Electronic Medical Records:
Confidentiality, Care, and Epidemiology
Michael Lesk | Rutgers University
A uniied patient medical record ofers hope for better care and reduced costs without deteriorating the conidentiality of patient information. However, two kinds of conidentiality concerns—patients’ desire to preserve privacy and vendors’ desire to limit knowledge of their systems—impede the full exploitation of medical records for better patient care.
E
lectronic medical record (EMR) systems are ex-pected to improve patient care, save staf time, and support epidemiological research. For these and other rea-sons, the Afordable Care Act requires that all US patients have an EMR by 2014. Approximately US$35 billion will be spent to support doctors’ and medical facilities’ instal-lation of records systems, with a criterion of achieving “meaningful use” in actual practice. Unfortunately, EMRs in the US sufer from not only implementation problems but also policy decisions about their privacy that might impede both patient care and medical progress.What Does the Rest of the World Do?
Europe has seen impressive results with EMR systems— Denmark has had full coverage for more than 10 years, and other countries such as the Netherlands and Sweden also have essentially full coverage. Denmark has the low-est drug error rate in Europe, and its doctors report that EMR systems save them approximately one hour per day.1 Meanwhile, the US is still struggling to reduce errors. he famous 2000 National Research Council report “To Err Is Human” estimated that approximately 100,000 deaths resulted from medical errors each year; a decade later, esti-mates suggest that the rate is approximately the same.2
he most common serious errors relate to phar-maceuticals. In addition to unintentional drug errors, there are also cases of prescribed but medically inap-propriate drug administration. Denmark has the low-est rate of inappropriate medication in eight European countries (Denmark, the Netherlands, the UK, Ice-land, Norway, FinIce-land, Italy, and the Czech Republic— a 5.8 percent rate, compared to 19.8 percent in these countries on average).3 Fear of medical error is much less common in Denmark than in countries with less complete records, suggesting that Denmark’s popula-tion has recognized the gains from their system, or that publicity about the dangers of EMRs hasn’t obscured observation of their beneits.
HEALTHCARE IT
Patient compliance with physician instructions—a key ingredient in improving health—doesn’t seem to improve as a result of automation. he excitement about personal health records and geting people to monitor their own health has died down a bit, with the demise of Google Health being an example. Devices such as the FitBit, which tracks calorie consumption, and Wi-Fi-enabled bathroom scales atract young “geeks” who are still in their 20s and don’t represent a major share of health problems or costs. he elderly are less enthusias-tic about maintaining their own health records.
Electronic health records (EHRs) are also vital for epidemiological research. From 2000 to 2007, studies on electronic records increased by a factor of 6.5 he UK announced that it will make a medical records data-base available for UK researchers.6 Patients choose to opt in, but a high rate of participation is expected, with some 52 million records available for study. France will similarly be making health data available for epidemio-logical research.
Software Problems Alict
the US EMR System
he US EMR systems’ code base is quite old, and their interfaces old-fashioned. Years ater mobile devices have become ubiquitous, many medical systems still pres-ent doctors with a desktop system, showing a screen of ields to populate. Presentation issues detract from care; for example, screens listing patient drug schedules in the order that prescriptions are writen make detect-ing multiple prescriptions for the same drug diicult. Recently, a doctor sent me a screenshot from an EHR system showing a list of four prescriptions for the same drug interspersed with 13 warning messages (many duplicative) and asking how he could quickly and con-idently igure out the total prescribed dosage with such a confusing interface.
Interoperability is another problem. Many patients are treated by multiple healthcare providers, and for-mating problems can impede data exchange. Oten, when a patient moves to a new provider, the old records system won’t deliver structured data to the new system, just images of printed forms. One physician related an amusing problem—in her hospital, EKG tracings were presented horizontally, but when patient records arrived from a nearby provider, EKG tracings were dis-played vertically, causing her to spend her time standing with her head turned 90 degrees.
