nyclu_patientprivacy
TRANSCRIPT
-
7/30/2019 nyclu_PatientPrivacy
1/40
ProtectinPatientPrivacy:
StrategieS ForregUlatiNgeleCtroNiCHealtH reCordS
exCHaNge
-
7/30/2019 nyclu_PatientPrivacy
2/40
NEW YORK CIVIL LIBERTIES UNION125 B S, 19h F
N Y, NY 10004
.nycu.
Mch 2012
ACKNOWLEdgEmENTS
This paper was written by Corinne A. Carey, NYCLU assistant legislative director, and Gillian Stern, volunteer attorney with the NYCLU.
Research assistance was provided by Erika Rickard and Andrew Napier. Special thanks to outside readers Gretl Rassmussen and Jeanne Flavin.
It was edited by Robert Perry, Jennier Carnig, Melissa Goodman and Helen Zelon.
Graphics were created by Willa Tracosis.
It was designed by L i Wah Lai.
ABOUT THE NEW YORK CIVIL LIBERTIES UNION
The New York Civil Liberties Union (NYCLU) is one o the nations oremost deenders o civil liberties and civil rights. Founded in 1951 as the New
York aliate o the American Civil Liberties Union, we are a not-or-proft, nonpartisan organization with eight chapters and regional oces and
nearly 50,000 members across the state. Our mission is to deend and promote the undamental principles and values embodied in the Bill oRights, the U.S. Constitution, and the New York Constitution, including reedom o spee ch and religion, and the right to privacy, equality and due
process o law or all New Yorkers. Fo r more in ormation about the NYCLU, plea se visit www.nyclu.org.
-
7/30/2019 nyclu_PatientPrivacy
3/40
1 gLOSSARY OF TERmS
3 gRAPH IC: Who gets to See Your meical History?
4 INTROdUCTION
8 PART 1: The New Worl of Electronic Health Inforation Exchane8 wh Cm Bf
9 Mnnn Pcy Pcns n h Fc f N tchny
12 PART 2: developin New Yorks Electronic Health Inforation Exchane
13 Pn Cnsn incusn n Us f Mc rcs n n ecnc infmn echn
14 A new pa tien t consent protoco
15 Breaking the glass: patient privacy in a medical emergency
16 Pn Cn f infmn-Shn
17 Granular control o patient inormation
18 Patient control over sensitive health inormation
19 The mineield o adolescent consent
21 CONCLUSION
22 RECOmmENdATIONS
24 NYCLUS INVOLVEmENT IN HIE ImPLEmENTATION IN NYS
26 ENdNOTES
CoNteNtS
ProtectinPatientPrivacy:
StrategieS ForregUlatiNg eleCtroNiCHealtH reCordS exCHaNge
-
7/30/2019 nyclu_PatientPrivacy
4/40
-
7/30/2019 nyclu_PatientPrivacy
5/40
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 1
BREak THE glaSS. A provision in New York
States policies and procedures that reers
to the ability o a health care provider or
other authorized user to access a patients
Protected Health Inormation (PHI) without
obtaining patient consent. NYS policies allow
a provider to break the glass in the case o a
medical emergency where a patient is unable
to give consent to access his or her health
inormation.
COVEREd ENTITY. Those entities that are required
to comply with ederal health inormation
privacy rules under HIPAA, which denes a
covered entity as (1) a health plan, (2) a
health care clearinghouse, or (3) a health
care provider who transmits any health
inormation in electronic orm or insurance or
reimbursement purposes.
daTa MININg. A process o pulling pieces o datarom a database or electronic network in order
to look or patterns and relationships. In the
context o health inormation technology,
data mining can be used or public health
purposes, or example, to identiy patterns
that reveal an epidemic. But it can also be used
or marketing purposes to determine where to
ocus promotional campaigns.
daTa SEgREgaTION/gRaNUlaR CONTROl.
The ability to separate out or sequester healthinormation, sometimes based on specially
protected sensitive health inormation but
not always. Data segregation or granular
control 1) allows patients to exert some
control over the type and level o inormation
that can be shared; 2) restricts inormation
access to specic individuals or entities; and
3) establishes preerences or time rame and/
or duration during which specic inormation
can be electronically accessed.
EHR (Electronic Health Record). A digital version o
the traditional paper-based medical record or
an individual either kept within a single acility,
such as a doctors o ce or a clinic (sometimes
reerred to as an electronic medical record
or EMR), or the o cial health record or an
individual that is shared among providers,acilities and agencies.
HEal-NY. New York State passed the Health Care
E ciency and Aordability Law or New Yorkers
Capital Grant Program in 2004, oten reerred
to as the HEAL NY Program, to support
the development and implementation o
New Yorks health inormation technology
inrastructure.
HIE (Health Inormation Exchange). Genericterm or any system that acilitates
electronic exchange o medical inormation.
Alternatively, HIE reers to the act o
transmitting or exchanging electronic
medical inormation among acilities, health
inormation organizations (HIOs) or HIEs, and
government agencies.
HIO (Health Inormation Organization). An
entity that acilitates electronic exchange
o medical inormation. A HIO is one type oHIE; or example, a RHIO, or Regional Health
Inormation Organization, is an HIE.
HIPaa.The Health Insurance Portability and
Accountability Act(HIPAA) was enacted by
Congress is 1996. The HIPAA Privacy Rule (45
CFR Part 160 and Subparts A and E o Part 164)
regulates the use and disclosure o personal
gloSSarY oF terMS
-
7/30/2019 nyclu_PatientPrivacy
6/40
2 New York Civil liBertieS UNioN
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
health inormation (or Protected Health
Inormation) held by covered entities.
HIT (Health Inormation Technology).The storage,
retrieval, exchange and use o health
inormation in an electronic environment.
HITECH. Enacted as part o the American
Recovery and Reinvestment Act o 2009, the
Health Inormation Technology or Economic
and Clinical Health (HITECH) Act is designed
to promote the widespread adoption and
standardization o health inormation
technology. HITECH required the Department
o Health and Human Services (HHS) to amend
the HIPAA Privacy, Security, and Enorcement
Rules to strengthen privacy and securityprotections or electronic health inormation
sharing.
IT (Inormation Technology).The development,
implementation, and maintenance o
computer hardware and sotware systems
to organize and communicate inormation
electronically.
NCVHS. The National Committee on Vital and Health
Statistics (NCVHS) was established by Congressto serve as an advisory body to the Department
o Health and Human Services on health data,
statistics and national health inormation
policy.
NwHIN.The Nationwide Health Inormation Network
(NwHIN) is sometimes described as a network
o networks that allows participants (state
level exchanges, ederal entities, public health
entities and health inormation organizations)
to locate and exchange health inormationelectronically. The initiative is sponsored by the
Oce o the National Coordinator (ONC) or
Health Inormation Technology, which began
developing the NwHIN in 2004.
NYeC (The New York eHealth Collaborative). A
state designated not-or-prot public-private
partnership and statewide policy body ormed
in 2006 that is charged with the development
o policies and procedures governing the
implementation o the electronic exchange o
health inormation in New York State.
OHITT. New York States Oce o Health Inormation
Technology Transormation (OHITT) was created
in 2007 by the New York State Department
o Health to coordinate New Yorks Health
Inormation Technology eforts.
PHI (Protected Health Inormation). PHI is dened
by HIPPA (ederal law) as any inormation
held by a covered entity that concerns health
status, provision o health care, or payment or
health care that can be linked to an individual.
This is interpreted rather broadly and includesany part o an individuals medical record or
payment history.
PHR (Personal Health Record).An electronic health
record maintained by a patient that includes,
or example, patient-reported data, as well
as physician-generated data and lab results
(either entered by the patient or downloaded
rom the lab itsel ). A PHR difers rom an EHR,
which is maintained by provider or a health
inormation exchange.
RHIO (Regional Health Inormation Organization).
A group o organizations within a specic
geographical area that share health care-
related inormation electronically. A RHIO
typically oversees the means o inormation
exchange and develops health inormation
technology (HIT) standards.
SHIN-NY (Statewide Health Inormation Network
or New York). Described as an inormationsuperhighway, the SHIN-NY is the
technological inrastructure being designed by
New York to acilitate the exchange o health
inormation between and among providers,
consumers, payers and government agencies.
