'Sensitive' Health Data, State Health Information Exchanges: Dilemmas Prevail

osh Taylor is an attorney who is now in his 40s with a history of asthma, borderline hypertension, and bipolar disorder, all of which are stable. He sees a psychiatrist three times per year, who prescribes lithium and gets periodic blood tests. He sees his regular physician every year or 2, especially when he has asthma exacerbations. She prescribes an inhaler and, rarely, steroids. Josh is junior partner in his law firm.

Josh is scared. He’s scared of his state’s Health Information Exchange (HIE).

While Josh is actually a fictional character from my book, his situation is very real. When it comes to making decisions about allowing his personal health information to be shared with others, he is balancing three competing interests – privacy, safety, and convenience. And health information exchanges are in the middle of it all.

What were previously Regional Health Information Organizations have morphed into HIEs, organized by geographic, organizational, and payer-based consortia of individuals working together to share health information in an affordable and desirable manner. Some have statewide, government-sponsored HIEs -- like Chesapeake Regional Information System for our Patients or CRISP, which is the state-designated HIE for Maryland. Others have multiple regional HIEs that are still in the process of forming statewide coalitions, such as the New York eHealth Collaborative (NYeHC).

People like Josh are afraid of losing control of their personal health information (PHI) in the mad rush to connect disparate electronic health records (EHRs) to the health information exchanges. Josh wants to ensure that only his primary care physician can see his psychiatric history, to minimize the risk that the stigma that is still attached to mental illness doesn’t affect his job prospects. But neither Maryland nor New York, for example, give individuals control over which records can be accessed by which providers. In fact, they don’t yet have even a simple audit process that permits a consumer to know who has accessed which records and for what purpose. Very few of the HIEs even have a mechanism that allows one to see what records are available.

So, you don’t know what is in there, you don’t know who has accessed it, and you can’t control access based on type of information. HIEs are generally built for physicians and other health care providers, not patients or “consumers.” You can, however, usually control access via a master switch that either shuts off access to everyone or opens access to everything -- all or nothing. Of course, only those with proper authorization are permitted access to your PHI. But for someone with Josh’s concerns, this is cold comfort. 

This is dilemma #1: making the decision to allow access to all one’s records, versus shutting off all access to maximize privacy, while reducing convenience and safety. This is also called “opting out.” A majority of HIEs default to an automatic opt-in status, requiring one to take an action to opt-out of participation in the HIE. Opting out would mean that Josh’s psychiatrist would not find out that his PCP started him on hydrochlorothiazide for his hypertension unless Josh mentioned it or his PCP sends a note to the psychiatrist. Knowing this could prevent an episode of lithium toxicity due to drug interactions. When he shows up in the ER confused and unable to provide a good history due to lithium toxicity, ER physicians would not be able to access his clinical details via the HIE if he has opted out. If he becomes manic, his psychiatrist might not otherwise become aware of the fact that he had been started on a rapid prednisone taper the week before an ER visit for shortness of breath and pneumonia.

Another strategy that some HIEs have discussed is to establish more restrictive access policies for “sensitive health information.” The idea is that certain categories of information, like mental illness, substance abuse, HIV status, domestic violence, and genetic data, be treated differently, with additional safeguards to prevent unauthorized access.

This brings us to dilemma #2: how to determine which PHI should be considered “sensitive.” Some may want their mental health history to marked “sensitive,” while others may want all their health care providers to be aware of this information. Others may feel that all of their PHI should have maximal safeguards and want it all to be “sensitive.” Categorically making mental health and substance abuse information “sensitive” and subject to excessively restrictive protocols may result in unintended consequences. Such a move would likely add to the stigma of mental illness. It would also make it more difficult to share important information among providers. There is already an identified problem of receiving adequate primary care for individuals in the public mental health system, who die prematurely by 25 years or more (Psychiatr. Serv. 2006;57:1482-7). Requiring consumers with mental illness to choose between opting in and opting out requires them to choose between privacy and safety. Other options must be made available.

One of these options involves granular consent policies for HIEs and EHRs. Such policies would provide consumers with the ability to decide for themselves which types of PHI would have extra access restrictions, such as “only my PCP can see my psychiatrist records, while ED physicians cannot see these unless I am unconscious and cannot provide history.”

