Health Exchanges' Sharing of Patient Data Heightens Privacy Concerns
Victor Hand, a semi-retired railway manager in Maine, grew so alarmed when he learned that his state was building a database to store all residents' medical files that he rushed to the hospital to try to opt out.
"I sure don't want my information in that thing," Hand said. "I just don't think they can keep it private. If I knew for sure that nobody could get it but my doctors, then maybe I'd participate, but there's no way to guarantee that.''
Maine was one of the first states to set up a health information exchange -- a computer network connecting disparate medical practices, from rural, one-physician outposts to urban mega-hospitals -- to help doctors share patient files with the click of a mouse. Fueled by $548 million in federal grants as part of the Obama administration's health-care overhaul, the exchanges represent a radical change in how patient records are handled and used in treatment, Bloomberg.com reports.
The networks have also stirred controversy. In some cases, they include data without patients' consent, and privacy advocates fret that some exchanges may lose or even sell personal information.
A gap in federal law lets states set their own rules about whether to tell patients their medical data are being shared with an exchange and whether to let people opt out. The result: Many exchanges in the U.S. give patients no choice about such matters, according to the EHealth Initiative, a nonprofit organization that researches health-care technology. Many people don't know their medical files have been shared with an exchange, and they may not have a choice about having them removed.
"The whole system could get torn apart by the privacy issues," said Mark Rothstein, director of the Institute for Bioethics, Health Policy and Law at the University of Louisville's medical school. He said that if people were properly notified, most would approve of the exchanges.
There are now at least 255 exchanges throughout the country at various stages of development. New York and Texas each have 17, Florida has 12, and California and Michigan have 10 apiece, according to Washington-based EHealth Initiative. The databases have won support from care providers such as the Cleveland Clinic, Johns Hopkins Hospital and Mayo Clinic.
The exchanges may also be a boon for big insurance companies that provide the underlying technology, a market expected to grow to almost $800 million this year, according to Chilmark Research, which covers health-care technology. Suppliers include UnitedHealth Group's OptumInsight and Aetna Inc.'s Medicity.
Rushed to Hospital
While concerns over privacy have scuttled formal plans for a national exchange, the federal government is pushing for standards that will let exchanges in different states communicate with each other.
The idea is to mimic cell phone networks, letting patients roam between providers and have electronic medical records follow, according to the Office of the National Coordinator for Health Information Technology, which oversees the efforts.
The exchanges have clear benefits, such as letting emergency room doctors look up an unconscious patient's medication history, lab results or record of previous problems. That can help physicians make quicker and more accurate diagnoses.
When Ann Sullivan, a 65-year-old, chronically ill retiree from Kennebunkport, Maine, was rushed to the hospital in December with sudden shortness of breath, she fretted that she was having a heart attack.
Sullivan was taken to Southern Maine Medical Center, which is a part of the state's health information exchange, so her doctor knew quickly what to look for: blood clotting in the lungs from a previous treatment. He diagnosed it as a chest cold and sent her home.
"Asking for Trouble"
"It gives me peace of mind -- tremendous peace of mind -- that something's there all in one place and that I'm being looked at holistically,'' said Sullivan, who said this was the fastest she had ever been discharged.
Yet many patients may not even know their data are being used. In the U.S., 48 exchanges give patients no choice at all about such matters, according to the EHealth Initiative.
"If you don't ask people and you just do it, you're asking for trouble," Rothstein said. "It's foolish. It's a shortcut that doesn't pay off in the long run."
Joy Pritts, chief privacy officer for the Office of the National Coordinator, said government officials are taking steps to ensure that patients have a say over inclusion and updating laws to impose privacy and security requirements on exchanges.
"We ensure that patients have some sort of meaningful choice and they're involved in the process," she said.
Maine offers a case study in what can go right -- and wrong -- with exchanges. By some measures, the state's exchange is a success. It holds the medical files on more than 1 million residents, or three-quarters of the population. Still, the state's American Civil Liberties Union discovered that many patients weren't told their files were in the database, provoking a privacy outcry and prompting the passage of a new state law mandating that patients get an opt-out form at treatment.
Medical data are "at the heart of my humanness," said Kathleen McGee, a 58-year-old artist and environmental consultant from Bowdoinham, Maine, who campaigned for the law. "I don't think anyone else should have that information."
Devore Culver, chief executive of HealthInfoNet, the nonprofit that runs Maine's exchange, said many medical professionals had been ignoring a requirement the exchange imposed at its launch in 2008 that they alert patients. He said he welcomes the new law.
"It's a constant education challenge to keep people on the front lines informed about notification," said Culver. He said 10,000 patients have opted out, only a slight increase since the opt-out statute was enacted.
A big concern over sharing health records is that the information, which often contains a person's most private data, is a prime target of thieves. Medical providers suffer more breaches than any other type of organization, with 690 involving a total of 23 million records since 2005, according to the Privacy Rights Clearinghouse, a nonprofit consumer advocacy organization.
Medical identity theft, a form of insurance fraud in which thieves masquerade as others to receive treatments, affects 1.5 million people in the U.S. every year, according to the Ponemon Institute, an independent research organization.
Another concern is that exchanges with shaky finances could be tempted to sell data to marketers, which is permitted if the information is exchanged in an anonymous form.
Dave Miller, chief security officer of Covisint, a division of Compuware Corp. that makes technology for health information exchanges, said that while there is widespread interest in selling the data, it's not being done yet. Target customers would be pharmaceutical companies, academics and government researchers, he said.
"This is the stuff where everyone is on edge and waiting for the other guy to jump first and see if he gets his butt sued," Miller said.
Even patient-friendly policies can yield shortcomings. A recent report by the New York Civil Liberties Union found "significant flaws" in that state's exchanges, which cover nearly 3 million people. New York has an "opt-in" model, which is generally seen as the most favorable to patients. A key concern in New York is that because it's an all-or-nothing model, patients can't control which information is shared.
California Doctors Balk
Some doctors have reservations, too. In California, health-care providers have refused to join exchanges because of membership and technology costs, according to Dorothy Glancy, a law professor at Santa Clara University who has studied the state's exchanges.
In Santa Barbara County, one of the nation's most ambitious exchanges collapsed in 2006 after repeated technical delays and a failure to sell health-care providers on the business case for making the investment.
Little could persuade Hand, the semi-retired railway worker, that it's wise to join a health information exchange.
"Insurance companies will get it -- that one really scares me -- marketers will get it, drug companies will get it, crooks will get it," said Hand, who plans to opt out of the exchange. He acknowledged that privacy poses risks, too: "If I have a stroke and the delay takes 10 minutes, then I lose the gamble.'"
-- Editors: Marcus Chan, Tom Giles
To contact the reporter on this story: Jordan Robertson in San Francisco at firstname.lastname@example.org
To contact the editor responsible for this story: Tom Giles at email@example.com