‘Patient-Controlled Encryption’ May Help Achieve EHR Privacy

You go to a Web site and make an online purchase using a credit card. Happens all the time.

The reason your credit card information is (reasonably) secure is that the number has been "encrypted"—converted into code that will be meaningless to a third party trying to make use of your card number.

Now, imagine that access to a patient's electronic health record required an encrypted code, and that the code was solely owned by the patient. That, in abbreviated form, is what "patient-controlled encryption," or PCE, might look like. Also, it is one answer to the challenge of how to expand the use of electronic health records (EHRs)—with all of the promised benefits to public health research and system efficiency—while protecting the security and confidentiality of patient health records.

"Encryption is known as the lock and key of the information age," says Montpelier, Vt., psychiatrist Stuart Graves, M.D.

Graves has worked to educate physicians about PCE through the Vermont Medical Association, as well as through APA's Assembly. He and Alice Silverman, M.D., president of the Vermont Psychiatric Association and a representative to the APA Assembly, wrote a resolution urging APA to advocate for the study of PCE.

"Patient-controlled encryption gives patients the keys to encrypt and decrypt their own record and thus control access, just as we control access to our homes with keys for the outside and inside doors," he told Psychiatric News.

Graves said that while public health research will benefit from EHRs, the aggregation of medical information also makes those records vulnerable to data mining by third parties for nonbeneficent purposes.

"With paper records, the physician or hospital that owns and insures the paper record's existence also controls access, and historically this has worked adequately," Graves told Psychiatric News. "Individual records of VIPs or relatives of employees may be compromised by break-ins and snooping, but the aggregate of records and their information in paper remains safe. Nobody backs a truck up to a room full of paper records and drives away with them all."

The situation is different with EHRs. "The benefits of EHR—access to the same complete record across the lifespan and whether a person is in Seattle or Burlington, and the ability to do research—come with a new vulnerability that does not exist for paper records," Graves explained. "The interconnectivity that allows access regardless of location creates a virtual single repository. The indexing, retrieving, and sorting of electronic data that enable research also enable the same for nonbeneficent purposes, such as data mining."

Graves said that no matter how good the security employed by an administrative system overseeing access to medical records—say, one of the new health exchanges envisioned in the health care reform law—it will remain vulnerable to compromise. "So PCE breaks the aggregate into individually accessible pieces, with the code for access controlled by the patient," Graves said. "PCE is that simple in principle. The inevitable failure of trying to protect the entire aggregate of records with a few keys held by a few people is why we need it."

Nonetheless, technical questions remain about how well PCE would work across health care systems and patient care settings. A central problem confronting the expansion of EHRs is "interoperability"—the ability of diverse computer systems to "talk" to each other as they attempt to share data.

"I do think it is an interesting idea and incorporates many of the principles that I would see as crucial for EHRs such as granular privacy protections with patients having control over who can access their information and when access can occur," Laura Fochtmann, M.D., chair of APA's Committee on Electronic Health Records, told Psychiatric News. "However, it is not clear to me how feasible patient-controlled encryption would be across all settings of care and all patients."

Children's Hospital in Boston has developed a patient-controlled electronic health record called "IndivoHealth." According to the hospital's Web site, the Web-based technology "allows patients to own and control—not merely view—a single, unified, complete medical record that integrates health information gathered across different sites of care over their lifetime.

"Patients have complete authority to grant or withhold access to their record by individuals or institutions," according to the hospital's Web site. "However, if patients wish, their data can be used for research and public health surveillance, retaining complete confidentiality and security. Children's Hospital Boston has adopted Indivo as the medical records system for all its patients and will begin piloting its use in the near future."

Silverman said she believes PCE is an option that should be explored.

"We use encryption all the time," Silverman told Psychiatric News. "Patient-controlled encryption would seem to offer protection of privacy while also enabling the promise of electronic health records. I encourage other psychiatrists to become educated about PCE."