Josh Taylor is an attorney who is now in his 40s with a history of asthma, borderline hypertension, and bipolar disorder, all of which are stable. He sees a psychiatrist three times per year, who prescribes lithium and gets periodic blood tests. He sees his regular physician every year or 2, especially when he has asthma exacerbations. She prescribes an inhaler and, rarely, steroids. Josh is a junior partner in his law firm.
Josh is scared. He’s scared of his state’s Health Information Exchange (HIE).
While Josh is actually a fictional character from my book, his situation is very real. When it comes to making decisions about allowing his personal health information to be shared with others, he is balancing three competing interests – privacy, safety, and convenience. And health information exchanges are in the middle of it all.
What were previously Regional Health Information Organizations have morphed into HIEs, organized by geographic, organizational, and payer-based consortia of individuals working together to share health information in an affordable and desirable manner. Some states have statewide, government-sponsored HIEs -- like the Chesapeake Regional Information System for our Patients, or CRISP, which is the state-designated HIE for Maryland. Others have multiple regional HIEs that are still in the process of forming statewide coalitions, such as the New York eHealth Collaborative (NYeHC).
People like Josh are afraid of losing control of their personal health information (PHI) in the mad rush to connect disparate electronic health records (EHRs) to the health information exchanges. Josh wants to ensure that only his primary care physician can see his psychiatric history, to minimize the risk that the stigma still attached to mental illness affects his job prospects. But neither Maryland nor New York, for example, gives individuals control over which records can be accessed by which providers. In fact, they don’t yet have even a simple audit process that permits a consumer to know who has accessed which records and for what purpose. Very few of the HIEs even have a mechanism that allows one to see what records are available.
So, you don’t know what is in there, you don’t know who has accessed it, and you can’t control access based on type of information. HIEs are generally built for physicians and other health care providers, not patients or “consumers.” You can, however, usually control access via a master switch that either shuts off access to everyone or opens access to everything -- all or nothing. Of course, only those with proper authorization are permitted access to your PHI. But for someone with Josh’s concerns, this is cold comfort.
This is dilemma #1: making the decision to allow access to all one’s records, versus shutting off all access to maximize privacy, while reducing convenience and safety. This is also called “opting out.” A majority of HIEs default to an automatic opt-in status, requiring one to take an action to opt out of participation in the HIE. Opting out would mean that Josh’s psychiatrist would not find out that his PCP started him on hydrochlorothiazide for his hypertension unless Josh mentioned it or his PCP sent a note to the psychiatrist. Knowing this could prevent an episode of lithium toxicity due to drug interactions. When he shows up in the ER confused and unable to provide a good history due to lithium toxicity, ER physicians would not be able to access his clinical details via the HIE if he has opted out. If he becomes manic, his psychiatrist might not otherwise become aware of the fact that he had been started on a rapid prednisone taper the week before an ER visit for shortness of breath and pneumonia.
Another strategy that some HIEs have discussed is to establish more restrictive access policies for “sensitive health information.” The idea is that certain categories of information, like mental illness, substance abuse, HIV status, domestic violence, and genetic data, be treated differently, with additional safeguards to prevent unauthorized access.
This brings us to dilemma #2: how to determine which PHI should be considered “sensitive.” Some may want their mental health history to be marked “sensitive,” while others may want all their health care providers to be aware of this information. Others may feel that all of their PHI should have maximal safeguards and want it all to be “sensitive.” Categorically making mental health and substance abuse information “sensitive” and subject to excessively restrictive protocols may result in unintended consequences. Such a move would likely add to the stigma of mental illness. It would also make it more difficult to share important information among providers. There is already an identified problem of receiving adequate primary care for individuals in the public mental health system, who die prematurely by 25 years or more (Psychiatr. Serv. 2006;57:1482-7). Requiring consumers with mental illness to choose between opting in and opting out requires them to choose between privacy and safety. Other options must be made available.