When Health Care and Privacy Meet Online: Health Care Records Are Going Online. Can Privacy Be Maintained?

Health information and communications technologies (HIT) will play a vital role in the creation of a 21st century health care system that is safe, effective, patient-centric and fair.

For doctors, HIT brings the promise of advanced knowledge at the point of care. For patients, HIT transforms their passive role into one of collaboration and partnership with their health care team.

While the integration of technology into health care has been slower than hoped for, the transition is well under way in health care systems around the country. For example:

Electronic Health Records (EHRs) are replacing paper records. While many still experience the frustration of a paper-driven system that is only slightly more sophisticated than black-and-white reruns of Marcus Welby, M.D., EHRs give leading health care providers a complete and accurate medical history as well as links to practice guidelines and best practices. Doctors can access a wide range of tools that support prevention, care management and compliance with protocols.

Electronic Prescribing (ePrescribing) significantly cuts down the errors that can arise in the chain from doctor to pharmacy to patient. It’s not just about sending a prescription electronically to ensure legibility. A good ePrescribing system automatically flags potentially harmful drug interactions and checks a health plan’s reimbursement schedule to reduce costs for patients.


Personal Health Records (PHRs) are patient-owned and controlled electronic health records that allow people to store, access and coordinate their complete health history and make appropriate parts available to those who need it. The key here is that individuals are in control of their own information. This helps patients become engaged in their own health care.

For anyone with a chronic condition that requires regular monitoring, a PHR is a valuable tool. PHRs are sometimes offered by health care systems, insurers and employers. Increasingly, they are also available on the Internet. Microsoft recently launched a PHR service and Google is beta testing its service.

So what do we need to do to make this vision of a 21st century health care system a reality? First and foremost, we have to address privacy, building it into law, standards, technology, institutional policies and contracts.

Patients, doctors, hospitals and others will hesitate to embrace the potential of HIT until all can be assured that the sensitive information transferred to digital form will be stored and shared safely, going to the people who need to see it and no one else. A robust, flexible and enforceable national privacy framework can be built on longstanding fair information practices.

However, despite all the potential benefit that HIT promises, little progress has been made toward resolving the privacy issues associated with electronic exchange of personally identifiable health information.

Consumers understand the importance of making strong privacy part of a move toward HIT. According to a 2005 study, two-thirds of Americans understand the potential of information technology to improve health care.

But an equal number have concerns about the privacy of their personal medical records, and a growing number of Americans — now more than half — are concerned that insurance claim information might be used by their employers to discriminate against them on the job.


One need look no further than the recent revelation that a laptop containing the personal information of thousands of participants in a National Institutes of Health clinical trial was stolen from the trunk of a car to understand that the concerns about privacy are well founded.

Current health privacy protections provided under the Health Insurance Portability and Accountability Act are important, but there are weaknesses and gaps that leave many critical privacy issues unresolved and many new players in the health information data chain outside of the legal regime.

This is a critical time for health information privacy. Consumers want the benefits of HIT-enabled health care and at the same time they want assurances that their privacy will be protected.

That’s why my organization has joined forces with the Health Privacy Project to create a new initiative that will take on the key policy questions: What is the proper role of notice and consent in this new environment? How do we ensure the right of patients to access their own records in electronic format? What policies and laws should govern new Internet-based PHRs? What secondary uses of patient data should be allowed, and under what conditions? What enforcement mechanisms need to be provided at the federal level?

To get privacy right, we will need to ensure that policies work with, rather than against, the complex realities of an interconnected health care system. Those who view privacy as a barrier to a 21st century health care system are simply wrong. Privacy must be seen as an essential enabler of that vision. We can achieve harmony between privacy and health care, but to do so we have to reimagine both.