 businesspractices.kaiserpapers.info
Link for Translation of this Kaiser Papers page from Google Translation Service ENSURING THE PRIVACY AND CONFIDENTIALITY OF ELECTRONIC HEALTH RECORDS Nicolas P. Terry* Leslie P. Francis** In 2004, President Bush announced his plan to ensure that most Americans would have electronic health records within ten years. Although substantial progress has been made toward achieving that goal, this progress has primarily reflected institutional interests and priorities by focusing on system architecture and technical standards. This article argues that in order for a nationwide transition to electronic medical records to be successful, however, the system must receive acceptance from patients and physicians. Thus, it must address and protect issues at the forefront of their concerns: namely, privacy and confidentiality. Instead of merely adopting the minimal protections afforded by HIPAA, the electronic health records system must embrace an autonomy-based, default position of full patient control over personal information, with very limited exceptions. Consequently, hard choices must be made as to the architectural and patient consent models that may involve subjugating some interoperability and comprehensiveness ambitions to principled protections of patient autonomy. I. INTRODUCTION On April 26, 2004, President Bush announced his plan to ensure that most Americans would have electronic health records within ten years.1 Although some technical and many financial issues remain, there † Copyright © 2006, Nicolas P. Terry and Leslie P. Francis. All Rights Reserved. * Chester A. Myers Professor of Law, Co-Director, Center for Health Law Studies, Professor of Health Management & Policy, Saint Louis University, e-mail: terry@slu.edu. I thank Michael Henderson, SLU J.D. candidate 2007, for his most helpful editorial suggestions. ** Professor and Chair, Department of Philosophy, Alfred C. Emery Professor of Law, University of Utah, e-mail: francisl@law.utah.edu. 1. THE WHITE HOUSE, TRANSFORMING HEALTH CARE: THE PRESIDENT’S HEALTH INFORMATION TECHNOLOGY PLAN, http://www.whitehouse.gov/infocus/technology/economic_policy 200404/chap3.html (last visited Oct. 3, 2006). A more generalized commitment was announced in the 2006 State of the Union Address: “We will make wider use of electronic records and other health in UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 has been substantial progress towards this goal. The project has now reached the point where acceptance by patients and physicians is crucial. In the health information technology (HIT) domain, the interests of patients and physicians do not always coincide;2 patients tend to want more connectivity and online service from their physicians, while physicians are still ambivalent about technologically mediated care.3 However, physicians and patients share common ground over many of the confidentiality and privacy issues raised by electronic health records (EHRs). To date, the Bush administration has framed the EHR privacy-confidentiality issue quite narrowly, identifying only divergent state laws as creating barriers to successful implementation of its grand scheme. In fact, the issue runs far deeper.4 In our view, the proposed national EHR system creates some fundamental privacy-confidentiality issues that must be satisfactorily resolved prior to implementation. Patients who lack trust in the national EHR system will opt out or frustrate many of the system’s goals by hiding information from their physicians. Equally, physicians who perceive the new system as inconsistent with their professional standards of confidentiality or as creating liability “traps” will avoid participation or, if given no choice, will reduce or distort their charting. formation technology, to help control costs and reduce dangerous medical errors.” President George W. Bush, State of the Union Address (Jan. 31, 2006) (transcript available at http://www.whitehouse.gov/news/releases/2006/01/20060131-10.html). 2. See generally Nicolas P. Terry, Prescriptions sans Frontières (or How I Stopped Worrying about Viagra on the Web but Grew Concerned about the Future of Healthcare Delivery), 4 YALE J. HEALTH POL’Y L. & ETHICS 183, 226–32 (2004). 3. See Health Information Technology Activities at the Agency for Healthcare Research and Quality: Hearing Before the S. Comm. on Commerce, Science, and Transportation Subcomm. on Technology, Innovation, and Competitiveness, 109th Cong. 2, 6 (2005) (statement of Carolyn M. Clancy, M.D., Director, Agency for Healthcare Research and Quality, U.S. Department of Health and Human Services) (“Unlike the baseball field in the movie Field of Dreams [sic], we have dramatic examples of the building of health IT systems, whose designers found physicians and other clinicians neither came nor played.”); see also Robert G. Brooks & Nir Menachemi, Physicians’ Use of Email With Patients: Factors Influencing Electronic Communication and Adherence to Best Practices, J. MED. INTERNET RES., Jan.–Mar. 2006, available at http://www.jmir.org/2006/1/e2/ (survey reporting only modest advances in the adoption of e-mail communication with patients by physicians); Wall Street Journal Online/Harris Interactive Health-Care Poll, Few Patients Use or Have Access to Online Services for Communicating with their Doctors, but Most Would Like To, Sept. 22, 2006, http://www.harrisinteractive.com/news/newsletters/wsjhealthnews/WSJOnline_HI_Health-CarePoll2006vol5_ iss16.pdf (finding that large majority of adults would like e-mail reminders and online appointment scheduling and that a majority of patients consider the offer of such services as a discriminator in choosing a provider). 4. One issued Request for Proposal on “Privacy and Security Solutions for Health Information Exchange” focuses on the need “to assess and develop solutions to address state and business privacy and security practices that may pose challenges to interoperable health information exchange.” U.S. Dep’t of Health & Human Servs., Fact Sheet: Health Information Technology Requests for Proposals (June 6, 2005), http://www.os.dhhs.gov/healthit/documents/RFPfactsheet.pdf [hereinafter Fact Sheet]. This resulted in a $11.5 million contract awarded to Privacy and Security Solutions to study the issue. Press Release, U.S. Dep’t of Health & Human Servs., HHS Awards Contracts to Advance Nationwide Interoperable Health Information Technology (Oct. 6, 2005), available at http://www.hhs. gov/news/press/2005press/20051006a.html. No. 2] ELECTRONIC HEALTH RECORDS There are great advantages to using electronic records more extensively, both within the offices of individual providers, where they are known as electronic medical records (EMRs), and also when such records are linked across multiple providers, in which case they are known as electronic health records (EHRs). One obvious advantage is clarity. Electronic records are far more readable than handwritten documents stored in fading folders, allowing providers to avoid the low-hanging fruit of medical and medication errors. Another advantage is searchability: electronic records can be scanned for drug interactions or for consistent patterns of symptoms. They can also be matched with evidence-based protocols to discern treatment strategies that do not meet the standard of care or to recommend improved methods of patient management. Moreover, in an EHR, records cease to exist in information silos, thus creating additional advantages over paper records. First, they are combined or interlinked to maximize coordination of care. Second, they offer enhanced accessibility: electronic records can be available to providers all over the country and the world, as mobile as the patients they describe. Finally, on a social level, EHRs are searchable for patterns of disease, prescription use (or abuse), treatment outcomes, or even the costs of therapy. These great benefits cannot be gainsaid. At the same time, these advantages are threats. When inappropriate or false material is included in records, it will be persistent and reverberate in subsequent patient management decisions. Linkages may be drawn that violate patient requests for, or expectations of, confidentiality. EHRs may be searched in problematic ways. Records might be accessible to those who many believe should not have access to them (secondary users). Commercial entities may seek to add medical data to their other data holdings and sell the aggregated data for marketing or surveillance purposes. Groups might be targeted in epidemiological searches. As a regional or national EHR becomes a technologically achievable goal with broad congressional support, we must distinguish the genuine advantages of EHRs from the deep problems they present and engineer the technical and legal models to minimize the problems. Yet, these are difficult tasks. Several possible EHR architectures and a myriad of patient choice models can be engineered. Worse, where the architectures and models fail to deal with the problems we identify, the legal and regulatory systems that should operate as surrogates themselves prove to be awkward or obstructive. In the United States, records law and privacy-confidentiality systems encompass both state and federal components. The United States does not have a robust track record in either conceptualizing or regulating health privacy.5 Apparent federal solutions, such as the confidentiality regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), are as sieve-like as they are incomprehensible. 5. James G. Hodge et al., Legal Issues Concerning Electronic Health Information: Privacy, Quality, and Liability, 282 JAMA 1466, 1467–68 (1999). 684 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 Medical literature, opinion polls, United Kingdom and other foreign EHR implementations, and our own interactions suggest that patients and physicians are skeptical about the privacy, security, and safety of HIT systems. Consumers are told on a daily basis that their computers, when attached to networks, are pathologically insecure. Physicians continue to push back on safety technologies and remain deeply suspicious (even resentful) of the HIPAA transactional and patient privacy constructs.6 Meanwhile, the media tirelessly report medical privacy horror stories of lost, stolen, or hacked records.7 A rational policymaker may view these stories as merely transitional or statistically insignificant aberrations. Yet public and professional perceptions of an EHR system are far different and potentially corrosive. The nature of such a system is difficult to convey to the public. A public perception of an EHR as a governmental “big brother” is increasingly likely. Take, for example, the views of the Association of American Physicians and Surgeons in a recent letter to Congress: Patients will definitely not benefit from this type of program because they do not control who has access to their sensitive identifiable medical records in any meaningful way. . . . [A] national health information system would effectively eliminate any and all patient consent to the release of their records by placing the records online. Patients would have virtually no control over who can sneak-a-peak at their very private and sensitive medical records.8 6. Electronic Health Records and Privacy: Hearing Before the U.S. Dep’t of Health and Human Servs. Nat’l Comm. on Vital and Health Statistics Subcomm. on Privacy, 109th Cong. (2005) [hereinafter Health Records Hearing] (statement of Nicolas P. Terry). 7. See, e.g., Nicolas P. Terry, To HIPAA, a Son: Assessing the Technical, Conceptual, and Legal Frameworks for Patient Safety Information, 12 WIDENER L. REV. 137 (2006); Joplin Hospital Records Stolen from Company, COLUM. DAILY TRIB. (Columbia, Mo.), July 25, 2005 (computers containing personal information of 27,000 patients stolen from microfilming company); Hawaii Warns 43,000 Residents of Health Data Theft, MOD. HEALTHCARE ONLINE, Apr. 14, 2006, http://www.modernhealthcare.com/news.cms?newsId=5039; Gary T. Kubota, Hospital Loses Patient Data, HONOLULU STAR BULL., Oct. 21, 2005, at A3 (hospital lost computer drive of personal information implicating 130,000 patients); Todd Milbourn, Stolen Laptop Contains Files on HIV Patients, SACRAMENTO BEE, Feb. 23, 2006, at B3 (“A laptop computer containing health information for 1,764 clients of CARES, a Sacramento HIV/AIDS clinic, was stolen during a home burglary.”); Sean Webby, Medical Records Theft Alarms Parents, MERCURY NEWS (San Jose, Cal.), Sept. 20, 2005, at 1B (theft of records from Palo Alto nonprofit that works with emotionally troubled and developmentally challenged children); Update: Thief Nabs Backup Data on 365,000 Patients, COMPUTERWORLD, Jan. 26, 2006, http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,108101,00.html (theft of generally unencrypted computer backup data on 365,000 hospice and home healthcare patients in Oregon and Washington from employee’s care); Press Release, Providence Health Sys. in Or., State Finds Providence Acted Appropriately Following Theft of Computer Disks, Tapes, available at http://www.providence.org/oregon/hcs/newsrelease.htm 8. Letter from Jane M. Orient, M.D., Executive Director, Ass’n of Am. Physicians & Surgeons, to Congress (Feb. 2, 2006), available at http://www.aapsonline.org/confiden/hr4157-letter.php; see also Press Release, Institute for Health Freedom, Congress Could Vote Soon on a Bill that Abolishes State Health-Privacy Rights (Feb. 8, 2006), available at http://www.forhealthfreedom.org/Publications/ Privacy/ActNowHR4157.html. No. 2] ELECTRONIC HEALTH RECORDS This article is premised on the end of one important phase in the development of a national electronic interoperable health records (EIHR) system: the satisfactory near completion of the technical specifications for infrastructure and data exchange.9 As this “insider baseball” phase concludes, the “outside” stakeholders must be identified and satisfied. For a national EIHR system, cost10 and lack of confidentiality are the two potential deal-breakers. This article addresses the second of these: the question of whether such an ambitious EIHR system can operate within a framework of ethically and practically satisfactory confidentiality, privacy, and security protections. Here, we analyze the possible EHR architectures and compare their implications for confidentiality, privacy, and security. Similarly, we examine the possible models of patient choice that can be integrated into such systems. Finally, we discuss what legal and regulatory steps will be required to provide privacy and confidentiality protections. II. THE ROAD TO INTEROPERABLE HEALTH RECORDS A. Technologies and Terminology The HIT movement assaults us with a bewildering array of terminology expressed in “insider” acronyms.11 Records technologies have their own confusing labels. In this article, we discuss several electronic records technologies. The most generalized label is EMR, which describes any form of computerized record-keeping, from a modest software package used in a single doctor’s office to an enterprisewide, database-driven application. Primarily, however, this article concerns the EHR, a type of EMR architecture that permits the sharing of patient data among healthcare providers. Some EHRs are conceptually and technically quite simple. For example, the personal EHR (PHR) is a database of medical information that is collected and maintained by the individual patient.12 However, the EHR label is most often applied to far more complex systems that rely on technical interoperability between diverse electronic records systems. 