Abstract
PURPOSE Consumer buy-in is important for the success of widespread federal initiatives to promote the use of health information exchange (HIE). Little is known, however, of consumers’ preferences around the storing and sharing of electronic health information. We conducted a study to better understand consumer preferences regarding the privacy and security of HIE.
METHODS In 2008 we conducted a cross-sectional, random digit dial telephone survey of residents in the Hudson Valley of New York State, a state where patients must affirmatively consent to having their data accessed through HIE.
RESULTS There was an 85% response rate (N = 170) for the survey. Most consumers would prefer that permission be obtained before various parties, including their clinician, could view their health information through HIE. Most consumers wanted any method of sharing their health information to have safeguards in place to protect against unauthorized viewing (86%). They also wanted to be able to see who has viewed their information (86%), to stop electronic storage of their data (84%), to stop all viewing (83%), and to select which parts of their health information are shared (78%). Among the approximately one-third (n = 54) of consumers who were uncomfortable with automatic inclusion of their health information in an electronic database for HIE, 78% wished to approve all information explicitly, and most preferred restricting information by clinician (83%), visit (81%), or information type (88%).
CONCLUSION Consumers in a state with an opt-in consent policy are interested in having greater control over the privacy and security of their electronic health information. These preferences should be considered when developing and implementing systems, standards and policies.
INTRODUCTION
Health information exchange (HIE), the exchange of electronic health information across health care clinicians and organizations, has the potential to improve health care quality delivered by the US health care system.1 The federal government has undertaken an approximately $30 billion initiative to promote the adoption and meaningful use of electronic health records (EHRs) capable of HIE.2,3 For HIE to be effective, physicians must use a HIE to look up their patients. Because many states require consent before any personal health information can be disclosed or electronically accessed,4,5 it is equally important that patients are comfortable with an HIE. Studies have shown that although American consumers are supportive of HIE and believe it has the potential to improve health care delivery, they have concerns regarding the privacy and security of their health data.6–8 Little is known, however, about what features, safeguards, and policies would help consumers to feel more comfortable with the privacy and security of their electronic health information.
To be able to describe consumer’s detailed preferences for the privacy and security of their health information, we conducted a survey of consumers’ attitudes toward the use of EHRs and HIE in a community that is a national leader in EHR adoption and HIE initiatives9,10 and has high levels of consumer support of HIE.11
METHODS
Study Design and Population
We conducted a cross-sectional survey of consumers’ opinions on EHRs and HIE among 170 health care consumers in the Hudson Valley region of New York State, a state where patients must consent to having their data accessed through HIE.12 Eligible participants included English-speaking residents of the 8 counties immediately north of Manhattan. This study was approved by the Institutional Review Board of Weill Cornell Medical College.
Data Collection
Details of the sampling methods have been described previously.11 A random digit dial telephone survey restricted to landline numbers was administered by the Cornell Survey Research Institute in January-April 2008. The target sample size was 150 based on power calculations regarding the expected precision of the rate of support for HIE (71.5% ± 7.25%). Respondents provided verbal consent and received $10 for completing the survey.
Questionnaire
The structured questionnaire was developed with input from a team with expertise in medical informatics, health services research, and consumer advocacy.11 Questions assessing consumer’s attitudes were modeled after existing national consumer surveys on HIE.13–16 The questionnaire was pilot tested among 25 ambulatory patients in the outpatient clinics of the Cornell Internal Medicine Associates.11 The full questionnaire consisted of 42 questions11 that assessed respondents’ demographic characteristics, self-reported health, use of health care services, use of the Internet, and perceptions and opinions regarding the use of EHRs and HIE, including privacy and security preferences for HIE, as well as perceptions and experiences of accessing personal health information online. A subset of 13 questions from the full 42-question survey was analyzed for this study.
In our survey questionnaire (Supplemental Appendix, available at http://annfammed.org/content/10/5/428/suppl/DC1), an EHR was described as a record that can be created, stored, and viewed on a computer and that contains a patient’s medical information, including notes from health care visits, laboratory and radiology tests, prescribed medications, health insurance, and information to allow for correct patient identification. HIE was described to respondents as having one’s EHR (or information that would be contained in an EHR) shared and viewed electronically by different clinicians involved in their care. We described 3 potential HIE architecture models and asked respondents whether they were comfortable with each (yes/ no). The options described were as follows: (1) health information stored on a small card that could be carried by patients to medical visits and read by clinicians using special machines; (2) health information kept at the different locations where the patient was seen that could be sent individually over a secure connection directly from one doctor to another; and (3) health information kept electronically in one central database that the patients’ clinicians could access to read and add to using a password-protected, secure connection. To assess preferences about the storage of health information for the purpose of HIE, respondents were asked whether they would want all their health information to be stored automatically in a password-protected, secure central repository that their clinician could access, similar to option 3 above. Respondents who indicated that they would not want automatic storage of their information in this manner were asked follow-up questions about the types of restrictions they would want to regulate what information gets included in the database.
