Wednesday, June 23, 2010

Physicians Right to Privacy

As we move to Electronic Health Records (EHR), the debates over security and privacy are becoming more frequent and more poignant. We of course have HIPAA laws on the books and ONC has a Tiger team assembled to recommend privacy and security policies to Secretary Sebelius. CIOs and entire IT departments are all focused on protecting the privacy of patients and their Personal Health Information (PHI). This is, of course, as it should be, but how about privacy of those taking care of patients? Do physicians have a right to privacy too?

As EHRs become more prevalent and interconnected, increasing amounts of clinical and administrative data will be flowing out of doctors’ offices and into the great beyond. Most of this data is indeed patient data, but some of it could be combined, sliced and diced to derive pretty extensive information about doctors. For example, and in no particular order:

  1. Prescribing patterns – Prescription data has been collected and sold to pharmaceutical companies for decades. EHRs will make this much easier to accomplish and the data will become richer and more granular, since it will contain the exact nature of the visit where a particular drug was prescribed or discontinued, including physician notes on the subject. Of course, such information finding its way to public websites would present a novel difficulty if, say, we can look up Dr. X and see that she wrote 30 prescriptions for contraceptives last month, half of which were for girls under 16 years of age.
  2. In the interest of informing patients on physicians’ expertise, a company may decide to publish names and frequencies of procedures performed by physicians. In addition to the fact that the raw number of performed procedures is not indicative of proficiency if not accompanied by outcomes data which is almost impossible to obtain, our beleaguered Dr. X may find a web listing of the number of abortions she performed on teenage girls right next to her name and home address.
  3. Administrative data can provide average times spent with patients, with no differentiation between the 5 minutes required for allergy meds renewal and the half hour you spent with elderly complex patients. Schedule data can also be manipulated to deduce when you take vacations. Is anybody watching your house while you’re enjoying those exquisite Hawaiian sunsets?
  4. Of course the call for greater transparency will create numerous websites trying to provide patients with a Consumer Reports style rating of doctors. Quality measures similar, or identical, to the ones submitted to CMS will come in very handy. If you report that only 20% of your patients have an acceptable HbA1c level and I am a diabetic looking for a good doctor, I’d probably pick one with better “outcomes”. The fact that most of your patients are underserved, poor and even homeless and you are pretty much a saint is not evident in your outcomes. Sorry.
  5. EHR progress note data can indicate how thorough you are. If you routinely document only a handful of Exam and Histories elements, maybe I should find a doctor that takes more time and is more thorough, or one who has an EHR that documents all negatives by exception, whether he looked at it or not. There will be very few patients savvy enough to know the difference.
  6. Here is a more interesting possibility. By examining your SOAP notes, computers can figure out your decision making patterns. These patterns can be cross aggregated and will make for very interesting research. However, these patterns, once established, could also become admissible evidence in a court of law.

As data becomes richer and more liquid, more possibilities to monetize physician data will emerge, just like monetization of patient data will become rampant. Fortunately, patient privacy is central to all new standards and policies being created by the Government. By contrast, physician privacy is not even an afterthought. While physicians have always been morally and legally obligated to protect their patients’ privacy, perhaps the time has come to also consider the doctor’s privacy in this brave new digital world.


  1. Truly, this is the first time I've seen anyone speak on physician privacy as such, and it's certainly an issue I hadn't considered too deeply. I'm torn on the issue: on the one hand, ever since there have been doctors there's been word-of-mouth recommendations/warnings passed between patients. I remember the area pediatrics clinic my family used, and how we quickly figured out who to ask for (and who to dread).

    But on the other hand, having such a system codified and going into such detail, based on actual medical records, presents a new paradigm; while patients whose privacy has been violated have the right to challenge their violators in court, providers may find the opposite is true: their violated privacy may be used against them in court. Certainly, judging a provider completely by patient health is a short-sighted strategy.

  2. Yes, word of mouth is pretty powerful, but on the web, this could be amplified by orders of magnitude and backed by seemingly objective measurements, it could become a serious problem.

    I would hope the ONC Tiger team expands its horizons to include at least some protection for doctors too. Not sure how realistic this is though, considering the huge patient privacy issues they are dealing with right now.

  3. Excellent post Margalit. While the EMR-based privacy issues for providers are a growing concern for most doctors, a present problem for Provider privacy currently exists in Social Media.

    In a recent survey, the Health 2.0 NYC community ranked this as the most important topic to study further. To do this we are holding a discussion panel including two prominent HCSM Physicians, a HCSM CEO, and a HCSM Journalist. It is entitled "Healthcare and Social Media - Connubial Bliss or Collision Course?" The agenda is to discuss how social media impacts patients and Providers in many areas, especially privacy. More info at the health20nyc meetup site if you are interested. Link:

    I also agree that Word of Mouth online is the faster, amplified version of traditional over the hedge version. It potentially can be faster, better and deeper than the traditional approach. Evidence and outcomes based data would be great for users, but the data is complex. A real challenge that exists is the need to create easily understood and fair metrics. Another is Provider adoption of the systems. For example, several sites have created provider verified review systems that allow for higher quality data and some degree of provider control. These sites have the potential to change the online word of mouth we have experienced to date - ensuring patients were actually seen and that the providers approve of the comments to be published - with limitations. Will providers adopt these systems? That remains to be seen. You can lead doctors to Health 2.0 solutions, but if they do not interact with them there is no positive change.

  4. This distinction between patient privacy and physician privacy is primarily a US issue. In Europe and elsewhere, the regulations cover personal privacy, and the staff privacy is just as important as the patient privacy. This is important for anyone who operates internationally.

    Even within the US, you have states like Massachusetts where there are privacy laws that apply to all persons, not just to patients. These particular issues will not come under the Massachusetts law. It deals with privacy of financial information.