Is Your EMR Compromising Patient Privacy?

Two prominent physicians this week pointed out a basic but, in the era of information as a commodity, sometimes overlooked truth about EMRs: They increase the number of people with access to your medical data thousands of times over.

Dr. Mary Jane Minkin said in a Wall Street Journal video panel on EMR and privacy that she dropped out of the Yale Medical Group and Medicare because she didn’t want her patients’ information to be part of an EMR.

She gave an example of why: Minkin, a gynecologist, once treated a patient for decreased libido. When the patient later visited a dermatologist in the Yale system, that sensitive bit of history appeared on a summary printout.

“She was outraged,” she told Journal reporter Melinda Beck. “She felt horrible that this dermatologist would know about her problem. She called us enraged for 10 or 15 minutes.”

Dr. Deborah Peel, an Austin psychiatrist and founder of the nonprofit group Patient Privacy Rights, said she’s concerned about the number of employees, vendors and others who can see patient records. Peel is a well-known privacy advocate but has been accused by some health IT leaders of scaremongering.

“What patients should be worried about is that they don’t have any control over the information,” she said. “It’s very different from the paper age where you knew where your records were. They were finite records and one person could look at them at a time.”

She added: “The kind of change in the number of people who can see and use your records is almost uncountable.”

Peel said the lack of privacy causes people to delay or avoid treatment for conditions such as cancer, depression and sexually transmitted infections.

But Dr. James Salwitz, a medical oncologist in New Jersey, said on the panel that the benefits of EMR, including greater coordination of care and reduced likelihood of medical errors, outweigh any risks.

The privacy debate doesn’t have clear answers. Paper records are, of course, not immune to being lost, stolen or mishandled.

In the case of Minkin’s patient, protests aside, it’s reasonable for each physician involved in her care to have access to the complete record. While she might not think certain parts of her history are relevant to particular doctors, spotting non-obvious connections is an astute clinician’s job. At any rate, even without an EMR, the same information might just as easily have landed with the dermatologist via fax.

That said, privacy advocates have legitimate concerns. Since it’s doubtful that healthcare will go back to paper, the best approach is to improve EMR technology and the procedures that go with it.

Plenty of work is underway.

For example, at the University of Texas at Arlington, researchers are leading a National Science Foundation project to keep healthcare data secure while ensuring that the anonymous records can be used for secondary analysis. They hope to produce groundbreaking algorithms and tools for identifying privacy leaks.

“It’s a fine line we’re walking,” Heng Huang, an associate professor at UT’s Arlington Computer Science & Engineering Department, said in a press release this month. “We’re trying to preserve and protect sensitive data, but at the same time we’re trying to allow pertinent information to be read.”

When it comes to balancing technology with patient privacy, healthcare professionals will be walking a fine line for some time to come.

About the author

James Ritchie

James Ritchie is a freelance writer with a focus on health care. His experience includes eight years as a staff writer with the Cincinnati Business Courier, part of the American City Business Journals network. Twitter @HCwriterJames.


  • No kidding, this is one of the many hesitations patients have.

    This can become a de-facto national registry of YOU.

    Anyone who doesn’t think their info could be used against them at some point is living in la la land.

    At a more basic level, when I was sitting in on a meeting of the “hub” in our area early on, the leaders were bragging about how much money they would be able to bring in selling all of this info for research.

    I’m sure they meant to say de-identified info, but still, I asked if they were going to have to mention this selling fact on the release form.

    Needless to say I was not asked back to any meetings….

  • “It’s very different from the paper age where you knew where your records were. They were finite records and one person could look at them at a time.”

    I think this is a rather myopic view of things in my opinion. Much of the work our organization does interfaces with the child welfare system, as well as the Family Court system and Local Education Agencies – I can tell you from personal experience that paper information is just as rampantly accessible once it leaves us as the CE, even pursuant to a valid authorization. I am actually more concerned about the trajectory of paper records in that at least with ePHI, we can monitor access and releases of information through electronic logs. This doesn’t necessarily solve the issue of re-dissemination, but at least we have somewhat of a line of sight once information leaves our agency.

