Electronic health record: political issues and privacy

1 Keynotes
In my speech concerning the Electronic health record, hereafter EHR, I will focus on four keynotes. What is an EHR? Which values does the balancing test of an EHR take into account? Which legal systems will be considered here? Are there any questions, still open and unresolved, in those systems?

2 What is an electronic health record?
First of all, we need to clarify what an EHR is. It may be defined as a dynamic digital storage of a patient’s medical history, which keeps a record of all his past health data and is continuously updated with all the data related to his medical treatments.
Its benefits consist of cost saving and efficiency of healthcare, because every time the patient needs a medical treatment the doctor will not have to reconstruct his previous medical history. A few clicks are sufficient to have it fully displayed.
We must complete the definition, remembering its potential advantages for patients and public health.
Furthermore, the variability of health care may be reduced by the use of data. In fact, EHR promotes the adoption of a common model of healthcare, which could be delivered to a broad patient base, assuring more informed clinical decisions and improving the tracking of patient-physician communication. In such a way, EHR tends to reduce the probability of human errors in the treatments. It has also been noted that EHR may help in determining provider performance outcomes, monitoring chronic diseases, monitoring medication adherence and promoting safety metrics.
To sum up, EHR is coherent with the public goal of cost saving and increasing the medical system’s efficiency. However, it should be said that cost saving and efficiency could only be obtained if all, or nearly all, health care organizations participate in sharing EHRs.
The benefits described above should be weighed against the risk that the same technology could undermine the guarantees of privacy and decrease the security of sensitive personal data.
Now I will delve into these disadvantages. The risk concerning privacy is twofold. The first risk is that the patient’s consent may not be given in absolute freedom and awareness, because he does not pay enough attention, does not fully understand, or fears that a denial of consent may result in a less adequate treatment. The second risk is due to the possibility of medical identity theft, inadequate security systems and widespread data-sharing. To this it must be added that, should the vendors of EHR software go out of business, the patient may not know what will happen to his data.
I want to draw your attention to this latter circumstance. The vendors of EHR software have privacy policies completely inconsistent with the privacy demands of patients. “Only two of thirty vendors describe what would happen to consumers’ data if vendors were sold or went out of business”.
The transition from paper to EHR and the storage of information in electronic databases have exponentially increased the number of patient records exposed to the risk of theft, opening the door to massive damage to privacy. Therefore, the success of a widespread use of EHR requires that the risks to privacy and security be mitigated, and the patients’ confidence in the digitalization system be strengthened. Only by acting on these two levers are the aforementioned benefits likely to be achieved.

3 Which values does the balancing test of electronic health record take into account?
Moving on to the second point of my reasoning: which values does the balancing test of EHR take into account?
We have before us two competing values: on one side, the right to health, consisting of receiving the best, most efficient and least expensive treatment available.
On the opposite side, the patient’s right to privacy, i.e. that sensitive health data be kept confidential unless data-sharing or data-transfer be permitted upon the patient’s express, free and informed consent, which may at any moment be withdrawn.
There is no doubt that a better and more efficient health care may be provided through EHR. But it is also clear that massive use of EHR may endanger the patients’ privacy. The central issue for a policymaker is therefore the search for an appropriate balance. This is a political choice, even though it is strictly intertwined with technical issues, which may per se be neutral, but are nevertheless oriented by the policymaker.
The solution varies from State to State, and this confirms its nature as a political issue. Some States have strongly privileged the efficiency of the health care system over the reasons of privacy; other States have chosen the opposite path. I will try later on, in the final steps of my reasoning, to suggest a third way.

4 The USA system
We will now consider two different approaches to the balancing test we referred to above: USA and EU.
In Whalen v. Roe, 429 U.S. 589, 603-04 (1997), the US Supreme Court recognized a limited constitutional right to individual privacy with respect to information held in governmental databases. More recently, the Supreme Court has moved towards a new dimension and a stronger protection of privacy, applicable to the collection and transmission of digital data (United States v. Jones, 565 U.S. ____ (2012), n. 10-1259, January 23, 2012). In Riley v. California, n. 13-132, June 25, 2014, the Court held that police may not, without a specific warrant, search digital information on a cell phone seized from an individual who has been arrested. As a general principle, the owner of the data does not lose his right over his personal sphere by virtue of the fact that the data are collected or held by a public body, because the focus is on the expectation of the private owner. We may infer that, if he has a “reasonable expectation” that the public body should keep the data confidential, any transfer without his consent to a third party is a breach of his right to privacy.