-
7/30/2019 nyclu_PatientPrivacy
7/40
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 3
Who gets to see your medical history?Until the advent of electronic health information exchange, patients had the
ability to control which providers had access to what information about their
medical history. Even when a patient consented to allow a new provider to
access her records, what information went into those records depended on
what the patient wanted to tell her doctor, and then what the doctor chose to
send to the new provider. Unless exchange networks are carefully designed,electronic health records that can be shared at the click of a mouse can
threaten patient control over sensitive health information.
PROTECTING
PATIENT
PRIVACY
Traditional patient privacy controls
Patient privacy in an electronic world
STD CLINIC
ALLERGIST
It's important for
my new doctor to speak to my
primary care doctor and allergist,
but not to all of them.
NEW DOCTOR
PRIMARY CARE
ABORTION CLINIC
STD CLINIC
ALLERGIST
NEW DOCTOR
PRIMARY CARE
ABORTION CLINIC I dont think
you needed to
know all that.
ELECTRONIC
HEALTH
RECORD
-
7/30/2019 nyclu_PatientPrivacy
8/40
4 New York Civil liBertieS UNioN
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
Electronic health inormation technology is
transorming the health care system as we
know it. Like many aspects o our lives, the
medical o ce is going online. Doctors, health sys-
tems, insurers, care coordination systems, regulators,
governments and patients themselves are demand-
ing electronic access to health records. Near instan-
taneous sharing o inormation between and among
health care providers promises signicant benets
to both doctors and patients, including greater
coordination and e ciency in service delivery,
reductions in medical errors and misdiagnoses, and
convenience. Tese benets are also likely to im-
prove the e ciency and eectiveness o the health
care system more broadly.
However, this step orward poses signiicant
risks. Easily shareable electronic records threaten
patient privacy, and can lead to security breaches,
misuse o inormation, and most importantly, loss
o patient control over conidential and sensitive
health inormation. his threatens the coniden-
tial communication between doctors and patients
that has been a bedrock principle o modern
medicine. Conidentiality ensures that patients
seek out care, and that they are open and hon-
est with their providers. Fully inormed by the
totality o a patients circumstances, providers can
render the best care possible.1 Patients who ear
a loss o control over their private medical inor-
mation may lose aith in their doctorand in the
health care system. hey may ail to share critical
inormation with their treating providers or they
may avoid treatment altogether.
Guaranteeing condentiality and patient control
over sensitive health inormation is critical to the
success o electronic health inormation exchange.
Only with condence that personal medical inor-
mation will be shared in ways that benet them and
not cause them harm will patients ully engage in
this promising technological advancement.
New York State has taken a national leadership
role in transorming the manner in which patients
records are created and shared. Hard-copy docu-
ments and electronic records stored in an o ce
computer are now being converted into a compre-
hensive, statewide network o integrated, searchable
databaseswith the goal o ultimately linking to a
uture nationwide health inormation network.
A growing inormation-sharing network, guided by
the New York eHealth Collaborative, a public-pri-
vate partnership unded by the New York State De-
partment o Health, has invested more than $840
million towards developing health inormation
exchanges, or HIEs. A dozen existing HIE networks
will eventually permit providers and payers to gain
access to a patients aggregated medical records in
New York State and, ultimately, connect New Yorks
HIEs with a national network.
Te state has endorsed a set o privacy and security
policies and procedures or the implementation
o health inormation exchange.2 But these poli-
cies have signicant aws that pose challenges to
the integrity o electronic record-sharing in New
York State. Most signicantly, these policies do not
allow or patient control over the inclusion o their
health inormation in the network. In addition,
the technological inrastructure used by the states
HIEs represents an all-or-nothing approach: Once
a patient consents to allowing a provider to gain ac-
cess to his or her medical records, the provider sees
everything that was ever entered into the network
about that patient, regardless o whether the inor-
mation is relevant to current treatment.
iNtrodUCtioN
-
7/30/2019 nyclu_PatientPrivacy
9/40
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 5
Te New York Civil Liberties Union supports
electronic sharing o medical records, but takes the
position that patients must be able to control who
has access to their medical inormation. Patients
must also be assured that those who do have access
receive only inormation that is relevant to their
treatment. Otherwise, those in need o medical
care may be reluctant to seek it or to give providers
consent to review their medical records. Patients
will have conidence in the states approach to
electronic health inormation exchange where
vigorous informed consentrequirements and
specic limitations on information-sharingprotect
sensitive inormation and ensure individual control
o personal medical records.
Te New York State Department o Health, theNYeHealth Collaborative, and the New York State
Legislature must take steps to protect individual
privacy and autonomy as the state develops a cen-
tralized electronic exchange o health and medi-
cal inormation. Te NYCLU oers the ollowing
recommendations in support o this goal.
nGive Patients and Providers Control Over
Access to, and Sharing o, Medical Records.
Inormation-sharing data systems must be
designed to sort and segregate medical inorma-tion to comply with privacy protections guaran-
teed under New York State and ederal laws. At
present they do not. Without such protections,
people who receive medical care that requires
strict condentialityor example, treatment o
conditions to which stigma attachesand the
providers who deliver that care may choose not
to share medical records in order to protect pri-
vacy. Tis increases the risk o harm to patients
and to the general public.
nOfer Patients the Right to Opt-Out Altogether.he state must adopt a policy that requires
providers to oer patients the option o de-
clining to participate in health inormation
exchange altogether, or at least ensure that a
patients identiying inormation is not ac-
cessible by those who have not obtained the
speciic consent o the patient.
nRequire Patient Consent Forms to OerClear Inormation-Sharing Options. Te
state must revisit its policy on consent to allow
greater patient control over how medical inor-
mation is shared. Consent orms should oer
patients three distinct options: to opt-in andallow providers access to their electronic medi-
cal records, to opt-out except in the event o a
medical emergency, or to opt-out altogether.
nRequire Notice to Patients When TeirProviders Become Data Suppliers. Te state
must adopt a policy mandating that providers
notiy patients when the provider links to an
HIE. In the absence o consent to upload patient
inormation, patients must be notied when
inormation about them rom their providerinitially becomes accessible through an HIE.
nGuarantee the Right o Patients to Correctand Amend Inormation. Current law permits
patients to review and submit amendments
to medical records held by individual provid-
ers. Te practice o correction and amendment
must be adapted to ensure that a correction to
any error is automatically sent to any provider
who has previously accessed the patients medi-
cal record through an HIE.
nProhibit, and Sanction, the Misuse o MedicalInormation. Te state should adopt a policy
that prohibits, and strongly sanctions, the
misuse o patient medical inormation obtained
through an HIE. New Yorks current all-or-noth-
ing data-sharing system gives providers access
to all o a patients medical recordsregardless
o how old the inormation or how relevant it is
or current treatment. New York must protect
patients rom bad actors: that small minorityo providers who may abuse inormation out o
ear, prejudice or malice.
nMandate Redisclosure Prohibitions or TirdParties. Current state policies do not require
HIEs to warn those who access patient health
inormation that redisclosing sensitive medical
inormation without patient consent violates the
-
7/30/2019 nyclu_PatientPrivacy
10/40
6 New York Civil liBertieS UNioN
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
law. State policy should require HIEs to explic-
itly communicate to third parties that redisclo-
sure is prohibited and that there are penalties or
violating this prohibition.
nProhibit Health Inormation Exchanges romSelling Data. Te New York State Legislature
should pass legislation prohibiting HIEs rom
selling patients private health inormation; this
prohibition should apply to records with or
without a patients personal identiers. Medical
inormation must not be used to target indi-
viduals or providers or promotional pitches
or advertising campaigns; nor should HIEs be
allowed to prot rom the sales and marketing
opportunities created by the release o inorma-
tion in patients medical records.
nCareully Regulate the Use o CommercialVendors o Personal Health Records. A num-
ber o commercial vendors now oer patients
the ability to collect, store and manage their own
medical inormation online. State and ederal
condentiality restrictions may not apply to
inormation held by these commercial vendors.