Another option allows consumers to see what information is available for other providers to view. This, along with robust audit log reporting, might provide a greater sense of trust in the system. Both of these options would hopefully result in lower opt-out rates and a greater sense of involvement in ones own medical care. 

What can you do to help bring about these changes? First, learn about the HIE policies in your region and in your state. Learn about the governance structure, read the meeting minutes, and participate in the decision-making process by writing letters or attending meetings and speaking up. Also let your legislators know that this is an important issue. Second, educate your patients about the privacy and safety issues around HIEs, and discuss their participation status with them. Third, provide clear information to your patients about your participation status with the HIE and understand what their wishes and fears are. Finally, if you have access to your state’s HIE, sit down with your patients and show them how it works and what information is available about them. You are a patient, too, so use the opportunity to understand what your rights and responsibilities are as an HIE participant.

Share your experiences with your HIE by commenting on this article below.

-- Steven R. Daviss, M.D., DFAPA

Dr. Daviss is chair of the department of psychiatry at Baltimore Washington Medical Center, chair of the APA Committee on Electronic Health Records, co-chair of the CCHIT Behavioral Health Work Group, and co-author of Shrink Rap: Three Psychiatrists Explain Their Work, published by Johns Hopkins University Press. He is available on Twitter @HITshrink and at drdaviss@gmail.com.

osh Taylor is an attorney who is now in his 40s with a history of asthma, borderline hypertension, and bipolar disorder, all of which are stable. He sees a psychiatrist three times per year, who prescribes lithium and gets periodic blood tests. He sees his regular physician every year or 2, especially when he has asthma exacerbations. She prescribes an inhaler and, rarely, steroids. Josh is junior partner in his law firm.

Josh is scared. He’s scared of his state’s Health Information Exchange (HIE).

While Josh is actually a fictional character from my book, his situation is very real. When it comes to making decisions about allowing his personal health information to be shared with others, he is balancing three competing interests – privacy, safety, and convenience. And health information exchanges are in the middle of it all.

What were previously Regional Health Information Organizations have morphed into HIEs, organized by geographic, organizational, and payer-based consortia of individuals working together to share health information in an affordable and desirable manner. Some have statewide, government-sponsored HIEs -- like Chesapeake Regional Information System for our Patients or CRISP, which is the state-designated HIE for Maryland. Others have multiple regional HIEs that are still in the process of forming statewide coalitions, such as the New York eHealth Collaborative (NYeHC).

People like Josh are afraid of losing control of their personal health information (PHI) in the mad rush to connect disparate electronic health records (EHRs) to the health information exchanges. Josh wants to ensure that only his primary care physician can see his psychiatric history, to minimize the risk that the stigma that is still attached to mental illness doesn’t affect his job prospects. But neither Maryland nor New York, for example, give individuals control over which records can be accessed by which providers. In fact, they don’t yet have even a simple audit process that permits a consumer to know who has accessed which records and for what purpose. Very few of the HIEs even have a mechanism that allows one to see what records are available.

So, you don’t know what is in there, you don’t know who has accessed it, and you can’t control access based on type of information. HIEs are generally built for physicians and other health care providers, not patients or “consumers.” You can, however, usually control access via a master switch that either shuts off access to everyone or opens access to everything -- all or nothing. Of course, only those with proper authorization are permitted access to your PHI. But for someone with Josh’s concerns, this is cold comfort. 

This is dilemma #1: making the decision to allow access to all one’s records, versus shutting off all access to maximize privacy, while reducing convenience and safety. This is also called “opting out.” A majority of HIEs default to an automatic opt-in status, requiring one to take an action to opt-out of participation in the HIE. Opting out would mean that Josh’s psychiatrist would not find out that his PCP started him on hydrochlorothiazide for his hypertension unless Josh mentioned it or his PCP sends a note to the psychiatrist. Knowing this could prevent an episode of lithium toxicity due to drug interactions. When he shows up in the ER confused and unable to provide a good history due to lithium toxicity, ER physicians would not be able to access his clinical details via the HIE if he has opted out. If he becomes manic, his psychiatrist might not otherwise become aware of the fact that he had been started on a rapid prednisone taper the week before an ER visit for shortness of breath and pneumonia.