Such interoperability problems impede eforts for coor-dinated care. Modern healthcare atempts to consider all patient problems together, rather than isolating and treat-ing issues separately. When diferent specialists can’t easily see the same record, care might sufer. Using a single record per patient—as many European systems do—can reduce
conlicts and improve care. Many participants recognize interoperability as a major issue; for instance, Minnesota law requires interoperable health records by 2015.
One disadvantage of the single record is that it’s bulkier. he modern medical record averages more than 200 pages, and doctors are supposed to spend less than 10 minutes with each patient. As a result, information overload is a serious problem, and bad displays and lack of summarization make things worse. When health pro-viders spend all their time looking at screens instead of patients, aspects of patient behavior might be missed, and patients might feel ignored and less involved.
Some EMR standards exist, both at high (CCDs [continuity of care documents] and CCRs [continuity of care records]) and lower levels (radiological image exchange). However, too oten it appears that the ven-dors’ goal is to lock in customers rather than to facilitate data transfer to new systems.
A combination of interface and interoperability problems, along with training issues, planning prob-lems, and installation diiculties, has meant that 30 to 40 percent of US atempts to install an EHR system fail.7 here’s now an entire literature on EMR system problems in practice, with discussions on procedures to improve interfaces, worklow, and user engagement. A recent Middleton review reports on eforts to increase computer systems’ usability for the patients’ beneit.8
Typically, outsiders can’t inspect EMR system code. Although the Veterans Administration uses an open source system, and West Virginia Senator Jay Rockefeller proposed a bill in 2009 to fund open source records sys-tems, the industry in general hasn’t been enthusiastic about using open source. his makes debugging health-care sotware a proprietary and unobservable task.
To obtain the improvements observed in Europe, the US requires beter sotware. Unfortunately, during the three-year period between the enactment of the requirement for health records in 2009 and the 2012 election—which might have resulted in the repeal of the Afordable Care Act—less was done to develop and improve EMR systems than might have happened with-out uncertainty. Over the next few years, rapid progress is necessary to achieve real patient beneit.
Problems Imposed
by Vendor Conidentiality
EMR/EHR sotware still lacks oversight.
Conidentiality clauses prohibiting disclosure of medical sotware problems contrast with the mandatory reporting of drug problems and the medical device– reporting systems. he FDA operates the Adverse Event Reporting System to which pharmaceutical companies must report adverse drug efects. Individual clinicians and even consumers can also make reports (but aren’t compelled to do so). Similarly, FDA’s Manufacturer and User Facility Device Experience system collects reports of adverse events involving medical devices. Again, device manufacturers must report adverse events, and hospitals must report deaths related to medical devices to the FDA but can report injuries only to the manu-facturer. No similar system exists for sotware problems.
he largest single class of medical errors is drug errors, and e-prescribing systems are believed to reduce error. A recent comparison of e-prescribing systems’ error rates found wide variations, from 5 to 37 percent.10 However, the authors couldn’t get permission to publish the sys-tems’ names, so physicians don’t know which are best.
If patient safety is a critical health IT issue, corpo-rate policies that interfere with research to help patients by restricting hazards disclosure—in the name of intel-lectual property and liability limitations—are diicult to defend. For improved patient safety, we need data about actual problems, particularly given the increasing dominance and complexity of computer sotware. In fact, the conidentiality imposed on bug reports hurts the sotware further: vendors are encouraged to ix bugs only at the hospital that reported the problem, leading to a proliferation of versions with diferent bugs persist-ing in diferent places. Enforcpersist-ing ignorance of sotware problems hurts patients and is poor public policy.
