Tuesday, April 17, 2012

EHRs & Privacy: Am I The Only One Who Cares About This Stuff?

Electronic Health Records are a wonderful thing.  They allow for the easy access of information from one doc to another.  Now when the patient takes the white pill for that bump, I can go in to the records and see what the bump was and what the white pill is.  Once in a great while, it has meaning for their psychiatric care, and it's good for general curiosity, too, and periodically, I may help with the education process if it seems important that the patient should have a greater understanding of their bumps.  Roy likes EHRs and President Obama will pay you tens of thousands of dollars to implement one in just the right way (too many hoops for me).  As a doctor, it's mostly nice.  I still see a lot of people who get portions of their health care in another system and I can't access their labs-- labs I actually need to have to safely monitor how their bodies are tolerating their psych meds, but I'm doing my best.  When I run labs on a patient who gets their primary care outside of our system, I hand them a copy to give to their doctor, hoping that I will spare them a needle stick and spare the 'system' (usually Uncle Sam) the cost of repeating the same blood work.  Who knows if that ever happens.

I've mentioned before that my gripe with this system is that any healthcare professional in the system can access information.  Now everyone I work with, and approximately 10% of my neighbors (wild guess here), and even some of my patients,  have access to this system.  The only thing that stops someone from looking up a friend's medical history is the knowledge that you will get in trouble-- and likely fired-- if you get caught.  But you have to get caught, which means that someone has to look up who accessed the information and track down if it was a legitimate accessing of information.  Now they do it, and people have been fired, and the prohibition is real, but we don't think that in a system of many thousands of people, there isn't a sociopath here or there?

Let me give you an theoretical example: what if a young nurse (he has access) starts dating a pretty young hospital worker (she does not have access to the records; also these people can be old and/or ugly if you'd like....just enjoying my fiction here).  He's curious about her; in fact, he's prone to a bit of pathological jealousy.  He decides to take his chances and look up her records and he notices that someone has run an HIV test on her (it was negative) and she's had a miscarriage a couple of years ago, one she never mentioned to him.  Oh, and psych records aren't in the system (yet, coming soon) but her primary care doc mentioned that she's on Prozac for depression and Seroquel for sleep.  Isn't Seroquel the big guns, maybe she's crazy.  So if he tells her he looked at her records, and she wants to report him, he's toast. But maybe she doesn't want to get him fired, so she eats it.  Also, once he's fired, he's just fired, not dead.  He can then tell whoever he likes, I suppose, especially if he loses his license.  And the saying goes that there are random "flags" that go up to catch wrong-doers, but this is a big system, so I am skeptical.

I've mentioned my concern about this to a few people, especially since the system is about to be overhauled.  I've suggested that each patient have a card or an identifier that the provider should get from the patient to authorize access to the information.  I've asked that this be brought up at planning meetings.  I get looks like I'm from Mars.  Obviously, all health care providers should have access to their patient's records, and in this system, there is no absolute guarantee that your neighbor won't be curious and you don't have the right to not tell the dermatologist that you had a vasectomy three years ago, or to keep your internist from making a note that your antibiotic was started in jail.  Okay, I will say that all of the records I've read (it's been years, that's a lot) are very professional, but still, sometimes the facts are the facts and they aren't all that savory.  I asked if the topic came up at the planning meeting and was told no one else was concerned.  My boss has agreed with me that I watch too much 24.

So I went to schedule a routine screening exam the other day.  I have no reason to be concerned about this, but I am generally uneasy about being in the massive data bank that is the system's records and I avoid it.  I called for the appointment, and the office had been taken over by my hospital system, something new!  I asked if my results would go into the main hospital computer.  Of course they will!  Thank you, I said, I will get my test elsewhere, and I hung up. 

Why doesn't anyone else care about this stuff?


Anonymous said...

Do you believe that patients should have access to their own EHR? If so, then you really do care about this stuff.

clairesmum said...