I commercially available health records systems
are oered to New Yorkers as a way or them
to access and manage their own health inor-mation, the state must require that patients be
warned o privacy risks. Patients must also be
given access to their records without having to
resort to a commercial vendor.
nStep Up Public Outreach Eforts. Public healthocials must ully inorm New Yorkers about
the implementation o health inormation
exchanges (HIEs) in New York State. Under
current state policy, patient medical inormation
is linked to the system without patient notice orconsent. Patients require a better understanding
o what is at stake. Tis requires clear inormed
consent mechanisms and a robust public educa-
tion program that explains to people what they
need to know about electronic medical records
exchange before a visit to the doctors oce.
-
7/30/2019 nyclu_PatientPrivacy
11/40
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 7
The art o medicine aces a technological
re-invention as record-keeping moves rom
ile cabinets and desk drawers to a web
o interconnected computer database systems.
As cumbersome paper records are supplanted
by ostensibly secure electronic networks, physi-
cians, insurers, health care coordination systems,
regulators, governments and patients themselves
are eager or rapid electronic access to health
records. Accordingly, New York State has begun
to transorm the procedures by which patient
records are created, stored and shared. Hard-copy
documents, once stashed in a older or stored in
an oice computer, are now being converted into
a comprehensive, statewide electronic network o
integrated, searchable databases that will one day
link to a national health inormation network.
Since 2004, New York State has been working to
develop electronic health inormation exchanges
(HIEs) via the New York eHealth Collaborative, a
public-private partnership unded by the New York
State Department o Health. In many parts o the
state, shareable electronic health record systems
are already up and running. welve regional health
inormation organizations (RHIOs) in New York
permit providers to share patient records with
other providers in their networks. Eventually, all
o New Yorks RHIOs will be linked to a statewide
health inormation network (or SHIN-NY).3 Other
types o health inormation organizations will be
able to access this network, and it will soon become
directly accessible by individual providers.
Rapid inormation sharing promises signicant
benets to health care providers and patients. Te
advent o electronic inormation exchange will also
benet the health care system. Services can be bet-
ter coordinated and more eciently delivered, and
the incidence o medical errors and misdiagnoses
can be reduced as inormation becomes more ac-
cessible and convenient or both patients and pro-
viders. But networked electronic records create the
potential or security breaches,4 misuse o inorma-
tion, and loss o patient control over condential
and sensitive health inormation.
Privacy protection and inormed patient consent
must be the oundational principles o a air, eec-
tive electronic health inormation exchange. With-
out guarantees o privacy, shared networks will
ail.5 I private medical inormation is vulnerable
to public dissemination and inspection, medi-
cal consumers may avoid care. And i signiicant
numbers o patients decline to participate, the
personal and public health beneits o HIE will be
diminished. he potential or public backlash is
greatone need look no urther than the periodic
public uproar over changes in Facebooks privacy
practices as an example.6 Robust and enorce-
able privacy protections and consent procedures
must be in place rom the start in order to ensure
patient conidence.
What Came Beore
Patient privacy has been paramount in medical
care at least since Hippocrates amous oath, which
impels physicians to keep condential any inorma-
tion obtained in the course o treating a patient.
7
Until very recently, patient inormation was kept
in physical orm; thus, saeguarding privacy was
relatively simple. o share patient inormation
with another provider, the doctor would secure
the patients permission, copy the relevant portion
o the patients le and send it along. Consent was
required or each communication, and the patient
retained the ability to control which providers had
Part 1: th N w f ecncHh infmn echn
-
7/30/2019 nyclu_PatientPrivacy
12/40
8 New York Civil liBertieS UNioN
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
access to what inormation. Even when records
were shared, the inormation that went into those
records was limited by what the patient wanted to
tell the doctor; and subsequently what the doctor
chose to send to another provider. A patient visit-
ing a podiatrist might understandably choose not
to disclose his prior psychotherapy, or example.
When asked about past surgeries, he may share
that hes had an appendectomy but omit mention o
hemorrhoid surgery.
Moreover, the actual sharing o records by doc-
tors has always involved a second screening step.
Doctors and acilities rarely i ever transmit entire
patient records to a second providerthey omit
extraneous inormation, and they requently sae-
guard sensitive inormation at the request o thepatient. As in the example above, the general prac-
titioner would inorm the podiatrist o a diabetes
diagnosis, but would not pass on the name, or even
the existence, o the patients psychotherapisti
the general practitioner even knew it.
Indeed, the conidentiality o individual medical
records has long been mandated by proessional
practice standards, and by ederal and state laws.
All modern medical schools administer oaths that
impose the duty o conidentiality on physicians.8
Nationally, a basic right to conidentiality was
codiied in ederal law in the Health Insurance
Portability and Accountability Act (or HIPAA);9
even stronger protections were extended by the
recent American Reinvestment and Recovery
Act.10 Additional privacy saeguards protect
speciic categories o sensitive inormation like
amily planning services, substance abuse treat-
ment and genetic testing.11 Federal laws set the
minimum standard; state laws requently impose
even more stringent conidentiality protections.12
All o these patient privacy protections are rooted
in the understanding that compromising patient
privacy means compromising individual care and
the public health.
New York State has long been a national leader in
protecting the conidentiality o personal medical
inormation. State law has strict privacy stan-
dards or medical records.13 Unlike HIPAA, New
York requires patient consent beore a physician
can disclose an individuals medical inorma-
tion to another treating physician.14 It also limits
disclosure to immediately relevant inormation.15
Even stronger protections restrict the release o
certain especially sensitive inormation regarding
genetic tests,16 mental health,17 medical treatment
o adolescents18 sexually transmitted inections19
and HIV.20
Maintaining Privacy Protections in the
Face o New Technology
Advances in technology do not void existing state
laws or eclipse the ethical concerns that gave riseto those laws. Rapidly evolving inormation tech-
nology requires that the state undertake a compre-
hensive in-depth analysis to determine (1) whether
current policies and procedures governing HIEs
comply with existing laws; and (2) whether laws
protecting the condentiality o patients medical
inormation are sucient in light o new techno-
logical capabilities.
New York State laws governing personal medical
inormation were drafed or the world o paper re-cords; inherent in these laws is a presumption that
patients control the dissemination o their medical
records and that a physical human lter in the
doctors oce decides what inormation is shared
with third parties. Electronic systems that share
entire records at the click o a mouse cannot help
but undermine these controls.
Nowadays, the challenge o protecting condential-
ity is exacerbated by the complexity o the modern
health care system where records migrate beyondthe connes o the doctors oce. Existing law has
been amended to require that medical inormation
is kept condential not only by the doctor but by
the array o other entities that have access to private
medical inormation: HMOs, the laboratories that
process medical tests, the hospital system in which
the doctor participates, the doctors or hospitals
records management company, the patients insur-
-
7/30/2019 nyclu_PatientPrivacy
13/40
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 9
ance company, and the medical underwriter who
insures that insurance company.21
Failing to extend the strong medical privacy
protections that exist in current law to electronic
health inormation exchange creates a serious risk
o harm to individual patients. However, the great-
est danger is to public health in the broadest sense.
Should patients decline to give their providers ac-
cess to their medical records, misrepresent medical
inormation or avoid treatment altogether, New
York may lose both the individual and commu-
nity-wide benets health inormation technology
promises. Both individual patient records and
aggregated public health data will be increasingly
susceptible to error due to incomplete or inac-
curate inormation. Doctors may unwittingly basediagnoses on alse or misleading inormation,
leading to treatment decisions that are not in the
patients best interestor that cause actual harm.
Data compiled or the purpose o analyzing public
health issues will be skewed, underreporting in-
ormation rom the records o those patients with
greater privacy concerns. In turn, this phenom-
enon would lead to the awed assessment o public
health problems and trends.
Americans want their medical inormationwhether in paper or electronic ormto be held
in private with their medical providers.22 Most
patients expect that medical privacy is ar more
vigorously protected by law than it actually is.23
All health care consumers have an interest in the
condentiality o their medical records; but or
some, privacy saeguards are essential when they
seek treatment and services or sensitive health care
issues related to HIV/AIDS diagnosis and treat-
ment, reproductive health, substance abuse, mental
health, genetic conditions, sexual assault, and do-mestic violence.24 Minors seeking care have perhaps
the greatest need o assurance that their medical
inormation will be held in condence.25 Studies
indicate that minors will avoid or delay seeking
care i they believe that their parents will nd out.26
As records become electronically linkedoce
to oce, region to region and ultimately state to
statethe need to ensure that adequate privacy
protections are in place grows in proportion to the
sheer number o people, including legions o non-
medical personnel, who have push-button access to
a patients entire medical history.
