The age of computers has heralded the slow replacement of the paper medical chart. Although it may be irrational to fear more for the privacy of a cyberchart than that of its paper cousin, in recent years concerns about protecting electronic medical records have mounted. Perhaps the unease is this: the paper records were tangible, locked away in an office or a basement, while with a few mouse clicks, computerized records could be bouncing all over the Internet into the hands of anyone, from an employer to a teacher to a friend. At least, that may be a common fear. When even Microsoft's "impenetrable" databases are vulnerable to hackers, abstract concerns about an inviolate chart seem closer to a disturbing reality.
Patients, not surprisingly, are worried about how their medical information will be used—so worried that they may withhold details from providers or forgo medical care altogether.[1]
Legislators, too, are concerned. At the state level, legislatures have begun to map the largely uncharted terrain at this intersection of medical records and technology.[2] Yet, in the "laboratory of the states," these laws are inherently varied and may offer spotty coverage.[3]
Federal legislators have also been struggling to provide uniform protections for computerized medical records. As electronic medical records gained prominence, policymakers began to notice legal oddities in the current protections for computerized records. Notably, the law protected videotape rental records, but it left electronic medical records vulnerable. In 1996, partly in response to that "Blockbuster phenomenon," Congress included a provision to create strong federal privacy protections, with a 3-year deadline for congressional action, in the Health Insurance Portability and Accountability Act.[4] When ensuing legislative proposals became mired in genuine disagreements over language and substance, as well as partisan politics, Congress missed that target date. The task of creating comprehensive legislation to guard the nation's medical records fell to the US Department of Health and Human Services (HHS).
At the twilight of the Clinton administration, HHS offered its Final Rule on Standards for Privacy of Individually Identifiable Health Information and effectively created the first extensive federal regulations for medical records.[5] The rule, which would preempt only weaker state laws, offered sweeping protections for electronic and paper records, as well as spoken communication. Some key provisions: patients may inspect their medical chart and request corrections; health plans and physicians must obtain written consent in many instances before disclosing identifiable information; civil and criminal penalties may follow compliance failures and wrongful disclosures.
While the rule has been widely praised, it has also been roundly criticized as onerous, costly, overreaching, and incomplete. Patients do not own their records, and they have no new right to sue those who illegally obtain and use their medical information. Plaintiffs are still limited to theories based on, for example, a constitutional right to privacy or a common-law duty of confidentiality. Also, there is an exception for using identifiable chart excerpts in direct-to-patient marketing. Rather than require written informed consent for that disclosure, the rule employs a different mechanism—companies may contact a patient at least once about a product, at which time the patient may exercise a right to "opt out" of future mailings. While direct marketing may be an effective way to alert patients to new and useful products, this loophole could stamp the federal government's imprimatur on a practice that, without stringent safeguards, may be ethically problematic.[6]
Today, national protections for electronic medical records float in a kind of nether world, somewhere between the proposed rule, a Bush administration review, and its enactment. Meanwhile, researchers have recognized the need for standards and have created secure record-keeping systems based on the National Research Council guidelines.[7] Still, ethical questions remain. How should physicians balance the need for record keeping and data collection against patients' pleas to leave medical histories, physical findings, or test results out of the electronic chart? Who should be responsible for confidentiality breaches, from the loudly whispered elevator gossip to the discriminatory uses of ill-gotten information? Where can patients turn for recourse?
Federal protections for cybercharts may eventually become as comprehensive and as balanced as those on the front lines would like, but the evolution of law is often a slow, even maddening process. The medical community may need to address issues of privacy on its own, without waiting for a perfected federal mandate to safeguard a seemingly simple ideal: that patients will be able to share their most intimate secrets with physicians, confident that they will remain safe within a very private world.
Cantor JD. Privacy Protections for Cybercharts: An Update on the Law. JAMA. 2001;285(13):1767. doi:10.1001/jama.285.13.1767-JMS0404-5-1