As an example of a similar conidentiality issue in a diferent domain, consider NASA’s Aviation Safety Reporting System, which accepts reports from air trans-port workers, including pilots, light crews, and ground staf in both industry and government, of any incident that presents a safety risk. As an incentive to report inci-dents, people who report a problem that didn’t involve an actual accident or a violation of law aren’t penalized for their actions if they promptly report the situation. In addition, the data is kept conidential, and the entire sys-tem is run by NASA, not the Federal Aviation Adminis-tration, which would be the enforcement agency. NASA has no enforcement power over air travel. As a result of this bargain—beter data in exchange for immunity— more than 1 million incidents are in the database. hese are available in anonymized form for research.
published only by state, making it diicult to ind “can-cer clusters” or other data. Daniel Wartenberg and W. Douglas hompson discuss the conlict between privacy and research, noting that in 1988, public health records included county or city location and date, whereas now they have no geographic information and only a partial date.11 he authors note that important research on air pollution done in the past couldn’t be done today. We might ask why death statistics need the same level of pri-vacy as the recording of events about living patients.
Similarly, a study of the Health Insurance Portability and Accountability Act’s (HIPAA) impact on inluenza research observed the distortion resulting from HIPAA restrictions on geographic coding. As a result of pri-vacy concerns, one research group’s question about the relationship of a bacterial infection to stomach cancer in a small community couldn’t be answered.12 Because health professionals couldn’t say whether the commu-nity actually had a higher-than-normal risk of stomach cancer, they couldn’t address the resulting anxiety or resolve the underlying issue.
he onrush of genetic data will make privacy an increas-ingly relevant issue. Groups like Sage Genomics believe that by analyzing patient genomic data, they can revolu-tionize cancer treatment, making chemotherapy more efective with fewer side efects. Today, however, patient privacy is an obstacle to gathering such data. In the UK, the law recognizes “DNA thet” as an ofense, although research on DNA samples is permited with approval. If the US adopted similar rules, those rules would impede progress in genomic research. As with other data that might be personally identiiable—genomic or radiologi-cal, for example—research that requires access to the data can be impeded by privacy constraints.
It’s particularly upseting to epidemiologists that com-mercial companies have beter access to medical records than researchers do, because companies can buy records from insurance companies, pharmacies, and hospitals. A few years ago, Vermont tried to give doctors the right to prohibit the sale of information about the prescriptions they wrote, but the Supreme Court struck down the law. As a result, epidemiology is easier in corporations than in medical schools and hospitals—although billions of public dollars are spent on medical research, public researchers are hampered in their eforts.
Anonymization Has Been Given
a Bad Name
HEALTHCARE IT
medical records of William Weld, then Governor of Massachusets, in an anonymized dataset. More widely publicized examples are the identiication of particu-lar people in nonmedical datasets, in particuparticu-lar, AOL search logs and Netlix movie recommendations. hese instances frightened people into further fuzzing of med-ical data, which impacts formal research. Institutional review board requirements also constrain atempts to do medical research. he recognition that DNA data-bases and radiological images are also personally iden-tiiable has further frustrated eforts to create patient databases for use in research.
More recently, there’s been some pushback. Daniel Barth-Jones argued that the Weld deanonymization case depended on publicity given to his hospitaliza-tion and doesn’t represent a set of generally applicable circumstances.13 Researchers are exploring additional ways to anonymize data. In general, these methods rely on aggregating data to a level at which individuals can’t be identiied. hese methods can be diicult to under-stand and rely on statistical methods, so confusion can lead to disclosure out of ignorance. For instance, data administrators who don’t understand statistical meth-ods might allow searches that tell you that 102 people in a group are more than 40 years old, but 101 are more than 41 years old, so that you know exactly one person is 41 years old; by combining this with other features, you can ind out more about that one person.
It’s sometimes possible to deanonymize data by comparing multiple public sources, but it won’t be apparent that individuals can be identiied until the vari-ous data sources are compared. For example, people can be identiied from cell phone records, even though the locations aren’t reported to full precision. Limiting the number of data requests to databases can impede some-one who wishes to identify an individual by comparing results from multiple queries. For example, consider how the Netlix dataset was de-anonymized. Imagine I take three rarely watched movies and ind that one and only one person in the Netlix dataset saw all of them. hen I ind that one and only one person on IMDb has reviewed all of them. It’s a good guess that this is the same person, and IMDb reviews are signed and oten link to real names and biographies. he restrictions that prevent this kind of game-playing also pose obstacles for researchers, and so restrictions and permissions for qualiied researchers need to be negotiated.