New concerns will arise as electronic networks al-
low patients direct access to their own medical re-
cords, via provider-created portals or through con-
tracts with ree-standing Personal Health Record
(PHR) systems such as Microsof Health Vault.27
Patients may also have access through smart phone
applications and other means not yet envisioned.28
Tese powerul tools will permit patients to iden-
tiy and correct errors in their records, collate and
track their own health inormation retained in
multiple sources, and ultimately enter their own
health-behavior inormation in electronic data-bases.29 Some regional health inormation organi-
zations have already considered providing patients
access to their own health inormation via the use
o commercially-available PHRs.
he prolieration o personal health records raises
questions about privacy that have been largely
unexamined and wholly unresolved. Which sorts
o records are governed by New York State privacy
laws, which by HIPAA, and which by the Federal
rade Commission? Can patients rely on the sameprotections o medical inormation held by PHRs
as they do or inormation held within a doctors
ile cabinet or computer? What protections do pa-
tients have against disclosure or data mining 30 by a
third-party vendor o a smart phone app when the
vendor may not be required to comply with ed-
eral privacy standards?31 Would such inormation
be protected i requested pursuant to subpoena?
What i records are accessed or downloaded by a
patient on his or her employers computer? New
York State must thoughtully and deliberatelyconsider the issues raised beore entering this
uncharted territory.
-
7/30/2019 nyclu_PatientPrivacy
14/40
-
7/30/2019 nyclu_PatientPrivacy
15/40
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 11
Eorts to create a network o shared electronic
health records began in earnest in April
2004 with an executive order rom the Bush
administration setting adoption o interoper-
able electronic health records by 2014 as a na-
tional goal.32 he executive order also established
the Oice o the National Coordinator or Health
Inormation echnology in the Department o
Health and Human Services, and a strategic
plan and unding streams or state and national
HIE programs.
During the Bush years, national policy or de-
veloping an electronic medical records system
ocused largely on market-based, ree-enterprise
strategies and on initiatives undertaken by indi-
vidual states. he Obama administration brought
signiicant resources to this undertakingin-
cluding unding, policy guidance and national
organizationthrough the Health Inormation
echnology or Economic and Clinical Health
Act (HIECH), passed in February 2009.33 While
HIECH greatly increased unding or health
inormation technology, it also transormed the
ederal governments approach to privacy and
consent, establishing new protections or person-
al health privacy and substantially extending the
limited protections o HIPPA.34
New York States health inormation technology
initiatives also date to 2004, with passage o theHealth Care Eciency and Aordability Law or
New Yorkers Capital Grant Program (HEAL NY).35
HEAL NYs primary objective was implementing
a 21st Century health inormation inrastructure.36
New York State established the Oce o Health
Inormation echnology ransormation in 2007 to
begin building an inrastructure to share clinical
inormation between patients, providers, payers
and public health entities. Tis inrastructure will
ultimately be integrated into a statewide network
and into the planned national network.37 New York
State has since invested more than $840 million to
develop HI networks throughout the state.38 A
state-unded grant program now unds 12 Regional
Health Inormation Networks (RHIOs) that acili-
tate patient record-sharing.39 At present, more than
65,000 health care providers participate in RHIOs.40
As New York State began to develop the health in-
ormation exchange, the state introduced a process
or developing policies and procedures that govern
patient consent and privacy.41 Stakeholder meetings
took place even as some RHIOs recruited providers
and patients. Te accelerated policy development
process lef little time or careul consideration o
policy debates about privacy and consent happen-
ing at the ederal level and across the country, or o
rapidly evolving technological capabilities.
Te states operational plan acknowledges that
New York State currently has a ragmented legal
and regulatory ramework or the exchange o
Health Inormation.42 Nevertheless, New York has
not carried out a comprehensive analysis o state
law as it relates to the states own HIE policies and
procedures governing patients privacy interests.43
Likewise, the state has not provided any legal
analysis or guidance to RHIOs, HIEs or providers
to ensure that they implement HIE in ways thatcomply with existing law.44
New York aces a daunting challenge: creating an
electronic inormation exchange while making
prudent choices in design and policy that en-
sure compliance with state and ederal laws, and
incorporating evolving technological capacity to
segregate and protect patient data. Tis balancing act
Part 2: dpn N Ys ecncHh infmn echn
-
7/30/2019 nyclu_PatientPrivacy
16/40
12 New York Civil liBertieS UNioN
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
is no small eat. However, two early, critical policy
choices made by the statewide collaborative process
have created signicant problems aecting elec-
tronic record sharing in the state: (1) an inadequate
patient consent protocol that gives patients little
choice in whether and how to participate in health
inormation exchange; and (2) an all-or-nothing
approach to data sharing that prevents participat-
ing patients rom controlling the dissemination o
their medical inormation.
Patient Consent to Inclusion and Use
o Medical Records in an Electronic
Inormation Exchange
Administrators o an HIE could employ any oneo a variety o patient-consent models to allow
or greater or lesser deerence to patients wishes
regarding the inclusion o their medical inorma-
tion in a network and the ability o providers or
other entities to gain access to that inormation.45
Most models give some measure o control to pa-
tientsan option to opt-in or to opt-out. With
opt-in models, patients must do just thatprovide
explicit consent that their records can be linked to
a network or electronically accessed. In an opt-out
model, all patient records are automatically sharedunless the patient opts out by electing to withdraw
rom the program. New York State describes its
patient consent protocol as an opt-in model,46 but
it is actually a hybrid that incorporates elements o
the two models just described.
Tere are two stages in New Yorks protocol or
establishing access to electronic medical records:
First, patients are linked to a patient registry (or
patient locator system) and their records become
accessible through an HIE. Second, a provider orother entity seeks access to those records. When a
health care provider joins an HIE, inormation that
identies each o the providers patients is automat-
ically linked to a search system that permits those
who have access to the network to identiy patients
in the network. Identiying inormation could be
demographic (an address) or some kind o unique
patient identier. At this point, patient inormation
is accessible through the HIE. Patient consent is
not sought at this stage.47
New York, in e ect, requires the automatic en-
rollment o all patients o providers participating
in an HIE. Patients may not opt out (and there-
ore their identiying inormation is available to
those with access to the network); and they are
not notiied that their inormation is now avail-
able through the HIE.
New York employs an element o the opt-in mod-
el once a provider or other entity seeks access to
a patients inormation through the HIE. In the
course o ordinary treatment, a patients airma-
tive consent is required beore a provider can
access that patients records through the HIE.48
Generally, patients are presented with a consent
orm or release o their medical inormation
with the paperwork illed out upon arriving in
a providers oice, along with a pamphlet that
explains the beneits o the electronic record-
sharing program and provides a short statement
about potential risks.49
New York State has adopted a model consent orm,
but HIEs across the state may use a variation o
this orm provided it conorms to basic minimumstandards.50 Te consent orm asks the patient to
opt-into permit the provider to access all o the
patients records available throughout the network.
In addition, New Yorks model patient-consent
orm cautions patients that by placing their signa-
ture on the orm, they surrender any and all rights
under New York and ederal law regarding the dis-
semination o, and access to, sensitive inormation
in their medical records that is accessible through
an HIE.51
Patient consent, in this context, serves as blanket
permission to release all medical inormation,
notwithstanding the type o treatment received;
the date it was provided; the acility at which
treatment was received; or even the relevance
to the medical condition or which treatment is
sought. (See discussion o patient control and
granularity below.) Whats more, depending on
-
7/30/2019 nyclu_PatientPrivacy
17/40
the consent orm used by the HIE, the patient
may be consenting to access by ailiated provid-
ers as wellranging rom the doctors practice, a
hospital, ailiated health acilities or to all pro-
viders in the network.52
On the surace, the distinction between mandatory
inclusion o patient inormation in an HIE and the
option to allow a provider access to that inorma-
tion may seem slight. However, there are two key
issues to consider: First, some patients may seek
to avoid being included in a patient locator system
by going to a provider who is not enrolled in the
network or by paying or services out o pocket.53
Some may reuse care altogether to avoid being
part o a state or national listing.54 Second, and,
perhaps more important, some patients may aceactual harm rom inclusion in a patient registry
that reveals demographic inormation such as a
residential address.
