Privacy or savings?

Americans have less control, says new study comparing U.S. and EU health care privacy laws

Pamplin College of Business professor Janine Hiller

Electronic health records can potentially save billions of dollars in health care costs and increase patient safety, but they pose considerable risks to individual privacy in the United States, more so than in the European Union, says a new study co-authored by Pamplin business law professor Janine Hiller.

“EU countries have adopted electronic health records and systems, or EHRs, and legally protected privacy at the same time,” Hiller says. EHRs include a wide range of patient medical information collected in digital format and accessible via computer, most often over a network.

Fixing a troubled system

Strengthening the legal and technical safeguards, she says, would significantly minimize the privacy and security risks and address public concerns in the U.S. about EHRs. Her study examines the benefits and drawbacks of EHRs and the adequacy of U.S. laws to meet the challenges posed by the privacy risks and concerns, and compares the EU’s legal approach to EHRs.

The U.S. legal framework for health care privacy, she says, is “a hodgepodge of constitutional, statutory, and regulatory law at the federal and state levels.” Differing and conflicting state privacy laws led to the enactment of the federal Health Insurance Portability and Accountability Act of 1996, which was amended by the Health Information Technology for Economic and Clinical Health Act of 2009.

Working at the intersection of complex issues

Hiller and her co-authors believe that though federal efforts to protect privacy seem to be a step up from inconsistent state laws, Americans currently still “have no real control over the collection of sensitive medical information if they want to be treated,” in contrast to the choice accorded to EU residents.

Hiller, a business law professor, does research that is at the intersection of electronic communications technologies, law, public policy, and privacy, security, and trust issues. She is the lead author of the comparative study, which was co-written with Matthew McMullen, a former program director of the Office of International Research, Education, and Development at Virginia Tech; Wade Chumney, of the Georgia Institute of Technology; and David Baumer, of North Carolina State University.

At Lund University in Sweden on a Fulbright, Janine Hiller furthered her research on EHR systems in Sweden and the EU.

Getting the broad perspective

Their study, she stresses, is the “30,000-foot perspective,” an effort to understand a very complex issue by starting at the broad goals and principles.

“The main difference between the two approaches is with the locus of control. In the U.S. system, the patient has little, if any, power in reality. Our legal framework facilitates sharing without empowering the patient.”

Americans have access to their medical records, she notes, and can request that errors be corrected. But they have limited individual power to require corrections or prohibit information sharing and must rely on the good intentions and decisions of the health organization.

Patient rights vary among countries, regions

In contrast, Hiller points out, the EU emphasizes patient control — “the individual has the almost absolute right not to allow sharing of personal health information across systems.” Moreover, she says, “the EU places emphasis on pursuing ways to protect personal privacy — such as creating modules for information that can be segregated from particularly sensitive information.”

Her study also found similarities between the U.S. and EU. One is in the area of patient redress. As individuals, patients in the U.S. have no legal recourse if their health information is lost, stolen, or misused. They may complain to the Department of Health and Human Services, she says, but “that is not much consolation.”

EU patients also cannot take legal action individually, and though they can call on “data inspectors” to act on their behalf, she notes that this is not a simple process. In both the U.S. and the EU, she says, “a stronger accountability framework is needed.”

Role of EHRs will grow

Hiller notes that recent studies suggest that EHRs are currently used in less than one fifth of doctors’ offices in the U.S.; however, a 2004 government plan proposed implementing EHRs for the majority of Americans by 2014. “The current emphasis on and incentives to use health information technologies suggest that the timetable for implementing EHRs could be moved up.”

EHRs, she says, may offer many benefits: significant cost savings in storing, processing, and transmitting health care records; fewer medical errors; and improved quality of care.

Patient trust is at stake

“But do those promised benefits mean we should overlook the potential threats to individual privacy? Health information is considered by most people to be among the most private kind of information. If individuals do not feel that they have control over the sharing of their medical information, they may be less inclined to trust their doctor or health system and therefore could decide not to be completely honest — which would be detrimental to their own health and the purpose of an EHR.”

While at Lund University in Sweden on a Fulbright professorship last year, Hiller had the opportunity to expand her research and study EHR systems in Sweden and the EU. Patients in Sweden, she learned, would not give health information to their doctors if they felt that they had no control over the sharing of their records.


Privacy must be part of the debate

Coauthor Matthew McMullen notes that weak privacy and security controls can encourage medical identity theft, considered by some government officials to be the fastest growing form of identity theft. “Medical identity theft harms not only patients, but all taxpayers and citizens, as it is the foundation for many false claims filed for reimbursement under various government and private insurance plans,” he says.

Their study, Hiller says, makes it clear that the privacy issue should be central to any discussion of EHR implementation in the U.S. and the technical and policy framework that guides it. Her recent research in Sweden, she says, showed her “that the legal and technical frameworks cannot stand alone; that they should be developed hand in hand in order to design systems that will effectively protect patient privacy.”

Until then, she says, “public confidence and trust in EHRs is unlikely.”

“Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared” is in the current (winter 2011) issue of the Journal of Science & Technology Law.