Because the central HIE database model would theoretically pose the greatest privacy and security risk to their electronic health information, patients were asked to consider this model when answering the following questions. Respondents were asked which of the following parties they would trust the most to regulate the database and keep it secure: health plan, office practices or doctors’ organizations, hospitals, government, or other. Respondents were also asked whether they would want various parties to view their information in the database and whether their permission would be required for viewing. Respondents were then asked how long a doctor should have access to their health information once permission was granted (forever, until permission is taken away, for 1 year, or for 1 week after my visit).
Respondents were asked to rate the importance of the following protections: “safeguards against unauthorized viewing of my medical record,” “the ability to see who has viewed my electronic medical record,” “the ability to choose which parts of my medical record would be shared electronically,” “the ability to stop my information from being stored electronically,” and “the ability to stop all viewing of my electronic information.”
Statistical Analysis
Univariate statistics were used to describe the distribution of respondent’s demographic characteristics and their preferences for the storage, sharing, and safeguarding of their medical information. During analyses, we dichotomized question responses that assessed importance of various safeguards of HIE into “essential or important” and “somewhat or not important.” We explored bivariate associations between respondent characteristics and willingness to have data automatically stored in a central repository using Fischer’s exact test. Variables significantly associated with the outcome were selected for inclusion in the multivariable logistic regression model. We used backward stepwise elimination to determine the final model. Data analysis was performed using SAS statistical software (SAS 9.3, SAS Institute).
RESULTS
Study Population
Of the 199 people reached by telephone, 170 (85%) completed the survey.11 Age within this group varied, with 36% of respondents reporting they were aged between 25 and 44 years, and 40% were aged between 45 to 64 years. Most respondents were white (81%) and had at least 2 years of education beyond high school (82%). One-third had an annual household income of $100,000 or higher, and 82% had Internet access at either their home or work (Table 1). As reported in a previous study that examined a separate topic from the same survey, the demographic characteristics of our study sample are fairly similar to the entire Hudson Valley population, as reported through 2009 census data, in terms of race, age and income.11,17
Preferences for Storing and Sharing Health Information
Respondents were generally comfortable with the 3 HIE architecture models described (Table 2). Most were comfortable with storage of health information on an editable, readable portable device (83%) and at different locations with data shared over a secure Internet connection (79%). Fewer were comfortable with storage of information on a single, central database that can be accessed over a secure password-protected connection (68%) when compared with a portable device (68% vs 83%, P = .02) and when compared with different locations (68% vs 79%, P = .003).
Preferences for Including Health Information in an HIE
Two-thirds of consumers (n = 111) indicated that they were comfortable with automatic storage of their health information in a central database so that it may be accessed by clinicians through an HIE (Table 2). Among the one-third of respondents who would not want automatic storage of their information, most wanted to restrict the storage of their information by visit type, information type, and by clinician (Table 2). Results of multivariable logistic regression showed that male respondents (odds ratio [OR] = 2.2; 95% confidence interval [CI], 1.1–4.6) and those who believed that a secure Internet connection is secure (OR = 3.0; 95% CI, 1.3–6.9) were more likely to be willing to have their health information stored automatically in a central database.
Entity Responsible for Health Information Storage, Maintenance, and Security
About one-half of the respondents (51%) said they would trust their physicians’ practice or organization to regulate the privacy and security of a database that contains their health information (Table 2). Far fewer indicated that they would trust their health plan, hospitals, or the government. Among those who answered “other,” a few respondents (10%) indicated that they would not trust anyone other than themselves.
Protections Against Unauthorized Viewing of Health Information
More than three-quarters of all respondents considered every safeguard feature around HIE either essential or important (Figure 1). Many of these safeguards related to preventing unauthorized viewing and sharing of their health information. When asked whom they would allow to view their health information through HIE and whether their permission should be required for viewing by that party, consumers were more likely than not to indicate that their permission would be required (Figure 2). Respondents were most comfortable with having their primary care doctor view their health information without their permission (35%) and least comfortable with government officials (4%) and employers (2%). When asked about the length of time their doctor should be able to access their health information through HIE once that doctor has been given permission to view it (Table 2), more than one-half of respondents said that they would want their doctor to have continuous access until they revoke permission. Less than one-quarter would want their doctor to have access for 1 week after their visit with them, or for 1 year after permission was given. Less than 5% of consumers would want their doctor to have indefinite access. In the case of a medical emergency for which their permission could not be obtained, most respondents would allow their primary care doctor (93%), their designated family members or friends (93%), and other doctors or clinicians who care for them (82%) to view their health information (Table 2).
DISCUSSION
We found that more than two-thirds of people surveyed in this community were supportive of HIE and willing to have their health information automatically stored in an HIE. Men and those who felt secure using a secure Internet connection were more likely to be supportive of automatic inclusion of their health information. One-third of respondents were not willing to have their data stored automatically and expressed a preference for a high degree of control over their data, including control over the type of information stored. Most respondents wanted safeguards against unauthorized viewing of their information. We also found that most respondents indicated comfort with all 3 described HIE architecture models (portable device, data residing in multiple locations, and a centralized database).