Te linking o ones medical records to an elec-
tronic network may provoke ear o unauthorized
access or breach that could allow a hacker to gain
access to patient identities or entire medical histo-
rieseither as a wholesale medical records thef or
in pursuit o inormation about a specic patient.
And this ear may be well ounded. Te mere inclu-sion o demographic inormation in a directory o
existing records, regardless o whether complete
medical records are made accessible, can pose an
unacceptable risk to patients. ake, or example,
those patients at risk o domestic violence, harass-
ment, stalking or with other special concerns about
condentiality, such as public gures or crime
victims.55 Te ability to glean an address or indeed
any inormation that may reveal a patients location
may cause irreparable harm.
New York maintains that this two-stage process
satises the myriad laws that require patient
consent beore inormation can be shared with a
third party.56 Tis is highly debatable. Inormed
consent requires prior notice that is clearly com-
municated: presenting the consent orm amidst a
shea o insurance documents, HIPAA releases and
other paperwork ails to meet this basic criterion.
Whats more, the automatic disclosure o patient
identiying inormation to an HIE most likely
constitutes a violation o New York State law, which
requires patient consent whenever patient inorma-
tion (including patient identiying inormation) is
disclosed to a third party.57
In many respects New Yorks patient consent proto-
col represents a radical departure rom current law
and practice. Te protocol eectively eviscerates
decades o careully considered and crafed law,
replacing special consent requirements and con-
dentiality protections or inormation related to
sensitive conditions such as HIV, substance abuse
and others with one all-or-nothing consent orm.58
New Yorks share-rst, ask-later approach is basedon a questionable interpretation o the law.59 Under
this reading o the law, HIEs and RHIOs would be
exempt rom rules regarding third-party disclosure
because they are considered practitioners or other
personnel employed by or under contract with the
acility[.]60 o date, no case law recognizes orga-
nizations like HIEs and RHIOs as exempt rom the
prohibitions against third party disclosure. Tere
is, however, a considerable body o law that up-
holds the restriction on dissemination o patients
records to third parties.61
A new patient-consent protocol
Once provided with inormation and guidance re-
garding health inormation exchange, patients must
be aorded clear options regarding the inclusion o
their identiying inormation and medical records
in an electronic health inormation network, and
or sharing that inormation.
In light o the concerns outlined here, it is the posi-
tion o the NYCLU that the state should revisit its
policy on uploading individual medical inormation
to a shared network and adopt a requirement that
such inormation cannot be uploaded without a-
rmative patient consent. Should the state reject this
reorm, it should at least allow patients to arma-
tively opt out o the system at any time so that their
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 13
-
7/30/2019 nyclu_PatientPrivacy
18/40
BREakINg THE glaSS:
PaTIENT PRIVaCY IN a MEdICal EMERgENCY
In a medical emergency where a patient is unable to authorize access to his or her medical records,
New Yorks policy purports to create a limited exception to the law that patient consent is required
beore the release o such records. Under the states break the glass policy, a provider who asserts a
need to see a patient s medical record in such an emergency can access the patients entire medical
records without consent.64 In addition to the lack o clear authority to promulgate such an exception,
the break the glass exception poses myriad problems. Even sensitive medical inormation subject
to speciic state and ederal conidentiality protections may be accessed, regardless o whether the
provider needs to see such inormation in order to treat the patient.
In all circumstances, New York law requires patient consent beore medical inormation can bereleased to a third party; there is no emergency exception to the law s straightorward requirement.65
Patients and providers may see the value in giving an emergency care doctor access to medical
inormation that could improve patient care. However, only the legislature has the authority to
create an exception under the law or emergency care. Should the legislature choose to do so, such
an exception should be limited to allowing providers access to only that inormation that is relevant
to the emergency.
14 New York Civil liBertieS UNioN
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
medical inormation is not included in the network.
Patients should also be aorded the opportunity to
mask or exclude demographic inormation rom a
patient registry or locator system while retaining
the ability to share medical records with specic
providers.62 Indeed, one can easily choose to have
an unlisted telephone number; why not have un-
listed medical records as well?
Once a patients medical inormation is included
in the network, the state should oer three
clear options regarding provider access to
such inormation:63
Opt in: Patients consent to make inormation
in their medical records available to specic,
designated providers through electronic inor-mation networks.
Opt out: Patients prohibit under all circum-
stances access to their medical inormation
through electronic inormation networks.
Opt out with exception: Patients consent to
make inormation in their medical records
available through electronic inormation net-
works only in the case o a medical emergency.
In addition to oering these patient consent
options, patients must be notiied in advance o a
providers joining an electronic records exchange.
his notice must clearly explain the manner in
which electronic medical records will be ac-
cessible, as well as the steps a patient can take
to exclude or limit the release o their medical
inormation through an HIE. his same notice
requirement should apply when the network o
providers with access expands, as or example,
when a hospital that has previously obtained
consent rom a patient adds new ailiates. Undercurrent consent policies, these ailiated providers
may gain access to the patients records. It should
not be let to the patient to continually check a
website to ind out whether new providers have
joined an exchange network.
-
7/30/2019 nyclu_PatientPrivacy
19/40
The states just iication or this policy appears to be based on another section o the publ ic health
law, which in act only permits an exception or providing emergency treatment in the absence o
inormed consent,66 not access to records. Even i the law could be interpreted to give a provider access
to medical inormation by virtue o his authority to treat without inormed consent, the provider
would only be entitled to inormation material to emergency treatment. But the inrastructure o
New Yorks network (an all-or-nothing approach to inormation sharing, as described herein) does
not provide a means to separate out and allow access to only that inormation that is directly
relevant to emergency treatment.
New Yorks model consent orm allows patients to decline consent or medical providers to access
their electronic medical records in a medical emergency. But exercising this option is predicated
on knowing that the networkand the break the glass policyexists. Patients are likely unaware
that their demographic inormation is electronically accessible or that their medical inormationcan be accessed in an emergency without their consent. Consider the patient whose doctor links
his practice to the electronic network the day ater the patients annual visit. The patient will not
learn that his records are part o an electronic system until his next annual check-up, a year later.
The only routine opportunity a patient has to decline provider access to her medical records in a
break the glass scenario will be during some later medical visit long ater the records have become
accessible through the system.
Individuals may not ully appreciate the potential
harm in having their health inormation accessible
until they no longer have the ability to reduce that
risk. Consider the patient who chooses a provider
or treatment o a sensitive, personal nature be-
cause the provider does not participate in an HIE,
only to learn at a later date that the provider sub-
sequently made his patient les available through
a medical records network. Te same concern may
arise when records in a regional health inorma-
tion exchange are included in a statewide network.
Patients who are willing to include their medical
inormation in a local HIE may want to prevent,
or to limit, the dissemination o that inormation
through a regional, state or national health inor-
mation network.
Patient Control o Inormation-Sharing
New York State has made two critical policy
decisions in creating the states electronic health
inormation exchange inrastructure. he irst
was to allow patient inormation to be uploaded
to the network without patient consent. he
second was to adopt an all-or-nothing model o
sharing inormation.67 When a patient consents to
allow a provider to access her medical inorma-
tion through an HIE, that provider will receive
any and all inormation contained in her record,
regardless o who provided the treatment; the
type o care received; the date it was provided; or
even its relevance to current medical treatment.
Consent automatically coners access to all inor-
mation in the patients record, including sub-
stance abuse treatment, mental health conditions,
abortion and other reproductive health care, and
testing and treatment or sexually transmitted in-
ections. In addition, consent is generally granted
to entire acilities; patients cannot speciy whichdoctors mayor may notaccess their records.
his kind o blanket consent stands in stark
contrast to the nuanced controls possible in the
world o paper records. And despite New York
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 15
-
7/30/2019 nyclu_PatientPrivacy
20/40
gRaNUlaR CONTROl OF PaTIENT INFORMaTION
The ability o an electronic data-sharing system to sort and segregate inormation is oten reerred to
as granular control or data segmentation. Patients and providers have the ability to exercise granular
control over health data when they can speciy which pieces o data rom a patients medical record to
include or block when that record is conveyed to a third party. In systems capable o granularization,
personal health inormation ideally can be sorted by data type (e.g., a blood test, a diagnosis, a
procedure); by provider (e.g., a gynecologist, a psychologist, an internist; or medical providers vs. oce
sta ); by time range (e.g., between x date and y date, within fve years, or or a 24-hour period or
emergency treatment); and by purpose (e.g., payment, care delivery, quality improvement, clinical
research or health services research).
Federal and state law provisions mandating confdentiality or certain types o medical inormation make
granularity an essential component o electronic health inormation exchange. Beyond the confdentiality
rules that apply to narrow categories o medical inormation like HIV and substance abuse treatment,
patients may have a desire to exercise granular control over inormation that they deem sensitive or a
variety o reasons, including ear o discrimination or misuse, a personal preerence or privacy, a valuation
o undamental autonomy, or because the inormation is erroneous. Likewise, providers may appreciate
granularity so that they can limit the vast amount o inormation they may be expected to review or any
given patient. On the other hand, providers may have concerns about the level o confdence they can
have in relying on an incomplete medical record where certain inormation may be restricted rom their
view at the request o a patient.
Allowing or granular control in health inormation exchange presents technological, conceptual, and
implementation challenges that policymakers must careully grapple with to achieve a balance that
satisfes legal requirements, the need or patient acceptance and engagement, and provider confdence.70
State and ederal law requirements that providers
share only that inormation which is medically
necessary or the patients current treatment,
New Yorks current policies and procedures do
not allow the sharing o inormation to be lim-
ited in this way. It is possible, however, to realize
the public health beneits o an electronic health
inormation network without requiring patients
to completely surrender control over inormation
contained in their medical histories. hese two
interests are not irreconcilable; they must
be balanced.
Tis principle o balance inorms an emerging na-
tional model regarding the collection and dissemi-
nation o medical records in electronic inormation
networks.68 Tis model recognizes that patients
must have discretion regarding which inorma-
tion is shared with what health care providers. And
patient choice, in this context, requires the capacity
to segregate data. Policy technicians use the phrase
granular control to describe this concept.69
Afer exhaustive deliberationsincluding no ewer
than nine public hearings conducted over the course
16 New York Civil liBertieS UNioN
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
-
7/30/2019 nyclu_PatientPrivacy
21/40
PaTIENT CONTROl OVER SENSITIVE HEalTH INFORMaTION
Once a patient consents to allow a provider to gain access to his or her medical records, the provider
gains access to everything in that patients recordsthere is no way to ensure that the provider only
sees inormation that is relevant to current treatment. This all-or-nothing approach to data sharing
orces patients to choose between giving a current provider access to their medical records and
maintaining uture control over sensitive health inormation. Once sensitive inormation enters into
the patients general medical record, there is no way to exclude it again. When patients are unable
to exercise granular control over inormation in their health records, there are serious ramiications.
Sexual Assault Care
Consider, or example, a patient who was raped in her twenties, and briely took antidepressants
to cope with trauma. New Yorks all-or-nothing system does not allow her to restrict access to
this sensitive inormation to those providers or whom it is medically relevant. I she were to seektreatment or a skin condition, she cannot share current medical inormation with her dermatologist
without also revealing this traumatic incident in her past. Each time the need or medical care
arises, she must determine whether or not to provide access to her medical records because her
assent means inorming the provider that she had been the victim o rape.
Reproductive Health Care
Abortion is controversial or some, yet 3 in 10 adult women will have an abortion at some point
in their lives.73 A woman who terminates a pregnancy may be concerned about making that
inormation available to anyone with access to an electronic network that contains her medicalinormation. She may want her current medical providers to have access to any inormation in her
medical history that may be relevant to her treatment, but she cannot do so without losing the
power to shield inormation about her abortion rom uture providers 10 years hence.
Substance Abuse Treatment
The level o stigma that attaches to those who have struggled with substance abuse is proound.
For this reason, inormation about substance abuse treatment is accorded the most stringent
conidentiality protection by law. While inormation about that treatment may be relevant or a
period o time, it becomes irrelevant or the medical provider treating that patient or a whollyunrelated condition 10 sober years later. The indiscriminate release o that medical history could
undermine both personal and proessional relationships, and the potential harm is not limited to
social stigma. Including inormation about past treatment opens the door to misuse o medical
inormation. A provider may rerain rom prescribing medically appropriate pain relie to a patient
who has been treated or substance abuse many years in the past based upon an assumption that
the patient is exhibiting drug-seeking behavior.
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 17
-
7/30/2019 nyclu_PatientPrivacy
22/40
THE MINEFIEld OF adOlESCENT CONSENT
For adolescents and their care providers, the ailure to allow or patient control o sensitive medical
inormation poses an insurmountable obstacle to the delivery o essential medical care. In New York
State, minors can consent to specifc types o health care, including reproductive health and certain
mental health treatment, without parental involvement (sometimes reerred to as minor-consented
services).75 While parents have a right to access their childrens medical records generally, parents and
uture providers may not obtain inormation about such minor-consented services, and doctors may
not share such inormation, without the minors permission. Ideally, a system should allow access only
by health care providers who have received the minors consent, while shielding that inormation rom
parents who routinely access their childs other medical records. New York does not allow segregation
o data in this way. As a consequence, many RHIOs simply exclude the medical records o all minors
between the ages o 10 and 18 rom the network altogethera practice that protects minors privacy
rights but deprives them o the potential benefts o health inormation exchange.76
In the case o a 15-year-old seeking testing and treatment or herpes, or example, his pediatrician would
like to enter this inormation in his chart. But the doctor has no way to prevent his patients parents
rom gaining access to this inormation when they request copies o their sons medical records. In a
world o paper records, the pediatrician could record this inormation on separate pages in the fle but
not release the confdential portion o her patients records when she provides a copy o the records
to a parent. In an electronic inormation-sharing system, the only way to protect this young persons
confdentiality is to exclude the patient rom the electronic-records system altogether. However,
excluding only those minors who have exercised their right to consent on their own to certain types o
medical care would signalto providers, parents and othersthat the minor has exercised that right,
which then compromises the right. A system that allows or granular control o medical inormation
would allow all minors to ully beneft rom participation in HIEs, while ensuring that those who need it
are assured confdentiality when they receive medical care o a sensitive nature.
o six yearsthe National Committee on Vital Sta-
tistics (NCVHS) concluded that patients condence
and trust in the integrity o an electronic health
inormation network is essential to its eectiveness;
and that creating trust in this enterprise requires
giving patients control over the release o personal
medical inormation. In 2010 the chairperson o the
NCVHS sent a letter to Kathleen Sebelius, secre-
tary o the U.S. Department o Health and Human
Services, making a strong case that the capacity to
segregate (and thereore the ability to restrict) the
release o patients health care inormation must be
context specic, and that granular segregation o
that inormation must be responsive to the specic
concerns o patients.71 Te Oce o the National
Coordinator o Health Inormation echnology, a
unit in the U.S. Department o Health and Human
Services, has taken a position that is consistent with
the analysis set out in the NCVHS letter.72
New York policymakers insist that existing
technological inrastructure does not have the
18 New York Civil liBertieS UNioN
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
-
7/30/2019 nyclu_PatientPrivacy
23/40
capacity to allow patients to control access to
medical inormation by data type, provider, time
range or purpose. But the vendors o electronic
health-inormation technology maintain that the
capacity to segregate data in health records is well
within reach.74 he technological and logistical
challenges o developing this data-segregation ca-
pacity are not insigniicantbut neither are these
challenges insurmountable.
National experts insist that the capacity to
achieve granular segregation o patient health
care inormation is a key goaland a critical
success actorin the implementation o health
inormation networks. Should the ederal gov-
ernment mandate as a condition o unding that
states develop the capacity to segregate patienthealth inormationa likely possibilityNew
York States electronic health inormation ex-
change system may ind itsel out o money and
lagging well behind the emerging consensus
regarding best practices.
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 19
-
7/30/2019 nyclu_PatientPrivacy
24/40
20 New York Civil liBertieS UNioN
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
Electronic sharing o health records promises
signiicant beneits. Ensuring that patients
are able to control who has access to what
parts o their medical histories is vital to this
endeavor. Providers and public health advo-
cates consider indispensible unettered access to
individual medical records that technology now
makes possible.
