
Coordinating Center Protections of Human Subjects

The use of electronic medical records is no longer equivocal, including electronic linkage of medical records at both the system level and at the individual level of service utilization. Indeed, personal health data have become a refined commodity that has considerable worth in the health care marketplace. However, computerization of health data is being accomplished without the knowledge or permission of health care recipients. Policies regarding security and control of medical records have not been evaluated in terms of the impact on health consumers, nor have their voices been represented in consensus-building activities around standards.

Government and industry have failed in the past to promote rigorous standards and penalties that would prioritize the rights of individuals to determine appropriate access and use of medical information. Even though policy-makers are health consumers, the individual perspective is submerged in the development of protocols and standards by a hegemonic system perspective based on the office and function of the participants. There is also an eagerness in government to use medical and behavioral health information as a means to control social behavior. Instances where ethical concerns have been put aside in the service of public policy are not new to our history. This problematizes the role of government as the protector of medical privacy. Today, legislation may well allow federal and state agencies the very type of access that once was only gained through covert activities. In addition, there appears to be little vision or incentive to develop systems that would facilitate broad and meaningful consumer control of their health records, and consequently, the concerns and solutions of health consumers as reflected in the national polls and surveys have not been adequately addressed in the health privacy debate. Therefore, any abstract balance of the rights of the individual against the welfare of the nation that is championed by policy-makers is strictly in the eyes of only those present at the bargaining table.

People care deeply about their medical privacy. It is clear that an improperly thought out and implemented data system can result in invasion of privacy, personal surveillance, abridgment of constitutional rights, inappropriate monitoring and control of individuals, and access to personal data for private profit or criminal use. With the risks of exposure of medical records multiplying, we read or hear of others who have lost insurance, jobs, housing, or suffered public humiliation because of something in their medical records. Inadvertent breaches of confidentiality, health data searches by law enforcement agencies, and the myriad of data merging activities now taking place have created a chilling effect on people who seek medical help. People do not tell the whole story to doctors if they fear that they or friends and relatives will be harmed due to leaks in the health information system or that Big Brother is watching. It is the expectation of privacy that leads to trust in the doctor-patient relationship. Stigmatized populations such as people with mental illness, HIV/AIDS, or alcohol and substance abuse problems are most vulnerable to violations of health privacy since the practical consequences of being identified are extreme. Medical privacy looms over their everyday lives and must be addressed within the critical context of civil liberties.

Protocols protecting health data are in a regulatory gray zone. The important ethical questions that behavioral health providers and services researchers now face in their investigations have seldom been addressed. As the federal government initiates national medical privacy standards that can accommodate the new technologies, it is important to recognize that promises of better services are not compelling for either the general public or for stigmatized populations. Public attitudes in general reflect overwhelming support for more controls regarding medical privacy. On the other hand, most efforts to develop medical privacy standards in the United States proceed from the assumption that access by third parties, including provider networks, billing companies, law enforcement, and researchers, is necessary, and most protections being drafted accommodate demands for data linkage and transmission. Further, mandating privacy protocols and technologies packed with security features is useless if people do not aggressively use them. While rules and regulations can provide pressure to control abuse, without the development of a profound respect by all constituencies for the value and worth of individual consumers, compliance is inextricably subverted. Many people fail to realize that they are treating others in disrespectful, dehumanizing ways when they carelessly handle a health record, or when they begrudgingly follow security protocols. Perhaps the stigmatized role of consumers and the "them" and "us" mentality of professionals contribute to the lack of genuine concern.

One of the most disturbing claims to override the consumers’ rights to confidentiality is the need for outcome studies. Such studies may involve not only the use of psychiatric records without consent, but may require that service recipients fill out highly intrusive questionnaires as a condition of their treatment. Consumers question the value of this type of research, and ask if system values, in this instance the potential for lower costs and more effective treatment modalities, trump the value of respect for individual autonomy?

In order to empower the individual health consumer, to reposition their concerns within the center of the health privacy debate, it is necessary to introduce to the policy-making process the concept of consumer ownership of medical records, and for policy-makers to accept the fact that Americans do not want new laws that will expand the use and disclosure of identified health information. Rather, the public wants to be genuinely protected and medical privacy enhanced through the enforcement of long established privacy principles based on constitutional and statutory law, common law, the Hippocratic oath, the canons of medical ethics, and common sense.

With the computerization of health records, the risks of data collection cannot be separated from the medical interventions it documents. Most people do not realize who sees their medical data. Self-insured employers often review medical information such as doctor’s bills and prescription records to track their health plan’s expenses. HMOs often require detailed data about patients before they approve treatment. In some states regulators collect Social Security numbers and other data about every person who enters a hospital or alcohol/drug treatment center. Furthermore, with the emphasis on patient tracking and controlling health costs through outcome based decision-making, the potential for misuse of health data in services research has increased enormously as researchers have liberal access to records, including those of people with stigmatized conditions. Therefore, policies and procedures for the protection of consumers within a health data system should be mandated, and protections now accorded to research subjects should apply to health data subjects.

At the core of such protections is the concept of informed consent. Consumers want to control the use of their records, and for the sharing of health information to be voluntary. Therefore, any use of medical records should require the consent of the consumer. The inclusion of consumer data within electronic databases of unified records or management information systems should also be voluntary and follow informed consent protocols. Without specific informed consent, clinical records should not be retrospectively integrated into an information system. Data sharing and integration between agencies and systems may pose problems with regard to breaching both consumer and family confidentiality. An informed consent protocol regarding release of information between agencies or for storage in a data bank should be required before any data is synthesized or integrated. If services should not be denied to consumers who decline to give consent, consumers also need to be able to "opt out" of an electronic record system (that is, the organization would keep a person’s health records in paper form with some limited exceptions). Therefore, procedures should also be developed and implemented for consumers to dis-enroll or decline enrollment in an information system (except for minimal necessary data required to deliver services) without penalty. They also want time limits on data storage to be specified and data destruction and removal protections developed and implemented when a person is no longer in the health system.

Equally important to consumers is the right to full access to all personally identifiable medical records. No records should be kept secret. Access to clinical and management information system data by service recipients should be supported with protocols developed for individuals to review and amend their records, or remove any inaccurate, irrelevant or out-of-date information.

A comprehensive protocol to ensure data security should be implemented. The methods used for data storage and distribution should be explicit, and storage and distribution practices should be periodically audited for compliance. Records in storage or transit should be encrypted. Audit trails should track each access to an individual’s file. Policies and procedures should also be developed for protections of consumer confidentiality when using cellular phones, facsimile machines, automated information systems with multiple access points, and other technologies that are used to store, analyze, and transmit information. The use of a person’s Social Security number as a unique identifier should be discouraged as well, since this identifier provides the means to link private nonmedical information, and is particularly vulnerable to fraud.

Ultimately, preceding use of consumer records, the policies and procedures developed for the protection of human subjects within the data systems should be reviewed by a panel to evaluate the adequacy of human subjects’ protections in the collection, analysis, storage and distribution of information. These review panels should be based in the community. With local oversight shared by community members, and especially by members of stigmatized or underrepresented populations, the interests of a review panel would be broadened and become responsive to the health privacy needs of individual consumers rather than health organizations and research institutions.

Currently, where laws do guarantee to individuals medical privacy, exceptions proliferate and penalties are few. In order for penalties to be a deterrent against unauthorized disclosure, substantial criminal and civil fines should be imposed for actual or attempted unauthorized access, disclosure, or use of medical information. Individuals should be able to enforce rights and obtain damages and related costs in civil court. Further, an independent agency should be created to conduct oversight and enforce the provisions of any federal medical privacy law.

At the heart of the mental health consumer movement is the belief that the goals of health care reform cannot be achieved without attending to the way individual decisions are made. In response to public demand for health organizations to be more open and accountable, a new vision for health care in the 21st century that is more humane, effective, and accountable can be achieved through the coordinated use of data by all stakeholders. Information technologies have the potential to humanize health care relationships by providing people with access to the most complete knowledge at the time of decision making, allowing them to partner effectively in care. To protect medical privacy, we must recognize that the future is contingent on all of us to explore new terrain and climb for higher ground.

Trust in the process is needed and must be earned. Only by making sure, first, that people’s privacy and confidentiality are protected, and then that people have access to the health information they want and need, both clinical and administrative, can the mental health system effectively engage service recipients in building electronic health information networks.

The MIMH Coordinating Center submitted IRB forms to the University of Missouri—Columbia School of Medicine for review of human subjects protections of the data repository and the cross-site outcomes and program fidelity analysis, and to the University of North Carolina—Chapel Hill IRB for review of cost analysis plans. UM-IRB indicated that since MIMH is contracted to do data analysis only, no IRB was required. The UNC-IRB submission was reviewed and approved under an expedited review procedure because the cost study involved no more than minimal risk to human subjects.

Besides issues of confidentiality, there are no other potential risks posed by the activities of the Coordinating Center.

The target population at the study sites is adults with severe mental illness, of both genders, and diverse racial/ethnic composition. There are no pregnant women, institutionalized individuals, or other special population groups involved. Recruitment of people receiving services at a traditional mental health center will be conducted by the study sites by trained evaluation staff at the traditional mental health service provider. Since each study site is submitting a separate application to SAMHSA for a Cooperative Agreement to Evaluate Consumer-Operated Services, the MIMH CC cannot address the specifics of the recruitment and selection protocol.

Participation in the study is voluntary, and if a person drops out of the study they will not lose any services. However, MIMH CC will recommend to the SC that issues of coercion be reviewed with study participants when the dialogue sessions are held at each site.

Data will be collected directly from participants through surveys and instruments, and cost data will be obtained through review of claims data. Further, there will be site visits by R.O.W. personnel to monitor program fidelity.

In the computer age, it is not sufficient to keep surveys and data in locked file cabinets. Nor is access to data limited to a single computer, or a local site. Data are stored electronically and available through the Internet for receipt and transmission. Therefore, risk to the confidentiality of a research subject could be significant. The following protections will be implemented at the MIMH CC Data Repository. The Data Repository Team, under the direction of Matthew Hile, Ph.D., MIS Director, will take all the appropriate and necessary security measures to protect the data. Foremost, the data on the central repository will not have consumer identifying information. Data will be stripped of personal identifiers at the study sites and issued a unique identifier. Further, on the PC network based application system, there are multiple levels of security concerns. Perimeter security controls physical access to the network components such as servers, workstations, and routers, and controls entry and exit between public and private networks. The security policy will maximize user convenience and productivity while at the same time limiting security violations. MIMH has installed a Cisco PIX firewall between its private LAN and the public Internet, and maintains tight physical access control. To protect sensitive data privacy and identity during information transfer between the CC and study sites, data encryption and decryption technology will be deployed. At the host security level, access management issues such as who is entering the network, repository, and e-mail (authentication), the determination of what they can do (authorization), and the tracking of what they do (accounting) are very important. MIMH has installed a procedure forcing users to change their password every 90 days to sign on to the network. MIMH plans to install another layer of authentication, authorization, and accounting security measures even after one gets on to the network. The MIMH e-mails are already protected through this extra authentication layer. With physical access control, a firewall, a network sign-on procedure, and a repository sign-on and access authorization procedure, the repository will be very secure. Access to the data by R.O.W. for analysis will be limited to project faculty. Access codes will be issued for authorized personnel.
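One way a study site could carry out the stripping of personal identifiers and issuing of a unique identifier described above, as an added example (not code from MIMH or the study sites). The field names, sample records, `SiteDeidentifier` class and `export_for_repository` function are assumptions made for illustration.

```python
import secrets

# Fields the central repository may receive (constructed for this example).
ALLOWED_FIELDS = {"site", "wave", "instrument", "score"}
# Direct identifiers that must never leave the study site (constructed).
IDENTIFIER_FIELDS = {"name", "ssn", "dob", "address", "phone"}


class SiteDeidentifier:
    """Runs at a study site; the crosswalk never leaves the site."""

    def __init__(self, site_code):
        self.site_code = site_code
        self._crosswalk = {}  # local participant key -> issued study ID

    def _study_id(self, local_key):
        # Issue a random ID once per participant. It is not derived from
        # the SSN, so it cannot be used to link to outside records.
        if local_key not in self._crosswalk:
            self._crosswalk[local_key] = f"{self.site_code}-{secrets.token_hex(8)}"
        return self._crosswalk[local_key]

    def deidentify(self, record, key_field="ssn"):
        unknown = set(record) - ALLOWED_FIELDS - IDENTIFIER_FIELDS
        if unknown:
            # Fail closed: a column nobody reviewed may be identifying.
            raise ValueError(f"unreviewed fields: {sorted(unknown)}")
        # Allowlist export: only reviewed, non-identifying fields go out.
        out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
        out["study_id"] = self._study_id(record[key_field])
        return out


# Constructed sample survey rows; names and SSNs are fictitious.
SAMPLE = [
    {"name": "Pat Doe", "ssn": "000-00-0001", "site": "S1",
     "wave": 1, "instrument": "QOL", "score": 14},
    {"name": "Pat Doe", "ssn": "000-00-0001", "site": "S1",
     "wave": 2, "instrument": "QOL", "score": 17},
    {"name": "Lee Roe", "ssn": "000-00-0002", "site": "S1",
     "wave": 1, "instrument": "QOL", "score": 11},
]


def export_for_repository(records, site_code="S1"):
    """Return the rows as they would be sent to the central repository."""
    deid = SiteDeidentifier(site_code)
    return [deid.deidentify(r) for r in records]


if __name__ == "__main__":
    for row in export_for_repository(SAMPLE):
        print(row)
```

The same participant keeps one study ID across survey waves, so the repository can do longitudinal analysis without ever holding a name or Social Security number.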

Consent forms for all data will be developed and collected at the study sites. The CC will recommend to the SC a standard consent form that will address those issues of consent discussed in the GFA. Consent will also be obtained for cost information such as claims data that may be in an agency’s management information system and not directly provided by the participant.


Missouri Institute of Mental Health • 5400 Arsenal Street • St. Louis, Missouri 63139 • Phone: 314-644-8787 • Fax: 314-644-8834