Patients who have given consent for parts of their electronic health record to be shared among healthcare providers remain confused and worried about who has access to their personal information, with many calling the perceived lack of privacy “scary” and “horrifying", a study in Canada has found. The study references a recent British Medical Journal editorial that called for patients to have control over who should access which parts of their health record. The paper sets out to evaluate “the feasibility of a tool that seeks to accomplish exactly that purpose" – namely the Health Care Information Directive (HCID), a patient decision aid which instructs clinicians who should have access to certain types of patient data. “Study participants lacked substantial knowledge regarding the fate and use of PHI [personal health information] within a publicly-funded health care system", said the report, published in BioMed Central. “Participants expressed mistrust concerning how their PHI is used and safe-guarded." One respondent told the researchers from the University of Toronto: “It just seems to me that if there’s information online, things are going to be compromised. You know, people make a living doing that stuff." Another was sceptical of how the HCID, if brought into law, could be monitored and enforced: “What power does the patient have to make sure any of this is happening? To me, a pharmaceutical company is way more powerful than the patient." The survey found that a simple blanket opt-in/opt-out approach, NPfIT’s intended method of consent for sharing data on the spine, was dismissed by patients as not being a solution to their fears. Instead, many believed that an online audit system that allows patients to see who has accessed their electronic health record was more transparent. Some also suggested the appointment of a “data ombudsperson" to oversee privacy. “Some have argued that requiring unique individual informed consent for each use of health information would be burdensome; however, there are public opinion data suggesting that legislative initiatives to require such consent would be viewed favourably." Older people were the most sceptical about security, preferring to bypass the online health record entirely and even eschew the postal service, by filling in the form and accessing the data actually at their doctor’s surgery. The report said: “Education and information needs of diverse groups, such as seniors and immigrants who speak English as a second language should be taken into account when considering strategies to enhance individual control over PHI." The researchers concluded that more needed to be done to educate people about where their information was going and who had access to it. The existing approach through the HCID, which gives consent to selective amounts of data being shared, was “appreciated"; but work needed to be done to further revise the consent model and introduce auditors.