well, i do care (as a patient and a nurse) but it feels like the battle is already lost. I am in 'a system' that has its' nearest outpost about 25 miles away - easy enough for seeing my PCP, having labs done. May not be so practical when I have an issue that needs LOTS of treatment (such as MI, cancer, etc.) Keeps me out of the 3 networks that overlap where I live and work, and that is part of why I go 'so far away." Also like my PCP, have been with him 15 years+. My EHR allows patient access to parts of it. My psych meds are listed accurately, with a notation of 'other provider prescribes." There are 3 meds, none would be a red flag for psychosis. My list of dx lists 'H/o sexual abuse" but not the accompanying psych diagnoses. He knows about my depression/PTSD stuff, but it is not in the parts of the record that I see.
My mental health providers (2 LICSW, 1psych MD) are not in PCP's network - LICSWs not in any hospital networks yet, here. PsychMD is in different network, but does not bill insurances - so I pay her with a check and get BCBS to pay me back (a small portion of the cost, the rest comes from me.) The LICSWs both bill BCBS, and have done so for years.
Now I have glaucoma, and an opthalmologist. His practice recently adopted the EHR of their affiliated system.(the 800 lb gorilla health care system of this area.) I don't see anyone in that
system so he had to enter me into the database. Then he needed to start me on medication for glaucoma, and was considering one that has a side effect of vivid dreams. He wanted to alert me about it cuz he knows my history (survivor of sexual abuse, so difficulty w/ anxiety, being in a dark room stuck in an exam chair with a man between me and the door, etc.) and is also conscientious about charting. Together we came up with wording that felt OK for both of us. He was very clear that he did not want to put anything in 'the records in the system' about my mental health issues, to prevent me from stigma in the future.
I told him I appreciated his concern but was also angry that it matters at all, to anyone! I didn't choose to be an incest victim, but I did choose to survive!
How is this all gonna play out in the next 15-20 years, in terms of my access to and quality of health care, my insurance, and stigma? Well, I have some patient advocacy skills and self advocacy skills already, and they are gonna get a workout, I am sure. For me, this is one of the results of being an incest survivor - lots of stuff is hard for me, and I have learned to explain what I can when I can, and to leave situations where I cannot make myself understood and get my needs met. However, it is a challenge and will continue to be so.
I do think EHRS ought to require a higher level of authorization to access information related to psychiatric and substance abuse treatment. I think the only way to reduce some of the assumptions about stuff like lab tests and pathology reports by professionals and paraprofessionals who access EHRS (both legitimately and sneakily) is a combination of teaching, controlling and monitoring access to EHRs, a more accurate understanding and implementation of HIPPAA (I'm no fan, but it is supposed to protect the patient in this area, I believe) and significant consequences for violations (up to and including notification of professional licensing authorities.)
Sorry this is so long - I DO care. I can try to teach, and 'lead by example."

Dinah said...

Psych information can be pretty benign (h/o depression, single episode, treated with Prozac for 6 months in 1994) and non-psych information can be pretty damning: 5 abortions, stds, jailhouse tattoo infected, endocarditis from shooting, mild-mannered CEO on methadone, injury related to rape, and maybe you don't want your neighbor knowing you used to do cocaine, or that you have diabetes (he glares at me and says "nonono" whenever I eat birthday cake at a party).

I absolutely believe the patient should see the information. This is allows for the correction of errors, and there are many.

I believe that the patient should control who can access the information and that it shouldn't be a matter of trust regarding hospital workers not involved in health care, or the that the patient has no right to withhold sensitive information from a given care provider. You can't have a basal cell carcinoma removed without the dermatologist knowing you were raped?

Anonymous said...

Reminds me of the old post on why wouldn't you tell your shrink everything? I said I wouldn't tell my shrink about a yeast infection and a few people jumped all over that.

Patient Health Record said...

Yes I want to be able to see everything that I can in my medical records. It is after all my history isn't it? Looking up the date of my last yearly, seeing test results and knowing that all information in my records are true should be something I have access to. These records are a wonderful thing that I am happy we have available.

jesse said...

It is common knowledge that employees at certain insurance companies look up information on anyone they meet at a bar. Dinah's concerns are already fact.

In the olden days, with written records and a doctor actually looking at the patient and not a laptop, psychiatric records contained a good deal of information useful to future treatment. Today we have records that are check lists of symptoms. Much of it is worthless in terms of truly understanding a patient but does supply labels that can be seriously abused.

One way in which doctors will protect patients (an important obligation) is to omit information deemed peripheral to the conclusion. The unhappy consequence could be that in time physicians think less astutely in terms of understanding causality: I saw once a chart of a patient who had a psychotic decompensation and the history did not mention that a short time previously she had an abortion.

Sarebear said...

Haven't read the comments yet, in a hurry, but I have alot of concerns, although I have positve feelings too.

The thing is, I know no matter how secure the system, it can be hacked, but . . . with this most personal of information, shouldn't it be treated as securely if not more so than financial information? We often hear about some credit card company or another that got hacked . . . How do you make an EHR secure enough and yet not make the security procedures so much of a pain it takes too much precious time out of a provider's time to access? I'm not saying security isn't worth ANY of their time, but . . . like my GP is extremely busy, something that's too onerous won't work. How much is too onerous? Guess someone will have to hammer that out.

See, in the last year I've had my information hacked; one was last year's spring hack of Sony's online and PS3 game users, which I could avoid in future by not using anything online I don't have to (how feasible is that nowadays?)

THEN just this month, Utah's Medicaid sytem was hacked, and 100,000 records were compromised. (At first they thought only a quarter of that, but since they changed the amount I no longer believe such estimates). I'm currently waiting to see if I'll receive one of the letters they are sending out to the compromised people, or if I'm "safe" (can they/I be sure?).

