Health Data Privacy: What Providers Need to Know

By Robert L. Murry, PhD, MD, FAAFP, Chief Medical Officer, NextGen Healthcare
Twitter: @NextGen

A survey published by the American Medical Association (AMA) last year reveals that patients are very concerned about the privacy of their medical information, perhaps more concerned than most physicians and practices are aware. As healthcare providers using the latest medical technology, we tend to view the ability to share information electronically with other providers and payers (and the ability to view and obtain records from care delivered elsewhere) as a good thing. Overall, I agree, but it is important that we understand our patients’ view of this sharing and privacy of their records.

The AMA survey of 1,000 patients delineates the comfort level of patients concerning the use of their medical records. Most tellingly, 92% of those surveyed believe privacy is a right and should not be available for purchase. While three quarters of people are “most comfortable” with data records shared with their provider/doctor’s office, a similar percentage are “least comfortable” with their data made accessible/shared with social media sites, big tech, or prospective employers.

Transparency and control

I recently went to a new doctor who gave me a list of medications he thought I was taking during his intake. He had obtained these, I believe, through “medication history” functionality available in his EHR (not NextGen), which uses both pharmacy fill data and information from insurance company pharmacy benefit management plans to see what medications patients are on. However, there was a medication on the list that I paid cash for and had specifically told my pharmacy not to put through my insurance. Now, this wasn’t an embarrassing medication (think antibiotic, not Viagra), but I was surprised that my data was made available to my doctor—and presented back to me for review—without my consent. When I asked where he’d gotten the list, he didn’t seem sure and said something like, “It just appears in the computer for me.”

So what should physicians and practices do?

Here are some points to consider to help us all avoid a big backlash over medical privacy from patients:

  • Understand where data in your EHR system comes from. It is unlikely these days that it was all entered by someone from your practice into your EHR. Did you convert from another system, and if so what does that data look like? Are you connected to a “medication history” service, or to a Health Information Exchange (HIE), or to Carequality or CommonWell—if so, do you import data from these sources and how does that appear in your system? Do you get electronic data directly from other providers or from your state? Could you recognize the “provenance” of the data if a patient asks, “How do you know that? Where’d you get that?”
  • Review your practice’s HIPAA (Health Insurance Portability and Accountability Act) privacy policy statement. You require that your patients sign that you have provided this to them annually, but does it include all the places you might be sending their medical information? Do you even know all the ways that medical information leaves your practice? Consider faxes to other providers, lawyers, and insurance companies; Direct messages; sharing with local or state HIEs or immunization registries; sharing with public health registries; connections to national networks like the eHealth Exchange; etc. Privacy laws vary by state and not all of these necessarily need to be explicit on the privacy practices statement, but it is worth an annual review of the document and a conversation at the practice level to ensure everyone knows the ways data might be shared externally.
  • If a patient asks, “I’d like a list of all the places you have sent or shared my medical records,” can your practice provide it? This is the spirit behind HIPAA, but are you using your EHR correctly to log these events, and does your staff know how to review this log if a patient asks? Speaking of HIPAA, do you have policies in place, and a way to enforce them, against inappropriate access to patients’ medical records by staff? Could you answer a related patient request: “Tell me if [your employee] has ever looked at my medical records”?

Just as you have prepared for years to have conversations with patients about medical as well as mental and social health topics, be ready to address their concerns about the privacy of their medical records at your practice.

This article was originally published on the NextGen Healthcare blog and is republished here with permission.