Skip to Content

Health Information Exchange Brief Examines Privacy and Security Concerns

SAN FRANCISCO – A new policy brief by Consumers Union and the Center for Democracy & Technology offers solutions to strengthen the privacy and security of electronic health information systems and support the increased use and appropriate sharing of patients’ health data.  It also identifies gaps in current law and offers recommendations to address those gaps to help assure a trusted, secure electronic health records system. 

“While patients and consumers overwhelmingly support the move to electronic health information exchange, they have concerns about the privacy and security of their personal health information,” said Mark Savage, senior attorney for Consumers Union, the policy and advocacy arm of Consumer Reports.  “Building enhanced privacy and security into electronic health systems will bolster public trust and foster increased use and appropriate sharing of patient data.”
A recent nationwide survey found that 83 percent of doctors still share their patients’ information with other medical professionals by paper or fax – not electronically.  The federal government recently launched an ambitious program to build a nationwide electronic health information exchange system. Numerous studies have demonstrated that electronic health information exchange can improve the quality, safety, and efficiency of health care, as well as decisionmaking and care coordination among patients, doctors, and other caregivers. 
According to the policy brief, the shift from paper to electronic health records presents new challenges and new solutions to protecting the privacy and security of patients’ health information.  A breach that formerly affected a single paper record now can expose an entire database of patient records.  At the same time, health information exchange presents powerful new ways to improve the privacy and security of patients’ data, including encryption, authentication and authorization controls, and electronic audit trails. 
In 2010, a cross section of California consumer, patient, and civil rights organizations came together to develop a set of principles to maximize the benefits of health information exchange while assuring the privacy and security of electronic records.  The overarching message of the principles is that there is no inherent tension between protecting privacy and sharing personal health information for appropriate treatment purposes. 
“It’s not a choice between privacy and better health care,” said Kate Black, staff counsel of the Health Privacy Project of the Center for Democracy & Technology.  “Health information exchange initiatives should aim to achieve both.”
While current law sets rules for how health care entities may collect, use, and share health information, the policy brief identifies gaps in the law that should be addressed.  Among other things, the brief notes that accountability for compliance with federal and state health privacy and security protections should be strengthened; laws that protect electronic health data should be reassessed to ensure they address new security challenges and incorporate technological innovations such as encryption; and penalties should be established for unauthorized re-identification of de-identified health data. 
The policy brief by Consumers Union and the Center for Democracy and Technology was supported by a grant from the California HealthCare Foundation, based in Oakland, California.