Various researchers are now trying to balance anony-mization with clinical needs. For example, Oscar Ferrández and his colleagues look at various methods to anonymize clinical reports and compare their efectiveness at remov-ing personal information while leavremov-ing enough detail for clinical study.14 Privacy advocates will object that the rec-ommended methods don’t guarantee anonymization;
however, perfect conidentiality is an unachievable goal (and didn’t exist with paper records, either). More com-puter security wouldn’t have helped in the recent case of two Australian comedians who, by impersonating the Queen of England, persuaded London hospital staf mem-bers that they had authority to know about the Duchess of Cambridge’s medical condition.
Amateur Epidemiology
Sites such as www.patientslikeme.com and www.23 andme.com atempt to collect medical records for research, as do professional researchers in organizations like Sage Genomics. hese eforts demonstrate that sharing medical data can produce beter results for indi-vidual patients, so that patients enthusiastically partici-pate. For example, patients know privacy risks exist in using Internet discussion groups about health, but the more serious their illness, the more willing they are to disclose information.
Professional epidemiologists have some hesita-tion about these sites owing to problems such as self- selection and inaccurate reporting. Nevertheless, Internet data has been valuable for medical research. he best-known example is Google Flu Trends, which uses information about popular search terms to track those that are correlated with inluenza outbreaks. his search data detects places where the disease is occurring faster than the Centers for Disease Control receives and publicizes reports from doctors. Today, there is more interest in sites with more direct medical data, such as disease support groups and the volunteer sites I men-tioned earlier. However, A. Cecile Janssens and Peter Krat have several hesitations about exploiting data from online communities.15 hey worry about selec-tion bias, for example. If you imagine that people who like the Internet are more likely to ill out forms about their psychological health, you might get a distorted view about the impact of Internet use on depression. Similarly, confounding can arise when people report only a few variables, some of which might be related to unreported variables. In a normal experiment, we might be able to ask about those other variables, but this can be more diicult with a volunteer survey. Janssens and Krat also stress a need for careful disclosure of what’s being done.
he individual genomics data on the 23andMe web-site can also be used in research, but questions have arisen as to whether risks are adequately disclosed. A problem with discussion of the detailed risks is that suiciently frightened patients might refuse to discuss their problems with their physician. Others have dis-missed (or at least criticized) personal testing as “rec-reational genetics” and tried to steer clear of this data.
can be valuable for epidemiology. In addition to the gen-eral sites already mentioned, researchers have exploited data from several UK diabetes-related online communi-ties. Again, we must take steps to ensure patient protec-tion and to understand the risks involved in data sharing. Paul Wicks and his colleagues wrote a particularly interesting article on data exploitation from Patients-LikeMe in which they selected control patients from a dataset to reduce selection bias.16 heir article suggests that patient-reported data can accelerate the discovery of new treatments as well as help evaluate the efec-tiveness and side efects of current methods. Patient- contributed data is available in large quantities and more rapidly than data from most clinical trials. It’s par-ticularly important for rarer diseases in which research-ers in one geographic location might have diiculty inding enough suferers to achieve statistical validity.
In all these situations, patients voluntarily contrib-uted data. hey might not know what the risks are, or they might have decided they are small. In any case, patients have decided that voluntary disclosure is use-ful to them personally and are willing to accept that other people will use the data for research. People who aren’t currently sick don’t see the same advantages in disclosure, but we can’t do longitudinal studies without information on people who haven’t yet developed the diseases we’re investigating.
Risks
In the US, data from patient records can indeed be used against you. Although your health insurance company can’t use genetic testing results in rate seting, there’s no such prohibition for life insurance or long-term-care insurance companies. And, of course, it’s legal to ire people for being sick. As a strange metric of risk, criminals sell social security numbers for $5 but medi-cal records for $50. People perceive particular dangers in medical data exposure—aside from the now famil-iar and general risks of identity thet, barrages of tele-marketing, and public notoriety, medical records might afect employment, medical treatment, insurance, and many other facets of life such as the ability to buy ire-arms or criminal sentencing decisions.