The USA federal regulation of EHR must be measured against the basic constitutional requirements as defined above. It must be understood that the federal regulation is also aimed at harmonizing different state regulations, the variation and lack of uniformity of which hinder.
However, the impact of Federal regulation in harmonizing protections throughout the nation has expanded.
In the time I have been allowed here, I can only give you a general overview, without delving into details. Therefore, I will mention four key points: consent, data sharing, correction of errors and compensation for breaches of privacy.

a) Consent follows an opt-out approach; in other words, the patient need not necessarily say an explicit yes, because his silence is equivalent ex lege to a tacit consent, which can subsequently be withdrawn.
b) Data sharing is in principle prohibited without consent, but the exceptions are so many that the existence of an effective general rule may be questioned.
c) Correction: should the patient disagree with his EHR data, he is not entitled to a correction, but only has a right that his disagreement be mentioned in the EHR. So, too much noise for nothing!
d) Compensation: in case of breach of privacy for any reason – theft of data, illegal sharing or other events – the patient has no direct civil action against the person or body infringing his fundamental right. He can apply to the Department of Health, which has jurisdiction to bring a civil action to enforce the law and to seek penalties for violations. We also have to consider that if the vendor of the software has not invested in the security system of the software, and the weak protection of data opens the door to theft, the vendor is not deemed to be liable. Therefore, there is no incentive to make the system more secure. This framework has been changing thanks to the increased civil and criminal penalties, and the activism of state attorneys general and of the Department of Health. These are clear signs of growing political and legal attention, but the goal of promoting new confidence among patients in the digitalization of sensitive data has yet to be reached.

At the same time, we still have two different approaches competing: one side upholding the patient’s rights to give express consent, to be informed, to correct errors because he should have total control over his personal health record, and to ensure that information he wishes to be kept private is really kept confidential; the other side claiming that “too much patient control could hamper a patient’s health in a medical emergency”.
Therefore, although the basic law, HIPAA, has been amended towards a stronger protection of privacy, there is still a long way to go. A bill of rights has been set out: it includes the right to fully access the patient’s health data, the right to accurate information about any disclosure, and legal aid in the event that a breach has caused harm. Up to now, it may appear as wishful thinking.

5 The European Union system
Now it is time to give you a comprehensive view of the European approach to EHR.
First of all, we should point out that the USA and EU legal systems are quite different, especially as far as privacy is concerned. We have already seen that the USA has mostly kept privacy within the narrow limits of an immaterial property right; in the European context privacy is considered a fundamental right, and as such inalienable and indispensable. Nevertheless, we find significant similarities between the USA and EU approaches to EHR.
We may recall the definition adopted by the Working Group art. 29, the European independent advisory board: “A comprehensive medical record or similar documentation of the past and present physical and mental state of health of an individual in electronic form and providing for ready availability of these data for medical treatment and other closely related purposes.” This formula closely resembles the American experience. Also, there is no doubt that all data contained in medical documentation and in electronic health records should be considered “sensitive personal data”. We find here another point of contact with the USA. But, as a consequence, in the EU such data are not only subject to all the general rules on the protection of personal data in the Directive, but are in addition subject to the special data protection rules on the processing of sensitive information contained in Article 8 of the Directive.
These two different approaches give rise to different legal regimes, and here I will show how the USA and EU models prove to be different in significant respects.
a) The issue of consent.
In Europe, consent must be freely given, specific and informed, but first of all it must be explicit. Opt-out solutions will not meet the requirement of being ‘explicit’ because they lack a declaration of intent. I want only to remind you of the opposite American solution.
Here the owner of health data must be aware that he is renouncing special protection. Written consent is, however, not required. So in the digital context clicking on a box could be enough. We have many criticisms of this system, which does not offer adequate protection, but for reasons of time I will refer to my paper under publication.
As for ‘free’ consent, it means a voluntary decision, by an individual in possession of all of his faculties, taken in the absence of coercion of any kind, be it social, financial, psychological or other. Any consent given under the threat of non-treatment or lower quality treatment in a medical situation cannot be considered as ‘free’. Consent given by a data subject who has not had the opportunity to make a genuine choice or has been presented with a fait accompli cannot be considered to be valid.
b) Data sharing.
From the European point of view, if data are used by a doctor other than the one who first collected them, must the second doctor obtain a new consent? The answer lies in the ‘specific’ consent required by Directive 95/46: it must relate to a well-defined, concrete situation in which the processing of medical data is envisaged. Therefore a ‘general agreement’ of the data subject, e.g. to the collection of his medical data for an EHR and to subsequent transfers of these medical data of the past and of the future to health professionals involved in treatment, would not constitute consent in the terms of Article 2 (h) of Directive 95/46. Recall the wide possibility of use of the data by any health professional other than the first that is allowed by the USA system, as explained above.