Anonymous said...


You are bang on. I used to have a doctor who looked at me and wrote few note in the chart. Now the best I can get is a doctor who I would not recognize on the street because I we have never looked at each other. The laptop sits on the desk, the doctor sits in front of the laptop, shoots questions at me as I sit off to the side of the desk. I wish I could go to an appointment and say: please prove you're not a robot.

A said...

why do you keep saying no one cares about this stuff? every time you post about it you get responses from people who care quite a bit. And, you need to understand that psych histories are not benign; the fact that one exists at all is a powerful tool/weapon/reason for stigma, etc. Jail, etc, you can "overcome." Psych history never gets overcome.

Dinah said...

'A' I know some of our readers are very concerned about this issue, but when I bring it up at work, where the system is in place and where a new system will soon be implemented, no one else seems fazed. At risk management meetings, there are guidelines given for who an employee may look up: patients under their care, themselves, their child under the age of 10. But in a world where there is such a big deal made out of HIPAA issues, where the dentist has to cross your name off the list so no one knows you were in his waiting room, it feels like an inconsistency to me that the only thing that stops someone from being curious about your personal information is trust and fear. It was true with paper records, but then you had to go to a record room, request them and sign them out, and just plugging in a name in the privacy of your office is so much easier.

Sarebear: Okay for some unknown reason, I don't worry about my info being stolen from a cloud, or with hundreds of thousands of other peoples' info, or what if my doctor's cell phone is stolen with my phone number. I worry about things like my supervisees, colleagues, or neighbors, being curious and purposefully looking at my health information, or that if I tell something very personal to one physician that every random nurse or physician I see will have access to it. Total strangers, I don't care about.

I am the first to admit that none of this makes any sense.

Anonymous said...

Fear I understand. Trust. What on earth is that?

Sarebear said...

Dina, I understand why you feel that way.

Hrm, I sound like a therapist, heh!

The people who are in proximity to the records, will have alot more opportunity, are likely to have more motive, and have the means at their disposal. As well, some of them wlll have alot more context in which to place the info, since they may know you, or of you one or two people removed, etc.

Still, it's surprising how violated and vulnerable one feels when your information is stolen; on the Sony one, the said only some of the Europeans had their credit card infomation taken; USA and other people had other information taen, enough to be an identiy theft risk though.

Yeah, the stranger looking at my info is less creepy than someone who KNoWS me seeing my info; heck, most of my family desn't even know I play Everquest 2 from time to time. I just don't want to be judged, by THEM. You all, well, what does it matter if I say I play it here?

Of course, I've said more personal things here, like the awful things I did recently.

Oh. pardon my increasingy frequnt typos; mykeyboardkeeps screwing up, ugh dumb spacebar too.

Sarebear said...

Oh, and don't try to audibly sound out "frequnt", I was reading the comment to my husband and I sounded it out and then clapped my hand over my mouth after it came out cause it sounded REALLY bad.


Sunny CA said...

I worry about electronic records. I think the best system would be a password that only the patient and a designated health care proxy would know. Just like at the bank when you enter your password for the teller to access your account, the patient would enter her password in the examining room for that doctor to access the records at that moment. Permanent permission would never be given.

I worry personally about global electronic health records because I am hypothyroid. My endocrinologist is the only one I have met who gives me an adequate dose of thyroid replacement. My general practitioner and other endocrinologists I have tried believe in taking the thyroid-stimulating-hormone up the the maximum within the normal range. I think at the top of the normal range, the thyroid isn't functioning. Dosing me so low that I am at the top of the normal for TSH puts me into hair loss, shivering in warm rooms, falling asleep midday, skin that damages easily, and a host of other low-thyroid symptoms. My current endocrinologist who prescribes enough hormone is about 70 years old. What will I do when he retires? The only thing I can think of is to go to two doctors and thus put together the dose I currently take. The alternative is gaining 50 pounds and spending the rest of my life totally exhausted. This is theoretically"abuse" of the system, but in reality it is my biggest concern. Meanwhile at this current dose, which my GP is surprised at (at 225mcg my GP says I have a higher dose than any of his other patients), my resting heart rate is about 60. I am not over-medicated. My heart never races. My endocrinologist joked that I was "barely alive" because my heart rate was so slow when I came in under-medicated. I also think the under medication give me symptoms of depression that I feel are physiological. Anyway, I fear being stuck forever with a nearly dead metabolism and nobody willing to give me enough synthroid to wake me up.

Zoe Brain said...

One countermeasure: as an indelible part of the patient's record, keep an append-only file of who accessed it, when, where, and for how long.

The patient should be given this information on request, and the entity granted access must be able to give a "reasonable justification" or face criminal prosecution.

Should a record be accessed in error (it happens), an authorised super-user should be able to annotate the file accordingly, again an indelible record kept.

