at Shrink Rap and co-author of Shrink Rap: Three Psychiatrists Explain Their Work.