However, well-established law and policy have rec-
ognized that patients have the right to control access
to their private medical inormation. And indeed,
patients have always controlled access to their medi-
cal records. Whether one doctor even knew that her
patient was seeing another doctor depended entirely
on what the patient chose to share.
Allowing patients to retain a measure o control
over their medical records will increase condence
in the systems ability to saeguard condentiality.
Tis, in turn, will likely result in increased patient
and provider willingness to participate in electronic
health inormation exchange.
It is the position o the NYCLU that the state
should revisit policy choices that aect the ability
o patients to control the dissemination o their
personal medical inormation. Accordingly, we
oer 10 speciic recommendations designed to ac-
commodate patient concerns, and in turn, create a
more reliable inormation-sharing system.
CoNClUSioN
-
7/30/2019 nyclu_PatientPrivacy
25/40
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 21
reCoMMeNdatioNS
1.Ensure Patient and Provider Control
o Access and Inormation-Sharing.
Te state must require that the electronic
systems employed by HIEs have the capability to
sort and segregate medical inormation in order to
comply with guaranteed privacy protections o New
York and ederal law. Te inability to exercise this
kind o granular control over data poses an intrac-
table barrier to realizing the ull benets o healthinormation exchange. Tis limitation jeopardizes
patient condence, and it has led to the exclusion o
young peoples records rom the network. Without
the ability to exercise granular control over data in
the network, people who receive medical care that
requires strict condentialityor example, treat-
ment o conditions to which stigma attachesand
the providers who deliver that care may choose not
to share medical records in order to protect privacy.
Tis increases the risk o harm to both patients and
to the general public.
2.Ofer Patients the Right to Opt-Out
Altogether. Te state should revisit its
decision to upload patient inormation to
the system without patient consent. Barring that, the
state must adopt a policy that would allow patients
to a rmatively opt-out o the system so that their
medical inormation is not included in the network.
Te state should also ensure that a patients identiy-
ing inormation is not accessible by those who have
not obtained the specic consent o the patient.Providers who seek access to a patients medical
records do so by accessing a patient locator system
that contains the names o patients and some other
identiying inormation. Patient locator systems vary
by HIE, with some HIEs utilizing patient addresses.
For some, like domestic violence survivors, public
gures, crime victims and celebrities, allowing that
inormation to be accessible absent consent poses
a signicant risk o harm. For this reason patients
must be oered the option o being unlisted in
patient locator systems.
3.Require Patient Consent Forms to
Ofer Clear Inormation-Sharing
Options. Te state should revisit its policy
on consent to allow greater patient control over how
medical inormation is shared. Most consent ormsused by New York State RHIOs are inadequate. Tey
do not make clear that i the patient declines to sign
the orm, their inormation remains available in
an emergencyrustrating both patients who want
only emergency access and those who do not want
even emergency access. Consent orms should oer
patients three distinct options: to opt-in and allow
providers access to their electronic medical records,
to opt-out except in the event o a medical emer-
gency, or to opt-out altogether.
4.Require Notice to Patients When Teir
Providers Become Data Suppliers. Te
state must adopt a policy mandating that
providers notiy patients when the provider links
to HIE. In the absence o consent to upload patient
inormation, patients must be notied when inor-
mation about them rom their provider initially
become accessible through an HIE.
5.Guarantee the Right o Patients to
Correct and Amend Inormation.Current state law allows patients the right
to review and submit amendments to health inor-
mation held by individual providers.77 Te practice
o correction and amendment must be adapted to
ensure that a correction to any error is automati-
cally sent to any provider who has accessed the
patients medical records through an HIE. With
paper records, a patient need only correct inorma-
-
7/30/2019 nyclu_PatientPrivacy
26/40
22 New York Civil liBertieS UNioN
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
tion in one doctors le. But the implementation o
electronic records exchange amplies the impact o
any error, and erroneous inormation in a medi-
cal le can have a devastating impact on a patients
subsequent care.
6.Prohibit, and Sanction, the Misuse o
Medical Inormation. Te state should
adopt a policy that prohibits and strongly
sanctions the misuse o patient medical inorma-
tion obtained through an HIE. Providers misuse
health inormation when they use that inorma-
tion to discriminate against, mistreat or withhold
treatment rom patients. New Yorks all-or-nothing
system gives providers access to all o a patients
medical recordsregardless o how old the inor-
mation or how relevant it is or current treatment.State policies have rightly ocused attention on the
potential or breach as the state moves toward an
integrated statewide network o medical records,
but have not addressed the potential or the misuse
o such inormation. New York must protect pa-
tients rom potential bad actorsthat small minor-
ity o providers who may abuse inormation out o
ear, prejudice or malice.
7.
Mandate Redisclosure Prohibitions or
Tird Parties. Current state policies donot require HIEs to warn those who access
patient health inormation that redisclosing sensi-
tive medical inormation without patient consent
violates the law. While some RHIOs provide this
notice as a matter o course,78 state policy should
require HIEs to explicitly communicate to third
parties that redisclosure is prohibited and that
there are penalties or violating this prohibition.
8.
Prohibit Health Inormation Exchanges
rom Selling Data. Te New York StateLegislature should pass legislation
prohibiting HIEs rom selling patients private
health inormation. Tis prohibition should ap-
ply to records with or without a patients personal
identiers. Medical inormation must not be used
to target individuals or providers or promotional
pitches or advertising campaigns; nor should HIEs
be allowed to prot rom the sales and marketing
opportunities created by the release o inormation
in patients medical records.79
9.Careully Regulate the Use o
Commercially Available Personal
Health Records (PHRs). A number o
commercial vendors now oer patients the ability to
collect, store and manage their own medical inor-
mation online (such as Microsof HealthVault80).
Under existing law, it is unclear to what extent and
under what circumstances these commercial entities
are bound by HIPAA or New York State condenti-
ality laws.81 State law should extend condentiality
obligations and protections to private entities that
oer PHRs. I commercially available health records
systems are oered to New Yorkers as a way or them
to access and manage their own health inormation,the state must require that patients be warned o
privacy risks. Patients must also be given access to
their records without having to resort to a commer-
cial vendor.
10.Step Up Public Outreach Eforts.
Te state should engage in a ro-
bust and eective public outreach
campaign to ully inorm New Yorkers about the
implementation o HIEs. Tis public outreach and
education program must not be a mere promotion-al campaign.82 Patients require a basic understand-
ing o what is at stake, both in terms o risks and
benets, beore their medical inormation is linked
to an HIE. Tis is particularly important because
current New York State policy does not require
consent beore linking a patients medical records
to the network, and does not provide patients with
an option to decline participation. Inormed con-
sent must be the cornerstone to health inormation
exchange in New York, as has long been the case
with sharing physical records. Consent cannot beconsidered inormed i patients rst learn about
New Yorks network when they arrive at their doc-
tors oce.
-
7/30/2019 nyclu_PatientPrivacy
27/40
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 23
NYClUS iNvolveMeNt iN HieiMPleMeNtatioN iN NYS
The New York Civil Liberties Union at-
tended one o a series o early stakeholder
meetings convened by the New York State
Department o Health (DOH) in 2007 to garner
community input about the creation o an elec-
tronic health inormation exchange inrastruc-
ture. DOH has been the lead agency heading up
this state eort, but the department delegated
authority to develop the inrastructure and poli-
cies and procedures governing health inormation
exchange to the New York eHealth Collaborative
(NYeC). NYeC is a non-proit organization that
was ormed in 2006 to guide the development
o the states health inormation exchange and is
described as a public-private partnership.
NYeC and the DOH ormed the New York State-
wide Collaboration Process (SCP) to guide imple-
mentation and policymaking activities. Te SCP is
comprised o six work groups (Consumer and Pro-
vider Engagement, SHIN-NY Architecture, Privacy
and Security, Public Health, Collaborative Care,
and EHR Implementation) along with a Policy
and Operations Council (POC), which reviews the
activity o the work groups and reports directly to
DOH and NYeC.