9. See, e.g., Consolidated Health Informatics (CHI) Initiative; Health Care and Vocabulary Standards for Use in Federal Health Information Technology Systems, 70 Fed. Reg. 76,287 (Dec. 23, 2005); FDA Selects SNOMED for Drug Labels, GOV’T HEALTH IT, Apr. 21, 2006, available at http://govhealthit.com/article94147-04-21-06-Web. See generally ELEC. HEALTH RECORD VENDORS ASS’N (EHRVA), EHRVA INTEROPERABILITY ROADMAP VERSION 2.0 (2006), http://www.himssehrva.org/docs/roadmap_v2.pdf. 10. For a summary of some of the financial issues, see infra text accompanying note 20. 11. Examples include Radio Frequency Identification (RFID), Computerized Order Entry appliances (CPOEs), and Clinical Decision-Support Systems (CDSS). See generally Terry, supra note 7. 12. E.g., CapMed’s Personal Health Record, http://www.capmed.com/products.html; iHealthRecord, http://www.ihealthrecord.org/; MyMedicalRecords.com, http://www.MyMedicalRecords.com. See generally Julie Appleby, Don’t Let Hurricanes Blow Your Medical Records Away, USA TODAY, Oct. 27, 2005, at B1 (“Backers of direct-to-consumer online medical records say their services will gain ground, spurred by concern about record losses in disasters, the desire by consumers for more ease in moving medical records from one doctor to another and by the growing push to create a more digitized medical system.”). rely on technical interoperability between diverse electronic records systems. 686 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 The federal government is primarily interested in a fully interoperable, longitudinal records system that will initially operate on regional networks (Regional Health Information Organizations, or RHIOs) before transitioning to a National Health Information Network (NHIN).13 Due to scale and architecture, these models reduce or eliminate patient involvement in the sharing process. B. The Bush Administration’s EIHR Plan Concomitant with his 2004 announcement that most Americans should have electronic health records within the next ten years, President Bush appointed Dr. David Brailer to a new post of National Health Information Technology Coordinator (ONCHIT) to guide the “nationwide implementation of interoperable health information technology.”14 ONCHIT has built on the previous work of NCVHS15 and the Consolidated Health Informatics (CHI) Initiative16 and oversees the Federal Health Architecture.17 The Bush administration publicly eschews any regulatory mandate directing healthcare providers to adopt EHRs.18 Rather, it espouses EHR adoption via “a smooth market-led way.”19 Of course, with no government-funded mandate, there remain significant technical, cultural, and, particularly, financial20 barriers to EHR adoption in addition to the confidentiality-privacy issues raised in this article.21 13. See generally H.R. 4859, 109th Cong. (2004); H.R. 4157, 109th Cong. (2004). 14. Exec. Order No. 13,335, 69 Fed. Reg. 24,059, § 3 (Apr. 30, 2004). 15. U.S. Dep’t of Health & Human Servs., National Committee on Vital Health Statistics, http://www.ncvhs.hhs.gov (last visited Oct. 15, 2006). 16. U.S. Dep’t of Health & Human Servs., Office of the National Coordinator for Health Information Technology, http://www.hhs.gov/healthit/chiinitiative.html (last visited Jan. 3, 2007). 17. U.S. Dep’t of Health & Human Servs., Federal Health Architecture (FHA), http://www.hhs.gov/fedhealtharch (last visited Jan. 3, 2007) (“The FHA is managed within the Office of the National Coordination for Health IT . . . .”). 18. Chris Murphy & Marianne Kolbasuk McGee, Industry Must Improve Its Technology, INFORMATIONWEEK, June 21, 2004, at 30 (“I don’t want to see a Son of HIPAA put into law.” (quoting David Brailer, Coordinator, Nat’l Healthcare Info. Tech., Speech to the National Alliance for Health Information Technology)). 19. Press Release, U.S. Dep’t of Health & Human Servs., Secretary Leavitt Takes New Steps to Advance Health IT (June 6, 2005), available at http://www.os.dhhs.gov/news/press/2005pres/ 20050606.html. 20. The core issue is the misalignment of incentives such that, basically, there is an inverse relationship between those required to invest in EMR/EHR and those who would benefit. See Joan S. Ash & David W. Bates, Position Paper, Factors and Forces Affecting EHR System Adoption: Report of a 2004 ACMI Discussion, 12 J. AM. MED. INFORM. ASS’N 8, 10 (2005), available at http://www.jamia.org/cgi/reprint/12/1/8; Michael W. Bender, Ahmed H. Mitwalli, & Steven J. Van Kuiken, What’s Holding Back Online Medical Data, MCKINSEY Q., Dec. 2005, http://mckinseyquarterly.com/article_print.aspx?L2=12&L3=63&ar=1699; Terry, supra note 7, at 173–84; see also Nancy Ferris, Doctors Want Payment Boost for Using e-Health Records, Gov’t Health IT, Jan. 31, 2006, available at http://govhealthit.com/article92155-01-31-06-Web (detailing American College of Physicians’ call for Medicare to reimburse primary care physicians for using EHRs); Christopher Rowland, Digital Divide Widens in Medicine: Computerized Records Improve Care but Some Doctors Can’t Afford It, BOSTON GLOBE, Feb. 10, 2006, at C1, available at http://www.boston.com/business/technology/articles/2006/02/10/digital_divide_widens_in_medicine/?page=full. Notwithstanding, ONCHIT and its supporters have moved inextricably towards the most complex, professionally disruptive, and, at $400 billion,22 the most expensive EHR architecture.23 Current ONCHIT request for proposals (RFPs) address technical standards, the certification of EMR systems (to guarantee interoperability), and most crucially, prototyping an internet-based NHIN architecture.24 Not surprisingly, a NHIN (or multiple RHIO) architecture also provides the greatest challenge to protecting patient confidentiality, privacy, and security. C. Alternative Models Although the administration has not entered into a public debate over its preferred EHR architecture, there are several alternatives to a fully interoperable electronic record either in use or under development in the United States and further afield. Some of these architectures have different confidentiality and privacy implications, though they may also lack some of the error-reduction and outcomes research benefits of a national EIHR. 1. United States Within the United States, two major alternatives to a fully interoperable EHR architecture have emerged: Continuity of Care Records and Personal EHRs. The Continuity of Care Record (CCR) is an effort to standardize electronic records to ease portability.25 A specification developed by the Health Information Management and Systems Society (HIMSS) and various professional bodies,26 CCR aims to extract data from existing proprietary EMR systems and export it to a common text 21. See discussion infra Part III.B. 22. Rainu Kaushal et al., The Costs of a National Health Information Network, 143 ANNALS OF INTERNAL MEDICINE 165, 165 (2005). In contrast to the expected costs, the 2007 proposed federal budget contains $116 million for the Office of the National Coordinator, $50 million for the Agency for Healthcare Research and Quality, and $3 million for the Office of the Assistant Secretary for Planning and Evaluation. See OFFICE OF MGMT. AND BUDGET, BUDGET OF THE UNITED STATES GOVERNMENT: FISCAL YEAR 2007, at 109 (2006), available at http://www.whitehouse.gov/omb/budget/ fy2007/pdf/budget/hhs.pdf. 23. See generally Press Release, U.S. Dep’t of Health & Human Servs., Thompson Launches “Decade of Health Information Technology” (July 21, 2004), http://www.hhs.gov/news/press/2004pres/ 20040721a.html (explaining the general parameters of the federal HER plan). 24. Fact Sheet, supra note 4. 25. The current specification is E2369-05, Standard Specification for Continuity of Care Record (CCR). See ASTM International, http://www.astm.org/cgi-bin/SoftCart.exe/DATEBASE.CART. REDLINE_PAGES/E2369.htm?L+mystore+jjfs9503 (last visited Oct. 10, 2006); see also AAFP’s Center for Health Information Technology, Essential Similarities and Differences Between the HL7 CDA/CRS and ASTM CCR, http://www.centerforhit.org/PreBuilt/chit_ccrhl7.pdf (last visited Jan. 3, 2007). 26. See Medical Records Institute, Continuity of Care Record (CCR), http://www.medrecinst. com/pages/about.asp?id=54 (last visited Jan. 3, 2007). TERRY.DOC 2/28/2007 4:56:44 PM 688 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 export format (XML27), which would allow portability of summary data28 and enable it to be given to a patient or transferred directly to the patient’s next provider.29 A PHR is a personal database of medical information that is collected and maintained by the patient, who controls whether and to what extent it is shared with providers.30 PHRs are supplied free by, for example, employers or healthcare providers on a subscription basis. They may be web-based or databases created on the patient’s own computer. Recently, the Center for Medicare and Medicaid Services (CMS) issued a request for information (RFI) seeking input on how best it should make data about Medicare beneficiaries available for incorporation into such personal EHRs.31 2. Outside the United States National or regional EIHRs are also gaining attention in the health- care systems of other developed countries. For example, in Canada, Infoway, a nonprofit partnership of federal, provincial, and territorial governments, is coordinating the deployment of a pan-Canadian EHR.32 Currently, Infoway is emphasizing the development of technical interoperability standards.33 New Zealand has announced a wide-ranging Health Information Strategy that includes interoperable EHR event summaries that can be distributed at local, regional, and national levels.34 New Zealand has decided not to create a national EHR database.35 The most advanced EIHR projects, however, are in the United Kingdom and Australia. In 1998, the United Kingdom commenced an ambitious and costly information technology-based makeover of its entire healthcare system. This National Programme for IT in the NHS (NPfIT) involved the in 27. See generally World Wide Web Consortium, Extensible Markup Language (XML), http://www.w3.org/XML/ (last visited Oct. 3, 2006). 28. Medical Records Institute, supra note 26. 29. See David C. Kibbe et al., The Continuity of Care Record, 70 AM. FAM. PHYSICIAN 1220, 1222 (2004). 30. Tracy D. Gunter & Nicolas P. Terry, The Emergence of National Electronic Health Record Architectures in the United States and Australia: Models, Costs, and Questions, J. MED. INTERNET RES., Jan.–Mar. 2005, available at http://www.jmir.org/2005/1/e3; see e.g., CapMed’s Personal Health Record, supra note 12; iHealthRecord, supra note 12. See generally Laura Landro, High-Tech Tools Help Patients Manage Own Medical Records, DESERET NEWS (Salt Lake City, Utah), Feb. 28, 2005, at C1. 31. Federal Business Opportunities, Synopsis of Request for Information-Centers for Medicare & Medicaid Services’ Role in Personal Health Records (July 18, 2005), http://www.fbo.gov/servlet/ Documents/R/1233397. 32. Canada Health Infoway, Overview, http://www.infoway-inforoute.ca/en/WhatWeDo/ Overview.aspx (last visited Jan. 3, 2007). 33. Canada Health Infoway, Infoway Standards Collaboration Process, http://www.infowayinforoute. ca/en/WhatWeDo/StandardsCollaboration.aspx (last visited Oct. 3, 2006). 34. NEW ZEALAND MINISTRY OF HEALTH, HEALTH INFORMATION STRATEGY FOR NEW ZEALAND 2005 (2005), available at http://www.moh.govt.nz/moh.nsf/0/ 1912064EEFEC8EBCCC2570430003DAD1/$File/health-information-strategy.pdf. 35. See id. TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS vestment of some $11.1 billion over a ten-year program.36 The NHS Information Authority originally led the United Kingdom program, but after critical reviews, it was renamed NHS Connecting for Health37 and is now directly overseen by the Department of Health.38 A key component of the U.K. program is the NHS Care Records Service (NHS CRS), which aims to provide an electronic NHS Care Record for all U.K. patients. Although the first fully electronic transfer of a patient record between doctors’ offices occurred in November 2005,39 organizational, cultural, and financial woes have slowed considerably the EHR program in the United Kingdom.40 Both providers and patients have seriously criticized the EHR program because of privacy and security concerns.41 The Australian HealthConnect system has completed its initial trials, but recent funding problems and questions about privacy and consent issues have slowed progress.42 These delays have occurred despite the fact that the HealthConnect model supports a robust health confidentiality- privacy system43 by both pushing only “event summaries” to the centralized EIHR and providing for considerable patient data carveouts designed to keep certain data within patient control.44 First, HealthConnect does not create a true longitudinal record, but aggregates elements extracted from a patient’s existing EMR(s).45 These event summaries are defined as “an electronic overview of a visit to a doctor or hospital, or some other health care event . . . contain[ing] only 36. See Editorial, National Programme for Information Technology Is Sorely Needed and Must Succeed—but Is off to a Shaky Start, 328 BMJ 1145, 1145 (2004). 37. History of Our Organisation—NHS Connecting for Health, http://www.connectingforhealth. nhs.uk/about/history (last visited Nov. 10, 2006). 