Such measures are standard when dealing with sensitive information, financial transactions, etc.

It won't stop abuse, but it will stop casual browsing.

If you start adding passwords etc, you get problems such as the out-of-state car crash victim, brought in unconscious, and you need data on allergies etc NOW not in two hours time.

BTW I've worked on defining the requirements of such systems. If you can think of a better balance between privacy and swift access by new medical personnel, please let me know.

Actually I use this as an example case for my students in "Requirements Elicitation and Analysis", a post-grad course at the Australian National University.

Anonymous said...


If you write a tell all biography, you will never have to worry about who knows what.

Anonymous said...


Anonymous said...

If my therapist or psychiatrist started using electronic health records I'd quit seeing them immediately. I'd see it as a violation of my privacy and trust. I don't agree that every provider needs to know all my personal business, and like other commenters I'm concerned about hacking and nosy people.

I do like Dinah's idea about the patient having some kind of code that they can give the provider to allow access. I'm not sure how something like that would work. It sounds like a card they'd have to remember to bring or like a pin number they'd have to recall. Either way I can imagine a lot of patients who are unable to give to the code when they would like to.

Sideways Shrink said...

I use an EHR, in part because mine allows scheduling, billing, and authorizing refills all to dovetail together seamlessly. With no office staff, it makes it possible to bill insurance companies without losing my mind. I do NOT use a check list format for documentation, nor do I sit with the laptop on my lap with the computer on my lap when the patient is with me--except at the end to enter the co-pay and schedule the next appointment. My state is taking part in the mother of all electronic medical records and I have recently signed on: all pharmacies are logging every single controlled/"narcotic" prescription they fill for every patient into a database that is accessible by registered prescribers. I thought I knew my patients, what they were up substance use/abuse wise because I practice and believe in a harm reduction approach and am always address substance use with patients: that I will not judge them or tell them to stop, but that if they are honest with me, it will help me give them the best kind of medication for their mood or anxiety problem, etc. (and I think that stopping the lying generally faciliates the beginning of a therapeutic relationship if someone is struggling with real addiction. Well, well!!!
I found in my searches through my patients pharmacy records that the highest correlating factor with "hidden" large pain medication prescription filling (2 patients) and doctor shopping for immediate release adderall in addition to the extended release I am giving them (1 patient) was that these 3 patient no show more than any of my other patients. It makes sense in retrospect looking at the behavior of an addict.
But my records and everyone's psych records should not go into the grist of the great EHR churn.
My husband (a jazz musician, but ever so wily without being paranoid) nailed it the other day when he said that all of the funding of EHRs was eventually going to benefit insurance companies so they could build their database of pre-existing conditions. This would allow them to deny all kinds of insurance coverage to people in the future. Who knew he listened to all of my rants about public health policy after all, let alone could distill something so keen?
Yet another gimme to the insurance companies to come out of health insurance "reform". I love you Obama, but prove you're not a robot....

Dinah said...

Anon: Ha! I have had the thought that maybe I should put my entire medical history on the blog and get over my anxiety about it. For all my concern about EHRs and privacy, my personal history to date is not that interesting. My life could make a blog post, but not a whole autobiography, not unless something interesting happens, like that lottery ticket.

Zoe Brain: The system does have a control like that, and I can go into my own record and see if anyone has accessed it. But it's an after-the-fact thing, and I think they get sanctioned or fired, not criminal prosecution. The system tells how long someone was on it, and so it's assumed that if you got there by mistake, you're off in a matter of seconds. So what I do if I go to see who has accessed my records, and I see that one of my patients has gone in to them? Do I report them and get them fired? How do I explain that they were my patient? And since I won't get medical care at my institution because of these records, what's there is minimal-- I woke up one morning with a horribly swollen eye and made a brief stop at the ophtho ER where a culture was negative and it soon became apparent that I had a contact lens irritation and not an infectious conjunctivitis. Do I report a neighbor/patient/colleague for accessing such information?

It's the idea.
The coma issue is valid, but you can have medical records at super-hospital and then be brought by ambulance to another hospital where they can't access your stuff anyway. And you keep the card/access number in your wallet for such things, or have a master method of breaking it only in the ER.

Sideways Shrink said...