c) The issue of the transfer of data to a third country.
Here art. 25, par. 2, of the same Directive allows the transfer provided that the receiving country provides adequate safeguards. Given that in legal terms ‘adequate’ can mean less than equivalent or, better, the same safeguards, the basic issue is that the European Commission is charged with evaluating the degree of this adequacy. To close the reasoning, the Court of Justice has recently stated that this evaluation can be challenged before a judge (Court of Justice, C-362/14, Maximillian Schrems v. Data Protection Commissioner).
d) Correction of error on data.
Remaining in the European context, article 12 of the Directive quoted above provides data subjects with the ability to check the accuracy of the data and to ensure that the data are kept up to date. These rights, of course, fully apply to the collection of personal data in EHR systems. Therefore, all the information about how data are collected, the specific purpose and the persons entitled to access them serves to allow the owner to access his data in order to check their accuracy. In the case of error, the owner has the right to have his data rectified. It is evident that on this issue too Europe has chosen the opposite solution to the American one; the latter allows the patient to include his dissent in the record, which remains unchanged. This makes the patient’s annotation completely useless for the purposes of his right to self-determination.
e) Compensation for breach of privacy.
In case of breach of privacy, for any cause, the European Directive provides a complete system of compensation. It is composed of civil and criminal remedies and also recourse to an Independent Authority. The Directive, in line with its nature, does not choose which kinds of action are available to the patient, but charges each Member State with fulfilling this obligation. In other words, the States are mandated to draw up a complete and efficient system for the restoration of patrimonial damages, as well as actions able to prevent and avoid further breaches of privacy. The distance from the above-mentioned USA solution is so evident that it is nearly useless to underline it further.

6 Open issues and possible solutions
A new regulation is in the process of being approved to replace Directive 95/46. To sum up the core of the new corpus of norms, they have stated the ambitious intention to strengthen the protection of privacy connected to digital society, but they have left this intention to the Consideranda, while the new norms go in the opposite direction. As an example, sharing medical data is not possible now without a new consent of the patient. This would become possible with the new regulation because art. 5 provides that the data can be used not only for the specific initial purpose, but also for further medical purposes, provided that they are compatible with the original one.
I think the two systems, although considerably different, share a common problem. They do not provide efficient security systems for data, especially now that the data are collected in the cloud. It follows that an insecure cloud results in a massive risk for privacy.
This may well undermine the success of the entire operation because patients will not have confidence in the system and therefore will refuse their consent. Since the benefits of EHR depend on a generalized use of it, if a significant number of patients lose confidence and deny their consent the whole system of digitized medical history may turn into a failure.
Thus, two different ideological concepts of privacy between USA and EU may not be a real problem. Rather I think that both systems still face three major issues that remain unresolved.
The question of confidentiality refers to the process that ensures that information is accessible only to those authorised to have access to it.
The question of integrity calls for the duty to ensure that information is accurate and is not modified in an unauthorised fashion.
The question of availability requires that information is accessible and useable only upon demand by an authorised entity.
On both sides of the ocean the debate has been focused on privacy. But the profile of the CIA (confidentiality, integrity and availability) and the issue whether CIA standards should be regulated by industries or policy makers have been underestimated.
These are the real issues upon which the success of EHR depends rather than a different theoretical construction of the right to privacy.

