Protecting Patient Privacy: Strategies for Regulating Electronic Health Records Exchange maintains that there are significant flaws in the state’s current privacy and security policies and procedures governing computer networks for sharing electronic medical records. Most significantly, the state’s current health information sharing system strips patients of control over who accesses what information in their medical records. Once a patient consents to allowing a provider access to her medical records, the provider sees everything that was ever uploaded to the network about that patient, regardless of whether the information is relevant to current treatment. The report offers policymakers 10 recommendations to protect patient privacy as the state develops a centralized system for sharing electronic medical records. Those recommendations include:
- Require that the electronic systems employed by health information exchanges (HIEs) have the capability to sort and segregate medical information in order to comply with guaranteed privacy protections of New York and federal law. Presently, they do not.
- Offer patients the right to opt out of the system altogether. Currently, people’s records can be uploaded to the system without their consent.
- Require that patient consent forms offer clear information-sharing options. The forms should give patients three options: to opt in and allow providers access to their electronic medical records, to opt out except in the event of a medical emergency, or to opt out altogether.
- Prohibit and sanction the misuse of medical information. New York must protect patients from potential bad actors—that small minority of providers who may abuse information out of fear, prejudice or malice.
- Prohibit the health information-sharing networks from selling data. The State Legislature should pass legislation prohibiting the networks from selling patients’ private health information.