Friday, September 04, 2015

This Is An Issue That Really Worries Me With Electronic Record Keeping - Especially In Shared Environments!

This appeared a little while ago.

Electronic mental health, substance abuse records need special care

August 26, 2015 | By Marla Durben Hirsch
I have little sympathy for the millions of people who joined the Ashley Madison website that facilitates extramarital affairs and now are dealing with the exposure of their involvement due to hackers. It is naive in these electronic times to think that there's anything private. 
The National Security Agency monitors our email. Healthcare entities, banking institutions, large retailers and even the federal government all have been victims of cyberattacks. Cellphones have become witnesses to bad public behavior.
But it is disconcerting to think that electronic substance abuse and mental health records are more vulnerable to exposure, as a recent article in The Intercept reports. The article details how the move from paper records to electronic health records caused at least one bipolar patient's data to be readily available to a multitude of physicians in the practice, which the patient did not expect, to her dismay. The article also highlights how easily electronic patient records of Canadians who were treated for attempted suicide ended up in the hands of the U.S. Department of Homeland Security, which used the data against the patients even though they were no threat to anyone.
And these were purposely shared records, not even compromised by user error, a rogue employee or hacking.
This is a disturbing development. Many people still don't seek this help. But we really need and want them to.  
So many of tragic shootings occurring in this country have been perpetrated by people with mental health issues. If more of them had been in treatment, perhaps some of the carnage could have been prevented.
And look at our veterans. So many of our servicemen and women are suffering from post-traumatic stress disorder. They also have higher drug abuse and suicide rates than the national average.
Lots more here:
Here is the source article:

The Devil Is In the Details: How Patients’ Mental Health Data Is At Risk

Aug. 22 2015, 4:35 a.m.
When Julie (who requested that her last name not be used for reasons that will become obvious) went for a routine doctor visit in 2009, she found a nervous resident filling in for her regular physician, who was on maternity leave. He quickly told her that he’d read her psychiatric records, even though she wasn’t coming in for mental health issues, and that he wanted her to see a therapist. Immediately. In the aftermath of the visit, she discovered exactly what he’d been reading — “Uncovering past trauma. Sexual abuse by boy in preschool…. Patient is looking to change her job; problems with family continue. She and her mother are not talking….She has defaulted on student loans and has begun to deal with this including consulting an attorney.” In all, there were 200 pages of details from her therapy sessions, including issues that had taken years for her to disclose even to a professional.
Julie has bipolar disorder, which she and her doctors have managed successfully for two decades. She has a graduate degree, a good job and a child. But she didn’t have a true picture of what would happen to her mental health records as her provider, Partners HealthCare, transitioned to electronic medical records (EMRs). She had been seeing a primary care doctor, gynecologist and psychiatrist in the practice for many years. But, she says, “I thought I’d have to give permission for my regular doctors to see my psychiatry records.”
Nope. It turns out that all doctors in the practice could see all of her records when they logged in to the new system. Her primary care doctor regularly refilled her prescription for bipolar medication, something she’d expected during this visit, though it wasn’t her reason for coming. The substitute doctor refused at first, then agreed, but only after adding a note to her permanent medical record saying, “I counseled patient that she needs to see a psychologist immediately.” Julie was aghast. “The next time I have any kind of appointment that’s what they’re going see first.” Then she sighs, “I talked to him after. He was a resident. He wanted to do a good job, and he was trying to be diligent in reading all my records. It kind of backfired.”
If the effort to blend the efficiency of technology with patients’ privacy needs has backfired in general health care (see “Medical Privacy Under Threat”), it is causing particular emotional and financial wounds in the world of mental health, where even a well-managed diagnosis can become a job-threatening stigma. HIPAA laws, long assumed by patients to protect their privacy, only apply in certain circumstances to certain entities. There’s a raging debate over how to regulate the new privacy issues around employee assistance plans and workplace wellness incentives. And the issue of how and when to track mental health patients has even become an issue at the U.S.-Canada border. Citing the high numbers of Americans who have experienced sexual abuse, major depression, or substance abuse, Dr. Deborah Peel, a psychiatrist who founded Patient Privacy Rights, a research and advocacy group, says, “You cannot force people to cough up information when it’s not private. They will hide it. How can we accept an electronic records system that drives people away from being open and honest?”
Peel was also an expert in a case involving the Employee Assistance Program at a Fortune 500 company. “The person had a great track record but didn’t do well with the next boss,” she says. “She had some problems with substance abuse but had treated it. But there was information in the EAP about it, which was paid for by the company.” The information leaked to her boss — and the person was fired.
Privacy experts also worry about workplace wellness programs, which offer employees financial incentives in return for behavioral changes such as quitting smoking or walking 10,000 steps a day. The Equal Opportunity Employment Commission (EEOC) is seeking to allow employers greater latitude in asking for medical data in exchange for these incentives. Their proposal is intended to be in line with the Obama administration’s focus on wellness and fitness, but some advocates from the civil rights, women’s rights, and medical rights communities argue the cost is too high. Jennifer Mathis, director of programs at the Bazelon Center for Mental Health Law, suggests that what the rule change describes as voluntary could seem coercive to employees living with mental or physical disabilities, in violation of the Americans with Disabilities Act.
A great deal more is found here:
It is hard to know what to say about these stories. The damage that can be done to people by others sharing their information can be incalculable and life- destroying!
Do you think the geniuses who gave us the PCEHR considered all these issues. I am pretty sure the answer is no!
Another reason not to go near the PCEHR! It seems authorities think they can do as they like with your information as long as you don’t get to find out!
David.

