New statewide patient database raises privacy concerns
By Mary Elizabeth Fratini | Special to the Vermont Guardian
Posted March 15, 2007
Editor’s note: This is the first of a two-part look at the privacy of medical records in Vermont. This story takes a look at the current state of electronic medical records management, while the second part will focus on the existing privacy and security of medical records, paper-based and electronic, and pending legislation at the state and federal levels.
In light of the multiple breaches of personal information held by state agencies in recent months, should Vermonters be concerned about the privacy and security of their medical records as the state moves forward with pilot programs in electronic medical records (EMRs) and health care information exchange?
“We have concerns any time medical records are aggregated into electronic databases,” said Allen Gilbert, executive director of the Vermont chapter of the American Civil Liberties Union. “Most people feel medical records are some of the most private information that exists about them. Once it is put into an electronic format, you run into all the problems you have with any electronic record, which is hackers getting in even when you’ve done everything you can to make it as secure as you possibly can.”
In April, the 120-bed Rutland Regional Medical Center and the 25-bed Northeastern Vermont Regional Hospital in St. Johnsbury will begin using an emergency room medication history database based on claims data from insurance companies. In June, the 91-bed Mount Ascutney Hospital in Windsor will launch a disease management program as part of the Blueprint for Health’s Chronic Care Initiative.
Vermont Information Technology Leaders, Inc. (VITL), a non-profit founded in July of 2005 with a vision of sharing real-time clinical information among health care providers across the state, is a driving force behind both projects, although the medication history pilot will initially be funded by a hospital-paid per-use charge and the disease management program is part of a five-year contract with the state Department of Health (DOH).
Both pilot programs will require patients to consent, or opt-in, to the systems. Access is governed by both the federal Health Insurance Portability and Accountability Act (HIPAA) and Vermont’s Patient Privilege Statute, which requires patient consent for any type of transaction.
“The goals of the prescription drug program are quite good. The question is, will patients’ privacy be adequately protected?” Gilbert said.
According to Greg Farnum, VITL’s president, opting in to the medication history program requires both a verbal agreement and a separate signed consent form. Once permission is given, a triage nurse electronically retrieves a list of all medications paid for through insurance claims for that patient in the last six months and reviews the list with the patient.
“If there is an inaccuracy, and because this is claims data it is possible that there might be, the nurse notes that on the paper and that goes into the patient’s medical chart for the physician,” said Steve Larose, VITL’s communications manager. “The only people who see the information are the nurse and the physician.”
VITL’s contract with DOH is to provide data services for the Chronic Care Initiative, beginning with a diabetes management program at Mount Ascutney Hospital in June. Physicians will use an EMR system from GE Healthcare (formerly IDX) in conjunction with disease management applications from Orion Health to collect and analyze lab results for diabetic patients who choose to participate in the program. DOH listed expanding the Chronic Care Initiative to six of the state’s 14 hospitals as one of their goals for this year in a report to the Legislature in January.
Deb Richter, MD, founder of Primary Care Vermont, described the diabetes management program as not the way she would approach chronic care. “My feeling is that we need to address the financing issue and administration of health care first before we start dealing with changing the way we deliver care,” she said. “If you want to take care of diabetes you need to ensure access to a nutritionist, to health insurance and exercise. If you want to address chronic care we have to adequately finance the services. We are asking primary care providers to deliver more services with less capacity and less financing.”
Initially, only clinicians will have access to the records and results in the program, although VITL’s website states that long-term goals for an integrated electronic health records system include patients retaining ownership of their medical information.
Gilbert called the lack of patient access to the records from the outset disturbing. “From a patient standpoint, you should always have access to your own records and know at all times who has right of access to your records and that should not be able to be passed on from one party to another — just because you give permission to your doctor doesn’t mean s/he has the right to pass that information onto drug companies. It should be a right that rests with you solely as the owner of your records.”
“There will be in the future what is called a patient portal that will allow patients who opt-in to access their information on a secure website,” Larose said. “It is important for people to understand that in Vermont they have to opt-in and say, yes, they want to be part of the system; if they don’t, they are not part of the system.”
According to VITL, studies suggest a high return on investing in an integrated health information exchange system including a 25 percent reduction in repeated laboratory tests, 35 percent more child immunizations, 30 percent less clinical-related administrative work and overhead, 35 percent reduction in patient complaints, eight percent savings in daily operations, and fewer hospital referrals from primary care.
“I would like to say, yes, you can balance privacy concerns with efficiencies, because I think that all of us recognize there is a benefit to the patient when a doctor has quick access to medical records, especially in an emergency room, and I want to believe there are cost savings in aggregating records electronically,” Gilbert said. “But we don’t have very many good examples in other areas about how records can be kept secure — it seems like every day there is a data breach somewhere. You wonder what is protecting sensitive information from getting out. Medical records are the highest level of sensitivity and people aren’t convinced there is a way to keep these records secure.”
According to an Internet security report released on March 1, state government uses a federated structure, meaning that individual agencies and departments have unique computer servers, applications, staff, and systems. For VITL’s programs, all data will be maintained at GE Healthcare’s data center in Chittenden County.
“When we talk about medical records, we are in a whole different class of security. Concerns about the security of health care is quite a bit different than other records,” Larose said. “GE Healthcare handles millions of transactions a day and are doing it in the most secure environment known to man.”
“I’m not concerned that my information will be in there,” Farnum added. “I think there is medical information and other private security information that should be protected with the same level of security — but we used a very deliberate process looking for the highest level of security, selecting a vendor that was the best available in the industry for handling the medical information.”