Risks of Electronic Health Records
Governments will assure citizens that the system will be secure, confidentiality and privacy will be a top priority, and encryption and other protections will be of the highest level – but the reality is that the global history of the privacy protectiveness of large centralized databases like these is not good. Privacy breaches are common, and the costs of the system typically spiral upward.
For this reason, (and because the risks of e-Health and electronic health records are not discussed by the province or Infoway in their websites) we explain what new e-Health projects the province of BC is undertaking, and outline some of the risks they pose to patient privacy. First, we discuss the general risks posed by centralizing patient information, then we briefly discuss specific ongoing projects in BC.
Electronic health records systems are like any other electronic system that holds personal information in that they should be protected by rigorous electronic safeguards, and by detailed procedures and practices that employees and others with access are required to follow. But even the most strongly protected electronic system is subject to the risk of a privacy breach.
Privacy Breaches – Snooping, Stalking, Identity Theft
There are numerous privacy risks posed by the EHR system. The most obvious risks are of privacy breaches by “malicious insiders” – individuals who are authorized to access the EHR system for legitimate purposes (doctors, nurses, other healthcare providers or other authorized individuals) but who use that authorization to look up a particular individual for no reason other than to find out about their personal health information. This can happen, for example, when a relative or nosy neighbour wants to know about an individual’s health status, when a stalker or ex-spouse wants information about an individual for their own purposes, or when a healthcare worker accesses the health information of a famous person, to provide it to the media. The risk of such abuses is very real (in fact, numerous cases have already occurred in Canada, the U.S. and Britain).
Despite these grave risks, there is little ability in the system to prevent privacy breaches, if a person with a legitimate right of access abuses that right. The only remedies available are generally disciplinary in nature – the individual can be disciplined or fired if the privacy breach is discovered.
Another risk is that of theft by an insider. Medical identity theft is a growing problem in the United States, where there have been several recent incidences of individual employees collecting and selling the personal information of many patients, which is then sold on the black market to people, including illegal immigrants, or people without health coverage, who want to take advantage of the information in order to receive free medical care. Although our universal health care system reduces the risk of medical identity theft in Canada, it does not eliminate it, as people new to the province awaiting eligibility for the Medical Service Plan and those seeking private health insurance numbers for fraudulent purposes still provide a market for medical identity information.
The most serious impact of medical identity theft is the harm that can result when the individual’s health records – now compromised and filled with the thief’s health information – are relied on by health care providers to give her care. This can pose very serious risks to the individual’s health.
Other risks of privacy breaches exist every time a staff person puts patients’ personal health information on a portable device, including a laptop, a memory stick or a smartphone. These devices are capable of holding large amounts of data, and the loss or theft of the device can expose the personal health information of many patients to the risk of identity theft.
Constant Surveillance
Less obvious are the privacy risks posed by the way the system is built. As discussed at the beginning of this chapter, our privacy rights are fundamental rights. Our right to keep our personal health information confidential except in very limited circumstances is a bedrock principle of medical ethics. Yet electronic health records systems make it very difficult for us to ensure that our information does not flow where we do not want it to go.
Before the advent of the EHR, our privacy was generally protected and the confidentiality of our medical information was generally secure (except for the rare legal requirement to report, such as for reportable communicable diseases or child abuse). But in the near future, our entire medical history will be available to innumerable participants in the healthcare system.
In this future, we may be unable to object to our personal health information being used for a particular kind of research. We may not be able to guarantee the privacy of our mental health history, because a great deal of health information that can reveal that we have a mental illness (such as when a drug we take is available for viewing on PharmaNet, or a record of a visit to a psychiatrist or a stay in a psychiatric hospital is recorded in our EHR) can be seen by others, and it will be increasingly difficult to ensure that information is kept confidential. Or maybe we do not want a specific person to learn that years before, we were treated for a sexually transmitted infection. If that person has access rights to the system, it could be difficult to prevent her from discovering our personal information.
And even if we don’t have a medical condition or diagnosis that is stigmatized, like mental illness or a sexually transmitted disease, we may simply want the confidentiality that is a traditional part of the medical system.
Unfortunately, individuals may soon get the feeling that their most private personal circumstances could be known by others at any time. Some individuals may feel that they have no choice but to give up their privacy in order to get health care. And some may stop seeking certain forms of health care altogether for fear that their confidentiality will not be guaranteed. And the reach of this system eliminates the ability of individuals to seek treatment privately in another city or town. Thus if a teenager wishes to obtain an abortion in another part of the province, or a business person wants to see a psychiatrist out of town, their records will nevertheless be available to authorized healthcare professionals in their own town. We no longer have a right to not be known.
The system itself is built to violate our privacy, simply by the way it is designed. Furthermore, by enabling the potential for constant surveillance, it invades our dignity and has the potential to threaten our psychological integrity.
Control and Consent – A Fundamental Right
In the health system, the patient’s consent to the collection, use and disclosure of their personal health information is treated as implied or assumed. That is, the doctor does not ask you at every visit for permission to send your information to another doctor or part of the health system for the purpose of treating you. She assumes that you consent, unless you tell her otherwise. Your consent is implied by your request for a treatment, or for a prescription, or a referral.
Most people would consent to the disclosure of their health information in order to receive health care or for billing or payment for health care. This type of disclosure, to a limited group of people for very limited purposes, is an expected part of the relationship between a doctor and the patient. But it cannot be assumed that equal numbers of people would consent as readily to their personal health information being on a centralized database and accessible to many, many more people (with as-yet undefined authorization) for many more purposes than simply to give them health care.