Do you really write your chart notes "with a Q-tip" so to speak? This whole idea of patients seeing all of their records sounds great until someone actually reads their own records. People sometimes do not like the way their illnesses or their behaviors are described. Angry patients are the one who might sue you or file a board complaint against you. (I can't believe I'm saying this, but last fall was a wake up call for me in terms of increasing my cautiousness.) For example, have you never had to describe a patient who is trying to manipulate you to get a certain medication from you in ways that that patient were they to read that note would be very angry about? So, what happens then, they get to put a note in their own chart saying they really do think that "2 milligrams of xanax 4 times a day is the right way to treat their panic disorder and that Dr. Dinah is a quack for not giving to them like old Dr. Miller down in Florida did and she ought to have "her license revoked!" I don't think that patients should be all over their charts. I don't want to start second guessing what I am writing in the already sparse notes I do keep.
I personally would never want to see anyone's therapy notes or medical chart notes about me, really. The only thing I could think of wanting to see would be my radiology report. I would never dream of showing many emotions in a primary care setting. They can write what they want, I am not attached enough to it to want to read it or change it. Just because someone writes something about me or you in a medical chart does not mean that it defines us. Investing in the chart enough to want to read and possibly change it seems like a lot of life to give away. (Some diagnoses might be worth getting changed, but I don't know how anyone would accomplish it.)

Shruti Malik said...

The idea seems too late to me.
We assess the kids' records from home with Childrenconnect and email doctor our questions if not meeting her. We have complete assess to all the info about them and so does the staff on the other end.
The nurse working for her replies with in few hours to our questions and we are hoping this will continue without us to worry about morals of the staff involved!


Liz said...

this makes me ill. and wish i could either change my identity or move to another country and start over.

i KNOW too many people who are professionals and don't have utmost respect for confidentiality. for example, a friend of mine is a social worker. he checked the state's records about another friend of ours whose father had been accused of abusing her. without her permission.

i don't want my information to be posted for anyone with a damned medical or nursing degree- or anyone else for that matter! it's MY body and MY brain and MY medical history.

but if that shit is going to be put out there, damn right i should have the right to access it, totally and completely!

Sideways Shrink said...


In my state patients can view and amend their medical records in cooperation with their medical provider. I am sorry that you know people who abuse their access to confidential information. As for myself and the people I know in this field, we are full up on confidential information and would not spend spare time looking at medical records when we don't have to. I am passionate about caring and advocating for patients, but it is a job at the end of the day and people's private lives are not recreational material when you are entrusted with them.

Anonymous said...

In addition to privacy, I'm concerned about the potential for stigmatization. I've suffered from mental illness for over 20 years and would hate to think that my status as 'mentally ill' would impact my treatment by other health professionals responsible for my care. I know it's not supposed to happen, but it does.

When an organization converts from paper to EHR, do they typically convert existing paper records for their client base or do they prefer to start fresh, leaving the old paper files as is? I guess what I'm asking is: what is the likelihood that my doctors have transferred my paper files into digital format?

jesse said...

@Zoe Brain and Dinah: would it help if when anyone accessed the record they would first see a note informing them that their identity was recorded and if they accessed the record in error they should leave it now?

Zoe's suggestion seems excellent. There is always a way around any system, however. There must be a balance between ultimate protection and needed access.

Sideways Shrink said...

Almost all practices scan patient paper records and convert them into the new Electronic Health Record--otherwise the practitioners would be juggling paper charts and the digital devices and it wouldn't work at all. I don't know how far back they go or how practices or organizations make this decision. I am sure that the Center for Medicare Services has some guideline.

Dinah said...

Nothing would make it better. I want to be able to have a private discussion with my physician and now wonder who has access to the information.

So let me ask you: You're at the hospital and you look your self up. There's the urologist's note, your internist mentions something suspicious for malignancy (ah, many tests, you're fine, everything is benign), and you look to see who has accessed your records and you note that one of your patients (a doctor at the same hospital) has looked at your medical record. What do you do?

On another note, my new post is up on CLinical Psychiatry News at http://www.clinicalpsychiatrynews.com/views/shrink-rap-news.html on Everyone's Favorite Topic.

jesse said...

@Dinah: What would I do if I found out that one of my physician patients accessed my records without any apparent legitimate need? I would call the patient and ask him about this. What to do next depends entirely on the situation. In my experience patients tend to be quite professional about these things and I have never heard of a patient abusing access.

Sarebear said...

Why did I never think of this before? When my husband's male cousin turned out to be one of my nurses at the hospital for one of my knee replacement surgeries, all I felt at first was worry that he was going to see my bum; I had called for a nurse that night to help me to the bathroom, it was the same day as the surgery.

Then, 15 mins later, either the ther nurse or the one over him came in and asked if I wanted the cousin removed from my care; I figured, it's too late, he's seen my behind, oh well, and said no.

But now I'm realizing, "Oh crap how much do the nurses look at the medical record?" I believe there's stuff in there about me sleeping with a bunch of guys a year before I got married, and the resulting STD tests and stuff. Course, that's a ways back and would they look that far, and is that far back even in there?

There's also something else really embarrassing in there that's a current thing, so now I'm wondering if he saw that.

