Can Governments Force Patient Data into EHRs?
If a government builds an EHR, can it require your data be put into it?
Governments in many jurisdictions have embarked on a concerted effort to build and use electronic health records (EHRs) and to encourage health professionals to use electronic medical records (EMRs). Everyone seems to have assumed that creating an EHR would be so advantageous to patients that requiring placement of patient data in multi-million dollar EHR systems wouldn’t be an issue. But there are privacy and security concerns, and the authority to require the placement of patient data in an EHR does not seem clear, at least in a number of Canadian jurisdictions.
As a brief and somewhat simplistic aside, “electronic health record” is a term often incorrectly used to describe both EHRs and EMRs. There is a distinction between the two and it is an important one. Hospitals and physicians use EMRs. EMRs, along with other databases, are expected to feed into a longitudinal “virtual” patient record which is to be accessible across providers and institutions and which is properly referred to as the EHR. For example, lab results, radiology images and drug data might come from separate systems and, together with data from an EMR, populate the EHR. Over time, in Canada, the EHR would be provincial or inter-provincial in nature.
Why might there be patient/provider concern about patient data in an EHR (as distinct from an EMR)? All jurisdictions have professed privacy as a key component of their EHR initiatives. Proclaiming the importance of privacy, though, is different from day-to-day privacy management, and it remains to be seen if the large-scale accessibility associated with EHRs will cause problems. One need only look at the privacy audit in Vancouver for a recent example of why this should be a concern. With more reports of medical privacy breaches surfacing, one can see why there might be some hesitation to put patient data into EHRs, especially when one combines legitimate security concerns about EHRs with ethical obligations of confidentiality.
The British Medical Association has serious privacy concerns about the UK’s summary care record and issued a warning to that effect. There are even eHealth “opt-out” campaigns in the UK and British Columbia. Australia is in the midst of a debate about healthcare identifiers – considered a key component in the deployment of electronic health records since they form the heart of any patient registry. Privacy is at the core of these debates – specifically the privacy and security of electronic health records and the ability of patients to control their own medical data. In Canada, we haven’t really debated the issue of whether EHRs can adequately ensure the privacy of patients and it appears that the discussion is only just starting in the United States.
The assumption seems to be that EMR data will be fed into the EHR. This might generally be considered beneficial but what if patients and providers don’t want that to happen? In some models, there is the concept of a “lock box” whereby some patient information is to be shielded from access but no one has really demonstrated how this concept is actually going to work in practice in an EHR. Ontario’s Personal Health Information Protection Act, 2004 is an example of a statute that essentially provides for a “lockbox” while British Columbia’s eHealth Act provides for disclosure directives for personal data held in designated databanks. But these statutes arguably assume that the data will go into an EHR, with specific data being withheld at the request of the patient.
Alberta is taking a different approach with the Health Information Amendment Act 2009 (enacted but not yet proclaimed), which leaves the submission of data to an EHR in the hands of the provider but does allow the Minister of Health to direct such a submission, subject to certain preliminary requirements including consideration of the views of Alberta’s Privacy Commissioner.
Alberta’s approach strikes me as a step in the right direction, assuming that providers respect the wishes of their patients. It introduces a new principle of greater provider control over what may get displayed in an EHR and arguably recognizes the potential for widespread accessibility as a problem. It also raises the question of whether other provinces, without such an express requirement, have the authority to require data to be submitted to EHRs. Governance of EHRs in Canada is still very much a live issue but one that doesn’t seem to receive much attention from government (at least publicly) or the media (except, perhaps, for this recent CBC article on PHRs).
At a minimum, Alberta’s new legislation should open the door to debate as to whether governments can require the population of EHRs with patient data without express legislative authority to do so. Who really decides what should go into one’s EHR? The government? Healthcare providers? Patients?
It is worth noting that while BC’s eHealth Act does contain a Disclosure Directive provision, it also provides the discretionary authority for the government to disregard those directives, for PHI contained in designated HIBs.
Michael, as I broaden my understanding of this issue, what strikes me most is that governments are developing these infrastructures with blinders on with regard to the lessons learned internationally. It seems to be an “it won’t happen here” mindset.