Non-use of Patient Clinical Data a Greater Risk than Misuse

November 1, 2008

There are incalculable advantages to be gained from the use of clinical data in studying chronic diseases across communities and larger populations.

The recent launches of online health management tools Google Health and Microsoft HealthVault have re-ignited the mainstream debate about the privacy and security of personal health information. Despite its potential to dramatically improve the quality, safety and affordability of healthcare, many contend that the electronic sharing of clinical data among health care's various stakeholders puts patient information at great risk of falling prey to cyber-criminals, illicit data mining operations or any number of other potentially dubious pursuits.

As examples of the type of privacy infringements we risk by automating health information, health information technology (IT) skeptics are quick to point to highly publicized incidents involving celebrities, such as those in which staff members at hospitals in New Jersey and California gained unauthorized access to the medical records of George Clooney and Britney Spears. Thankfully, neither celebrity was harmed as a result of the respective improprieties. Moreover, in each case, the people responsible for the infringements were appropriately reprimanded and, in the Clooney case, fired. Interestingly, neither incident was a matter of faulty security: the individuals involved actively chose to violate HIPAA and access the records.

In fairness, health IT isn't 100% foolproof. As with any other record-keeping methodology, there is a degree of security risk associated with it. However, these threats are no greater than those we assume when we shop or conduct our banking online. In fact, the most significant risk to the American healthcare system is not the misuse of information; it is the non-use of it.

Not sharing existing clinical data is far more dangerous to us as individuals and as a society than any potential privacy risks associated with sharing it. Consider an unconscious accident victim presenting with severe injuries in an emergency department. With no knowledge of the individual's medications, existing conditions, treatment history or other vital data, clinicians are forced to make fast, often life-altering decisions based solely on incomplete evidence gleaned from immediate observations.

The availability of more thorough clinical information - such as that found in an electronic health record - enables physicians to more accurately and efficiently diagnose and treat patients, and potentially save lives. On a larger scale, as Dr. Levine alludes, there are incalculable advantages to be gained from the use of clinical data in studying chronic diseases across communities and larger populations.

Health care IT offers far too many potential benefits to allow concerns over the misuse of information to paralyze its progress. Instead, we must begin focusing our collective energies on creating universally accepted definitions of exactly what the misuses of health information are. This will then enable us to thoughtfully formulate and expedite passage of legislation to help prevent such misuses and impose stringent penalties and punishments on those who commit them.

Efforts to ensure privacy while promoting the adoption of health IT must also incorporate two additional crucial components: critical mass and consumer choice. Any privacy solution we ultimately decide to pursue must be applicable to a majority of patients in order for physicians to more easily implement it, and to justify the expense, workflow adjustments and other infrastructural changes it will require. In this regard, the current opt-out model, which assumes that patients are willing to share their health information unless they specifically indicate otherwise, is favorable.

It allows the information for a vast majority of individuals to flow unimpeded. Additionally, it places little burden on providers and offers the greatest potential benefit to the largest number of people, while preserving the rights of those who choose not to participate.

And patient rights are paramount. It is essential that health IT privacy regulations incorporate measures through which individuals who wish to exclusively control their medical information are enabled to do so. However, these individuals must be willing to accept this right knowing that, at least initially, their control choices will usually be limited to an encompassing "yes or no."

Eventually, technology will enable more granular selectivity wherein patients can pick and choose the data they want to be made available and the respective physicians and other entities to whom they wish to grant access. Additionally, consumers will have to agree to assume responsibility for their opt-in/opt-out decisions. For example, if an individual chooses not to disclose certain information to a physician and then suffers an unfavorable outcome that that information would have helped avoid, the physician cannot be held liable. Patients - not the members of their care team - are solely responsible for the consequences of that decision.

The health information privacy debate is as complex as it is necessary. As the benefits of health IT become more apparent, it is essential that we develop technology that can improve healthcare - and save lives - while also safeguarding the confidentiality of very private information. In effect, we need to identify and maintain the balance of medical benefit and personal privacy. And as we work toward that goal, we must always be mindful that the greatest risk is not the remote possibility of data being misused; it is not using data at all.

David St.Clair is the Founder and CEO of MEDecision, Inc.