Op-Ed: Patient Privacy is Placed at Risk in the Digital Age (Buffalo News)

No doubt you’ve sat in an examination room as a doctor scrawled notes about your treatment or diagnosis. You’ve probably had to describe your medical history to new doctors, or endured the hassle of transferring your paper records from one physician to another.

Those cumbersome paper records are disappearing as doctor’s offices — like most things these days — go digital. New York State has invested more than $840 million in developing electronic information-sharing networks for medical records. A dozen existing regional networks will eventually allow health care and insurance companies to easily access a patient’s complete medical history. Ultimately, these networks will connect to a national network.

This transition promises many benefits, but without careful planning, electronic medical records will pose a genuine threat to privacy.

Like all electronic records, networks of medical records are vulnerable to data mining, security breaches and other abuse. More importantly, the state’s current health information sharing system strips patients of control over who accesses what information.

When doctors join electronic networks, their patients’ medical records are uploaded to the network without the patients’ consent. And when a new provider asks a patient for consent to access the network, New York’s all-or-nothing approach deprives the patient of the ability to share portions of her records without revealing her entire medical history. There are good reasons why people might want to withhold certain information from new doctors. For example, while you want your primary care doctor to have access to information about your allergies, past surgeries and vaccinations; you may not want your optometrist or podiatrist to know that you were treated for a sexually transmitted infection 10 years ago.

As the transition to electronic records proceeds, policy makers must take several steps to protect patient privacy. First, individual medical records must not be uploaded to electronic networks without patients’ consent.

Second, patients must control who can access what kinds of information about them. To accomplish this, and to comply with state and federal privacy laws, the state’s information-sharing network must be designed to sort and segregate medical information. Currently, it does not have this crucial capability.

And third, policy makers must place limits on how personal medical information is shared. They should prohibit the electronic networks from disclosing or selling people’s medical data to third parties without patient consent. They should also prohibit and sanction the misuse of medical information.

With these protections, patients can reap the benefits of shareable electronic medical records and have confidence that their privacy is secure.

Carey is assistant legislative director of the New York Civil Liberties Union.