38. Id. 39. NHS Connecting for Health Completes Transfer of a Patient’s Medical Record, EGOV MONITOR, Nov. 8, 2005, http://www.egovmonitor.com/node/3454 (last visited Oct. 12, 2006). 40. See Jane Hendy et al, Challenges to Implementing the National Programme for Information Technology (NPfIT): A Qualitative Study, 331 BMJ 331, 332–34 (2005); see also Brian Robinson, U.K. Lacks Support for Health IT Modernization, GOV’T HEALTH IT, Jan. 12, 2006, available at http://www. govhealthit.com/article91953-01-12-06-Web (reporting that nearly 70% of the doctors surveyed said they would have insufficient funds to properly implement NPfIT, while only 30% of doctors view the program an important priority for the NHS); Nicholas Timmins, NHS and Suppliers Struggle With Basics on Patient Record System, FIN. TIMES UK, Nov. 1, 2006, available at 2006 WLNR 18981715. 41. See Call for Review of NHS IT Upgrade, BBC NEWS, Apr. 10, 2006, http://news.bbc.co.uk/ 1/hi/health/4896198.stm; GPs Fret over Online Records, TIMES (London), June 7, 2005, Public Agenda, at 6; Alice Miles, The Spy in the GP’s Surgery, TIMES (London), Jan. 12, 2005, at 18; Helene Mulholdland, NHS Set to Miss e-Booking Target, GUARDIAN UNLIMITED, Sept. 30, 2005, http://www. guardian.co.uk/uknews/story/0,16559,1582117,00.html; Nicholas Timmins, Doctors’ Debate Delays Patient Record, FIN. TIMES UK, Apr. 27, 2006, available at 2006 WLNR 7068306 (describing additional delays as doctors favor opt-in model); Nick Triggle, Confidentiality Fear over Records, BBC NEWS, June 29, 2005, http://news.bbc.co.uk/2/hi/health/4633213.stm; see also infra text accompanying note 272. 42. Karen Dearne, Feds’ Health Data Project Stalls, AUSTRALIAN, June 7, 2005, at 29. 43. See Australian Government, Office of the Privacy Commissioner, Health, http://www. privacy.gov.au/health/index.html (last visited Jan. 3, 2007). 44. Nicolas P. Terry, Electronic Health Records: International, Structural and Legal Perspectives, 12 J.L. & MED. 26, 33 (2004). 45. Id. at 32–33. TERRY.DOC 2/28/2007 4:56:44 PM 690 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 the information that is relevant to the future health and care of the consumer, rather than the comprehensive notes that a doctor may keep . . . .”46 Additionally, HealthConnect utilizes a “push” model, whereby data is sent from the local EMR to a centralized HealthConnect record, in contrast to the proposed U.S. EIHR model that seems likely to adopt a “pull” model, whereby the centralized system initiates a data request from a provider’s record using a data pointer.47 Finally, Health- Connect not only creates an event summary that is less than a complete record, but it also allows the patient (in consultation with the physician) to control what data are included and who may view it.48 Because of an apparent reduction in Commonwealth (federal) funding, HealthConnect may evolve into a decentralized49 and less EHR- centric project.50 While many Australian patients and physicians have articulated a preference for simple consent models such as a generalized “opt-in” and prospective consent for the pushing of their data to the centralized HealthConnect summary record, many remain uncomfortable with any participation in the system.51 3. RHIOs and the NHIN ONCHIT is publicly encouraging and, to an extent, incentivizing RHIOs while at the same time designing a NHIN.52 The fundamental feature of both RHIOs and a NHIN is that they are not intrinsically electronic records, but networking infrastructures that facilitate interconnectivity between existing systems.53 As such, these systems are premised not only on the widespread deployment of EMR and EHR systems in medical offices, hospitals, and hospital systems, but also on the ability of 46. HealthConnect, Event Summaries, http://www.health.gov.au/internet/hconnect/publishing. nsf/Content/event-summaries (last visited Oct. 12, 2006). 47. HealthConnect, Privacy, http://www.health.gov.au/internet/hconnect/publishing.nsf/Content/ privacy (last visited Oct. 3, 2006). 48. Id. 49. See, e.g., Karen Dearne, Seniors Corralled for Pilot, AUSTRALIAN IT, Mar. 23, 2006 (on file with author) (detailing New South Wales’ Health’s “shaky start” to trial of a HealthConnect-style electronic record pilot, Healthelink, using an automatic enrollment, opt-out model). 50. See generally HealthConnect Implementation Strategy, Version 2.0 (rev.), June 2005, http://www.healthconnect.gov.au/pdf/implementation.pdf. 51. COMMONWEALTH OF AUSTL., LESSONS LEARNED FROM THE MEDICONNECT FIELD TEST AND HEALTHCONNECT TRIALS 8 (2005), available at http://www.health.gov.au/internet/hconnect/ publishing.nsf/Content/key-reports (follow “Lessons Learned form the MediConnect Field Test and HealthConnect Trials 1–10” hyperlink). 52. See, e.g., Press Release, U.S. Dep’t of Health & Human Servs., HHS Awards Contracts to Develop Nationwide Health Information Network (Nov. 10, 2005), available at http://www.hhs.gov/ news/press/2005pres/20051110.html. 53. The NHIN concept may grow closer to a national EHR if it utilizes a centralized data warehouse rather than a pointer system. It is, however, unlikely that the federal government would be prepared to finance such a centralized model. TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS those deployed local systems to interconnect with the network. Neither of those predicates is true.54 Even leaving aside the cultural, professional, legal,55 and financial disincentives to electronic records, interoperable systems face something of a catch-22: RHIOs and the NHIN cannot be built without local EMR or EHR systems, but providers are hesitant to commit to local systems without knowing the RHIO or NHIN to which they may connect. Providers considering involvement in a RHIO additionally face the question of what will happen to their RHIO if, subsequently, a NHIN is constructed. 56 III. WEIGHING THE COSTS AND BENEFITS Many potential benefits of interconnected EHRs seem easily measurable: improved continuity of care, reduced frequency of errors in medication and treatment, and increased potential for outcomes research and public health surveillance.57 Beyond implementation costs, other costs are more intangible: privacy, confidentiality, and security risks; and concerns about the behavior of patients who, wary of the implications of electronic records, attempt to keep their records, or even themselves, out of the healthcare system altogether. These costs are significant, and addressing them by system design at the outset may be necessary to generate the trust in networked EHRs that will enable achievement of their very substantial benefits. If, for example, concerns about security risks result in an architecture that does not permit records to be searchable as part of a common database, opportunities for performance evaluation, outcomes research, and public health surveillance will be lost.58 A. Benefits and Drivers “At its most sophisticated or most infused level, the EHR becomes a hub of all activity, something that permeates every element of the 54. See, e.g., Ford et al., Predicting the Adoption of Electronic Health Records by Physicians: When Will Health Care be Paperless?, 13 J. AM. MED. INFORMATICS ASS’N 106, 108–10 (2006) (concluding that universal EMR/EHR adoption will not be met by 2014 and suggesting a conservative estimate that 86.6% of physicians in small practices will be using EHRs in 2024). 55. See generally Terry, supra note 7, at 160. 56. See Joseph Goedert, Are RHIOs for Real?, HEALTH DATA MGMT., Feb. 6, 2006, at 44, 45. 57. See, e.g., RAND CORP., HEALTH INFORMATION TECHNOLOGY: CAN HIT LOWER COSTS AND IMPROVE QUALITY? (2005), http://www.rand.org/pubs/research_briefs/RB9136/RAND_RB9136. pdf. 58. For a summary of these benefits, costs, and strategies, see Letter Report from Simon P. Cohn, Chairman, Nat’l Comm. on Vital and Health Statistics, to Michael O. Leavitt, Secretary, U.S. Dep’t of Health & Human Servs. (Sept. 9, 2005), available at http://www.ncvhs.hhs.gov/50909lt.htm. For a discussion of the tensions concerning privacy, security, and proprietary information in system design, see Kenneth D. Mandl, Peter Szolovits & Isaac S. Kohane, Public Standards and Patients’ Control: How to Keep Electronic Medical Records Accessible but Private, 322 BMJ 283 (2001). TERRY.DOC 2/28/2007 4:56:44 PM 692 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 workflow and of work life.”59 Although this characterization is somewhat hyperbolic, a comprehensive, longitudinal EHR ideally will: (1) interconnect with and enhance other error-reducing and cost-saving technologies such as decision support systems; (2) streamline healthcare dataflow using an interoperable and standardized nomenclature; (3) improve quality of care by encouraging accurate, timely, and legible communication among providers; (4) automate adverse event and medical error disclosure; and (5) facilitate reliable and reproducible outcomes research and reporting, as well as other public health initiatives.60 One of the most discussed benefits of EHRs is the potential for error reduction. In an electronic format, data are legible, thus minimizing the risks of pharmacists misreading handwriting on prescriptions or subsequent providers struggling to decipher records of earlier treatment. Data are also directly transferable, thus avoiding transcription errors and delays in recording prescriptions or test results communicated by telephone. 61 Functions can be written to flag prior allergic reactions, drug interactions, or other contraindications for contemplated therapy, thus additionally reducing the potential for error.62 Computerized provider order entry systems (CPOEs) linked to EHRs may reduce the incidence of medication errors.63 These apparent advantages, however, are not uncontroversial; there may be risks of additional adverse events, particularly as electronic systems are introduced, and there is much discussion in the literature about how to reduce unanticipated errors due to human/ technology interfaces.64 59. See Ash & Bates, supra note 20. 60. Gunter & Terry, supra note 30. 61. Jan Walker et al., The Value of Health Care Information Exchange and Interoperability, HEALTH AFF. (Jan. 19, 2005), http://content.healthaffairs.org/cgi/reprint/hlthaff.w5.10v1.pdf. 62. E.g. Nadir R. Shah et al., Improving Acceptance of Computerized Prescribing Alerts in Ambulatory Care, 13 J. AM. MED. INFO. ASS’N 5, 5 (2006); Robyn Tamblyn, Improving Patient Safety Through Computerized Drug Management: The Devil Is in the Details, 5 HEALTHCARE PAPERS 52, 54– 56 (2004). For a discussion of the error-reduction potential of EHRs, see David A. Hyman & Charles Silver, The Poor State of Health Care Quality in the U.S.: Is Malpractice Liability Part of the Problem or Part of the Solution?, 90 CORNELL L. REV. 893 (2005). For an overview of the potential cost effectiveness of electronic records systems, see Sarah Klein, Issue of the Month: Who Has $400 Billion to Build a National Health Information Network?, QUALITY MATTERS: SEPTEMBER UPDATE FROM THE COMMONWEALTH FUND, Sept. 2005, available at http://www.cmwf.org/publications/publications_show. htm?doc_id=294918. The Massachusetts eHealth Collaborative and the Massachusetts Medical Society have just begun a demonstration of the use of EHRs in the offices of physicians. Press Release, Mass. e-Health Collaborative, Massachusetts Takes a Giant Step Towards Electronic Health Records (Oct. 5, 2005), available at http://www.maehc.org/documents/HIMMSE-HEALTHfinal_000. pdf. Many healthcare systems have significant experience with electronic records, including the Veterans Health Administration, the New England Healthcare Electronic Data Interchange Network, the Indiana Network for Patient Care, the Santa Barbara County Care Data Exchange, the Patient Safety Institute’s National Benefit Trust Network, and the Markle Foundation’s Healthcare Collaborative Network, Kelsey D. Patterson, Healing Health Care: Fixing a Broken System with Information Technology, 14 KAN. J.L. & PUB. POL’Y 193, 200 (2004). 63. Anne Bobb et al., The Epidemiology of Prescribing Errors: The Potential Impact of Computerized Prescriber Order Entry, 164 ARCHIVES INTERNAL MED. 785, 789–90 (2004). 64. E.g., Margaret Caudill-Slosberg & William B. Weeks, Case Study: Identifying Potential Problems at the Human/Technical Interface in Complex Clinical Systems, 20 AM. J. MED. QUALITY 353 TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS An electronic format also permits entries in patients’ records to be checked against programmed guidelines and clinical decision support systems, prompting providers if prescription amounts are out of range, if necessary data have been omitted in the record, or if recommended procedures have not been performed.65 Here, too, there is some dispute about whether use of these support systems will improve outcomes for patients.66 To be sure, these benefits depend on accurate data entry into the electronic record, but even here, electronic records may have advantages over paper records. Some data, such as laboratory test results or digitized scans, can be entered into a record automatically. Software monitoring electronic records can be programmed to flag unusual or inconsistent entries, from a blood pressure or prostrate-specific antigen (PSA) reading much higher or lower than before, to a shift in noted patterns of calcification in a mammography reading.67 Patients who have access to their EHRs, which are more easily transmitted and more portable than paper copies, can also check them for accuracy, just as they can perform online reviews of credit card or banking statements. Other potential advantages of electronic records in patient care are patient education and communication. Physicians or patients can use electronic records to graph progress in easily visualized ways.68 Electronic record systems can be programmed to send patients e-mail reminders for follow-up care. Electronically generated letters or e-mails can be used to contact patients if new and relevant information becomes (2005); Yong Y. Han et al., Unexpected Increased Mortality After Implementation of a Commercially Sold Computerized Physician Order Entry System, 116 PEDIATRICS 1506 (2005); Ross Koppel et al., Role of Computerized Physician Order Entry Systems in Facilitating Medication Errors, 293 JAMA 1197 (2005); Jonathon R. Nebeker et al., High Rates of Adverse Drug Events in a Highly Computerized Hospital, 165 ARCHIVES INTERNAL MED. 1111 (2005). For a response, see Press Release, The Leapfrog Group, Leapfrog Responds to University of Pennsylvania Study on CPOE Errors (Mar. 10, 2005), available at http://www.leapfroggroup.org/media/file/Leapfrog_on_UPenn.CPOE_study.pdf. 65. E.g., Vahid Ebrahiminia et al., Representing the Patient’s Therapeutic History in Medical Records and in Guideline Recommendations for Chronic Diseases Using a Unique Model, 116 STUD. HEALTH TECH. INFORMATICS 101 (2005) (diabetes management); Steven Ornstein et al., A Multimethod Quality Improvement Intervention to Improve Preventive Cardiovascular Care: A Cluster Randomized Trial, 141 MED. 523 (2005) (quality indicators for cardiac disease prevention); Matthew H. Samore et al., Clinical Decision Support and Appropriateness of Antimicrobial Prescribing: A Randomized Trial, 294 JAMA 2305 (2005) (finding significant decline in antibiotic prescriptions for upper respiratory infections in communities using CDSS system). 