May 2009 | | Issue 5
Health Management Technology

Consumers Need All of the Facts in the Electronic Health Record Privacy Debate

By David St.Clair

If there was any lingering doubt about the importance of healthcare reform in President Obama's plan to revive the American economy, it was swept away when he addressed congress in February. The president stated very clearly that he wants to see reform initiatives launched this year and that he believes electronic health records (EHR) are central to those efforts.

As the president rightly warned Congress, none of this is going to be easy. One of the main hurdles leaders will face in proliferating EHRs is the ongoing debate about privacy. In fact, roughly two weeks before Mr. Obama's congressional address, the issue was already gaining attention in the national media.

In a CNN report, Campbell Brown and Elizabeth Cohen examined how easy it is for someone to obtain private medical information online using just an individual's Social Security number and date of birth. While the analysis may have been accurate, it was also a bit unfair. Brown and Cohen only made a very brief mention of facts like President Obama's plan to appoint a chief privacy officer and to implement unprecedented privacy controls to safeguard the EHR transformation. Instead they emphasized the more sensational angle that electronic health information just isn't safe. They also seemed to downplay the fact that something as simple as creating a password can significantly protect one's private information.

After years of stewing in health information technology circles, I suspect the privacy issue is going to reach a boil on a much larger scale in the coming months. It is essential that Americans have all of the facts. First, it is an unfortunate truth that there are individuals in the world who are going to try to illegally obtain and misuse private health information. But that doesn't mean we should just write off EHRs as a bad idea. We simply need to be vigilant and proactive in incorporating the highest security measures into the planning process - which the president has done. To borrow an analogy from a close colleague: We don't stop building roads because some people drive drunk; we punish the drunk drivers and continue building roads because of the tremendous benefits they bring to the rest of our law-abiding society. That's the key to health privacy: Identify what we deem to be truly damaging misuses of our information, criminalize it and then enforce the laws. There is too much at stake for the healthcare system and the nation's economy to allow over-dramatized and misperceived weaknesses in EHR security to thwart progress.

Additionally, to make the privacy debate a fair one, we must ask what's more dangerous for us: the possibility of misuse of our information, or the real damage of not using our information at all? Should we put the risks of privacy invasion of a very, very small minority of people ahead of safer, more efficient, more affordable and potentially life-saving health care for virtually everyone? In reality, the only people who stand to be harmed by an unlikely EHR privacy breach are celebrities and other high profile individuals. Thankfully, the same isn't necessarily true for average people like you or me. Even if someone were to steal our private health information, there isn't much they could do with it, other than maybe cause us some personal embarrassment among our family and friends. So we must ask ourselves what we value more: the privacy of healthcare information or the potential for that information to save the lives of those we love?

Consider the example of a loved one being rushed into an emergency room while traveling, far from their normal healthcare facility and provider. The treating physician is forced to base critical treatment decisions on immediate observations and whatever background information he or she is able to obtain from the patient (who may not be lucid). Absent the data an EHR would readily provide - a more complete health history, potential drug interactions, previous tests (and results), possible allergic reactions, etc. - the doctor is left to take measures he thinks are right instead of those he knows are right. Who among us wants to be one of those who learn that a family member's life could have been spared if the physician treating them had only known they had a certain condition or couldn't take a specific drug?

Without question, we must make ensuring privacy a top priority in any plans to implement EHRs. I'm confident that the Obama plan does so and, in fact, I think we'll see even stronger controls than we may have previously imagined. No EHR is going to come with guaranteed safety but I would argue that the risk level is less than that associated with online retail and banking transactions. Unlike with individuals' identity and financial information, there are no criminal enterprises that benefit from stealing personal health information. The public needs to understand this. It is up to those of us in the industry to ensure that the facts are clear and readily available. Hopefully the media will choose to report all of them so that Americans can form opinions based on complete information.

David St.Clair founded MEDecision, a provider of collaborative healthcare management solutions, and has served as its chief executive officer since 1988. You can learn more about MEDecision at Contact David at and follow the company on Twitter at @MEDecision.