The New York Civil Liberties Union yesterday submitted comments to the New York State Department of Health warning the department that its current proposed regulation for electronic health records poses significant privacy concerns for patients. The regulation fails to guarantee patients adequate control over who accesses what information in their medical records. For example, once a patient consents to allowing a provider access to their medical records, the provider may see everything that was ever uploaded about that patient, whether or not the information is relevant to current treatment.

“Easily shareable electronic health records can improve the quality of medical care, but without proper technology and regulation, they can also raise serious privacy concerns,” NYCLU Executive Director Donna Lieberman said. “There are plenty of reasons why people might want to withhold information from some doctors. Some people may want to share their general medical records with their neighborhood doctor, but not highly sensitive information such as a record of an abortion, sexual assault or previous substance abuse problem. If patients cannot exercise this level of control over their medical information, we cannot enjoy all the benefits of the electronic health records system.”

The Statewide Health Information Network for New York allows health care providers to share medical information with each other. The proposed regulation, submitted for public comment in November, would provide rules for how health records within the network could be shared and with whom. As proposed, the regulation would not give patients adequate control over their medical information, while ignoring state laws which provide added protections, including protections regarding the medical records of minors. They would also give the government broad access to health records beyond what current law requires and they would allow health care providers emergency access to health records despite there being no state law authorizing such access.

In the comments submitted to the Health Department, the NYCLU makes the following recommendations:

  • Patients should have the right to exercise granular control over their medical information.
  • Minors should generally have control over the sharing of their medical records where they consented to the medical treatment.
  • The regulation must make clear that a public health agency is entitled to access only that information to which it is authorized by law, and nothing more within a patient’s medical records.
  • The Health Department should not allow emergency access to medical records that is not permitted by law.
  • The Health Department should require consent to upload data or, at the very least, guarantee patients a choice to opt out of upload.

Many of the same concerns raised in the comments submitted this week have been voiced for years by the NYCLU, including in the 2012 report, Protecting Patient Privacy: Strategies for Regulating Electronic Health Records Exchange.

“When it comes to the health and privacy of New Yorkers, we cannot afford to take any shortcuts. The proposed regulation does not go nearly far enough in protecting our privacy,” said NYCLU Senior Staff Attorney Mariko Hirose. “New York needs to invest in a health care network that is fully capable of respecting the privacy of people’s most sensitive information.”