66. William M. Tierney et al., Can Computer-Generated Evidence-Based Care Suggestions Enhance Evidence-Based Management of Asthma and Chronic Obstructive Pulmonary Disease? A Randomized, Controlled Trial, 40 HEALTH SERVICES RES. 477, 477 (2005) (finding no relation between care prompts and patient management in a randomized trial of electronic care prompts in asthma patients). 67. For a discussion of these benefits in the VistA system developed by the Veteran Health Administration, see Jonathan B. Perlin et al., The Veterans Health Administration: Quality, Value, Accountability, and Information as Transforming Strategies for Patient-Centered Care, AM. J. MANAGED CARE, Nov. 2004, at 828, 832–36. 68. See Douglas McCarthy, Case Study: Frontline Physicians and Their Patients Reap Benefits from EHRs, QUALITY MATTERS: SEPTEMBER UPDATE FROM THE COMMONWEALTH FUND, Sept. 2005, http://www.cmwf.org/publications/publications_show.htm?doc_id=294918#casestudy. TERRY.DOC 2/28/2007 4:56:44 PM 694 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 available, if they are overdue for an appointment, or if medications are withdrawn from the market.69 The advantages and disadvantages of provider- patient e-mail contact and web-based communication are increasingly discussed in the medical practice literature.70 Perhaps more controversially, patients themselves use the web with increasing frequency to learn about health conditions, therapeutic alternatives, and care providers specializing in their conditions. Armed with their own EHRs, and guided by their physicians, patients may be able to make more informed use of this resource.71 Leaving aside the potential for the improvement of care at the level of the individual patient, several forces relating to healthcare delivery currently drive the U.S. interest in a national system of interoperable electronic records.72 First, major shifts in care venues have accelerated the need for efficient flow of patient medical and billing information between organizationally and geographically distinct providers. Patients now are more likely to receive care in ambulatory care rather than inpatient settings. They are geographically mobile and also tend to change providers as their insurance or preferences change. If test results from prior treatment are readily available in an accurate and secure format, patients may avoid the inconvenience, risk, and expense of reduplicative testing that occurs when they see new providers who are unsure about reports of prior medical evaluations.73 Second, the operational aspects of managed care have increased the need for data transparency.74 “Gate keeping” physicians who authorize referrals, third party payers who want pay-for-performance “report cards,” and system administrators who need sophisticated utilization review and risk management tools all are served by electronic record sets. 69. For a description of some of these uses of EHRs in a primary care practice, see Richard J. Baron et al., Electronic Health Records: Just Around the Corner? Or Just over the Cliff?, 143 ANNALS INTERNAL MED. 222 (2005). 70. E.g., Felicity Goodyear-Smith et al., Pandora’s Electronic Box: GPs Reflect upon Email Communication with Their Patients, 13 INFORMATICS PRIMARY CARE 195 (2005); Steven J. Katz & Cheryl A. Moyer, The Emerging Role of Online Communication Between Patients and Their Providers, 19 J. GEN. INTERNAL MED. 978 (2004); Stephen E. Ross et al., Providing a Web-Based Online Medical Record with Electronic Communication Capabilities to Patients with Congestive Heart Failure: Randomized Trial, 6 J. MED. INTERNET RES., Apr.–June 2004, available at http://www.jmir.org/2004/2/e12/. 71. Alejandro (Alex) R. Jadad, What Will It Take to Bring the Internet into the Consulting Room: We Cannot Remain Oblivious to Our Patients’ Expectations, 20 J. GEN. INTERNAL MED. 787, 787 (2005); S. H. Woolf et al., Promoting Informed Choice: Transforming Health Care to Dispense Knowledge for Decision Making, 143 ANNALS INTERNAL MED. 293, 295 (2005). 72. Terry, supra note 44, at 28–29. 73. One estimate puts these costs of repeat testing at 15% of system costs. MARKLE FOUNDATION, LINKING HEALTH CARE INFORMATION: PROPOSED METHODS FOR IMPROVING CARE AND PROTECTING PRIVACY 3 (2005), http://www.connectingforhealth.org/assets/reports/linking_report_2_ 2005.pdf; see also Michael Weiner et al., Using Information Technology to Improve the Health Care of Older Adults, 139 ANNALS INTERNAL MED. 430, 430 (2003). 74. Dewey Freeman, Pay for Performance: A Win for the NHIN?, 59 HEALTHCARE FIN. MGMT. Aug. 2005, at 120, 120; Paul C. Tang & W. Ed. Hammond, Commentary, A Progress Report on Computer- Based Patient Records in the United States, in THE COMPUTER-BASED PATIENT RECORD: AN ESSENTIAL TECHNOLOGY FOR HEALTH CARE (Richard S. Dick et al. eds., 1997). TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS Large-scale third-party payers currently use electronic data sets to compare local variations in utilization and quality of care,75 a trend that can only be expected to continue. Third, the growth of “shared care,” whereby the patient shares responsibility with the care provider and is likely to have increasingly episodic relationships with multiple providers, requires patients to have access to health data generally and, more controversially, to information in their health records.76 Furthermore, “shared care” requires that providers have transparent access to other occasions of treatment received by the patient, particularly pharmacotherapy.77 Thus, “shared care” used in home care settings—among providers or between providers and family members or other means of support—may also benefit from access to electronic records.78 Finally, healthcare consumers and regulators are demanding increasing amounts of data regarding medical errors, quality of care, and treatment outcomes.79 This information is difficult to generate without sophisticated data coding and nearly impossible to analyze without complex database systems. The Health Plan Employer Data and Information Set (HEDIS) measures,80 for example, are more accurate if they are based on chart reviews rather than billing records, but it is expensive and cumbersome to examine paper charts.81 With electronic records, it is far simpler to get an accurate picture of the extent to which providers are meeting performance indicators. Beyond improved coordination of patient care and outcomes measurement, electronic record data sets may serve critical public health goals. The Centers for Disease Control and Prevention have noted the likely usefulness of such records in monitoring immunization rates and 75. See Leonard D. Schaeffer & Dana E. McMurtry, Perspective: Variation in Medical Care: Time for Action, HEALTH AFF. (Nov. 16, 2005), http://content.healthaffairs.org/cgi/content/abstract/ hlthaff.w5.552v1 (follow link to PDF or HTML version of article). 76. See, e.g., Jem Rashbass, Student JAMA, The Patient-Owned, Population-Based Electronic Medical Record: A Revolutionary Resource for Clinical Medicine, 285 JAMA 1769 (2001); Christopher C. Tsai & Justin Starren, Student JAMA, Patient Participation in Electronic Medical Records, 285 JAMA 1765 (2001). 77. See, e.g., TREENA A. CHOMIK, PROVINCIAL HEALTH SERVICES AUTHORITY, A REPORT ON SHARED CARE 40–41 (2005), available at http://www.phsa.ca/NR/rdonleyres/76D687CF_6596_46FE_ AA9A_A536D61FB038/12130/SharedCareReportAug2005.pdf (listing pharmacotherapy as part of a system guideline that would “facilitate the implementation of shared care”). 78. Maria Hagglund et al., Integration Architecture of a Mobile Virtual Health Record for Shared Home Care, 116 STUD. HEALTH TECH. INFORMATICS 340, 340–41 (2005). 79. See, e.g., Laura Landro, Consumers Need Health-Care Data, WALL ST. J., Jan. 29, 2004, at D3. 80. “HEDIS is a set of standardized performance measures designed to ensure that purchasers and consumers have the information they need to reliably compare the performance of managed health care plans.” National Committee for Quality Assistance, The Health Plan Employer Data and Information Set (HEDIS) (2006), http://www.ncqa.org/Programs/HEDIS. 81. Developed by the National Committee for Quality Assurance, HEDIS measures are standard comparisons of the performance of managed care plans. See id. TERRY.DOC 2/28/2007 4:56:44 PM 696 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 supporting efforts to contain outbreaks.82 Electronic records can generate and automatically transmit state-mandated reports such as diagnoses of infectious diseases or prescriptions of controlled substances. They may also help in detecting patterns of disease outbreaks.83 Related arguments have been made in the wake of Hurricane Katrina that EHRs are necessary to better facilitate disaster relief.84 If EHR architecture is designed to facilitate anonymized data sets, these goals can be furthered consistently with the privacy, confidentiality, and security protections we defend in this article. B. Patient Concerns and Perceptions Patients cite privacy, together with security, as their issues of greatest concern about electronic records.85 The International Medical Informatics Association lists patient privacy (and confidentiality) as a core ethical principle: “All persons have a fundamental right to privacy, and hence to control over the collection, storage, access, use, communication, manipulation and disposition of data about themselves.”86 Data from several recent surveys indicate that privacy protection remains highly salient for patients—and that this salience may be even greater among patients with diagnoses of illness and among racial and ethnic minorities. According to a 2005 survey conducted by the California HealthCare Foundation, 67% of Americans are concerned about the privacy of their health records.87 An even greater percentage (73%) of ethnic and racial minority patients in the survey expressed concern about the privacy of health information.88 One in eight respondents reported having engaged 82. See, e.g., Ctrs. for Disease Control & Prevention, Immunization Information System Progress— United States 2003, 54 MORBIDITY & MORTALITY WKLY. REP. 722, 723 (2005); John W. Loonsk, BioSense—a National Initiative for Early Detection and Quantification of Public Health Emergencies, 53 MORBIDITY MORTALITY WKLY REP. Supp. 53, 55 (2004); John W. Loonsk et al., The Public Health Information Network (PHIN) Preparedness Initiative, 13 J. AM. MED. INFORMATICS ASS’N 1, 1 (2006). 83. See, e.g., B. C. H. Ang et al., An Assessment of Electronically Captured Data in the Patient Care Enhancement System (PACES) for Syndromic Surveillance, 34 ANN. ACAD. MED. SINGAPORE 539, 540 (2005); Roger S. Magnusson, Data Linkage, Health Research and Privacy: Regulating Data Flows in Australia’s Health Information System, 24 SYDNEY L. REV. 5, 38–42 (2002). 84. Bob Brewin, Leavitt: Katrina Demonstrates Need for e-Health Records, GOV’T HEALTH IT, Sept. 8, 2005, available at http://www.govhealthit.com/article90691-09-08-05-Web (“If there was ever a case for [EHRs], this disaster underscores the need.” (quoting Mike Leavitt, Sec’y, Dep’t of Health & Human Servs.)). 85. E.g., Laura Zurita & Christian Nohr, Patient Opinion—EHR Assessment from the Users Perspective, 11 MEDINFO 1333 (2004). 86. Eike-Henner W. Kluge, Security and Privacy of EHR Systems—Ethical, Social, and Legal Requirements, 96 STUD. HEALTH TECH. INFORMATICS 121, 122 (2003); Int’l Med. Informatics Ass’n, IMIA Code of Ethics for Health Information Professionals (2002), available at http://www.imia.org/ English_code_of_ethics.html (adopted Oct. 4, 2002). 87. CAL. HEALTH CARE FOUND., NATIONAL CONSUMER HEALTH PRIVACY SURVEY 2005, EXECUTIVE SUMMARY 1 (2005), available at http://www.chcf.org/documents/ihealth/ ConsumerPrivacy2005ExecSum.pdf. 88. Id. TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS in actions to protect their privacy that might have compromised their healthcare, including avoiding seeing a physician, asking a physician to fudge a diagnosis, paying to keep information out of insurance records, or avoiding medical testing altogether.89 These behaviors were more frequent among patients with chronic diagnoses, such as cancer or diabetes. 90 Over half of the respondents surveyed indicated concerns about whether providing health information might compromise their employment or job opportunities.91 This report concludes that protection of data confidentiality and security are critically important if patients are to trust electronic records systems.92 Another recent survey from a group at Johns Hopkins, designed to test whether special privacy concerns attached to genetic information, generated similar findings.93 Patients with several different diagnoses, together with a control group of well patients, were surveyed about their preferences regarding keeping their health information private.94 The survey results indicated that patients with genetic diagnoses were no more inclined to keep information private than patients with other diagnoses, but revealing genetic diagnoses did appear to put patients at greater employment risk than revealing other diagnoses.95 The data did indicate, however, that the extent to which people call themselves “private” about their health conditions varies with gender (males more), race (African Americans more), and disease condition.96 Not unexpectedly, patients with HIV were more concerned to keep their diagnosis private— but so were patients with colon cancer, a finding that suggests that the information patients consider private may not be limited to psychiatric and sexual matters.97 Still other data from the Hopkins group indicate that many patients would prefer not to have their medical records used in research, without separate consent.98 This study attempted to assess the acceptability to 89. See also PEW INTERNET & AM. LIFE PROJECT, EXPOSED ONLINE: WHY THE NEW FEDERAL HEALTH PRIVACY REGULATION DOESN’T OFFER MUCH PROTECTION TO INTERNET USERS (2001), available at http://www.pewinternet.org/pdfs/PIP_HPP_HealthPriv_report.pdf. 90. CAL. HEALTH CARE FOUND., supra note 87. 