4 comments:

Anonymous said...

This is a difficult question.

First, the the PCEHR should not be a repository for information that should be of restricted distribution, such as mental health issues. There is very limited scope for managing access to these sorts of records in the PCEHR, and the only safe way is to not put such records there in the first place.

It is important, however, that a treating clinician is able to see medications that a patient is on. This includes medications for mental illnesses, etc. Just disclosing the medications list discloses something about the patient, but without this medication list there are too many possibilities for harm.

I have not seen any worthwhile discussion of this issue, and it is something that requires discussion and careful deliberation.

Andrew McIntyre said...

The concept of a shared record is, and always has been flawed. What we need is shareable data in standard formats with shared terminology. Then the appropriate data can be easily shared with the appropriate people. This is point to point messaging and that is what we need. Shared repositories make privacy protection a nightmare and if compromised an enormous amount of sensitive data is compromised.

Its not appropriate for the podiatrist to see your psychiatric assessment or STD screen and a referral to a eg. podiatrist should only contain relevant data. Every provider should have their own repository of patient data, which they can forward to other providers as appropriate. The often quoted unconscious presentation to emergency is a very rare event and could could be covered by break the glass provisions on GP repositories by the local emergency department. Patient repositories should follow the same design but be hosted by many different organisations, including self hosting by patients. A market for these would create far more innovation than our centralized government specified and consulting firm built PCEHR which has killed innovation in this country.

We need solid compliant standardized messages that can be reliably handled by all endpoints and that would allow only the appropriate information to flow freely to the appropriate providers. The PCEHR is a privacy nightmare that is not right for any user. One size fits all does not cut it.

Bernard Robertson-Dunn said...

Andrew,

In a shareable data approach, how does a health professional (or a system supporting that professional) know what data exists and where to go to for that data?

I'm not suggesting that a shared record is a better solution, even with a shared record a health professional doesn't know if all the data is available, and there is also that possibility that shear data volume can be a problem of its own.

I think both approaches are problematic, I'm trying to understand the issues both face.

Andrew McIntyre said...

It would be possible to query many repositories to find data, but this is also a privacy concern because to mere existence of data from say a psychiatrist is information in itself. The best option is to ask the patient, have them sign a consent form and they request data from places they have previously attended. They then have the right to omit some data sources but to maintain privacy that's the risk you have to take. There is a role for more centralized information on things such as drugs of addiction, but that is outside their medical records. These requests for data is what we do now. Being able to have it transmitted quickly and easily in standards based formats is what we need.

I can achieve this now with all previous results available in HL7V2 format and they can be messaged to a new provider on demand with a couple of clicks. They then arrive in their original format, not as a blob of text or a pdf. If everyone supported those standards then we would have the ability to quickly more data around as it is needed without loss of fidelity or privacy. This is available to be in the private sector with Path labs, XRay reports, GPs, some allied health and specialists. What is lacking is good support from government organisations who are the worst supporters of standards as a general rule. The PCEHR has them blinkered, riding at full speed to the cliff top atop a very expensive animal that they keep insisting is a race horse, but is increasingly looking like a mule.