Strangely enough, some of the same arguments made about patient privacy are made about corporate con-identiality. Medical sotware companies want neither mandatory disclosure of sotware laws nor regulation by the FDA. hey argue the possibility of inancial loss if disclosure of errors leads to liability lawsuits, for exam-ple. Just as individuals worry that they won’t be able to
evaluate new options. hey argue that government reg-ulation, in particular, will slow the creation of new fea-tures and the introduction of new sotware methods; this would be more convincing as an argument if there weren’t still EMR systems using Cobol. Again, there’s a conlict between public beneit and participants’ privacy, in this case, vendors’ privacy. Most of us see an ethical diference between conidentiality of patient data and conidentiality of sotware design, but similar arguments are being made, and I am reminded that Governor Mit Romney argued that “corporations are people.”
People—real people—legitimately fear losing their job as a result of medical records disclosure. Sometimes, these consequences are justiied. In 1996, a train crash in New Jersey killed three people, including the train engineer who ran through a red signal and who had con-cealed from the railroad company his loss of color vision as a result of diabetes.17 And, going back more than a century, a New York woman best known as “Typhoid Mary” infected multiple people with typhoid fever but kept taking jobs as a cook. She was released from quar-antine ater promising to stop working as a cook, but being a laundress paid less, so she changed her name and returned to cooking. Ater another series of typhoid cases, she was conined until her death.
he news media regularly feature stories about thet of records, typically credit card numbers. One result of these stories is an increased level of fear about data disclosure, causing people to demand ever more coni-dentiality about medical records, which as noted, inter-feres with medical research and treatment decisions. We don’t see news stories about our inability to recognize carcinogens because we can’t do adequate data mining. hus, the media bias the discussion in favor of privacy and against medical research.
he Conlict between
Epidemiology and Privacy
Jane Yakowitz wrote a detailed and insightful article about the conlict between research and privacy, rang-ing far beyond medical epidemiology.18 She points to the many valuable studies done with large datasets and the importance of continuing such research. Anony-mization is possible, if not perfect, and she suggests that the public beneit is so important that it outweighs exag-gerated privacy concerns. We can also anticipate further improvements in our knowledge of anonymization techniques and our understanding of the risks.
HEALTHCARE IT
payment. Given that patient data is routinely traded today,19 albeit in an anonymized HIPAA- compliant form, it’s understandable to think that if patient data is sold, the patients should get the money. However, intro-ducing property rights in medical records is likely to cre-ate a mess for the entire healthcare system. Many aspects of people’s lives, such as their credit, where and how rapidly they drive, what books they buy, and what mov-ies they watch, are of commercial value and exploited today. Should all these become an individual’s property right? At a minimum, this will produce a vast expansion of license agreements, so that buying a cell phone will require acknowledgment of a transfer of ownership of travel history. As a society, we’re unwilling to impede data studies done for marketing; is it not more impor-tant to preserve our ability to do medical research?
As an example of the importance of detailed data, Janet Currie and W. Reed Walker have shown that intro-ducing E-ZPass electronic toll collection in New Jersey improved health—reducing premature births and low birth weight infants among mothers who lived within 2 km of a toll plaza.20 Avoiding the need for drivers to stop at the tollbooths lowered congestion and pollu-tion. his study couldn’t have been done without access to the mothers’ exact street addresses, which is exactly the kind of precise data that privacy advocates fear can be used for deanonymization. Should we make it dii-cult to have done this study?
M
ore openness about medicine would beneit all of us. We should believe in anonymized records and make them more widely available for study and push for disclosure and regulation of medical sot-ware programs.References
1. D. Proti and I. Johansen, “Widespread Adoption of Infor-mation Technology in Primary Care Physician Oices in Denmark: A Case Study,” Commonwealth Fund, Mar. 2010.