91. Id. 92. The patient search for privacy is not limited to concerns about technology. See e.g., Single Hospital Rooms Rekindle Debate, BUS. FIRST OF BUFFALO, Feb. 5, 2006, http://www.bizjournals.com/ buffalo/stories/2006/02/06/story1.html (detailing conversion of semiprivate into single rooms in New York in response to patient demands for increased privacy). 93. Nancy E. Kass et al., Medical Privacy and the Disclosure of Personal Medical Information: The Beliefs and Experiences of Those with Genetic and Other Clinical Conditions, 128A AM. J. MED. GENETICS 261 (2004). 94. Id. at 262. 95. Id. 96. Id. at 262. 97. Id. at 264. 98. Nancy E. Kass et al., The Use of Medical Records in Research: What Do Patients Want?, 31 J.L. MED. & ETHICS 429, 430 (2003). TERRY.DOC 2/28/2007 4:56:44 PM 698 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 patients of HIPAA’s99 standards for waiver of consent for the use of medical records in research: that the research is no more than minimal risk, that it could not be conducted without the waiver, and that it has been reviewed and approved by an IRB.100 Previous reported studies appear schizophrenic: in one study, only 18% found the use of medical records in research fully acceptable, and 34% of patients found the use completely unacceptable; but other studies found that, when actually asked, overwhelming majorities of patients tended to give consent.101 The Hopkins group surveyed patients with a variety of disease diagnoses, many who had been involved in research studies at Hopkins. They found 31% willing to allow the use of their records in research if it would improve medical knowledge, but over half unwilling to allow the use of their records without consent.102 A large majority (86%) of those surveyed, however, would be willing to allow anonymous use of their records without consent.103 The Hopkins group concluded that patients should be enlisted as partners in the research enterprise, with more full discussion about the use of records and efforts to obtain consent in advance, even in quite general terms, for future record use.104 Finally, a 2006 survey by Harris Interactive found that 68% of respondents thought that electronic medical records would improve quality of care by reducing the number of redundant or unnecessary tests, 60% thought that EMRs would reduce healthcare costs, and 55% thought that they would reduce medical errors.105 However, 62% of respondents considered that the use of EMRs would make it more difficult to guarantee patient privacy.106 C. Autonomy vs. Instrumentalism The accepted rationale for health privacy and confidentiality is autonomy.107 A patient exercises his autonomy-based right of privacy when he shares (or declines to share) information with his healthcare provider or, for that matter, with anyone else. Any subsequent disclosure by the provider is policed by autonomy-based confidentiality. Constitutional and common law confidentiality protections suggested a 99. Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 29 U.S.C., 42 U.S.C., 26 U.S.C.). 100. 45 C.F.R. § 164.512(i) (2005). 101. Kass et al., supra note 98, at 429–30. These studies indicated that willingness to give consent varied with treatment condition; patients being seen for mental healthcare, eye care, trauma, or gynecology care were less likely to give consent. 102. Id. at 431. 103. Id. 104. Id. at 433. 105. Wall Street Journal Online/Harris Interactive Health-Care Poll, supra note 3. 106. Id. 107. TOM L. BEAUCHAMP & JAMES F. CHILDRESS, PRINCIPLES OF BIOMEDICAL ETHICS 410 (4th ed. 1994). TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS rights-based approach108 to legal confidentiality that paralleled the autonomy principle. In contrast, the modern law of medical confidence (particularly the federal code) does not appear to be based on an autonomy model but on a more limited instrumental model. The simplest (and least corrosive) instrumental justification for medical confidentiality is that patients provide information to physicians to further their diagnosis with the correlate that physicians respect confidences in order to encourage patients to disclose personal and medical information that will make diagnosis and treatment more effective. This instrumental approach becomes dangerous when applied to institutional or industrial models of care. In such models, the notion too easily falls prey to arguments that see the generation, dispersal, and processing of longitudinal patient health information primarily as a necessity to reduce overall healthcare costs and to minimize medical error. As the context changes, therefore, the simple and innocuous instrumental approach becomes increasingly problematic.109 This movement to an instrumental rationale for protecting patient information was exacerbated by HIPAA. Congress adopted what was promulgated as the HIPAA-EDI110 model of health transactions to reduce the “back-end,” transactional costs of healthcare delivery.111 The concomitant HIPAA federal confidentiality code112 was enacted to minimize objections to and maximize participation in a transactional model desired by industry and promoted by government. As chillingly confirmed by the Third Circuit Court of Appeals in Citizens for Health v. Leavitt,113 the federal standards have gutted the nascent rights-based ap 108. See, e.g., Humphers v. First Interstate Bank of Or., 684 P.2d 581, 587 (Or. Ct. App. 1984), aff’d in part, rev’d in part, 696 P.2d 527 (Or. 1985). [T]here is widespread public knowledge of the ethical standards of the medical profession and widespread belief that confidences made by a patient to a physician may not be disclosed without the permission of the patient. Patients . . . have the right to rely on this common understanding of the ethical requirements which have been placed on the medical profession and to obtain damages against a physician if he violates such confidentiality. Id.; see also Duquette v. Superior Court ex. rel. County of Maricopa, 778 P.2d 634, 640 (Ariz. Ct. App. 1989) (“[T]he public has a widespread belief that information given to a physician in confidence will not be disclosed to third parties absent legal compulsion, and we further believe that the public has a right to have this expectation realized.”). 109. See generally Nicolas P. Terry, What’s Wrong with Health Privacy?, in THE LAW AND BIOETHICS (Ana Smith Iltis & Sandra H. Johnson eds., forthcoming 2007). 110. Wikipedia offers this definition of EDI: Electronic Data Interchange (EDI) is the computer-to-computer exchange of structured information, by agreed message standards, from one computer application to another by electronic means and with a minimum of human intervention. In common usage, EDI is understood to mean specific interchange methods agreed upon by national or international standards bodies for the transfer of business transaction data, with one typical application being the automated purchase of goods and services. Wikipedia, Electronic Data Interchange, http://en.wikipedia.org/wiki/Electronic_Data_Interchange (last visited Oct. 3, 2006). 111. See Marie C. Pollio, The Inadequacy of HIPAA’s Privacy Rule: The Plain Language Notice of Privacy Practices and Patient Understanding, 60 N.Y.U. ANN. SURV. AM. L. 579, 585–86 (2004). 112. 45 C.F.R. §§ 160, 164 (2005). 113. 428 F.3d 167 (3d Cir. 2005); see infra text accompanying note 209. TERRY.DOC 2/28/2007 4:56:44 PM 700 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 proach to privacy and confidentiality, preferring an instrumental rationale that is almost totally focused on institutions and compliance. This process is being endorsed during the adoption of EHR technologies. Process-driven, technologically enabled healthcare delivery, of which the EHR is a core component, seeks to minimize the role of the individual autonomous physician (and the correlative autonomous patient). These next-generation healthcare technologies replace autonomy and choice with systems that identify while simultaneously commodifying patients (e.g., by positively identifying them with bar codes) and reduce discretion in treatment (e.g., by relying on Clinical Practice Guidelines and Clinical Decision Support Systems). Such technologies have a huge, potentially deleterious impact on individuals’ privacy and confidentiality. “Yet, they are likely to be accompanied by minimalist protections that, as with the federal standards in HIPAA, will be designed so as not to impede the overall error-reduction model, for example, by favoring outcomes research to further the greater good of population-based care.”114 As we argue in this article, the adoption of EHR technologies should be used as an opportunity to reverse this trend and adopt an approach to patient privacy and confidentiality that recognizes an autonomy-based, default position of full patient control over personal information.115 This default should be compromised only in a narrow range of circumstances, such as allowing the information to flow within the “circle of care” or medical teams, to be shared after real and informed consent by the patient, or to be used in cases where the data has been fully stripped of identifiers. An initial clarification, however, should be emphasized at this point: our claims in what follows apply only to EHRs; nothing we say is intended to apply to or to preclude current practices in which patients consent to the sharing of their health information. Our point is only that these processes should continue to take place outside of the development of the EHR architecture, at least in its initial trial period. D. Promoting Privacy, Confidentiality, and Security EHRs are not like paper records writ larger. The differences for patient privacy and confidentiality and data security are matters of kind, not simply matters of degree. The irony is that the more inefficient a health records system, the more it is silo-based and makes interoperability difficult, the fewer confidentiality and security issues it will pose.116 However, such inefficient systems will not realize the potential benefits of an EIHR. Multisite EMRs or EHRs raise the stakes for protection of important values for patients: patient privacy, informed consent about 114. Terry, supra note 109. 115. See generally Cass R. Sunstein, Privacy and Medicine: A Comment, 30 J. LEGAL STUD. 709, 711–12 (2001). 116. See generally Hodge et al., supra note 5. TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS what will be included in records and with whom these records will be shared, and accuracy of records and resulting quality of care. The basic issues here are accessibility, security, and replicability. Electronic records can be viewed from across the globe; cut, pasted, or otherwise altered; and copied and recopied with a switch of the finger.117 All occur apparently invisibly, though means of tracking changes are of course possible. The prevailing article of faith espoused by policymakers and regulators in the United States is that patient information (be it transactional or safety related) is to be protected by mechanisms to ensure data confidentiality and security.118 Confidentiality (mislabeled by HIPAA as “privacy”) limits access to previously disclosed patient data, thus denying the option to leverage data for secondary uses such as marketing or patient profiling. Security keeps out “hackers” who would misappropriate, damage, or destroy data. In this article, we challenge the effectiveness of this protective model in the EIHR context and defend the importance of both limiting data access to providers within the “circle of care” on a need-to-know basis, and basing the choice of which EHR architecture to implement on the need to maximize data security. Patient privacy refers to the extent to which information about patients is gleaned in the first place. A decision by a patient not to share information with a provider, or to give misleading information, both exercises and protects privacy, but at the sacrifice of timely, accurate diagnosis and treatment. Efforts by patients to obtain healthcare services without having them entered into their medical records—such as anonymous HIV testing—also protect privacy, but at the cost of what may be important omissions in the medical record that can adversely affect patient care. The principal patient privacy question posed by EHRs is whether patient information should be entered into a system of electronic records in the first place. As an interoperable electronic record system is developed, there are a number of options for protecting patient privacy. Patients could enter an interoperable system only on an “opt-in” basis; otherwise, their records would remain silo-ed in the offices of providers. Or, patients could be allowed to specify that records from particular providers or from particular visits be omitted from the electronic record. Still another option would allow patients to specify that certain types of sensitive information be kept out of the electronic record. Patients who do not opt in to a linked records system will lose whatever benefits might attend an interoperable system. Some of the benefits of electronic records, such as the use of clinical decision support tools that can be downloaded to an office computer or automatic generation of 117. See PEW INTERNET & AM. LIFE PROJECT, supra note 89, at 3. 