NYCLU Demands New York Allow Patient Control in Data Sharing

In a new report, the New York Civil Liberties Union wants to give patients the rights to control which doctors see their medical information or allow them to opt out all together.

The New York Civil Liberties Union has released a report asking policymakers governing the exchange of electronic health records in New York State to allow patients more control over which types of doctors see their medical data.

Sharing EHRs are likely to make the health care system more effective and efficient, yet privacy controls are needed to protect patient information, according to the NYCLU report, called "Protecting Patient Privacy: Strategies for Regulating Electronic Health Records Exchange."

"The New York Civil Liberties Union supports electronic sharing of medical records, but takes the position that patients must be able to control who has access to their medical information," the group wrote in its report. "Patients must also be assured that those who do have access receive only information that is relevant to their treatment."

As NYS continues to develop policies regarding its system of health information exchanges, called Statewide Health Information Network for New York (SHIN-NY)€”connecting medical data among providers, insurance companies and government agencies€”the NYCLU has presented some recommendations on how to maintain privacy in the system.

In the March 6 report, the NYCLU suggests that patients be able to "sort and segregate" medical information so that one doctor may not be able to see the information of another. For instance, patients may not want their podiatrist to have access to data from a gynecologist, said Corinne Carey, NYCLU assistant legislative director and author of the report.

"Systems can be set up to sort and segregate information so that providers and patients have control over what kinds of data flow through the system," Carey told eWEEK. Patients can also flag information that's protected by state or federal law, she noted.

"The vendors that New York works with are not required by state policy to have the capability to sort and segregate information, and New York hasn't made any move to require that capability," said Carey.

"As the systems continue to improve with regards to categorize data, the work of implementing those systems to protect patient rights or patient privacy is something that's always being looked at," David Whitlinger, executive director of the New York eHealth Collaborative (NYeC), told eWEEK. "And that's why we have a statewide collaboration to work on state policy and keep it current to the needs of the community as well as what the vendor community is able to keep up with."

The NYeC runs the state's HIEs, called SHIN-NY, consisting of 12 regional health information organizations (RHIOs).

Doctors are able to upload data without the consent of patients, according to the NYCLU. It requests that patients be able to opt out of HIEs altogether rather than have their data uploaded automatically€”or only allow records to be shared in an emergency.

However, NYeC's Whitlinger noted that a patient must give consent for each individual patient entity that uses their data. "The New York State HIEs are all implementing and have implemented and are following statewide policy," he said.

"The overall position that we seem to continuously try to strive for is giving the patient as much control as possible in who has access to the data while allowing the patient to use that control to enable the health care system to deliver better care," said Whitlinger.

Version 2.2 of the NYS Privacy and Security Policies states: "Except as set forth in Section 1.2, a participant shall not access a patient's Protected Health Information via the SHIN-NY governed by a RHIO unless the patient has provided an affirmative consent authorizing the participant to access such protected health information."

The NYeC is now conducting an annual policy review and will convene in the next few weeks to address gaps in data exchange policies, he said.

"It's an ongoing discussion that takes a lot of different facets," said Whitlinger. "There's not good consensus at times in the health care community with regards to the level of data sharing that is necessary to have a comprehensive view of a patient, as opposed to protecting patient safety."