Electronic health records (EHRs) have many real or potential advantages, but those need to be balanced against equally real and potential opportunities for breaches of privacy, confidentiality, and security, said speakers at the APA Institute on Psychiatric Services in Philadelphia in October.
Done right, EHRs could help physicians coordinate a patient’s care, reduce prescribing errors and drug interactions, and speed administrative tasks and claims processing, said U.S. Air Force Col. Daniel Balog, an assistant professor of psychiatry at the Uniformed Services University of the Health Sciences in Bethesda, Md.
EHRs could also help patients fill out forms, answer screening protocols such as the PHQ-9, and monitor their health information.
Special issues arise for psychiatrists, Balog noted. On which servers will psychotherapy notes reside, and who will be authorized to access them? How will patients’ concerns about EHR vulnerabilities affect their sense of trust and influence how psychiatrists record diagnostic details?
“Privacy is the patient’s right,” said Zebulon Taintor, M.D., a psychiatrist in private practice in New York. “Confidentiality is what the doctor does to keep the patient’s information between doctor and patient. Security is what others do.”
And security is the most problematic area for Taintor. Outsiders, he maintained, want to break into EHRs for three reasons: to steal money, identity, and patient data.
To get money, thieves go after credit-card information and bank-account numbers.
Others look for insurance identification numbers. A stolen Medicare card is worth $100 these days, he said. Identity theft can cause the patient to lose insurance coverage, be asked to pay for health care someone else received, or have their credit rating downgraded.
Less often, adverse medical data about a patient may fuel custody battles, employment background checks, or landlord-tenant feuds, he said.
“Technology is getting ahead of protection, and theft gets easier as data are connected in a chain,” said Taintor. “When doctors connect with a hospital system, for instance, it puts all their data at risk.”
The clinical process may also be affected if a patient fears security breaches. Patients may not disclose previous diagnoses such as cancer, mental illness, or sexually transmitted diseases, for example, worried that such medical information could eventually harm them.
Protecting medical information calls for action by patients, physicians, and organizations, said Taintor.
“Patients should look carefully at their Explanation of Benefits for services they did not receive and should protect their health insurance ID cards,” he stated. “If security is breached, they should notify doctors, insurers, hospitals, the police, and the Federal Trade Commission and then check their credit reports.”
Physicians’ offices must institute good computer security practices, such as cancelling passwords once an employee leaves the job, he pointed out. “Think as if you are an organization.”
That’s what Taintor does. When he works with an actual organization, he follows all its health information policies and procedures. In his private practice, he files patient data in a computer that is never connected to the Internet. He uses different passwords when possible and turns off all computers when they are not in direct use.
And perhaps the field missed another alternative, he said. At a panel on EHRs at the APA annual meeting in 2012, Taintor asked who in the audience would prefer adopting an old tried-and-true system for ensuring medical-record security like that used by the Department of Veterans Affairs. Everyone in the room applauded.