Electronic Medical Records – Act now to protect your privacy
The California state government is preparing to transfer all Californians’ health records into a new electronic system. But there’s a problem: The system they’re planning to use has serious privacy and security flaws.
The primary privacy flaw is that this new system requires only opt-out (those who want to share your personal information may do so unless you affirmatively say they can’t). In order to truly protect your privacy, the system should be opt-in (those who want to share your personal information must get permission from you before they share your data) only. Another flaw is that the California state government is proposing very weak definitions of what “sensitive” medical information is. We need strong definitions of what sensitive information means. Right now, there is no good technological way to separate sensitive medical information (which should require opt-in) from other health information that requires only an opt-out. Because of these inadequate controls, these two types of medical information may be mingled together and inadvertently disclosed under the less privacy protective opt-out. The health insurance industry, which too often treats its customers’ privacy as an unwanted business cost, has put the government under enormous pressure to keep it that way. And the health insurance industry has put the government under enormous pressure to do away with meaningful definitions of what sensitive health information means.
If the public doesn’t take action and demand protections now, Californians’ medical privacy will be in serious danger.
The state government has asked the public to send feedback to the California Privacy and Security Advisory Board (CalPSAB) before December 1. Take a few minutes to send them an email and tell the government that Californians’ health records, databases, and networks deserve ironclad privacy protections.
Californians should not have to choose between privacy and health.
Take action now!
A sample letter that you may use verbatim, or may modify as you wish appears after this introduction. Please send your comments to firstname.lastname@example.org
Sensitive medical information in California is defined as substance abuse, HIV status, genetic information and mental health information. Information that is classified as ‘sensitive’ requires that you ‘opt–in’ to the sharing plan for treatment purposes. Information about you that is not ‘sensitive’, and thus covered by ‘opt-out’. However, even sensitive information could fall under an ‘opt-out’ scheme (HIPAA allows this) for data exchange if California goes with opt-out guidelines rather than opt-in.
Information that is not considered ‘sensitive’ include some of the following:
1) Cancer in general is plain old health information, and there are no special legal
rules in statute or case law.
2) Mental health (like depression) doesn’t have special legal rules for disclosures for providers/treatment; it does for other kinds of sharing.
For example: your pharmacist knows your meds already (ePrescribing is disclosure for treatment purposes). Your prescriptions may ‘disclose’ the condition that you are being treated for, such as HIV.
Note also, that a lot of sexual assault information comes out through psychotherapist general progress notes.
3) Abortion/reproductive health/pregnancy doesn’t have special legal rules.
4) HIV outside of lab context: California law only protects it as a lab test; not when it’s not a lab test, e.g. your doctor knows your status and puts it in your medical records.
There is one well-known case where a doctor was found potentially liable in an action for violating an individual’s rights under the California Constitutional right of privacy for including his HIV status in a medical report for worker’s compensation. Urbaniak v. Newton (1991) 226 Cal.App.3d 1128,1141.
5) Erectile dysfunction, no special category.
Any of the above could end up being disclosed through an opt-out, unless you take affirmative steps to opt out.
Subject: Californians have the right to decide whether their health records are electronically shared
I’m a Californian and I want the right to decide whether my family’s health information will be electronically shared. Patient privacy has always been crucial to health care, and the stakes are even higher with electronic health systems. Patient privacy needs to be designed into the DNA of California’s electronic health information exchange (HIE) system now.
1) “Opt-out” consent isn’t good enough: Right now, it’s not clear how the HIE system will work or how the privacy and security of my health records will be protected. I should be able to decide in the first instance whether my health information will be electronically shared.
2) “Opt-in” consent is crucial for sensitive health information: Some health information is especially sensitive—mental health, alcohol and substance abuse, HIV-AIDS, sexual assault, reproductive health and abortion, domestic violence, and genetic conditions. The interim guidelines (126.96.36.199) acknowledge this by requiring opt-in consent for the disclosure of sensitive health information. But there’s no easy way to separate sensitive from non-sensitive health information. And really, all my health information is sensitive to me.
3) My trust is essential to success of the HIE: Patients need to trust the system to protect the privacy and security of their information, but that trust must be earned. “Opt out” consent for HIE sends the wrong message—that the health care industry doesn’t think it can’t earn my trust, and instead wants to force me into the system.
I should not have to choose between privacy and health care. I will be watching the CalPSAB process and I look forward to seeing strong privacy and security protections for HIE in California.
Tags: medical records