A survey of 1,000 U.S. patients who had recently visited both a doctor's office and a hospital found that half of the respondents were concerned that electronic health records (EHRs) will harm the privacy of their health data. The top concern was that their personal health information would end up on the Internet.
In the survey, which will be released next month by CDW Healthcare, a technology products and services company, 49% of respondents thought that EHRs will have a negative impact on the privacy of their health data and personal information.
Their top concern (35%) was that their personal health information (PHI) would end up widely available on the Internet. In addition, 22% were worried that criminals may use their PHI for blackmail or identity theft.
All 1,000 of those surveyed had been to both a doctor's office and a hospital or outpatient facility in the previous 18 months; the age and gender distribution of the sample mirrors that of the overall population, according to CDW.
"This year, many healthcare organizations are driving to implement EHRs in order to capture early-adoption incentive payments from the federal government," Bob Rossi, vice president of CDW Healthcare, told DrBicuspid.com. "We wanted to understand who patients trust to manage their personal health information, how they perceive EHRs, and what healthcare organizations need to do to prepare for the new security requirements created by the transition to EHRs."
While many are wary of EHRs, fewer have reservations about the trustworthiness of their doctors and healthcare facilities when it comes to handling and protecting their information.
"The good news is that most patients trust their doctors to use their information in the patient's best interest," Rossi explained.
Indeed, 83% of those surveyed responded this way, but they also expect healthcare organizations to protect information: 86% hold these organizations primarily responsible for safeguarding their data. At 89%, confidence in hospitals' and outpatient facilities' ability to secure information is high.
The number is curious in light of how many think that EHRs will negatively impact privacy, and it may reveal a lack of understanding about the technology among the general public. But are the doubts they harbor about security justified?
"Violations are possible and a legitimate concern, as much as you would be concerned about your banking data or any other information such as your e-mail or Facebook account," Ben Shneiderman, PhD, a University of Maryland computer science professor and founding director of the Human Computer Interaction Laboratory, told DrBicuspid.com. "But there are strong legal and technical protections in place, so much so that it makes it difficult for researchers to use the data."
Some of those legal protections could impact practitioners. The Health Information Technology for Economic and Clinical Health (HITECH) Act, an aspect of the American Recovery and Reinvestment Act, gives state attorneys general the ability to bring action, including substantial fines and criminal liability, against healthcare organizations on behalf of citizens for data breaches.
The survey found that many individuals have been impacted by breaches in other industries. "Fifty percent indicated that a business or other organization had already notified them about the potential or actual loss or theft of their personal data," Rossi noted.
When it comes to the security of their electronic data, many medical practices still have a long way to go, he added.
"According to CDW Healthcare's December report, the 'Physician Practice EHR Price Tag,' 30% of practices do not use basic antivirus software and 34% do not use firewalls," Rossi said. "These technologies are baseline requirements for the protection of patient data."
Rossi recommends immediately addressing those requirements, then working with a trusted partner to gain an understanding of what a practice's security profile currently is. The next step is to implement IT security policies and practices specific to the practice's EHR solution.
"This ensures that as patient data go digital, security protections are already in place," Rossi explained.
Medicaid or Medicare penalties for not implementing EHR systems begin in 2015.