Shoot. At the time I remember thinking, well, he's acting very professionally yet kind, of course acknowledging our relationship and wanting to be even more helpful andkind than most nurses had been because he knows me (not that I'd seen him in years though). So I figured, if he's acting so wonderfully he'll probably treat my medical care with the utmost respect, and not tell anyone. So I guess I sort of thought of it, but there's alot of assumptions in there . . .and DANG I just realized, he'd have seen I was bipolar, and none of my husband's extended family knew that and I wanted it to stay that way. Crap.

This sucks. I'd rather he see my bum, than see all that stuff. I mean, only if he HAD to, I'm not an exhibitionist.

Sarebear said...

Eep and the suicide attempt that ended me up in an ER (but not an admit).

jesse said...

@Dinah, I may be way off about this, but cannot you have a private discussion with your physician that is off the record? We can tell our doctor that we would like to discuss something but do not want any note made of it.

One concern not yet mentioned: yes, the insurance companies can collect a great deal of information. This can be used for purposes other than increasing premiums. For instance, when one applies for insurance the company aka for past history. It is not easy to remember everything. There is usually the provision that leaving out information can result in lack of coverage or cancellation. At a later date the policyholder may give more complete information as part of an exam and the company may then have reason to deny coverage for that condition.

I do think there is much wrong with the system.

Anonymous said...

If you were my doctor and I asked if I could speak to you off the record about something I think you would say it depends. If I tell you I am suicidal, you would tell me you have to record that. If I tell you I found a great new sushi place you would say that's nice and keep it off the record. I am pretty sure that most things a patient wants off the record is probably something a doctor would think should be on the record.

jesse said...

@Anon, I think that a patient has the right to request that certain discussions stay off the record. One obvious exception would be those that involve plans to harm oneself or others.

A good example of a subject that a patient would want a psychiatrist to keep out of a record is that of an extra-marital affair. There are ways to record that a patient is having anxiety, or stress, without recording the cause of it.

There are many subjects that are kept out of records, and properly so.

moviedoc said...

No system is perfect. I want to be able to let my patients have full access to their record online. Privacy is history.

Sideways Shrink said...

While I understand people's concern for privacy of their health care records this whole conversation has a subtext. It accepts without question the growing idea in the culture that patients can't trust their doctors. This is interesting on a psychiatry blog. In the culture at large I think it stems from the squeezing effect of insurance companies on reimbursement and primary care seeing 4 patients an hour. Patients feel frustrated by having only one complaint addressed at a visit. But you Dinah, a shrink, to be so concerned about the privacy of your records is odd, because as shrinks are the keeper of secrets. You could say my reverse reaction, as a secret keeper, of not ever wanting to see my records is equally odd. But I don't think I can control who sees them, plus I don't want to know who has. I want to be ignorant. I want to control and know about a lot of things, but when knowing something which I consider a minor violation of my rights that would just get under my skin, I think I'll just take a pass. It is oddly pacifistic of me. But the other thing is I truly do not feel that health conditions or illnesses or other human conditions are shameful information. If someone with access to my records reads something and judges me based on it, then I truly feel sorry for them: they are a small person and have chosen the wrong line of work--they certainly aren't a professional. But that is about them and not about me.

Anonymous said...


I don't mean to offend but why should patients trust their doctors? We can't know which ones will turn out to be the ones who have been molesting children their whole careers, which ones have been made a sideline of selling narcotics, until and if they ever get caught. Moving away from criminal and into ethical territory, we don't know which doctors fail to safeguard patient records which ones are big gossips and which ones have poor boundaries. We also don't know which ones will be there for us when we need them over the course of an entire career withSo out ever doing any of those things. To say that most doctors cannot be trusted is nuts but there are enough bad apples or apples gone bad that I do not blindly put my faith in any of them. I have had experience with a few of the bad apples who ended up losing their license to practice. Is it just that I had bad luck to encounter more than one? I don't know. It does color my view. I might find my doctor to be a pleasant enough person but still I wonder and so I want to protect myself in whatever way I can and I think that this is one of those ways.

Dinah said...

It's not just a question of patients trusting their doctor. Do you trust your neighbor not to be curious about your information? Do you trust that cute young nurse who asked you on a date not to look at your stuff? Do you want your dermatologist to know you that 4 years ago you took diet pills? or that you're taking Happy Pills, which he doesn't believe in and he makes some snide remark? What if you really don't like the dermatologist and he's someone prone to say insensitive things?

Do you know how often I call to speak with a patient's physician and get told they won't speak with me without a signed release (the patient gave oral permission and provided the name and number of the doc, and my intention is coordinating care, or to say, "Please don't prescribe them psych meds since I'm doing that too"...and they won't talk to me.

If another doc won't speak with me without my obtaining a signed release and faxing it over, why is it fine to enter medical histories into the patient record, available legitimately to any care provider and accessible illegitimately to any care provider in the system (thousands in this city) without the patient's permission? And without the patient's right to say "You may keep a chart on me but I do not want my information placed in an electronic data bank." Actually, I'm off to email the hospital lawyer....

