EHR technology falls short on protecting teens' privacy

American Academy of Pediatricians calls for development standards
Tools

Electronic health record technology should be retooled to protect the medical privacy of adolescent patients, the American Academy of Pediatrics says in a new policy statement.

The problem is that the Health Information Technology for Economic and Clinical Health Act ties privacy requirements for EHRs to compliance with the Health Insurance Portability and Accountability Act, which does not address adolescent privacy, according to the policy statement.

"Although HIPAA rules defer to state law regarding minors with 'exceptional circumstances' (e.g, adolescents seeking care for STIs) and gives the minor and not the parent the right to this protected health information, the rules have not led to commercial health information technology systems having the capability to protect this information," the paper notes.

Because EHRs can't filter or compartmentalize health information, the statement says, it's been up to states to identify ways to safely exchange health information for adolescents without violating their privacy.

"Continued lack of privacy protection in EHRs risks diminishing adolescent access to care, potentially resulting in higher adolescent pregnancy and STI (including HIV) rates, and unraveling significant gains that have been achieved," according to the paper.

The academy identifies problems including lack of standards for: electronic medical technology when rights of minors are protected by state law or legal precedent; for what adults have access to teens' medical records; for protection of sensitive information including lab results and prescriptions; and for shielding protected information during billing. Another challenge: Privacy standards vary by state.

Recommendations include:

  • Developing criteria for EHRs that meet federal and state standards for adolescent privacy and determining has access to or the ability to control access to the medical record.

  • Developing criteria and EHR technology allowing adolescents to record consent for care and treatment, as well as explicit consent for the release of protected health information.

  • Building flexibility into development standards to shield the release of diagnoses, test results, prescriptions and other documentation containing confidential data – a requirement the paper calls "the most difficult to attain and control."

  • Creating EHR systems that can flag, isolate and potentially shield confidential information being exchanged among providers and other healthcare organizations.

  • Developing EHR-related billing systems that can suppress protected information.

Patient confidentiality was identified as an issue in a recent study of teens engaging in high-risk behaviors, with 90 percent of teens interviewed in a detention facility expressing interest in accessing their health records online. The vast majority said they would be willing to share those records with physicians, but only half said they would want to share them with parents.

Those preferences would be hard to meet, the researchers noted, because California law allows parents to see some parts of their children's medical records.

To learn more:
- read the policy statement

Related Articles:
Balancing health privacy concerns with a need to reach young people
Behavioral health coordination requires better EHRs, instruction on data sharing
OCR's Leon Rodriguez: HIPAA enforcement more critical with transition to EHRs
Patients open to data sharing if they control access