Another strategy that some HIEs have discussed is to establish more restrictive access policies for “sensitive health information.” The idea is that certain categories of information, like mental illness, substance abuse, HIV status, domestic violence, and genetic data, be treated differently, with additional safeguards to prevent unauthorized access.

This brings us to dilemma #2: how to determine which PHI should be considered “sensitive.” Some may want their mental health history to marked “sensitive,” while others may want all their health care providers to be aware of this information. Others may feel that all of their PHI should have maximal safeguards and want it all to be “sensitive.” Categorically making mental health and substance abuse information “sensitive” and subject to excessively restrictive protocols may result in unintended consequences. Such a move would likely add to the stigma of mental illness. It would also make it more difficult to share important information among providers. There is already an identified problem of receiving adequate primary care for individuals in the public mental health system, who die prematurely by 25 years or more (Psychiatr. Serv. 2006;57:1482-7). Requiring consumers with mental illness to choose between opting in and opting out requires them to choose between privacy and safety. Other options must be made available.

One of these options involves granular consent policies for HIEs and EHRs. Such policies would provide consumers with the ability to decide for themselves which types of PHI would have extra access restrictions, such as “only my PCP can see my psychiatrist records, while ED physicians cannot see these unless I am unconscious and cannot provide history.”

Another option allows consumers to see what information is available for other providers to view. This, along with robust audit log reporting, might provide a greater sense of trust in the system. Both of these options would hopefully result in lower opt-out rates and a greater sense of involvement in ones own medical care. 

What can you do to help bring about these changes? First, learn about the HIE policies in your region and in your state. Learn about the governance structure, read the meeting minutes, and participate in the decision-making process by writing letters or attending meetings and speaking up. Also let your legislators know that this is an important issue. Second, educate your patients about the privacy and safety issues around HIEs, and discuss their participation status with them. Third, provide clear information to your patients about your participation status with the HIE and understand what their wishes and fears are. Finally, if you have access to your state’s HIE, sit down with your patients and show them how it works and what information is available about them. You are a patient, too, so use the opportunity to understand what your rights and responsibilities are as an HIE participant.

Share your experiences with your HIE by commenting on this article below.

-- Steven R. Daviss, M.D., DFAPA

Dr. Daviss is chair of the department of psychiatry at Baltimore Washington Medical Center, chair of the APA Committee on Electronic Health Records, co-chair of the CCHIT Behavioral Health Work Group, and co-author of Shrink Rap: Three Psychiatrists Explain Their Work, published by Johns Hopkins University Press. He is available on Twitter @HITshrink and at drdaviss@gmail.com.

osh Taylor is an attorney who is now in his 40s with a history of asthma, borderline hypertension, and bipolar disorder, all of which are stable. He sees a psychiatrist three times per year, who prescribes lithium and gets periodic blood tests. He sees his regular physician every year or 2, especially when he has asthma exacerbations. She prescribes an inhaler and, rarely, steroids. Josh is junior partner in his law firm.

Josh is scared. He’s scared of his state’s Health Information Exchange (HIE).

While Josh is actually a fictional character from my book, his situation is very real. When it comes to making decisions about allowing his personal health information to be shared with others, he is balancing three competing interests – privacy, safety, and convenience. And health information exchanges are in the middle of it all.

What were previously Regional Health Information Organizations have morphed into HIEs, organized by geographic, organizational, and payer-based consortia of individuals working together to share health information in an affordable and desirable manner. Some have statewide, government-sponsored HIEs -- like Chesapeake Regional Information System for our Patients or CRISP, which is the state-designated HIE for Maryland. Others have multiple regional HIEs that are still in the process of forming statewide coalitions, such as the New York eHealth Collaborative (NYeHC).

