I’m lucky, I work for one of the best hospitals in the country and I have access to the best medical care that our society has to offer. With one glitch, that is — when I access that care, my medical records are put into a system that can be viewed by thousands of people, some of whom include my bosses, co-workers, supervisees, neighbors, and even some of my patients.

I must be kidding, since that would be a HIPAA violation, but actually, I’m not. In our hospital electronic record, the only thing that prevents any clinician from looking at records is the trust that people will do the right thing and not indulge their curiosity, and the fear of repercussions. There is no before-the-fact hold on who can view a medical record. If one is caught, the culprit can be fired, but by that point, the information has been viewed. The precise mechanism that triggers an audit or flags a record for investigation remains a mystery, but I would contend that patients should have to authorize access to specific records, and they should be permitted to limit those records to specific health professionals within reason. Does the podiatrist really need to know the patient was treated for vaginismus?

Soon we will be adding outpatient psychiatry notes to the system and access comes with a provision that the health care provider must press through an extra screen to “break the glass.” Reportedly these views will be monitored more closely. In a way, this is good – it makes psychiatric conditions the same as any other medical conditions and perhaps this will help to destigmatize psychiatric disorders.

On the other hand, it’s still possible that other physicians give an inferior level of care to psychiatric patients, and that very personal information will be available as the psychiatric histories are quite detailed and may include reports of psychotic episodes, sexual abuse, prison stays, and suicide attempts. A patient may not want his dermatologist to know all that, much less a curious lover who happens to work for the hospital and has access to the system. It is not yet clear to me what protections are added by marking a document as “sensitive.” The new system even allows one clinician to access the schedule of any other physician in the hospital, even those in other departments, complete with the names of the patients that doctor is scheduled to see.

Electronic health records are reported to be a major advance in the delivery of better health care through improved communications, and instrumental in cost containment. They are so good that the government pays doctors and hospitals to implement them, though we don’t yet know that EHRs either improve care or decrease cost. On the other hand, we value patient privacy, and HIPAA – used and abused – is an acronym that has come to stand for privacy rights. HIPAA is cited for why a doctor won’t give information about a sick relative, and HIPAA is often misused or ignored even if a patient has specifically given permission to have their health care information shared – it’s become the default position that sometimes takes the form of laziness.

But when electronic health records exist in an organization, the patient may have no way to contain their information to those who provide treatment. While the public may not think about this, as an employee of a hospital, I do.
