Privacy Protections for Cybercharts: An Update on the Law | JAMA | JAMA Network
April 4, 2001

JAMA. 2001;285(13):1767. doi:10.1001/jama.285.13.1767-JMS0404-5-1

The age of computers has heralded the slow replacement of the paper medical chart. Although it may be irrational to fear more for the privacy of a cyberchart than that of its paper cousin, in recent years concerns about protecting electronic medical records have mounted. Perhaps the unease is this: the paper records were tangible, locked away in an office or a basement, while with a few mouse clicks, computerized records could be bouncing all over the Internet into the hands of anyone, from an employer to a teacher to a friend. At least, that may be a common fear. When even Microsoft's "impenetrable" databases are vulnerable to hackers, abstract concerns about an inviolate chart seem closer to a disturbing reality.

Patients, not surprisingly, are worried about how their medical information will be used—so worried that they may withhold details from providers or forgo medical care altogether.1

Legislators, too, are concerned. At the state level, legislatures have begun to map the largely uncharted terrain at this intersection of medical records and technology.2 Yet, in the "laboratory of the states," these laws are inherently varied and may offer spotty coverage.3

Federal legislators have also been struggling to provide uniform protections for computerized medical records. As electronic medical records gained prominence, policymakers began to notice legal oddities in the current protections for computerized records. Notably, the law protected videotape rental records, but it left electronic medical records vulnerable. In 1996, partly in response to that "Blockbuster phenomenon," Congress included a provision to create strong federal privacy protections, with a 3-year deadline for congressional action, in the Health Insurance Portability and Accountability Act.4 When ensuing legislative proposals became mired in genuine disagreements over language and substance, as well as partisan politics, Congress missed that target date. The task of creating comprehensive legislation to guard the nation's medical records fell to the US Department of Health and Human Services (HHS).

At the twilight of the Clinton administration, HHS offered its Final Rule on Standards for Privacy of Individually Identifiable Health Information and effectively created the first extensive federal regulations for medical records.5 The rule, which would preempt only weaker state laws, offered sweeping protections for electronic and paper records, as well as spoken communication. Some key provisions: patients may inspect their medical chart and request corrections; health plans and physicians must obtain written consent in many instances before disclosing identifiable information; civil and criminal penalties may follow compliance failures and wrongful disclosures.

While the rule has been widely praised, it has also been roundly criticized as onerous, costly, overreaching, and incomplete. Patients do not own their records, and they have no new right to sue those who illegally obtain and use their medical information. Plaintiffs are still limited to theories based on, for example, a constitutional right to privacy or a common-law duty of confidentiality. Also, there is an exception for using identifiable chart excerpts in direct-to-patient marketing. Rather than require written informed consent for that disclosure, the rule employs a different mechanism—companies may contact a patient at least once about a product, at which time the patient may exercise a right to "opt out" of future mailings. While direct marketing may be an effective way to alert patients to new and useful products, this loophole could stamp the federal government's imprimatur on a practice that, without stringent safeguards, may be ethically problematic.6

Today, national protections for electronic medical records float in a kind of nether world, somewhere between the published final rule, a Bush administration review of it, and the date it actually takes effect. Meanwhile, researchers have recognized the need for standards and have created secure record-keeping systems based on the National Research Council guidelines.7 Still, ethical questions remain. How should physicians balance the need for record keeping and data collection against patients' pleas to leave medical histories, physical findings, or test results out of the electronic chart? Who should be responsible for confidentiality breaches, from the loudly whispered elevator gossip to the discriminatory uses of ill-gotten information? Where can patients turn for recourse?

Federal protections for cybercharts may eventually become as comprehensive and as balanced as those on the front lines would like, but the evolution of law is often a slow, even maddening process. The medical community may need to address issues of privacy on its own, without waiting for a perfected federal mandate to safeguard a seemingly simple ideal: that patients will be able to share their most intimate secrets with physicians, confident that they will remain safe within a very private world.

References

1. Health Privacy Project. Polling data. Georgetown University Law Center; California HealthCare Foundation survey conducted by Princeton Survey Research Associates, January 1999. Accessed January 23, 2001.
2. Cal Civ Code § 56 et seq (2000).
3. Hodge JG, Gostin LO, Jacobson PD. Legal issues concerning electronic health information: privacy, quality, and liability. JAMA. 1999;282:1466-1471.
4. 42 USC § 1320d-2 (West 2000).
5. Standards for Privacy of Individually Identifiable Health Information; Final Rule. Federal Register. December 28, 2000;65 FR 82462.
6. Lo B, Alpers A. Uses and abuses of prescription drug information in pharmacy benefits management programs. JAMA. 2000;283:801-806.
7. Halamka JD, Szolovits P, Rind D, Safran CS. A WWW implementation of national recommendations for protecting electronic health information. J Am Med Inf Assoc. 1997;4:458-464.