118. See, e.g., MARKLE FOUNDATION, supra note 73, at 43–58. TERRY.DOC 2/28/2007 4:56:44 PM 702 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 reminders and other informational letters to patients, are available with electronic records that are fully isolated from linkages beyond the individual provider’s office. Other benefits, however—including the use of internet-based provider-patient communication systems; off-site access to records; coordination of records among providers; or inclusion of records in larger data sets designed to monitor care quality, patient safety, or patient outcomes—are available only in limited forms or are completely unavailable with fully silo-ed records. It can be expected that, as use of electronic records grows, this option will become increasingly difficult to maintain. A second privacy-protective option would allow patients to specify that entire records from particular providers, or entire records of particular visits, be kept out of any linked electronic record system. Patients might want, for example, to exclude from the electronic record visits to any mental health professionals, treatment for sexual dysfunction, or the fact that an HIV test was performed. Patients may also wish to exclude information gathered in visits for second opinions; they may wish to be able to reconfirm or reevaluate diagnoses or treatment recommendations without informing their original care provider of additional consultation. Exclusion of such records, however, may compromise the accuracy of the electronic record; providers accessing the record may assume that it is complete and, relying on it, make decisions about care based on records that omit critical information. Such omissions can be dangerous; diagnosis and treatment may fail to take account of the use of psychotropic medications or drugs for erectile dysfunction, for example. Providers might remain suspicious of records’ inclusiveness—or records might even be flagged for incompleteness—but as electronic records increasingly become the standard of care, reliance on them is likely to become routine. Despite these difficulties, in order to maintain trust in an electronic record system it may be important to require informed consent on an individual provider basis before patient records are entered into a linked system. A report from the Markle Foundation concludes that this guarantee is necessary to generate trust in linked records systems.119 The report recommends that current providers not enter records into a linked system without consent and that consent be negotiated for the entry of prior records.120 The Markle report also recommends that anonymous or pseudonymous record entry be explored where linked data sets are necessary for outcomes research or public health surveillance.121 Yet another privacy-protective option would allow patients to stipulate exclusion of certain types of information from the medical record: 119. See MARKLE FOUNDATION, supra note 73, at 31–32. 120. See id. 121. Id. at 32. TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS information about genetic testing,122 HIV testing, or treatment for conditions such as sexually transmitted diseases, for example. This option also raises difficulties about the integrity of the record for treatment purposes. In addition, it may be costly and impractical, depending on system design. Any system that requires physicians (or office staff) to redact embargoed information from the medical record before it is entered into the linked electronic record will require time-consuming processes of data separation as well as a two-tier medical record system. Primary providers will need to remember to consult the complete record; secondary providers will not know what has been omitted from the linked record. Moreover, it may prove impossible to effectively segregate all of the embargoed information; information left in the linked record may be as revealing of the patient’s condition as redacted information. For example, redaction of an HIV test may not protect the privacy of a patient who does not want information about a diagnosis of HIV/AIDS in the medical record, if the record also contains a note about treatment for an HIV-related fungal infection. Electronic record design that separates data fields at the time of record creation may be less costly to administer. Yet such “pull” systems are flawed because they are limited by the information the patient chooses to include, but may not effectively cull out all the information the patient wishes to exclude. A “pull” system that enters all prescription data, for example, may be as revealing of a diagnosis of HIV/AIDS as the actual HIV test itself. Patients are justly concerned about what an EIHR may mean for their privacy. On the other hand, records system designs that attempt to protect privacy by choosing the information entered into the record in the first place are potentially both misleading and difficult to maintain. At present, therefore, it seems that the best way to protect patient privacy is to provide for patients to join an EIHR on an opt-in basis, rather than being entered into such a system automatically. If larger data sets are needed for outcomes research or for disease surveillance, they could be constructed with anonymous or with pseudonymous records. Complete records would be entered into the system for patients who opt in. As a national EIHR is developed, safeguards also will need to be put into place to protect patient confidentiality; downstream limitations on the disclosure of patient information should be included in the EIHR. The most protective standards would ensure that health records are not shared without patient consent except within the “circle of care”—that is, with practitioners who are immediately and directly involved in the care of the patient—and on an as-needed basis with another member of a patient’s medical team. This assurance is one of the most important guarantees for patients. Given patient attitudes towards the privacy of their 122. See generally David E. Winickoff, Isaac S. Kohane & Russ B. Altman, Health-Information Altruists, 354 NEW ENG. J. MED. 530, 530–31 (2006). TERRY.DOC 2/28/2007 4:56:44 PM 704 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 healthcare information, suspicion of electronic records, and the disadvantages detailed above of protecting patients by excluding information from the record, these confidentiality guarantees are essential. Just as with paper records, there will be situations in which electronic health information cannot be kept confidential. The format of the record will not change state reporting requirements for conditions as varied as gunshot wounds, abuse, infectious diseases, or factors that impair driving capacity. Providers should discuss limits on confidentiality with patients before giving care, as providers ideally do now when there is a likelihood of required reporting. What may be changed are the ease, speed, and certainty of reporting. Record architecture could be designed so that providers enter data only once, but that reportable data is transferred automatically as it is entered into the record, without implicating other information in the record. For example, some states require reporting of controlled substance prescriptions to state agencies; providers then search the database before prescribing controlled substances to guard against drug abuse or diversion.123 This entire process can be electronic. In advance of receiving such prescriptions, patients can be informed both of the requirement that the medications be entered into databases and of their providers’ protocols for searching databases. Patients who do not want their information entered into the database could reject the prescription. The ease and speed of electronic transmissions intensify the importance of informing the patient when reporting is anticipated. A similar structure of single entry/copied data could be utilized when patients consent to the sharing of particular information outside of the circle of care, such as for billing purposes. Our point here is not to reject current structures by which patients consent to sharing healthcare information; it is that such means for sharing should be built in at the point of data entry, not at the point of the full EHR. Serious questions of accuracy and fraud attend any electronic records system. EHRs can be erased, cut, or pasted without the kind of physical trail left when offices are broken into and paper records are tampered with. EHRs are also searchable, and such searches are quick and cheap. This raises the stakes about what is included in a record. A note or an unauthorized alteration, dating from many years in the past, can be brought back to notice more quickly than in a paper record. With paper, it is far more likely that old or inaccurate records will simply remain buried and unremarked; unearthing the records would take a long read through the paper file and might be regarded as irrelevant. To be sure, paper records can also be altered. But conventions have been developed to guard against such malfeasance: records must be dated, en 123. See, e.g., Office of Health Professionals Regulation, Board of Pharmacy: Controlled Substance Reporting Update, http://www.health.ri.gov/hsr/professions/csr_reporting.php (last visited Oct. 3, 2006); Utah Dep’t of Commerce, Utah’s Controlled Substance Database, http://csdb.utah.gov/ (last visited Feb. 1, 2007). TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS tered in ink, etc. Erasures can be apparent visually. With electronic records, similar conventions must be developed to ensure data integrity and facilitate audit.124 Data integrity will require a method for authentication. With electronic records, there must be a method in place to ensure that entries are dated and signed. Unique identifiers that are difficult to steal will be needed to authorize entries, and penalties should attach to unauthorized sharing of identifiers. Methods will also need to be implemented to track and prevent any entry changes. Records should be correctable, but there should be a method of noting that a correction has been made and what the correction entailed. Otherwise, the integrity of all electronic records will be suspect. Still another difficulty is the need to guard against careless copying of records and the possibility that errors will be introduced thereby. The Veterans Health Administration has found that one in ten electronic records contains plagiarized text and has implemented detection software as a result.125 Conventions for data entry and authentication need to be commonly used and understood among all providers. One of the most difficult issues for data security is to ensure that records are not subject to inappropriate access that is either inadvertent or deliberate.126 In order to gain access to paper records, someone must be physically present with the record. By contrast, inadvertent release of records and computer hacking are notorious problems with certain electronic records—credit card information, for example.127 Courts have wrestled with the risks of identity theft raised by electronic records such as financial statements involved in divorce proceedings; they have responded with solutions such as keeping the records in encrypted PDF files on silo-ed local networks without outside access.128 Medical information is at least as sensitive as information of these kinds, and before it is assembled in a linkable, accessible fashion, these issues of protection 124. For a criticism of the data integrity and security mechanisms in Australia’s HealthConnect record system, see Livia Iacovino, Trustworthy Shared Electronic Health Records: Recordkeeping Requirements and HealthConnect, 12 J.L. & MED. 40 (2004). 125. Kenric W. Hammond et al., Are Electronic Medical Records Trustworthy? Observations on Copying, Pasting and Duplication, AM. MED. INFORMATICS ASS’N ANN. SYMP. PROC. 269 (2003). 126. See, e.g., Dan Richman, Hacker at UW Medicine Revealed, SEATTLE POST-INTELLIGENCER, Feb. 16, 2006, available at http://seattlepi.nwsource.com/local/259725_computer16.html (disclosing that hacker had opportunity to access two million patient records for eighteen months before security hole discovered); Jaikumar Viyayan, FBI Probes Hacking Incident at Indiana Clinic, COMPUTERWORLD, Feb. 10, 2006, http://www.computerworld.com/securitytopics/security/story/0,10801,108585,00.html. 127. For a discussion of technical issues in data security, see Mike Boniface & Paul Wilkin, ARTEMIS: Towards a Secure Interoperability Infrastructure for Healthcare Information Systems, 112 STUD. HEALTH TECH. & INFORMATICS 181 (2005). 128. For discussions of the difficulties courts have faced in implementing electronic records systems, see, for example, Peter A. Winn, Online Court Records: Balancing Judicial Accountability and Privacy in an Age of Electronic Information, 79 WASH. L. REV. 307 (2004); Kristen M. Blankley, Note, Are Public Records Too Public? Why Personally Identifying Information Should Be Removed from Both Online and Print Versions of Court Documents, 65 OHIO ST. L.J. 413 (2004). In the view of one court, paper records languished in “practical obscurity,” an unlikely fate for electronic records. U.S. Dep’t of Justice v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 762 (1989). TERRY.DOC 2/28/2007 4:56:44 PM 706 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 must be solved.129 Records of any unauthorized access must be kept, and patients must be assured that they will be notified if their records have become subject to unauthorized examination.130 Such record-keeping and notification systems can be inexpensive if the default mechanism is an e-mail to the patient of an unauthorized record access, combined with general publicity about large-scale breaches of data security.131 Another difficult issue with electronic records is the ease with which they can be duplicated and multiplied. Of course, paper records can be copied too. But with electronic records, multiple copies can be generated at the flick of a key, more readily than the brooms in The Sorcerer’s Apprentice. These copies can materialize as e-mail attachments, burned CDs, easily transported diskettes or portable hardware devices, among other forms. As with paper records, copies of EHRs should not be made or shared without patient permission, except as within ordinary provider office practice. Electronic safeguards should be in place to detect when copying has taken place. Once “out,” electronic copies of an electronic record cannot be easily traced or retrieved. Indeed, it may not be clear where all the copies have gone. Information that should not have been included in the record, that was inaccurate and has been corrected in the record by the original provider, or that was inappropriately linked, may never be corrected in copies that have been released. The analogous problem arises for copies of paper records that were made at a given point in time, but it is exacerbated with the ease of transmission of electronic records. In addition to the risks of confidentiality, this ease of transmission poses real risks for the care of mobile patients; if the “wrong” electronic record is accessed, patient injury may be the result. Finally, methods must be developed for tracking what is done with electronic records that have been properly released and for redacting information that should not have been released. For example, providers sometimes include information in records that is not medically related, such as social security numbers. This type of information should not be released in the first place, but if it is, it should be subject to tracing and redaction. Information in a record is sometimes corrected or updated, and there must be ways to ensure that these additions are made to records that were previously released. If updated information, such as a diagnostic test that reveals a prior false positive, is not included in all copies, this omission creates the risk that accuracy will be falsely assumed and that care will be directed inappropriately. 