People like Josh are afraid of losing control of their personal health information (PHI) in the mad rush to connect disparate electronic health records (EHRs) to the health information exchanges. Josh wants to ensure that only his primary care physician can see his psychiatric history, to minimize the risk that the stigma that is still attached to mental illness doesn’t affect his job prospects. But neither Maryland nor New York, for example, give individuals control over which records can be accessed by which providers. In fact, they don’t yet have even a simple audit process that permits a consumer to know who has accessed which records and for what purpose. Very few of the HIEs even have a mechanism that allows one to see what records are available.

So, you don’t know what is in there, you don’t know who has accessed it, and you can’t control access based on type of information. HIEs are generally built for physicians and other health care providers, not patients or “consumers.” You can, however, usually control access via a master switch that either shuts off access to everyone or opens access to everything -- all or nothing. Of course, only those with proper authorization are permitted access to your PHI. But for someone with Josh’s concerns, this is cold comfort. 

This is dilemma #1: making the decision to allow access to all one’s records, versus shutting off all access to maximize privacy, while reducing convenience and safety. This is also called “opting out.” A majority of HIEs default to an automatic opt-in status, requiring one to take an action to opt-out of participation in the HIE. Opting out would mean that Josh’s psychiatrist would not find out that his PCP started him on hydrochlorothiazide for his hypertension unless Josh mentioned it or his PCP sends a note to the psychiatrist. Knowing this could prevent an episode of lithium toxicity due to drug interactions. When he shows up in the ER confused and unable to provide a good history due to lithium toxicity, ER physicians would not be able to access his clinical details via the HIE if he has opted out. If he becomes manic, his psychiatrist might not otherwise become aware of the fact that he had been started on a rapid prednisone taper the week before an ER visit for shortness of breath and pneumonia.

Another strategy that some HIEs have discussed is to establish more restrictive access policies for “sensitive health information.” The idea is that certain categories of information, like mental illness, substance abuse, HIV status, domestic violence, and genetic data, be treated differently, with additional safeguards to prevent unauthorized access.

This brings us to dilemma #2: how to determine which PHI should be considered “sensitive.” Some may want their mental health history to marked “sensitive,” while others may want all their health care providers to be aware of this information. Others may feel that all of their PHI should have maximal safeguards and want it all to be “sensitive.” Categorically making mental health and substance abuse information “sensitive” and subject to excessively restrictive protocols may result in unintended consequences. Such a move would likely add to the stigma of mental illness. It would also make it more difficult to share important information among providers. There is already an identified problem of receiving adequate primary care for individuals in the public mental health system, who die prematurely by 25 years or more (Psychiatr. Serv. 2006;57:1482-7). Requiring consumers with mental illness to choose between opting in and opting out requires them to choose between privacy and safety. Other options must be made available.

One of these options involves granular consent policies for HIEs and EHRs. Such policies would provide consumers with the ability to decide for themselves which types of PHI would have extra access restrictions, such as “only my PCP can see my psychiatrist records, while ED physicians cannot see these unless I am unconscious and cannot provide history.”

Another option allows consumers to see what information is available for other providers to view. This, along with robust audit log reporting, might provide a greater sense of trust in the system. Both of these options would hopefully result in lower opt-out rates and a greater sense of involvement in ones own medical care. 

What can you do to help bring about these changes? First, learn about the HIE policies in your region and in your state. Learn about the governance structure, read the meeting minutes, and participate in the decision-making process by writing letters or attending meetings and speaking up. Also let your legislators know that this is an important issue. Second, educate your patients about the privacy and safety issues around HIEs, and discuss their participation status with them. Third, provide clear information to your patients about your participation status with the HIE and understand what their wishes and fears are. Finally, if you have access to your state’s HIE, sit down with your patients and show them how it works and what information is available about them. You are a patient, too, so use the opportunity to understand what your rights and responsibilities are as an HIE participant.

Share your experiences with your HIE by commenting on this article below.

-- Steven R. Daviss, M.D., DFAPA

Dr. Daviss is chair of the department of psychiatry at Baltimore Washington Medical Center, chair of the APA Committee on Electronic Health Records, co-chair of the CCHIT Behavioral Health Work Group, and co-author of Shrink Rap: Three Psychiatrists Explain Their Work, published by Johns Hopkins University Press. He is available on Twitter @HITshrink and at drdaviss@gmail.com.