Withholding Information: Patient Privacy and Security Concerns

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure #HCdeJure

Anecdotally, issues have existed for a long time in healthcare in terms of knowing whether patients are telling physicians all of the information needed to effectively provide care. From some stories, reasons for a lack of sharing can range from believing the physician does not need to know something, to not wanting to share a specific piece of information given perceived embarrassment, to not wanting the information to leak out. Those concerns existed when records were in paper form and not electronic.

The rise in electronic medical records now seems to be complicating matters further. A recent pragmatic randomized control trial interviewed a cohort of patients at one hospital about privacy and security concerns over medical records and how those concerns affect the sharing of information with physicians. Despite the small sample size, the results should be reason for pause and readjusting perceptions.

Specifically, the greater a patient’s concern that information could be compromised when sent, the more likely the patient would be to withhold information. A finding that fear of compromise results in data being withheld should not be overly surprising, but the means of getting to that finding reveal a misunderstanding of how healthcare data can be (and are) used.

As explained, the dependent variable for the study was whether the patient had ever not shared information with a clinician over privacy or security concerns in connection with the medical record. That baseline question then showed variance based upon four different independent variables in the form of additional questions.

The four independent variables were:

  1. The level of concern about an unauthorized person seeing medical information sent electronically;
  2. The patient’s level of confidence in having a say over how medical information is collected, used, and shared;
  3. The patient’s level of confidence in safeguards being in place to protect medical information from being seen by people without permission; and
  4. The patient’s level of interest in electronically exchanging medical information with a clinician.

Pulling apart the responses, the researchers determined that if an individual was concerned about data being compromised, then the individual would be three times more likely to withhold information from the clinician. Differences were also discovered based upon the individual’s race, which could suggest an underlying trust issue. In trying to gain insight from the responses, one angle could be that patients do not trust the protections implemented by clinicians and healthcare organizations when using technology. Such an interpretation is possible by looking at the aim of the independent variable questions and the framing that each puts around the concerns of privacy and security.

The independent variables are not necessarily indicative of actual (or permitted) privacy or security practices though. Many implicit uses or disclosures are clearly permitted under HIPAA, which arguably means that privacy and security requirements imposed on the healthcare industry are being followed. From that perspective, compliance with HIPAA should address the first and third independent variables. HIPAA requires health information to be protected from unauthorized access and ostensibly calls for controls to be implemented to limit a workforce member from accessing information if not needed for a specific job function. If an individual is concerned about how their information will be used, it could be quite difficult to adequately address the concerns about sharing, as limiting it could introduce workflow interruptions or otherwise disrupt what is perceived as standard operating procedures. As should be well known, HIPAA is quite permissive when it comes to the use and disclosure of information without needing to inform the patient.

Given the broad ability to use and disclose information, more background is needed to understand what protections or limitations on use patients want to see. If the parameters identified by patients are at odds with HIPAA, then a much different discussion would need to occur as opposed to a scenario where a patient just wants to be better informed as to an organization’s permitted practices. Given some recent rumblings around privacy and unrest when HIPAA compliant relationships come to light, there could be a high likelihood that restrictions tighter than HIPAA would be preferred.

Impact on Direction of Technology Adoption

The admittedly limited results of the study offer an opportunity for reflection when it comes to adoption and use of technology in healthcare. With a lot of technology or digital health based solutions trying to mimic the convenience and ease of data flow found in the rest of daily life, there is a question as to whether that full ease is wanted by patients. Such a question can be a bit far afield and may not reflect patient attitudes, but it may be a question that needs to be tackled.

A bigger and thornier question is what privacy expectations are when it comes to healthcare data. Attempting to resolve that question will involve going down numerous parallel pathways. One aspect will be the controversial ownership versus control question. For example, if patients fully owned their own healthcare data, then some may assert that it would be possible to limit how that data can be used and to impose stronger privacy protections. That argument for ownership can closely mirror the argument for control, which is ultimately why control could be the better issue to focus upon. Regardless of the basis though, is it really preferred to inhibit the ability of clinicians to consult with each other and share critical data in order to have a full say around how healthcare data are used? Some would likely answer affirmatively, though it is not clear that they would be anywhere near a majority. Further, that position would have many ripple effects across the healthcare spectrum and for patients.

Ultimately, the privacy question, and the associated concerns about security, really seems to go in the direction of how to define and protect privacy. Discussions generated by new privacy schemes on both the state level and internationally focus on individual control, awareness, and consent. The new schemes seek to swing the pendulum back more in favor of the individual. However, those same new schemes will often still have carve-outs for healthcare data, which means a limitation of individual rights and controls. The unique treatment given to healthcare appears to recognize the position held by healthcare. In turn, that means some of the concerns implied by the responses in the survey cannot be fully addressed or accounted for.

As first noted, the results of the study should not be dismissed because it is important to learn from everyone’s perspective and try to avoid information gaps. Additionally, the positions beg for better education and information as to the operation of HIPAA since that law permits many of the uses and disclosures that seemingly underlie the privacy and security objections. The picture painted from that analysis is to focus on collaboration and coordination, which means all sides coming together for mutual benefit.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.