by Paul Govern
The recent U.S. Supreme Court decision overturning Roe v. Wade and newly enacted state laws limiting or banning abortion can be expected to bring new scrutiny to the privacy vulnerabilities of electronic health records.
This likelihood is discussed at some length in an article published Sept. 1 in the Journal of the American Medical Informatics Association, written by three health information policy experts at Vanderbilt University Medical Center.
“Our focus is on the liabilities to the parties that are involved in the creation and management of health information,” said Bradley Malin, PhD, “and on the points at which information could be leaked or used in a manner that was outside of the patient’s expectations. That can happen in some very explicit ways, but it can also happen in some ways that are more subtle, that I don’t believe everybody has really taken to heart.”
Malin, Accenture Professor of Biomedical Informatics and a member of the Center for Biomedical Ethics and Society, wrote the article with Ellen Wright Clayton, MD, JD, Craig-Weaver Professor of Pediatrics, professor of Law and co-founder of the Center for Biomedical Ethics and Society, and Peter Embí, MD, MS, chair of Biomedical Informatics.
The article sets out scenarios in which patient privacy, amidst confusion and strife around changing abortion laws, could become newly threatened, and it goes on to consider pros and cons of new privacy solutions that might present themselves.
The article also raises the prospect that health care providers could find themselves increasingly torn between obligations to protect patient confidentiality and to produce patients’ health information when compelled by law.
The article notes that in the wake of the Supreme Court decision the U.S. Department of Health and Human Services Office for Civil Rights has reaffirmed that disclosure of information about a patient’s reproductive health is forbidden and subject to federal penalties, except as required under legal proceedings.
“One of the points we wanted to make is that patient confidentiality is really important,” Clayton said, “and that HIPAA [the federal Health Insurance Portability and Accountability Act] precludes people from looking at someone’s medical records and calling the newspaper or even law enforcement.”
With health care worker access to patient records being a chief health data privacy vulnerability, the article raises the prospect that mistaken ideas about the new laws could lead health workers to commit privacy violations.
“While the vast majority of health care workers respect and honor privacy rules and our health systems have ways of preventing privacy violations, addressing some potential vulnerabilities may lead to changes with real trade-offs,” Embí said. “Whether it’s changing how clinicians document certain pregnancy-related health events, or making it harder for some health care workers to access sensitive parts of a patient’s medical record, each decision will require careful discussion and deliberation.”
Another common health data privacy vulnerability considered in the article is consumers’ use of health information technology applications from which pregnancy information can be captured or inferred — personal health records, for example, or smartphone apps that women use to track their menstrual cycles.
“Personal health apps of the sort that are unconnected with your health care provider or insurance company fall outside the privacy protection afforded by HIPAA,” Malin said. “And of course, few people read privacy policies when they sign up for such apps, and companies can change these terms of service at will.”
Broadening HIPAA to cover such services may be an option. However, commercial development of useful and innovative health information technology could be stifled under the obligations posed by HIPAA compliance, and it appears unlikely that Congress would approve such an expansion of federal oversight. Another option, one favored by the authors, would be to broaden data privacy protections for consumers more generally through a new federal statute — as set out for example in the American Data Privacy and Protection Act, which was recently introduced into Congress.
“In the meantime, what I have been saying to people is just don’t use those apps,” Clayton said.
The article reads in closing, “… it is imperative to recognize that those among us responsible for provisioning and enabling health care delivery and entrusted with the management of health care information are particularly bound by ancient obligations to protect the confidentiality of those who have entrusted us with their care, often at their most vulnerable moments.”