New NYCLU Report Reveals Privacy Threats in Sharing of Electronic Health Records

March 6, 2012 —  Policymakers must take steps to better protect patient privacy as New York State develops electronic networks for sharing people’s medical records, according to a report released today by the New York Civil Liberties Union.

“Easily shareable electronic health records clearly can improve the quality of medical care, but without careful planning, they also pose a genuine threat to privacy,” NYCLU Executive Director Donna Lieberman said. “Policymakers must ensure that private medical information is secure and that patients have control over who can access their medical records.”

The state already has invested more than $840 million in developing electronic information sharing networks for medical records. A dozen existing regional networks will eventually allow health care and insurance companies to easily access a patient’s complete medical history. Ultimately, these networks will connect to a national network.

The NYCLU's new report, Protecting Patient Privacy: Strategies for Regulating Electronic Health Records Exchange, maintains that there are significant flaws in the state’s current privacy and security policies and procedures governing computer networks for sharing electronic medical records.

Most significantly, the state’s current health information sharing system strips patients of control over who accesses what information in their medical records. Once a patient consents to allowing a provider access to her medical records, the provider sees everything that was ever uploaded to the network about that patient, regardless of whether the information is relevant to current treatment.

“There are good reasons why people might want to withhold certain information from new doctors,” said NYCLU Assistant Legislative Director Corinne Carey, author of the report. “For instance, while most people want their primary care doctor to have access to information about their allergies or past surgeries; they may not want their podiatrist to know they were once treated for a sexually transmitted infection.

“When patients lose control over their medical records, they can lose faith in their doctors. They may withhold critical information or avoid treatment altogether.”

The report offers policymakers 10 recommendations to protect patient privacy as the state develops a centralized system for sharing electronic medical records. Those recommendations include:

  • Require that the electronic systems employed by HIEs have the capability to sort and segregate medical information in order to comply with guaranteed privacy protections of New York and federal law. Presently, they do not.
  • Offer patients the right to opt-out of the system altogether. Currently, people’s records can be uploaded to the system without their consent.
  • Require that patient consent forms offer clear information-sharing options. The forms should give patients three options: to opt-in and allow providers access to their electronic medical records, to opt-out except in the event of a medical emergency, or to opt-out altogether.
  • Prohibit and sanction the misuse of medical information. New York must protect patients from potential bad actors—that small minority of providers who may abuse information out of fear, prejudice or malice.
  • Prohibit the health information-sharing networks from selling data. The State Legislature should pass legislation prohibiting the networks from selling patients’ private health information.