Should patients be able to limit doctor access to medical records?

by Vadim Shteyler 

The growing accessibility of Electronic Health Records (EHRs) across hospitals and practitioners raises new concerns about patient privacy. Before EHRs, patients had control over how much information they shared with each healthcare provider. Receiving patient information from other practitioners has required a signed consent form specifying the information patients are comfortable sharing (e.g., radiological studies, mental health history, sexual history, etc.). And hospitalists have been expected to request the minimal necessary information to provide good care. With growing networks and increasing compatibility across EHRs, more providers now have access to information without the patients’ express permission or even awareness.

Recent works published in the Journal of General Internal Medicine reported the results of a study that designed and recorded patient and provider experiences with a patient-controlled EHR (in which patients chose which providers could access which data in their medical records). A preliminary survey showed that, before the study, only 10 percent of patients had access to their medical records. Half of surveyed patients did not know what information their EHR contained. However, all patients wanted access to their EHRs. Meanwhile, another study reported that only one-third of physicians thought patients should have EHR access.

Beyond wanting access to the data in their EHRs, patients also wanted granular control over who else has access to specific information within their EHR. About 93 percent thought it was acceptable to limit EHR access. And 94 percent thought it was good to control who sees specific electronic health information. The study also showed that a significant fraction of patients studied, 43 percent, chose to limit at least one provider’s access to their EHR (usually limiting access to personal information). About one-third of those patients blocked all healthcare staff from seeing personal information. About one-quarter only blocked doctors and nurses from accessing personal information. And about five percent blocked all healthcare staff from accessing all EHR data.

The study indicated that providers’ views on the issue are controversial. While 54 percent of providers thought patients should have control over EHR access, 71 percent simultaneously believed that quality of care would suffer. Further, 58 percent believed EHR restrictions would harm the patient-provider relationship. Though about half of providers felt comfortable with EHR restrictions, one-quarter strongly felt otherwise.

This tension between patient preferences for more EHR control and doctors’ concerns about having incomplete information raises the question of whether patients should be able to control providers’ access. Proponents of incorporating and respecting restrictions argue that privacy is a patient right—that ignoring their wishes for what providers perceive to be improved outcomes would be paternalistic. Instead of digging up information in EHRs, proponents recommend focusing on improving communication skills and creating a safer environment. As long as patients understand that incomplete information may impact the outcomes of their care, patients should have full access to whatever their doctors know.

Opponents argue that certain providers, such as primary care and emergency physicians, should always have access to all of the information available so they can feel that they can provide the best care. Some believe that, without an understanding of the interrelatedness of social and biological diseases, patients may not know exactly how much withholding certain pieces of information could impact their care. From a medicolegal perspective, opponents fear that if doctors would be held liable, they would always choose the emergency option to bypass patient restrictions, and if they would not be held liable, patient care would suffer.

This study was conducted on a relatively small sample, in one healthcare system, and on a population skewed towards lower SES. Nevertheless, the results still raise some issues. Granted, a fraction of the patients restricting access to all sensitive or all medical information may have just done so out of ease of pressing one button rather than sifting through all of the EHR data. But the sizable fraction of patients choosing to restrict provider access may be symptomatic of incomplete trust that their information will only be used for the benefit of their care or that they will not be stigmatized for certain conditions. Consistent with this concern, 58 percent of patients thought their medical information had not been sufficiently protected by state or federal law. It also raises concerns that patients may not be completely aware of the uses of EHR information. For instance, patients may not have known that blocking all EHR access may prevent nurses in hospitals from seeing and filling physicians’ prescriptions. Though more data is needed to describing why patients chose the restrictions they did, this study spotlights a power, information, and communication gap in the clinic that needs further attention.