For the record, Jesse, I have never seen an extra marital affair mentioned in a medical record.

I have seen it written that my patient takes restoril when in fact they take risperdal.

Anonymous said...


I used to work in a setting with other trained professionals (not MDs in this case) who did go go into the file room and read the files of their neighbors, ex boyfriends, the teachers of their kids, you name it. I am not sure what security measures they have in place now. My point is that people are nosy and to assume that just because they call themselves therapists and have letters after their names and belong to professional organizations does not make it a given that you can trust them. So my comment about not trusting my own doctors should have included that info as well. I have seen it go on. As for the obvious question: why didn't I do something about it? I was in training, I would have been run out of there. In short, I was a coward.

Roy said...

Dang, late to the discussion.

So, one of my hats is that I chair a committee on electronic health records for the APA. (I also co-chair a work group on behavioral health EHR standards.) We address and comment on various federal proposals, and help to educate members on EHR issues, federal incentives, etc.

One of the things I keep pushing for is consumer choice about which information to share with whom. This would require granular consent policies and patient access to their information. They could see what is there, and indicate whether it should be available to all their providers, some, or none (rather, only to the one who put it there in the first place). I wrote about this on HIT Shrink as it applies to Health Information Exchanges.

Until there are mechanisms to prevent your info being seen without your permission, there needs to be easy ways for you to see who has looked at what when (an audit trail). That way, you could see that the nice man you met on Match.com who works for the Big Blue insurance company fraudulently looked at your medical records. This is why audit trails need to be able to drill down to the individual, not just "someone at Big Blue."

~Someone pointed out that paper records are also subject to snooping, but there is no way to know who snooped or even if it has happened.

~I have seen affairs mentioned in a record, as in "pt admitted to hospital for a suicide attempt after learning that wife was having an affair."

~You have the right to request from a hospital's medical records department a list of everyone who has looked at your electronic record during a specified period of time. It should indicate their name and their role (eg, nurse, physician, secretary, whatever). If it is someone who shouldn't have, like your cousin or neighbor or ex-spouse, then you can complain to the hospital about a breach. If they have a state license, you can complain to the licensing agency. You can also complain to the Joint Commission, as well as to the state licensing board for hospitals. The more that these complaints are made, the more that hospitals and doctors will take this issue seriously and change the way they allow access.

~I like the idea of a card or something that the patient must use to enable access to your record. Someone mentioned about losing it, etc. An alternative would be to use a biometric idea of some sort, such as fingerprint, iris pattern, retinal scan, or palm vein pattern. This is no longer that hard to institute. In fact, a number of developing countries are using biometrics as a form of portable ID, because many of the population lack ID. I doubt that these people worry much about who looks at their record. They probably worry more about being able to get any health care.

~A similar idea is PCE or patient-controlled encryption. Read more in Psychiatric News.

~Jesse made a good point about a notice saying your identity is being recorded when you access a record. That might help.

~In reading the 40-odd comments here (well, their not odd, you know what I mean), the one take-away point I hear is that there are many different viewpoints about EHR pros and cons, and much of it has to do with TRUST and CHOICE. So, we need to build policies and technologies that put the patients in the middle of it all, that give them true choices about who has access to their info at a detail level (not all or none), and that have robust auditing, reporting, and notification tools that instill trust in the system. We shouldn't rely on punishing people who abuse the system, we should make it extremely hard to abuse the system.

Dinah said...

Roy, et al--
The system as is exists such that if you get care in it, your information goes into an electronic record which can be accessed by anyone with access (doctors,nurses, social workers, not sure who else). It's not "all or none" it's All. You can not opt out and you can not control what goes in or who looks at it.
You can ask who has accessed it and get them in trouble if you they should not have, and if you have access to the system, you can read your own records and see who accessed it.
You are not asked permission.
I'm wondering that since the system bought an entity where I got care, if my information will be entered from the past.
I think the only way this will change is via a lawsuit, and only a successful lawsuit at that.
The only control is fear: we all know that if we get caught, we can get fired.
I have mentioned my concerns about this others and no one else seems concerned. I don't know why that is.

Anonymous said...

Dinah, You are basically saying that if you require any sort of medical care care you have to submit the health record equivalent of a strip search. Doesn't feel so good, huh?

Dinah said...

No, it's different because I do think that in the vast vast majority of instances, the records are used appropriately and convey useful information. It's the idea that someone could possibly be looking, in strip search, someone is looking.

And after my CPN article, no one should be mocking me on the Strip Search issue-- I drew my line in the sand and was willing to make enemies over the distress that our readers have expressed.

Anonymous said...

