Patient Consent to Health Information Technology: Safeguarding Patients’ Records and Confidences

• Publication year: 2010

Varsha D. Gadani⁰

As the health care reform encourages more hospitals and physician networks to adopt electronic health record systems and more regional networks to develop, the federal and state governments will have the difficult task of safeguarding patients' records and confidences. While the public health benefits of electronic health record systems are plentiful, concerns of privacy and consent permeate patients' minds. North Carolina has made great strides in laying the groundwork for creating these networks; however, more regulations are necessary to advocate measures for obtaining consent from patients and to facilitate patient confidence in these networks. In order to encourage participation in the network, North Carolina should incorporate an opt-in, provider by provider consent process and should consider expanded recourse rights for patients.

I. Introduction

Patrick is fifty-six years old and suffers from diabetes, high cholesterol, and heart disease. He has different specialists for each condition and was recently referred to a new specialist, Dr. Rodriguez, for his heart disease. At Patrick's first appointment, Dr. Rodriguez changed his medication to a newer, more effective medication and scheduled a follow-up appointment with Patrick to monitor his progress. Patrick incorporated this new medication into his regimen. Four nights later, soon after going to sleep, he awoke with an uneasy feeling. Patrick was sweating and felt dizzy. His wife immediately took him to the emergency room. The emergency room physicians, upon soliciting his medication information, realized that his new medication was adversely interacting with his cholesterol medication. They were able to stabilize him, and fortunately, Patrick suffered no long-term health consequences.

Patrick's problem arose primarily because Dr. Rodriguez was unaware of the other medications he was taking. Prior to his appointment with her, Patrick completed the preliminary paperwork but had inadvertently left off one of the medications he was taking to control his cholesterol. Had Dr. Rodriguez been aware that Patrick was taking this medication, she would have known not to prescribe the new heart disease medication. Unfortunately, she had incomplete information.

If there had been a system in place that allowed Dr. Rodriguez to view Patrick's medical history, including diagnoses and treatment plans from other physicians, adverse health consequences such as the one that Patrick suffered could be avoided. This is precisely what the Health Information Technology for Economic and Clinical Health ("HITECH") Act, which was enacted as part of the American Recovery and Reinvestment Act of 2009, aims to do. ¹ The Act seeks to encourage the adoption of electronic health records ("EHRs") by providing Medicare incentives.² While the public health benefits are potentially plentiful, there are a myriad of concerns that arise from the creation of a nationwide health information network ("NHIN") as it raises questions about whether patients have control over how their health records are shared.³ These concerns include determining what organizations will have access to a patient's medical records, what these organizations' motives are for obtaining access, how patients can control which organizations may have access to the records, and whether a patient may choose which records are shared and which remain private.⁴ This Recent Development focuses on two preliminary concerns: the ideal methods of patient consent regarding the sharing of patient health information through regional health information organizations ("RHIOs") and how to encourage patient participation in RHIOs.⁵

Specifically, this Recent Development will explore the background of the HITECH Act, the public health benefits that are likely to result from the widespread adoption of EHRs and coordination through RHIOs, and North Carolina's efforts to create RHIOs. Further, it will explore the Tiger Team's recent recommendations for ensuring privacy.⁶ Finally, this Recent Development will advocate measures for obtaining consent from patients and for facilitating patient confidence in the network.

II. Background

A. The HITECH Act

The HITECH Act was passed as a part of the American Recovery and Reinvestment Act of 2009 ("ARRA"). ⁷ The Statement of Purpose includes, as the third of five purposes, the intent to "provide investments needed to increase economic efficiency by spurring technological advances in science and health."⁸ As a result, $25.8 billion of recovery funding was devoted to health information technology.⁹ The overall goal of this funding is to create a nationwide health information infrastructure by encouraging the adoption of health information technology to create health information organizations.¹⁰

B. Public Health Benefits

President Obama illustrated the need for EHRs and the benefits of a NHIN when he addressed the American Medical Association on June 15, 2009. President Obama said:

We need to upgrade our medical records by switching from a paper to an electronic system of record keeping. And we have already begun to do this with an investment we made as part of our Recovery Act. It simply doesn't make sense that patients in the 21^st century are still filling out forms with pens on papers that have to be stored away somewhere . . . . You shouldn't have to tell every new doctor you see about your medical history, or what prescriptions you're taking. You should not have to repeat costly tests. All of that information should be stored securely in a private medical record so that your information can

be tracked from one doctor to another—even if you change jobs, even if you move, and even if you have to see a number of different specialists. That will not only mean less paper pushing and lower administrative costs, saving taxpayers billions of dollars. It will also make it easier for physicians to do their jobs. It will tell you, the doctors, what drugs a patient is taking so you can avoid prescribing a medication that could cause a harmful interaction. It will help prevent the wrong dosages from going to a patient. And it will reduce medical errors that lead to 100,000 lives lost unnecessarily in our hospitals every year.¹¹

As President Obama highlighted, Patrick's unforeseen health consequence could have been avoided if Dr. Rodriguez had access to his medical records from his other physicians to determine what other health problems he had as well as how his other physicians were treating him. Indeed, these types of errors are common; as the Institute of Medicine's notable To Err is Human indicates, more Americans die annually from preventable medical errors than from AIDS or breast cancer.¹²

C. North Carolina's Efforts

Prior to the adoption of the HITECH Act, various RHIOs had already developed in North Carolina.¹³ The most developed of these is the Western North Carolina Health Network, which was established in 2006 and includes sixteen hospitals.¹⁴

Since the passage of the HITECH Act, North Carolina has taken additional steps to stimulate the development of a more extensive and coordinated RHIO. Pursuant to the funding provisions of the HITECH Act,¹⁵ North Carolina Governor Beverly Perdue signed Executive Order 19 on July 16, 2009, which designated the North Carolina Health and Wellness Trust Fund as the State Designated Entity ("SDE").¹⁶ As the SDE, it applied to the Office of the National Coordinator for Health Information Technology ("ONC") for funding of a statewide health information exchange ("HIE").¹⁷ North Carolina subsequently received $12.9 million in funding from the ONC with the intent of using the funds to create a public-private partnership model for its not-for-profit network, the NC HIE.¹⁸

To further guide the adoption of health information technology, on August 31, 2010, the state released the update to the North Carolina Statewide HIE Strategic Plan, recognizing that while there are various statutes related to the requirements of confidentiality and privacy as well as disclosure of medical records,¹⁹ the state has none geared towards the sharing of EHRs.²⁰ Additionally, the state has not yet determined a model for consent although it has established guiding principles to help with this determination.²¹

III. Tiger Team Privacy Recommendations

Although North Carolina's guidance for creating networks is limited, the ONC created the Privacy & Security Tiger Team under the Health IT Policy Committee, which should provide guidance to North Carolina as well as other states that apply for funding from the ONC.²² The Tiger Team was tasked with researching privacy and security issues arising under the HITECH Act and making recommendations to address these issues.²³ On August 19, 2010, the Tiger Team released consent suggestions for directed exchange for treatment and for RHIOs.²⁴

A directed exchange for treatment occurs when a physician exchanges a patient's health records with another physician for the purpose of treating that patient.²⁵ A RHIO refers to a collaboration of health care organizations in a specified geographic area that share health information electronically for the purpose of improving health care in the community. ²⁶ Because of the differences in purposes of these two types of exchanges, the Tiger Team has created different standards for each.²⁷

The Tiger Team maintains that patient consent is not required for directed exchange for treatment, which corresponds to the guidelines of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").²⁸ Prior to the HITECH Act, HIPAA was the primary source of guidelines for safeguarding privacy in the context of health information exchanges.²⁹ With the adoption of EHRs, the HITECH Act maintains HIPAA's guidelines for directed exchange and allows the exchange of a patient's health records for the purpose of treating that patient without the consent of the patient.³⁰ Directed exchange of medical...