A policy brief by the New York City-based Consumers Union and the Washington, D.C.-based Center for Democracy & Technology is calling for solutions that strengthen privacy and security in EHR systems, as well as in the increased use and appropriate sharing of patients' health data. The brief cites a recent nationwide survey by the Markle Foundation that found 83 percent of doctors still share their patients' information with other medical professionals by paper or fax – not electronically.
The report, jointly put out by the non-profit public policy organizations, looks at gaps in the current law and offers recommendations to ensure EHR systems are secure. "While patients and consumers overwhelmingly support the move to electronic health information exchange, they have concerns about the privacy and security of their personal health information," Mark Savage, senior attorney for Consumers Union, the policy and advocacy arm of Consumer Reports, said in a statement.
According to the brief, the shift from paper to electronic health records presents new challenges and new solutions for protecting the privacy and security of patients' health information. The authors of the report say a breach that formerly affected a single paper record can now expose an entire database of patient records. While the brief's authors are supportive of patient data exchange, they say safeguards such as encryption, authentication and authorization controls, and electronic audit trails should be leveraged.
"It's not a choice between privacy and better healthcare," Kate Black, staff counsel of the Health Privacy project of the Center for Democracy & Technology, said in a statement. "Health information exchange initiatives should aim to achieve both."
The brief notes that accountability for compliance with federal and state health privacy and security protections should be strengthened; laws that protect electronic health data should be reassessed to ensure they address new security challenges and incorporate technological innovations such as encryption; and penalties should be established for unauthorized re-identification of de-identified health data.