  • Benefits/Risks of EHRs Can’t be Weighed Without Map of Hidden Flows of PHI

    Hi James: It is impossible to weigh the ‘benefits’ of unlimited, hidden health data disclosures via EHRs and HIT vs. the ‘risks’ of using electronic health systems and data exchanges when we have no way of knowing what all the risks are!

    We have no map that tracks all the hidden disclosures of health data to secondary, tertiary, quaternary, etc, etc users. It’s crazy that we have no ‘chain of custody’ for our personal health data.

    How can anyone make an informed decision about using EHRs/HIT when there is no map to track the 100s-1000s-1,000,000s of places our personal health information, from prescriptions to DNA to diagnoses, ends up?

    Take a look at and explore this website:
    • Harvard Professor Latanya Sweeney is leading this project to map the hidden flows of health data.
    • Patient Privacy Rights is a sponsor. Not only is it impossible for individuals to make an informed decision about the risks and benefits of using electronic health systems, but it’s ALSO impossible for Congress to create sane health reform and healthcare laws, formulate appropriate health and privacy policies that provide ironclad data privacy and security protections when we have no idea where PHI goes, who uses and sells it, or what it’s used for.
    • One example of not knowing where/how our personal health data ends up: Identifiable diabetic patient records are sold online for $14-$25 each. See:

    If you think about this privacy-destructive situation, it is the exact opposite of what patients expect (single use of PHI) and violates their very strong existing rights to health information privacy (ie to control PHI for routine uses).

    One example: Patients give pharmacies a prescription for only one purpose: to fill their prescription. They do not expect that all 55,000 pharmacies in the US sell every prescription every night. The industry that sells our identifiable or easily re-identifiable prescription records brings in revenues in the 10s-100s of billions of dollars every year.

    Another example: Patients expect their physicians to keep records private. They don’t expect their physicians’ EHRs to sell their sensitive data for profit to them or to EHR vendors. But that is the business model of almost all EHRs, including Practice Fusion, Greenway, Cerner, Athena, GE Centricity, etc, etc. Patients give doctors information for one purpose only: to treat them. They do not expect it to be used by BAs, subcontractors, and subcontractors of the subcontractors for other purposes. Again in the US patients have had a very long history of rights to health information privacy in law and ethics (the Hippocratic Oath).


  • It’s a huge issue. These days in many areas one large medical practice may have many specialties covering most of the areas a person might need help with over decades. It can well be argued that an internist might need access to MOST of the data. Perhaps not psychiatric data – except meds, yet even that does offer hints. Then imagine that this practice is part of a hospital system, and the ER may need access to most of it if the patient shows up. Yet the podiatry part of the practice tends to need a lot less (unless a medical condition or treatment could affect that area too). Same with orthopedic – yet we know that even that might be affected by diet and med and other health issues. And all this is inside one system. It just gets even harder when the data is available to other practices or hospitals via an HIE.

    Yet one could argue that a combination of HIPAA and common sense should prevail; that there are already safeguards to privacy, and that common sense should dictate that access to a provider to specific detail should be based on need (at the time), and review-able afterwards for possible abuse. Plus when the data does travel outside the original system – or even another provider in the system, the patient (or guardian) should be consulted about what data is to be viewable.

  • Dr. Peel, I’m glad you’ve contributed your thoughts here! I just realized that we crossed paths before, when I quoted you in the Cincinnati Business Courier.

    What do you think is the best route for patients right now if they want to maintain privacy of their data?

  • My hope is that more reject EMRs as they are an invasion of privacy. Those of you who work in the EMR industry better get with it. In the typical pro-active stance of those of you that advocate that it prevents errors and subtle issues arise that may be gleaned from someone’s entry is clearly your own opinion and not fact. Privacy is not a defined entity is consistent with the belief structure of the individual. Attempts to compare the reduction in privacy for the sake of fewer medical errors is a straw argument…where are the facts to support this claim? In the information age we need to reclaim what is important…our patients’ privacy, and what I believe is very low risk of medical errors if you can’t see someone’s complete record….and if the provider is worth their salt they can ask the proper questions to get to the bottom of any problem without having the department of redundancy department (intended error) give me reams of useless data that should only be available to the treating practitioner and the patient…really… why does everyone have to know everything? Efficiency at what price?