2. D. Grady, “Study Finds No Progress in Safety at Hospi-tals,” he New York Times, 24 Nov. 2010.
3. D. Fialová et al., “Potentially Inappropriate Medication Use among Elderly Home Care Patients in Europe,” J. Am. Medical Assoc., vol. 293, no. 11, 2005, pp. 1348–1358. 4. C.M. DesRoches et al., “Electronic Health Records’
Limited Successes Suggest More Targeted Uses,” Health Afairs, vol. 29, no. 4, 2010, pp. 639–646.
5. B.B. Dean et al., “Use of Electronic Medical Records for Health Outcomes Research: A Literature Review,” Medical Care Research and Rev., vol. 66, no. 6, 2009, pp. 611–638. 6. I. Sample, “NHS Patient Records to Revolutionise
Medi-cal Research in Britain,” he Guardian, 28 Aug. 2012.
7. S. Alfreds, Health Information Technology Adoption in Massachusets: Costs and Timerame, Univ. Massachu-sets Medical School; www.umassmed.edu/uploaded Files/CWM_CHPR/Publications/Clinical_Supports/ EOHHS_HITadoptionMassachusets.pdf.
8. A.F. Rose et al., “Using Qualitative Studies to Improve the Usability of an EMR,” J. Biomedical Informatics, vol. 38, no. 1, 2005, pp. 51–60.
9. R. Koppel and D. Kreda, “Health Care Information Tech-nology Vendors’ ‘Hold Harmless’ Clause: Implications for Patients and Clinicians,” J. Am. Medical Assoc., vol. 301, no. 12, 2009, pp. 1276–1278.
10. K.C. Nanji et al., “Errors Associated with Outpatient Computerized Prescribing Systems,” J. Am. Medical Infor-matics Assoc., vol. 18, 2011, pp. 767–773.
11. D. Wartenberg and W.D. hompson, “Privacy versus Pub-lic Health: he Impact of Current Conidentiality Rules,” Am. J. Public Health, vol. 100, no. 3, 2010, pp. 407–412. 12. A. Colquhoun et al., “Challenges Created by Data
Dis-semination and Access Restrictions When Atempting to Address Community Concerns: Individual Privacy Ver-sus Public Wellbeing,” Int’l J. Circumpolar Health, vol. 7, 2012, pp. 1–7.
13. D. Barth-Jones, “he ‘Re-Identiication’ of Governor Wil-liam Weld’s Medical Information: A Critical Re-Exam-ination of Health Data Identiication Risks and Privacy Protections, hen and Now,” 4 June 2012; htp://ssrn. com/abstract=2076397.
14. O. Ferrández et al., “Evaluating Current Automatic De-identiication Methods with Veteran’s Health Admin-istration Clinical Documents,” BMC Medical Research Methodology, vol. 12, 2012; htp://link.springer.com/ article/10.1186%2F1471-2288-12-109.
15. A.C.J.W. Janssens and P. Krat, “Research Conducted Using Data Obtained through Online Communities: Eth-ical Implications of MethodologEth-ical Limitations,” PLoS Medicine, vol. 9, no. 10, 2012; e1001328.
16. P. Wicks et al., “Sharing Health Data for Beter Outcomes on PatientsLikeMe,” J. Medical Internet Research, vol. 12, no. 2, 2010, p. e19.
17. M.L. Wald, “Eye Problem Cited in ’96 Train Crash,” he New York Times, 26 Mar. 1997, p. A1.
18. J. Yakowitz, “Tragedy of the Data Commons,” Harvard J. Law and Technology, vol. 25, no.1, 2011, pp. 1–67. 19. M.A. Rodwin, “Patient Data: Property, Privacy & the
Public Interest,” Am. J. Law and Medicine, vol. 36, 2010, pp. 586–618.
20. J. Currie and R. Walker, “Traic Congestion and Infant Health: Evidence from E-ZPass,” Am. Economic J.: Applied Economics, vol. 3, no. 1, 2011, pp. 65–90.
Michael Lesk is a professor of library and information