129. See generally Joseph Menn, ID Theft Infects Medical Records, L.A. TIMES, Sept. 25, 2006, at A1 (describing the consequences of and difficulties in preventing medical identity theft). 130. Ethan Preston and Paul Turner note that disclosure regimes are required in California and in the European Union. Ethan Preston & Paul Turner, The Global Rise of a Duty to Disclose Information Security Breaches, 22 J. MARSHALL J. COMPUTER & INFO. L. 457 (2004). 131. This is the default regime in California. CAL. CIV. CODE § 1798.82(g)(3) (West Supp. 2006). TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS These concerns about privacy, data confidentiality, and data security place special pressures on the creation, maintenance, and use of electronic records. They raise difficulties that must be solved before linkable, searchable, and accessible electronic records are generalized to the population. Many of these issues raise complex technical questions. Others require the development of practices such as informed consent before identifiable information about patients is entered into databases or linked with other records. We return to these issues in the discussion of strategies for record development, patient choice, and regulation below. IV. THE LEGAL LANDSCAPE As already noted, the Bush administration has framed the privacy- confidentiality “issue” as one involving state laws whose divergence creates a barrier to the successful implementation of a national EIHR.132 The apparent conclusion is that the HIPAA Privacy of Individually Identifiable Health Information (PIHI)133 savings clause for more stringent state laws134 should be rescinded.135 In contrast, we argue that the issue should be framed as how to resolve the serious privacy-confidentiality issues raised by a national EIHR system.136 Part of that analysis depends on an examination of the extent to which patient privacy-confidentiality under such a system would be protected by existing legal controls. A fundamental terminological problem obscures comprehension of the current state of the protection of health information in the United States. The media, commentators, courts, and legislators frequently refer to health “privacy” issues or protective models. In fact, two distinct issues must be addressed, issues that find articulation in two separate legal doctrines. Personal health information may be under threat either by its collection or its disclosure. The law has responded to those threats sepa 132. See supra note 4 and accompanying text. 133. See OFFICE FOR CIVIL RIGHTS, U.S. DEP’T OF HEALTH & HUMAN SERVS., STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION (2003), available at http://www.hhs.gov/ocr/combinedregtext.pdf. 134. 45 C.F.R. § 160.202 (2005). 135. See, e.g., Health Information Technology Promotion Act of 2006, H.R. 4157, 109th Cong. § 205 (2006) (contemplating national uniform standards on confidentiality and security and with preemptive effect). 136. See also Letter from Consumer Coalition for Health Privacy (CCHP) to Scott Wallace, Chairman, Comm’n on Systemic Interoperability (Oct. 7, 2005), available at http://www.healthprivacy. org/usr_doc/Commission_Letter.pdf. In this letter, the CCHP strongly urge[s Chairman Wallace] to abandon any recommendation that takes privacy rights away from patients. In fact, instead of disabling protections, there should be a serious effort to bolster and extend established privacy rights. While the HIPAA Privacy Rule serves as a solid foundation for protecting privacy, it does not address many of the issues health information technology raises. For instance, many entities collecting and sharing electronic health information are not covered by the law. In this context, stripping consumers of current safeguards is not just misguided but dangerous, and would undoubtedly have a drastic impact on the extent to which patients are willing to engage in health information technology initiatives. Id. TERRY.DOC 2/28/2007 4:56:44 PM 708 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 rately, expressed as the distinct models of privacy and confidentiality.137 A privacy model places limitations on data collection.138 Such a model could, for example, prohibit all collection in certain circumstances or limit collection via a proportionality rule (e.g., only information necessary for treatment). The confidentiality model places limitations on data disclosure (e.g., hospital records may be disclosed to physicians, but not drug companies). Related protective models are either ancillary or corollary. For example, a right of anonymity provides the patient with a method to ensure privacy,139 while security systems create the technical environment to limit access to information to those records subject to confidentiality-based disclosure control. Although frequently described in terms of privacy and privacy law, the legal protections applied to patient health information by the common law, state statutes, or the HIPAA federal standards have very little to do with either. As will be seen, the law of privacy (or collection- centric legal models) is narrowly circumscribed and underdeveloped. In contrast, the confidentiality protective model, whereby limitations are placed on data disclosure, is well established in U.S. law.140 Contemporary U.S. confidentiality and privacy models (particularly as applied to an EIHR) are shaped and constrained by several persistent features. First, the regulation of medical records is primarily a creature of state law.141 Second, the law relating to the privacy of medical information is woefully underdeveloped.142 Third, while comparatively mature, state common law and statutory medical confidentiality regulations provide few solutions to the threats posed by an EIHR.143 Fourth, the more recent HIPAA Privacy Regulations144 have created a (frequently parallel) federal confidentiality code whose flaws become considerably more obvious when mapped to an EIHR. Finally, U.S. law generally permits patients to waive or sign away almost all controls on the collection or dissemination of their personal health information.145 In only very limited circumstances are there bright-line rules rendering health information inalienable.146 137. Health Record Hearings, supra note 6, at 5. 138. Id. 139. See infra text accompanying notes 239–44. 140. See Hodge et al., supra note 5, at 1468 (1999). 141. See id. 142. See id. at 1467. 143. See id. at 1468. 144. Security and Privacy, 45 C.F.R. § 164 (2005). 145. See, e.g., 45 C.F.R. § 164.503. 146. See Hodge et al., supra note 5, at 1468. TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS A. State Law Paradigms Historically, the governance of medical records has been a matter of state law.147 As a result, ownership of records, access to records, mandatory reporting, and data protection rules vary by state. The HIPAA transactional standards represent one very important exception to this general rule, but an incomplete and flawed exception because the so- called privacy provisions (but not the security or transactional rules) are subject to a savings clause preserving some state protections.148 State- centricity is inconsistent with the proposed U.S. EIHR system. Whether truly national or regionally based, the EIHR will be an interstate creature. And, for the promise of the EIHR to be fulfilled, data must be entered only one time and must be accessible from any part of the country. It is generally accepted that doctors own the medical records they keep about patients.149 State statutes have extended that default position to hospital records.150 In addition to federal regulatory151 and Joint Commission on Accreditation of Healthcare Organizations (JCAHO) accreditation rules,152 state law (state statutory, licensing, or even common law malpractice requirements) imposes duties of accuracy, completeness, legibility, and timeliness.153 State statutes may prohibit the alteration of records,154 while diverse common law remedies for spoliation create disincentives to their concealment or destruction.155 Although 147. See id. 148. 42 U.S.C. § 1320d-2 (2000); see also Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, Sec. 264(c)(2) (codified as amended in scattered sections of 29 U.S.C. and 42 U.S.C.). 149. See, e.g., American Medical Association, E-7.04 Sale of a Medical Practice, http://www.amaassn. org/ama/pub/category/8381.html (last visited Oct. 3, 2006); see also Breen v. Williams (1996) 186 C.L.R. 71 (Austl.); Regensdorfer v. Orange Reg’l Med. Ctr., 799 N.Y.S.2d 571 (2005) (dealing with ownership, transfer, and lending of mammography and pathology films). 150. See, e.g., TENN. CODE ANN. § 68-11-304(a)(1) (1995) (“Hospital records are and shall remain the property of the various hospitals . . . .”). 151. Medicare Conditions of Participation: Medical Record Services, 42 C.F.R. § 482.24(b)(c) (1999). 152. “The medical record contains sufficient information to identify the patient; support the diagnosis/ condition; justify the care, treatment, and services; document the course and results of care, treatment, and services; and promote continuity of care among providers.” 2005 CRITICAL ACCESS HOSPITAL STANDARDS: MANAGEMENT OF INFORMATION IM.6.10.6, at 14 (Joint Commission on Accreditation of Healthcare Organizations ed., 2005). 153. See, e.g., N.M. STAT. § 61-6-15 D (1978) (“‘Unprofessional or dishonorable conduct’ . . . includes . . . (33) improper management of medical records, including failure to maintain timely, accurate, legible and complete medical records”); NEV. REV. STAT. § 630.3062(1) (2003); WYO. STAT. ANN. § 33-26-402(a) (xxvii) (G) (2005); Nieves v. Chassin, 625 N.Y.S.2d 344. (N.Y. App. Div. 3d 1995); Schwarz v. Bd. of Regents, 453 N.Y.S.2d 836, 836–37 (N.Y. App. Div. 3d 1982); see also Thomas v. United States, 660 F. Supp. 216, 218. (D.D.C. 1987) (keeping inadequate summary records may constitute malpractice). 154. See, e.g., NEV. REV. STAT. ANN. § 630.3062-2. 155. See, e.g., Rosenblit v. Zimmerman, 766 A.2d 749, 754–58 (N.J. 2001) (canvassing various remedies and adopting independent tort remedy); cf. Brown v. Hamid, 856 S.W.2d 51, 57 (Mo. 1993) (“The Missouri cases, statutes, and common law address a physician’s duty to let the patient inspect and copy medical records. They do not create an independent duty to maintain medical records. To be sure, in another case, failure to maintain medical records may contribute to, or constitute, medical TERRY.DOC 2/28/2007 4:56:44 PM 710 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 supplemented by Federal Medicare rules,156 state statutory rules generally continue to govern records retention.157 B. Privacy Although the U.S. Constitution does not contain any generalized right of privacy, the Supreme Court has recognized limited privacy rights derived from various constitutional provisions.158 Whalen v. Roe is the foundational case, recognizing not only autonomy or decisional privacy (“independence in making certain kinds of important decisions”),159 but also informational privacy (“the individual interest in avoiding disclosure of personal matters”).160 Whalen concerned the validity of a state statute requiring computerized record keeping (including patient identification) of scheduled prescription drugs. The Court held that, on the record as presented, arguments of potential breach of security or confidentiality by IT, medical, or judicial actors did not “pose a sufficiently grievous threat to either interest to establish a constitutional violation.”161 The Whalen court recognized “a host of . . . unpleasant invasions of privacy that are associated with many facets of health care,” while noting that such disclosures “are often an essential part of modern medical practice.” 162 Although Whalen did not decide the issue,163 the court hinted that such an invasion would rise to the level of a constitutional violation only if such a scheme failed to “evidence a proper concern with, and protection of, the individual’s interest in privacy.”164 Since Whalen, several federal courts have recognized constitutionally protected privacy rights in connection with medical165 and prescrip malpractice. . . . There is no need, in this case, to recognize an independent tort of negligent maintenance of medical records.”). 156. See, e.g., 42 C.F.R. § 482.24(b)(1) (2005) (“Medical records must be retained in their original or legally reproduced form for a period of at least 5 years.”). 157. See, e.g., LA. REV. STAT. ANN. § 40:2144(F) (2001 & Supp. 2006); N.M. Stat. Ann. § 14-6-2 (LexisNexis 2003). 158. See Griswold v. Connecticut, 381 U.S. 479, 484–85 (1965). See generally Roe v. Wade, 410 U.S. 113, 152 (1973) (“[A] right of personal privacy, or a guarantee of certain areas or zones of privacy” is rooted in “the First Amendment; in the Fourth and Fifth Amendments; in the penumbras of the Bill of Rights; in the Ninth Amendment; or in the concept of liberty guaranteed by the first section of the Fourteenth Amendment.” (citations omitted)). 159. Whalen v. Roe, 429 U.S. 589, 599–600 (1977). 160. Id. at 599. 161. Id. at 600–02. 162. Id. at 602. 163. “We therefore need not, and do not, decide any question which might be presented by the unwarranted disclosure of accumulated private data—whether intentional or unintentional—or by a system that did not contain comparable security provisions.” Id. at 605–06. 