In 2008, the SCP issued a white paper outlining
consumer consent policies and procedures, and
the NYCLU responded to SCPs call or public
comment. In response to the NYCLUs comments,
and our organizations expertise regarding minors
right to condential health care, the NYCLU was
invited to participate in a subgroup ormed by the
Privacy and Security Work Group (PSWG), deal-
ing solely with issues o minors condentiality
and consent. Te NYCLU participated in a smaller
task orce ormed rom that subgroup (the minor
consent iger eam), charged with identiying
solutions to the problem o protecting minors
condentiality in HIE. Te iger eam submit-
ted a white paper in July 2010 calling or ederal
guidance on the issue to the O ce o the National
Coordinator or Health Inormation echnology
(ONC). In February 2011, the NYCLU secured
a position with the PSWG where it advocates on
behal o consumer privacy interests in the states
ongoing process o developing privacy and security
policies and procedures.
-
7/30/2019 nyclu_PatientPrivacy
28/40
-
7/30/2019 nyclu_PatientPrivacy
29/40
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
New York Civil liBertieS UNioN 25
eNdNoteS
1 Mark A. Rothstein, The Hippocratic Bargain and Health Inormation Technology, 38 Journal o Law, Medicine
& Ethics, 7, 7-8 (2010) (In efect, physicians and patients entered into a Hippocratic bargain. Physicians,explicitly or implicitly, said to their patients: Allow me to examine you in ways that you would never
permit any stranger, and tell me the most sensitive inormation about your body, mind, emotions, andliestyle. These intrusions upon your privacy are essential in providing you with sound medical care.).
2 The Statewide Collaboration Process, Privacy and Security Policies and Procedures or RHIOs and theirParticipants in New York State Version 2.2 (April 1, 2011) (NYS Privacy and Security Policies), available at
http://nyehealth.org/images/les/File_Repository16/pd/nal%20pps%20v2.2%204.1.11.pd.
3 New York State Health Inormation Exchange Operational Plan , New York eHealth Collaborative (NYEC)(NYs Operational Plan) 6-10 (Oct. 26, 2010), available athttp://www.nyehealth.org/images/les/File_Repository16/pd/nys_hie_operational_plan_2010.pd; New York Regional Health Inormation
Organizations (RHIOs), New York eHealth Collaborative (NYEC), last visited May 20, 2011, available athttp://www.nyehealth.org/index.php/resources/rhios. New York State has chosen to accomplish this through a
public-private partnership rather than through regulation or law.
4 Security breaches have increased as the adoption o electronic medical records exchange has increased:the number o reported breaches has increased by 32 percent between 2010 and 2011. Each securitybreach costs a culpable institution an average o $2.2 million. Ponemon Institute, Second Annual
Benchmark Study on Patient Privacy and Data Security(December 2011), available at http://www2.idexpertscorp.com/assets/uploads/PDFs/2011_Ponemon_ID_Experts_Study.pd.See also Nicole Perlroth,Digital Data on Patients Raises Risk o Breaches, N.Y. Times (Dec. 18, 2011) (reporting on the thet o alaptop computer rom an employee o the Massachusetts eHealth Collaborative which potentially
exposed over 13,500 patients private dataan identity thet gold mine.). Liability or security breachesoten rests on health care providers who entrust not-or-prot groups like RHIOs because under ederallaw, the legal burden o protecting patient data alls on . . . physicians and hospitals. Id. See also Kevin
Sack, Patient Data Posted Online in Major Breach o Privacy, N.Y. Times (Sept. 8, 2011) (HHS revealed thatthe PHI o more than 11 million people has been improperly exposed during the past two years alone.
Since passage o the ederal stimulus package, which includes provisions requiring prompt publicreporting o breaches, the government has received notice o 306 cases rom September 2009 to June
2011 that afected at least 500 people apiece. A recent report to Congress tallied 30,000 smaller breachesrom September 2009 to December 2010, afecting more than 72,000 people. The major breaches a disconcerting log o stolen laptops, hacked networks, unencrypted records, misdirected mailings,
missing les and wayward e-mails took place in 44 states.); Kevin Sack, Patient Data Landed Online
Ater a Series o Missteps, N.Y. Times (Oct. 5, 2011) (The medical records o close to 20,000 patients wereposted online or nearly a year because the hospitals billing contractors marketing agent used anelectronic spreadsheet with patient data as part o a skills test or a job applicant, who then posted the
data on a public website. The marketing agent explained the breach as a chain o mistakes which are artoo easy to make when handling electronic data.).
5 See National Consumer Health Privacy Survey 2005, Caliornia Healthcare Foundation, 17-21 (2005) (notingthat one 1 o every 8 people surveyed engaged in some type o privacy-protective behavior such as
going to a new doctor to avoid telling their regular doctor about a condition, paying their doctor not torecord their health inormation, or deciding not to be tested out o concern that others might nd out);
-
7/30/2019 nyclu_PatientPrivacy
30/40
26 New York Civil liBertieS UNioN
Protectin Patient Privacy:StrategieS For regUlatiNg eleCtroNiC HealtH reCordS exCHaNge
Deborah C. Peel, Your Medical Records Arent Secure, The Wall Street Journal (Mar. 23, 2010), available at
http://online.wsj.com/article/SB10001424052748703580904575132111888664060.html.
6 See Jenna Wortham, Facebook Glitch Brings New Privacy Worries, N.Y. Times (May 5, 2010). Ater a spate ochanges to privacy settings on Facebook, millions o users voiced their unease with the companys privacy
policies. A leading privacy group led suit against the company with the Federal Trade Commission;
settlement o the dispute now requires Facebook to obtain armative express consent beore allowingpersonal data to be shared more broadly than a user species. See Somini Sengupta, F.T.C. Settles Privacy
Issue at Facebook, N.Y. Times (Nov. 29, 2011). See also Frances Martel, Facebook Privacy Settings AttractAnother Congressional Inquiry, Mediaite.com (Feb. 5, 2011), available athttp://www.mediaite.com/online/
acebook-privacy-settings-attract-another-congressional-inquiry.
7 Rothstein, supra note 1. The classic oath contained the wise dictum: What I may see or hear in thecourse o the treatment or even outside o the treatment in regard to the lie o men, which on noaccount one must spread abroad, I will keep to mysel, holding such things shameul to be spoken
about. See Peter Tyson, The Hippocratic Oath Today(March 27, 2001), available athttp://www.pbs.org/wgbh/nova/body/hippocratic-oath-today.html (translation rom the Greek by Ludwig Edelstein,
citing The Hippocratic Oath: Text, Translation, and Interpretation, by Ludwig Edelstein. Baltimore: JohnsHopkins Press (1943)). A modern version o this portion o the oath holds: I will respect the privacy o
my patients, or their problems are not disclosed to me that the world may know. Id. (The modern oathwas written 1964 by Louis Lasagna, Academic Dean o the School o Medicine at Tuts University andhas been used in many medical schools).
8 Audiey C. Kao & Kayhan P. Parsi, Content Analyses o Oaths Administered at U.S. Medical Schools in 2000,
79.9 Academic Medicine, 882-87 (2004), available athttp://journals.lww.com/academicmedicine/Fulltext/2004/09000/Content_Analyses_o_Oaths_Administered_at_U_S_.15.aspx?WT.mc_
id=EMxALLx20100222xxFRIEND# (stating 129 o a total 141 medical schools in the United States explicitlyaddressed the need or physicians to protect a patients condentiality in the oath administered tostudents); In addition, the AMA describes its own Code o Medical Ethics directive on condentiality in
this way: Inormation disclosed to a physician during the course o the patient-physician relationshipis condential to the utmost degree. See Patient Physician Relationship Topics: Patient Confdentiality,
American Medical Association, last visited May 18, 2011, available athttp://www.ama-assn.org/ama/pub/physician-resources/legal-topics/patient-physician-relationship-topics/patient-condentiality.page.
9 Health Insurance Portability and Accountability Act, Public Law (PL) 104-191, 110, 1936 (1996); SeeAngela Choy, Leigh Emmart, Joanne Hustead, & Joy Pritts, The State o Health Privacy: A Survey o State
Health Privacy Statutes, Health Privacy Project, Georgetown University (2002), available athttp://ihcrp.georgetown.edu/privacy/pds/statereport1.pd (part 1) & http://ihcrp.georgetown.edu/privacy/pds/
statereport2.pd (part 2).
10 American Recovery and Reinvestment Act (ARRA), Public Law No. 111-5, 13401-13424 (2009) (codiedat 42 U.S.C. 17935).
11See e.g., conidentiality