Given the highly sensitive nature of health information and the consequences that can occur in the event of its disclosure,18 it is not surprising that consumers in this study expressed strong concerns regarding the unauthorized viewing of their electronic health information. Consent policies that would allow consumers to control what, by whom, and for how long their health information could be accessed may allay these concerns. New York State, in which this study took place, has an opt-in approach to consent.12 That is, patients must actively provide informed consent for clinicians to access to their HIE data.4 Some health information organizations across the nation have adopted opt-out patient consent models, in which patients are included in an HIE unless they specifically request otherwise. The views of those patients are not clear, and future studies should seek to understand them better. Our findings, including having one-third of respondents preferring a high degree of control over data, are consistent with this state’s opt-in approach.
Implementing appropriate consent policies and technical guidelines regarding use of EHRs and an HIE could potentially improve the security of patients’ health information compared with traditional paper records.19 There are state and federal organizations engaged in identifying technical standards and consistent privacy policies to facilitate and protect HIE, such as the Standards and Interoperability Framework committee.20 Ensuring that HIE standards and policies incorporate consumer preferences, and expanding the scope of consumer engagement and education campaigns around an HIE will be key in gaining the public’s trust.
Our findings suggest that consumers support any of 3 HIE architectural models. Although centralized database systems may be the most user-friendly,21 they were slightly less popular among consumers than storage on a portable device or at different locations, perhaps because centralized databases were believed to have the highest likelihood of security breaches.22 The portable device model has not been widely implemented in the United States,21 although a portable electronic health card was pilot tested in Germany but stalled when providers were unwilling to buy the necessary equipment to read the cards.23,24 Similar obstacles might prevent such a model from being implemented in the United States despite our study showing consumers’ interest in it. Most respondents were comfortable with storage of health information at the site where care was received with transmission over a secure connection. This finding is an encouraging, as this model is similar to the architecture model of the Direct Project, an HIE service being developed by the federal government that involves sending encrypted health information directly to known, authenticated recipients over the Internet.25 Those consumers who were not willing to have all of their data automatically stored in a central repository expressed a willingness to have some specific types of data shared. This finding may have undesirable implications for the utility of HIE, because if many consumers request many different restrictions, then the HIE is less complete, less useful, and possibly harmful (if the missing data are clinically important). Willingness to have data automatically stored was associated with being male and believing a the Internet connection is secure. These results are surprising because in previous studies sex has not been significantly associated with support of physician or personal use of HIE.11,26
Most consumers indicated that they would want their doctors to have access to their health information in an emergency, even if they cannot give permission. In New York, this preference is addressed by “break the glass” provisions that allow for health information to be accessed by a clinician who is treating a patient during an emergency.12 High levels of support of HIE use by physicians during emergencies may be related to advertising campaigns launched across the country to educate consumers about the importance and utility of an HIE during emergencies.27 Consumers expressed greatest trust in their own doctor’s practice to regulate the privacy and security of their electronic health information. In New York, a statewide collaboration process resulted in a white paper with recommendations for standard policies around HIE privacy and security.12 According to these recommendations, establishment and enforcement of these policies are the responsibility of health information organizations as opposed to individual physicians or practices.12 Health information organizations across the country are also taking on responsibilities of governing the privacy and security of data within an HIE.4 Because our survey did not explicitly ask respondents about health information organizations, future studies should explore further consumers’ trust in these organizations.
Study Limitations
Our survey was conducted in a fairly homogenous community, with a population that may not be generalizable to all health care consumers. Given the current federal initiatives to promote health information technology, however, more communities will likely be adopting EHRs and engaging in an HIE, and they may benefit from these findings. Second, although random digit dialing was used to minimize selection bias, unlisted or cellular telephone numbers were not included in our sample. Additionally, although our response rate was high, we were unable to collect any information on nonrespondents, limiting our ability to comment on the extent of any response bias. Third, our survey was conducted before the release of New York Health Information Security and Privacy Collaboration’s recommended standard privacy and security policies.12 Finally, our survey described an EHR as including both patient identifiers and medical information, because the patient identifiers are often required for patient matching. This description could have contributed to respondents’ concerns around security of an HIE and may or may not have introduced bias. Future studies could determine whether alternate wording would elicit similar or different responses.
Consumer buy-in is necessary for the success of national HIE initiatives. Our study, among the first to examine the privacy and security-related preferences of consumers in a community where HIE is underway, found that consumers desire greater control over their electronic health information. To address consumers’ concerns about the exchange of their health information, their preferences should be incorporated into future iterations of HIE standards and consent policies.
Footnotes
-
Conflicts of interest: authors report none.
-
Funding support: This work was funded by the Taconic Independent Practice Association.
-
Previous presentation: This work was previously presented as a poster at the American Medical Informatics Association Annual Symposium, November 14–18, 2009, San Francisco, California.
- Received for publication June 12, 2011.
- Revision received January 6, 2012.
- Accepted for publication January 13, 2012.
- © 2012 Annals of Family Medicine, Inc.