Mar 262015
 
 March 26, 2015  Breaches, Featured News, Healthcare

Clinical psychologist Peter Zelles had a commentary in the Star Tribune last week with which I wholeheartedly agree.

Minnesota is one of the first two states to mandate that all health care providers use an “interoperable” electronic health care record (EHR), allowing all doctors to view every other doctor’s notes — supposedly privately and with a purpose. Since 2014 has been dubbed “The Year of the Hack,” we can presume this medical data will be invaded.

It is including psychological records that concerns me most. With decades of experience as a clinical psychologist, a consultant and a teacher, I have to believe this mandate can easily mean the end of psychotherapy as a useful treatment.

As a practicing psychologist who has spent the last decade reporting on healthcare sector breaches, I freely admit that I have had more than a few nightmares about patient data getting hacked. During my very first session with patients, I discuss the use of e-mail with them and caution them that they should be prudent and not reveal sensitive information in e-mails to me. If I had to upload therapy notes to a system that could be hacked, I think the nightmares would become a daily event.

Proponents of the law suggest that we can limit what we post by keeping a separate record that details more delicate information. If being a forensic consultant has taught me anything, it’s that there are no private medical records. For psychotherapists, posting any information about patients is wrong, because it violates our duty to protect privacy in this most vulnerable setting. As the U.S. Supreme Court’s decision in Jaffee vs. Redmond said that without confidentiality, there cannot be psychotherapy. There aren’t crises requiring immediate access to psychotherapy records; they can be accessed more securely, in plenty of time if needed.

I don’t know that I’d go so far as to say that posting any information is “wrong,” but I do think it fraught with risks that we should not be taking.

The law as written apparently allows no one to opt out of the EHR. Anyone who wants out must opt out completely. No health care provider can opt out. Patients who pay cash for their medical care may be able to avoid having their records posted, circumventing a loss of confidentiality, but not most of us.

Dr. Zelles goes on to argue that we must allow individual patients “to decide what they do and do not want posted to their electronic record. If we don’t want a particularly sensitive medical concern in the EHR, we should have the right to exclude it. If a physician believes it is important to include, let them counsel us — just as they would about a medicine we may not want to use.”

Patients deciding what can go into their EHR on an issue-by-issue or session-by-session basis might pretty much defeat the purpose of interoperability of EHR. So why not just exclude psychotherapy records from EHR requirements altogether? In a psychiatric emergency, the ER doctors will call the treating psychologist or mental health provider to get background and details. I’ve gotten calls like that, and I’d bet Dr. Zelles has, too. And there’s so much more we can share in that type of interaction than we’d be likely to record in any online therapy notes.

Dr. Zelles concludes:

Talk to your legislators and the Minnesota Department of Health before it is too late. The rules for EHR are still being formed. Now is when we can be national leaders in forging a system in which the sharing of health records is both meaningful and reasonable.

If you are a mental health services client (private or public) in Minnesota, I also encourage you to contact your legislators and tell them you want psychotherapy records excluded from any mandated sharing.

And if you are a provider or a patient in any other state, pay close attention to what’s going on here, as it could impact you/us next.

This post originally appeared on DataBreaches.net.

Sorry, the comment form is closed at this time.