Patient privacy in a digital world

May 31, 2008
People with behavioral health problems may be particularly sensitive about having their health information shared

During the past decade, behavioral healthcare has seen the advent of new technologies for capturing patient data. In fact, the conversion of paper records to electronic medical records (EMRs) has been identified as a national healthcare priority by a presidential executive order. Such changes have generated many challenges and opportunities for behavioral healthcare organizations looking to capture information about their services' quality, ensure patient safety, and protect patient privacy in an electronic environment.

Legal Considerations

The federal government has set some ground rules for using patient data. Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, protected health information (PHI) may be disclosed for “primary” purposes, including treatment, payment, and program operations, without obtaining a patient's specific written authorization. However, the Privacy Rule does mandate that an organization's privacy policies and practices be explained in writing to patients prior to service.

The Privacy Rule also allows covered entities to disclose PHI for “secondary” purposes without patient authorization for a number of broad national priorities, including research. The Privacy Rule grants law enforcement access to PHI without court approval or oversight. HIPAA defers to state privacy laws, including those that govern mental health or substance use treatment, if they provide more stringent patient privacy protections.

HIPAA isn't the only national regulation in town. The federal Confidentiality of Alcohol and Drug Abuse Patient Records law (42 CFR Part 2) was enacted decades earlier, providing significantly greater privacy protections for individuals receiving substance use treatment. The law prohibits the unauthorized disclosure of information about substance use treatment for purposes that would be permitted under HIPAA. There are few exceptions to the stringent privacy protections of 42 CFR Part 2.

Advantages of Using Patient Information

Dr. Eric Goplerud, director of Ensuring Solutions to Alcohol Problems in the Department of Health Policy at George Washington University Medical Center, notes that sharing personal health information for primary purposes has several recognizable benefits, particularly when substance use is involved. “A very important one is just straight patient safety,” he explains. “There are any number of medications that interact very negatively with alcohol use.” Dr. Goplerud points out that a patient can prohibit a provider from sharing information about his/her substance use treatment, but the law permits disclosure in medical emergencies without patient permission (the disclosure must be documented by the disclosing treatment provider).

Speaking specifically about the secondary use of health information, Harry Rhodes, director of practice leadership at the American Health Information Management Association, says, “It does help you to identify trends. It helps you to monitor treatment and the success of that treatment.”

Privacy Concerns

Yet some advocates of patient privacy rights argue that regardless of whether information is being used for primary or secondary purposes, patients should have direct control over who sees their health record and how it's used. They have identified a host of problems around advertent and inadvertent data disclosure, and these problems may be compounded for individuals receiving treatment for mental health or substance use disorders.

Dr. Goplerud notes that “in a number of states, if a woman gives birth and tests positive for drugs, particularly cocaine, her baby may be taken away and put in foster care…. Information about one's mental or substance use treatment can and is used in the courts around custody disputes. And so there's this retaliation that may take place.” He adds that disclosure of substance use or mental illness can lead to difficulties in obtaining health or life insurance, could jeopardize employment, and could result in a loss of benefits. Thus, patients may feel the need to protect potentially pejorative types of their PHI from all but specifically designated caregivers or authorities.

Ensuring Privacy

Ensuring that advertent or inadvertent data disclosure will not occur is particularly challenging in an electronic environment, in which third-party vendors often develop and maintain provider databases. Dr. Deborah Peel, founder and chair of the nonprofit organization Patient Privacy Rights, suggests that to protect patient privacy, behavioral healthcare executives should closely examine their vendor contracts. “You should never use a vendor that ever wants to own or data mine protected health information,” she says. “But a great many of them have that in their contracts as a way of helping to pay for the infrastructure.”

Rhodes agrees that contracts should contain clear agreements between parties on how the information will be used and shared. “Once a secondary database has the information, they could rationalize using it for different purposes, only to find out the original owner didn't agree with the use of the data for that purpose, because it was not clearly stated in advance,” he says. If data are to be analyzed for secondary purposes, Rhodes suggests making certain that third-party vendors agree to properly deidentify the data, “removing all of the data elements that HIPAA recommends.”
