AMA Adopts Principles on EMR Breach

In what it describes as an effort "[t]o protect the privacy and security of patients," the American Medical Association (AMA) last week adopted a lengthy report and related principles for physicians to follow in the event a patient's electronic medical record were to be breached.  The new AMA guidelines ask physicians to:

  1. ensure patients are properly informed of the breach and the potential for harm;
  2. follow ethically appropriate procedures for disclosure, including:
    a) confidential disclosure of the breach in a timely manner; and
    b) describing what information was subject to the breach, how the breach happened, corrective actions that have been taken, and steps the patient can take to further minimize adverse consequences;
  3. support responses to security breaches that place the interests of patients above those of physician, medical practice or institution; and
  4. to the extent possible, provide information to patients to enable them to diminish potential adverse consequences of the breach of personal health information.

The report itself states that the "suggestions are not intended to be comprehensive," and it's right -- these general rules raise more questions than they answer:

i) do these suggestions conflict with federal or state law?
ii) might disclosure to a mentally fragile patient not be in the patient's best interest?
iii) how is a physician to know the "potential for harm"?

In particular, that third element -- placing the interests of patients above those of physicians, their practice or hospital -- is going to make this difficult for physicians in the real world to adopt.  What about when the interests are not clear, or the interests of patients conflict?  No answers to these questions are provided by the AMA.

It's not clear why the AMA felt compelled to jump into the EMR fray, given that there's no lack of state or federal regulation or attention at this point.  It's even less clear whether physicians will pay any attention or be able to make sense out of these suggestions.

New Study: Patient Privacy Rules Hamper Adoption of Electronic Medical Records

A recent article from Computerworld reports that, according to a new study conducted by researchers from MIT and the University of Virginia, "EMR [Electronic Medical Record] adoption is often slowest in states with strong regulations for safeguarding the privacy of medical records."  According to the study, in states with "strong privacy laws", the number of hospitals using EMR systems is up to 30% lower than in states with "less stringent privacy requirements."  The study, "which looked at EMR adoption in 19 states over a 10-year period", concludes that the reason for the disparity is that "privacy rules often made it harder and more expensive for hospitals to exchange and transfer patient information, thereby reducing the value of an EMR system."  According to the article, one of the study's authors, Catharine Tucker, stated that "[p]olicy-makers are going to have to choose how much EMR adoption they want and at what cost to patient privacy."

It is worth noting that the study's methodology has been subject to some criticism.  According to the article, Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, said that "the study was based on old data and didn't consider all of the factors that a health care organization would typically look at when deciding whether to adopt an EMR system."  Instead, according to McGraw, the study "looked at whether a state has a medical privacy law and then looked at EMR adoption in that state to draw its conclusions."  Deborah Peel, chair of the Patient Privacy Rights Foundation in Austin, Texas, also criticized the study's conclusions.

Links: