A fair amount of attention is appropriately being focused on the need to maintain appropriate access controls on electronic health record systems and other sources containing personal health information. Among the HIPAA privacy provisions that were strengthened by the Health Information Technology for Clinical and Economic Health (HITECH) Act portion of the Recovery Act is the requirement that covered entities be able to provide an "accounting of disclosures" of personal health information to patients that request one. Prior to HITECH, the rules for recording disclosures included an exception for data disclosures associated with routine uses such as treatment and payment, meaning for instance that a provider didn't have to record the fact a patient's health record was being looked at in order to make a diagnosis or evaluate a treatment option, or to work out reimbursement details with an insurance provider covering the patient's care. HITECH removed these exceptions so that now an accounting of disclosures must include those for all purposes. There remains some concern however that unless comprehensive record logging is used, that instances where a record is accessed (viewed) and merely read, rather than used in some type of transaction, may not be recorded. A big driver for concerns about incomplete tracking of accesses of patient data is the fear that personal information will be viewed by individuals other than the practitioners, billing administrators, or others who have a valid reason for accessing the records. Public opinion polls cited by health privacy advocates suggest that a majority of Americans are not confident that their health records will remain confidential if they are stored online.
What is lost in much of this discussion is that the problem of inappropriate access to personal health information is not only not limited to electronic forms of record keeping, but is just as relevant to paper-based records. BBC News reported this week the results of a British National Health Service (NHS) inquiry made by the privacy and civil liberties advocacy group Big Brother Watch, which suggested that more than 100,000 non-medical staff currently have access to personal medical records stored by the NHS trusts in the U.K. The records involved include those in both paper and electronic form, but the British Department of Health implied in its response to Big Brother Watch claims that the growing use of EHR systems will enable stricter access controls. It is a plausible argument, depending on the record-keeping environment in question, that by digitizing health records and applying access controls to the electronic systems, data can be more protected than if it is kept in paper form. For records maintained in used only in local provider environments, electronic access controls might be preferable to physical security mechanisms used to secure paper records. However, once an electronic records are put online or made available for health information exchange, the population of individuals potentially gaining access to the data in EHRs will far exceed the number of employees and other individuals who might feasibly gain physical access to paper records.