Setting the Record Straight on Health IT Privacy

On June 15, 2011, Betsy McCaughey wrote an article in the New York Post regarding privacy concerns around the adoption of electronic health record systems (EHRs) in the health care industry. CDT has a long and distinguished track record of privacy advocacy, and normally we are glad when the media engages these issues. Privacy is a fundamental right, closely associated with and enabling of our autonomy and freedom, and the media plays a key role in ensuring that our rights are protected.

However, CDT was dismayed to see McCaughey’s article, which contains numerous inaccuracies and distortions regarding proposed and existing health IT programs. We do not believe the public benefits when misinformation is injected into the debate, especially when accompanied by a clear political motive. As such, we believe it necessary to counter McCaughey’s article and set the record straight. Only then can an earnest discussion of the real issues take place.

The most outlandish claims in the article are McCaughey’s insistence that there will be a single central database with everyone’s health records, that all physicians will be forced to participate, and that millions of government and industry personnel will somehow have access to said database.

Over the past five years, the Office of the National Coordinator (ONC) (part of the federal Department of Health & Human Services) has seeded a number of initiatives designed to increase adoption and use of EHRs to improve individual and population health. None of these initiatives requires or encourages centralized data collection. For example, ONC’s Beacon Project gives money to health care systems that have developed innovative policies and protocols for sharing health information from their EHRs to improve health care quality and reduce costs. There is also the Direct Project, which will allow health care providers to securely share patient information with one another without the need to create any additional databases. In addition, ONC is providing financial support to states to create their own health information exchange infrastructure, but the states determine how that exchange will occur. Despite McCoughey’s assertions, at no time has any law or regulation mandated the creation of a single centralized patient database that millions of people could access, and no one has seriously suggested doing so.

Furthermore, there is no federal requirement for doctors or hospitals to participate in any of these initiatives. CMS is giving up to $44,000 to every Medicare participating practitioner over the coming years to adopt meaningful use of EHR systems; even more will be given to those participating in Medicaid. While penalties will be assessed for non-compliance after 2014, under current law they will never grow to more than 5% of the practitioners’ Medicare/Medicaid reimbursements. This is hardly a draconian measure, and it only applies to those who participate in Medicare or Medicaid.

McCaughey also has a puzzling take on clinical decision support (CDS) tools, which are loosely required by the current regulations. She explicitly states that CDS tools will subject doctors to the will of computers. This characterization is incredulous at best. These tools have broad support from the medical community, including strong support by the American Medical Association and the Healthcare Information and Management Systems Society. These systems help enable better physician decision making by promoting evidence based medicine. Examples include automated contraindication systems to detect negative drug interactions, and programs that list the range of real outcomes from a particular treatment. These tools do not replace or replicate the physician’s expertise or decision-making ability; rather, they improve the information the physician starts with when exercising his or her judgment.

This response is not meant to conceal the potential privacy risks associated with the increased adoption of EHRs. These risks are real, and CDT is working hard with policy makers, IT specialists, and various other industry stakeholders to make sure privacy is taken into account. However, hyperbolic claims such as millions of people gaining systematic access to our most sensitive health information are not only inaccurate, they are dangerous. Such rhetoric can and does drown out the real concerns about health privacy, making it easier to ignore privacy concerns altogether. Whether funded by the government or not, the health care industry will continue to adopt EHR systems, increasing risks to patient privacy. Therefore it is critical that the debate over privacy is not muddied by politics, so that real technical and policy solutions can be reached. Unfortunately, McCaughey’s article is the type of reporting that hurts the privacy cause more than it helps.