164. Id. 165. See, e.g., Herring v. Keenan, 218 F.3d 1171, 1175 (10th Cir. 2000); F.E.R. v. Valdez, 58 F.3d 1530, 1535 (10th Cir. 1995); Lankford v. City of Hobart, 27 F.3d 477, 479 (10th Cir. 1994); A.L.A. v. W. Valley City, 26 F.3d 989, 990 (10th Cir. 1994); United States v. Westinghouse Elec. Corp., 638 F.2d 570, 580 (3d Cir. 1980). TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS tion records.166 Although recognized, this informational privacy right is not absolute. For example, in Douglas v. Dobbs,167 a recent Tenth Circuit case stemming from a court-authorized police search of pharmacy records, the court noted: “We have no difficulty concluding that protection of a right to privacy in a person’s prescription drug records . . . is sufficiently similar to other areas already protected within the ambit of privacy.” 168 However, this abstract right was insufficient given that the plaintiff failed her burden of showing that the right has been violated by the defendant of record.169 Several state constitutions explicitly protect privacy.170 Typically this privacy right has been applied to medical records. For example, one state high court opined: “Because Georgia recognizes an even broader concept of privacy [than the federal constitution], the personal medical records of this state’s citizens clearly are protected by that right as guaranteed by our constitution.”171 However, as with its recognition by the federal courts, this right of informational privacy is not absolute and is subject to typical public health, law enforcement, and other exceptions.172 At common law, it is beyond cavil that, as one court has stated, “[i]f there is any right of privacy at all, it should include the right to obtain medical treatment at home or in a hospital for an individual personal condition (at least if it is not contagious or dangerous to others) without personal publicity.”173 Such a broad statement notwithstanding, U.S. privacy law limitations on data collection in the healthcare domain are less than robust. The Restatement’s black-letter law of “privacy”174 fails to provide any general or comprehensive “right of privacy.” Rather, the “right” is a bundle of discrete tort actions and is highly qualified at that.175 The patient must rely on factually restricted,176 doctrinally lim 166. See, e.g., United States v. Sutherland, 143 F. Supp. 2d 609, 610 (W.D. Va. 2001). 167. Douglas v. Dobbs, 419 F.3d 1097 (10th Cir. 2005). 168. Id. at 1102. 169. Id. at 1103. The defendant in this § 1983 action was an assistant district attorney who had approved a police officer’s decision to request authorization from the court to conduct a warrantless investigation of pharmacy records. 170. See, e.g., ALASKA CONST. art. I, § 22; FLA. CONST. art. I, § 23; GA. CONST. art. I, § 1, ¶ 1. 171. King v. State, 535 S.E.2d 492, 494 (Ga. 2000). 172. See, e.g., Limbaugh v. State, 887 So. 2d 387 (Fla. Dist. Ct. App. 4th Dist. 2004); Frank v. State, 912 So. 2d 329 (Fla. Dist. Ct. App. 5th Dist. 2005); Rollins v. Ulmer, 15 P.3d 749, 750 (Alaska 2001). 173. Barber v. Time, Inc., 159 S.W.2d 291, 295 (Mo. 1942). 174. RESTATEMENT (SECOND) OF TORTS § 652 (1965); see also Afro-Am. Publ’g Co. v. Jaffe, 366 F.2d 649, 653 (D.C. Cir. 1966) (recognizing common law tort); Reid v. Pierce County, 961 P.2d 333 (Wash. 1998) (adopting § 652). 175. See, e.g., Gilbert v. Med. Econ. Co., 665 F.2d 305, 310 (10th Cir. 1981) (outlining incidents of malpractice by doctor and including her psychiatric history was protected First Amendment). For further discussion of privacy rights, see Lee v. Calhoun, 948 F.2d 1162 (10th Cir. 1991), where a doctor publicly defended himself against a high profile malpractice claim by arguing in a newspaper that the misdiagnosis occurred because the patient had not disclosed that he had AIDS. Id. at 1164. The court dismissed the subsequent invasion of privacy claim by the patient on the basis that the patient had become a public figure and malpractice was a matter of public interest. Id. at 1165. TERRY.DOC 2/28/2007 4:56:44 PM 712 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 ited,177 and somewhat clumsy protections against “unreasonable intrusion upon the seclusion of another”178 or “public disclosure of private facts.”179 As a result, common law privacy actions tend to be successful in only a few extreme or outlying cases of medical intrusions180 or publications.181 C. Confidentiality Prior to the promulgation of the federal standards, most states had developed robust common law and statutory protections applicable to the confidentiality of health information. For example, there is now considerable consistency across the states in recognizing an “independent” or torts-based remedy for breach of confidence.182 The cause of action is theoretically (and variously) based on licensing statutes, the physician’s evidentiary privilege, common law principles of trust, the Hippocratic oath, and general principles of medical ethics.183 Only a handful of states reject the general proposition,184 although some persist in grounding it on an outmoded doctrinal basis such as implied contract or breach of a fiduciary relationship.185 The common law action for breach of confidence differs from the less-developed common law tort of privacy. One court has stated the most practical difference: “Only one who holds information in confi 176. See, e.g., Knight v. Penobscot Bay Med. Ctr., 420 A.2d 915 (Me. 1980) (finding no evidence that a hospital worker’s husband who observed a stranger’s labor and delivery had intended the intrusion); Corcoran v. Sw. Bell Tel. Co., 572 S.W.2d 212 (Mo. Ct. App. 1978) (requiring that defendant intended or permitted unreasonable publication); Fisher v. State, 106 P.3d 836 (Wash. Ct. App. 2005) (requiring deliberate intrusion); see also Mikel v. Abrams, 541 F. Supp. 591, 597, aff’d 716 F.2d 907 (8th Cir. 1983) (breach of privacy not applicable to doctor’s disclosure to plaintiff’s spouse); Tooley v. Provident Life & Accident Ins. Co., 154 So. 2d 617 (La. Ct. App. 1963); Curry v. Corn, 277 N.Y.S.2d 470 (N.Y. Special Term 1966); cf. Colleen M. v. Fertility & Surgical Assocs. of Thousand Oaks, 34 Cal. Rptr. 3d 439 (Cal. Ct. App. 2005) (patient had reasonable expectation of privacy that clinic would not disclose specific nature of her treatment to ex-fiancé, notwithstanding her charging of treatment on his credit card). 177. See, e.g., Tureen v. Equifax, 571 F.2d 411, 419 (8th Cir. 1978) (requiring “disclosure to the general public or likely to reach the general public”); see also RESTATEMENT (SECOND) OF TORTS § 652D cmt. c. (1977) (discussing “highly offensive” requirement). 178. RESTATEMENT (SECOND) OF TORTS § 652(A)(2)(a) (1977). 179. PROSSER AND KEETON ON TORTS 856 (W. Page Keeton et al. eds., 5th ed. 1984). 180. See, e.g., Estate of Berthiaume v. Pratt, 365 A.2d 792 (Me. 1976) (physician intruded into a dying cancer patient’s “physical or mental solitude or seclusion” when he took unauthorized photographs); see also Swarthout v. Mut. Serv. Life Ins., 632 N.W.2d 741 (Minn. Ct. App. 2001) (doctrine applicable when a life insurance company altered an applicant’s medical information release, used it to obtain information from other sources, and transmitted the information to a medical records database, which was available to other insurers). 181. See, e.g., Vassiliades v. Garfinckel’s, 492 A.2d 580, 585 (D.C. 1985) (upholding verdicts of invasion of privacy based on publicity of private facts and breach of fiduciary duty against plastic surgeon for use of “before” and “after” photographs of patient). 182. See, e.g., id. at 592; Biddle v. Warren Gen. Hosp., 715 N.E.2d 518, 523 (Ohio 1999); McCormick v. England, 494 S.E.2d 431 (S.C. Ct. App. 1997). See generally Alan B. Vickery, Note, Breach of Confidence: An Emerging Tort, 82 COLUM. L. REV. 1426 (1982). 183. See, e.g., Vassiliades, 492 A.2d at 590. 184. See, e.g., Quarles v. Sutherland, 389 S.W.2d 249, 252 (Tenn. 1965). 185. See, e.g., Fierstein v. DePaul Health Ctr., 24 S.W.3d 220, 223 (Mo. Ct. App. 2000). TERRY.DOC 2/28/2007 4:56:44 PM No. 2] ELECTRONIC HEALTH RECORDS dence can be charged with a breach of confidence. If an act qualifies as a tortious invasion of privacy, it theoretically could be committed by anyone.” 186 The converse is also true: if information that is not secret or private is entrusted in confidence, its subsequent disclosure may be actionable. 187 Many states now also have some form of legislation that protects medical information against disclosure, though few contain a comprehensive prohibition against the disclosure of confidential medical information. Rather, and similar to the HIPAA code, state statutes tend to create a provider “disclosure” code detailing the large number of “safe harbor” occasions and circumstances in which healthcare and other actors are permitted to disclose confidential medical information.188 Also, like HIPAA, the legislation in most states does not permit a private right of action by patients.189 Some state laws protect only health information in the hands of the state, not in the offices of private providers.190 Both federal191 and state courts192 have denied any implied private cause of action for HIPAA breaches. As a result, the importance of the common law action for breach of confidence and similar causes of action193 remains, notwithstanding HIPAA, unless and until the federal government legislatively preempts all “more stringent” state laws. D. Limitations of HIPAA “Privacy” The HIPAA federal standards apply to a broad range of “covered entities”194 that transmit health information in electronic form, but by no means to all entities that maintain health information in electronic form. 186. Humphers v. First Interstate Bank, 696 P.2d 527, 530 (Or. 1985). 187. See id. at 528–29. 188. See, e.g., Colleen M. v. Fertility & Surgical Assocs. of Thousand Oaks, 34 Cal. Rptr. 3d 439, 443 (Cal. Ct. App. 2005) (applying California statute’s general and specific disclosure exceptions). See also the savings provisions in Missouri’s S.B. No. 1041, 93d General Assemb. (Mo. 2006) (2006) (otherwise criminalizing “knowingly obtaining, receiving, or selling personal health information without consent”). 189. Cf. WASH. REV. CODE ANN. § 70.02.170 (West 2002). 190. Hodge et al., supra note 5, at 1468. 191. See, e.g., Poli v. Mountain Valleys Health Ctrs., Inc., No. 2:05-2015-GEB-KJM, 2006 WL 83378, at *3 (E.D. Cal. Jan. 11, 2006); Univ. of Colo. Hosp. v. Denver Publ’g Co., 340 F. Supp. 2d 1142, 1144–45 (D. Colo. 2004); O’Donnell v. Blue Cross Blue Shield of Wyo., 173 F. Supp. 2d 1176, 1180 (D. Wyo. 2001). 192. See, e.g., Cmty. Hosp. Group, Inc. v. Blume Goldfaden Berkowitz Donnelly Fried & Forte, P.C., 885 A.2d 18 (N.J. Super. Ct. App. Div. 2005), modified on other grounds, 894 A.2d 702 (N.J. Super. Ct. App. Div. 2006). 193. See, e.g., Doe v. Smith, 913 So. 2d 140, 143 (La. Ct. App. 2005) (finding patient stated claim for negligence when medical center violated state law by leaving patient records in parking lot where they could have been copied or disseminated); Foster ex rel. J.L. v. Hillcrest Baptist Med. Ctr., No. 1002- 143-CV, 2004 WL 254713, at *3 (Tex. App. Feb. 11, 2004) (holding negligence action could be brought against hospital for failure to exercise reasonable care in formulation of confidentiality policies); see also Poli, 2006 WL 83378, at *3 (denying motion to dismiss a negligence claim based on the release of medical information). 194. 45 C.F.R. § 160.103 (2005). TERRY.DOC 2/28/2007 4:56:44 PM 714 UNIVERSITY OF ILLINOIS LAW REVIEW [Vol. 2007 These providers,195 such as hospitals, physicians, and health plans, are subject to the regulations if they transmit health information “in electronic form in connection with a [HIPAA-EDI transaction].”196 The federal standards place limitations on the disclosure of “protected health information,” 197 including information that “relates to the past, present, or future physical or mental health or condition of an individual”198 and identifies or could identify the individual.199 Thereafter, the provider may disclose private health information (PHI) only as permitted by the federal standards.200 Modeled as they are on existing state statutory protections, the HIPAA standards do not protect health privacy. The standards are in essence a federal confidentiality code based around a regulatory compliance model rather than one that creates patient rights.201 HIPAA’s principal achievements are to require that the entities it covers give patients notice of “privacy practices”202 and protect EHRs from access outside of the entity without patient consent.203 Privacy notices and patient consent are relatively pro forma, in the views of some critics.204 Although HIPAA has made it less likely that, for example, employers will access employee health records from insurance claims, it contains limited safeguards. For example, covered entities are not required to inform patients about unauthorized access to their records, although entities are required to provide an accounting of such access upon request.205 Unfortunately the federal standards are flawed and, as currently written, will do little to create patient trust or physician participation in an EIHR. In the words of one editorial: “With an Orwellian turn of phrase, the ‘privacy rule’ has little to do with patient confidentiality. In fact, it permits the widespread sharing of medical data among 800,000 or so health, business and government entities.”206 First, the standards con 195. Defined in 45 C.F.R. § 160.103. 196. 45 C.F.R. § 160.102. 197. Id. § 160.103. 198. Id. But see Rogers v. NYU Hosp. Ctr., 795 N.Y.S.2d 438, 441 (Sup. Ct. 2005) (disclosing identity of patient’s roommate in general rehabilitation where hospital would not disclose roommate’s medical condition). 199. 45 C.F.R. § 160.103. 200. Id. § 164.502(a). 201. “[The legislation] does not focus on individuals whose privacy may be at risk, but instead on regulating persons who might have access to individuals’ health information.” Univ. of Colo. Hosp. Auth. v. Denver Publ’g Co., 340 F. Supp. 2d 1142, 1145 (D. Colo. 2004); see also Logan v. Dep’t of Veterans Affairs, 357 F. Supp. 2d 149, 155 (D.D.C. 2004). 202. 45 C.F.R. § 164.520. 203. 45 C.F.R. § 164.306 (requiring protection of the confidentiality, integrity, and availability of all protected electronic health information). For a discussion of what HIPAA does and does not accomplish, see Mark Rothstein, Currents in Contemporary Ethics: Research Privacy Under HIPAA and the Common Rule, 33 J.L. MED. & ETHICS 154 (2005). 204. E.g., Pollio, supra note 111; Mitchelle C. Pierre, Note: New Technology, Old Issues: The All- Digital Hospital and Medical Information Privacy, 56 RUTGERS L. REV. 541 (2004). 205. 45 C.F.R. § 164.528. 206. A Dose of Bad Medicine, PHILA. |