I wasn't mocking you. You certainly came down against strip search searches. Why would I mock you on that? That's the problem with the internet. Its hard to tell intentions from the written word sometimes. If it sounded mocking, I guess it was meant for anyone who still is not convinced that our privacy is invaded all the time in the system. I do think EHRs are set up so they can be used to strip search, kind of like hidden mirrors in a change room or microphones recording a conversation with your doctor. That sounds paranoid but haven't people put video cameras in toilet seats? Of course, you are right that most people will not snoop but the system make it easier for people to get access if they want it. You wouldn't be so uncomfortable if you thought otherwise.Again, I was not mocking you in any way. I am angry with the system. I am sorry if it came across the wrong way.

Sideways Shrink said...

Besides how embarrassing being human and having a body is in this Judeo-Christian-Islamic culture we inhabit, I think there is something deeper going on with this medical records conversation. Presumptively there are a fair number of shrinks or medical providers on this blog in this discussion who do NOT inappropriately read patients records but who are still afraid of other practitioners out there who do. Why do you think so little of your fellow practitioners?
To me this just begs the real question of the real fear of the vulnerability of being a patient that perhaps has been made worse by the complexity of medicine and the decisions confronting all patients. I will never forget realizing as I got out the car at the appointment to meet the neuro-otologist we had been referred to to operate on my husband's right middle ear tumor that I had no way of really knowing if this was the best guy to do, what turned out to be surgeries on my musician husband's ear. I realized that unless he appeared to have a tremor or to be intoxicated, we were pretty much going to make a gut decision on this guy. THAT is what is terrifying about being a patient.
The information documenting a procedure or office visit from which you recovered or were prescribed a medication to maintain you seems like nothing as long as you recovered or are maintained in health.
Securing health care coverage for the most people possible that is financial viable for health care providers so that the most people possible can recover from procedures and be maintained in health seems like the best use of money limited health care funds. Chasing down fantasies of ultimate confidentiality is cold comfort to someone without any health insurance. That is just what I have been feeling but I couldn't put my finger on it till now.

Anonymous said...

I work in the health care field, and my concern isn't about co-workers reading my records. My concerns are about my psych records in general.

I want my psychiatric records separate from my general medical record, period. For me the issue isn't so much whether they're paper or electronic, I just want the ability to keep my psychiatric records with the psychiatrist. It would be nice if stigma didn't exist, but it does. My own psychiatrist told me that there were some physicians who refused to see patients hospitalized on the psychiatric ward. Having worked in the health care field, I've heard comments and snide remarks made from time to time, not often, but I've heard them. I cringe when I think about it, and it makes me wonder what has been said about me.

Not to bring up the strip search thing again, but from what I read about the patient who sued Beth Israel she had to strip in an ER because she had a headache plus a psychiatric history. If she had gone to the ER with a headache minus the psychiatric history from what I can tell about the policy she could have kept her clothes on. Yes, I would like to keep my psychiatric records separate, please.

Because of the things I mentioned above, I don't tell other physicians I see that I have a psychiatric history. I worry that doing so would affect the way I'm treated as it clearly has with other patients. If at any point the psychiatric records I do have make their way into a consolidated medical record, I won't see the psychiatrist anymore. If other physicians got access to those records I would avoid routine medical care.

I know that physicians can access medication histroy, and that has kept me from taking certain medications recommended by my psychiatrist. I'm not talking about scheduled drugs, either. It has nothing to do with hiding an abusive or addictive drug habit. I don't have that history. What I worry about is that if I take certain medications (e.g. antipsychotics, for example) that a physician down the line might read my medication history and then I won't be seen as a credible patient. Frankly, I find the whole issue depressing, and it makes me want to hide.

I miss the way it used to be.

Anonymous said...

Actually I do care. I'm really concerned because I recently switched doctors and I don't want my previous doctor digging in my records because I have reason to believe that person does not have my best interest at heart or my health in mind. Without divulging too much I found out that I was said to have been seen at the emergency room when I went to see my new physician. I never went in to the emergency room? My previous physician works in the ER. Is it possible that my records were looked at when I really wasn't seen? Hmm starting to wonder.

Sideways Shrink said...

I do not research patients before I see them except by talking to them on the phone, but if you were billed for an ER visit that you did not make, call your insurance company to make sure they weren't charged. If your shrink worked ER and outpatient s/he could have made an error while dictating into the telephone like they do into a lot of practice settings

Guitargal said...

just came across your post..i care as my confidentiality has been breached..

and personally, the orthopedic does not have to know about my female problem i had years and years ago…

what was not on his computer was the fact that i have osteopenia..

how did this electronic med info help me? it didn't. it embarrassed me.

Anonymous said...

So, I saw this late.

But in general, at least at the hospital where I work, psychotherapy notes are locked, but psychopharm notes may not be unless the patient asks for them to be.

And there are probably other people with legit needs going into the charts looking for data - e.g., what are the factors that might have led to this patient getting readmitted within 30 days. But those people are looking in or using automated searches in thousands of charts and won't remember the particulars of any one individual.