Nearly a year before passage of the Affordable Care Act, President Obama signed into law another sweeping change to America’s system of health care delivery. As part of the American Recovery and Reinvestment Act of 2009, the federal government appropriated several billion dollars to assist all fifty (50) states implement new electronic medical records systems.

Using these funds, Illinois is implementing an electronic health information exchange with the purpose of improving “the safety, quality and value of health care, to protect and keep health information secure, and to use the health information exchange system to advance and meet population health goals.”

Unquestionably, electronic health information technology (HIT) is transforming health care and promises to improve the effectiveness and the efficiency of the health care system. Better sharing of information can decrease medical error and improve health outcomes for everyone. However, easily sharable electronic medical records also threaten patient privacy and can lead to security breaches, misuse of information, and a loss of patient control over confidential and sensitive health information, thereby undermining the patient well-being.
In 2013, the policies and regulations that will govern the privacy and security of patient medical records will be set and implemented by the Illinois Health Information Exchange (ILHIE). The ACLU of Illinois is advocating a number of principles to ensure that patients have meaningful choices about how and whether their information is shared, and set serious penalties for those who abuse or misuse patient information.

First, patient’s right to consent (or refuse consent) to the sharing of their medical records should be absolute, meaningful and granular. Patients must have a real, informed choice, via a public opt-in policy, about whether or not to share their records – not a footnote buried in very small print on the last page of lengthy document. Moreover, patients should be able to decide which information is shared with which medical providers: your dentist does not need to know that you had an abortion 20 years ago, and the system should allow patients to segment and sequester sensitive information.

Second, there must be strict penalties attached to the sale or misuse of patient data – whether or not such data includes patient’s personal identifiers. Medical information should not be used to target individuals or providers for promotional pitches or advertising campaigns; nor should providers or the ILHIE be allowed to profit from the sales and marketing opportunities created by the release of information in patients’ medical records. The law must also give redress to patients to protect them from that small minority of providers who may abuse information out of fear, prejudice or malice.

These sensible principles not only protect patient’s rights, guaranteed by the U.S. and Illinois State Constitutions, but also improve patient care – safeguarding the essential trust between physician and patient. In the Journal of Law, Medicine & Ethics, Mark A. Rothstein notes that protecting patient privacy has been paramount to the delivery of care since at least the time of Hippocrates, who implores physicians to keep confidential any information obtained in the course of treating a patient. [1]He writes “In effect, physicians and patients enter into a ‘Hippocratic bargain,’” whereby patients tell physicians sensitive information about themselves, and then, consistent with that sharing of information, allow physicians to examine them in a way that no other stranger would be permitted.[2]  Indeed, this sharing of information underlies the informed consent dialogue that conditions patient consent to medical care that would otherwise constitute a battery.[3]

The ACLU recommends that the most effective way to protect patient privacy, consistent with existing statutory protections and the underlying common law and constitutional foundations, is to adopt a system of requiring each patient to specifically consent to the inclusion of their name in the Illinois Health Information Exchange (opt-in) and to further require the development of policies (and technology) that allows each patient to segment and sequester sensitive health information, such that an additional specific consent of the patient would be required before sensitive health information could be exchanged through the ILIHE (opt-in with reservations).[4] Information reserved might include notes about reproductive or sexual health, details about mental health, sexual assault or substance abuse, or the medical records of minor children.

Of course, whatever regulations the ILIHE puts into place, it is well-informed and engaged patients who will best ensure the privacy of their own medical information. Once the system is in place – we will all have choices to make – whether or not to opt in to the system, and what information we want shared and with whom. These decisions are important for each of us to consider before the system becomes operational in 2013.



[1] Mark A. Rothstein, The Hippocratic Bargain and Health Information Technology, 38 Journal of Law, Medicine &Ethics, 7, 7-8 (2010).
[2] Id. at 8.
[3] The right to consent to – or refuse – medical care finds support not only in the common law, see In re E.G., 133 Ill.2d 98, 106, 549 N.E.2d 322 (1989), but also in the Constitution of the United States, Cruzan v. Director, Missouri Department of Health,  497 U.S. 261 (1990). See also Data Segmentation in Electronic Health Information Exchange:  Policy Considerations and Analysis (September 29, 2010) (hereinafter cited as “White Paper: Data Segmentation”), one of two white papers posted at Privacy and Security, Office of the National Coordinator (“ONC”) for Health Information Technology at http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs.  The ONC awarded The George Washington University Department of Health Policy a grant to conduct research and analyze key privacy, security, legal and policy questions presented by the adoption of electronic health records and the creation of health information exchanges.  The other white papers posted on the site is: Consumer Consent Options for Electronic Health Information Exchange:  Policy Considerations and Analysis (March 23, 2010) (hereinafter cited as “White Paper:  Consumer Consent Options”).  Both white papers provide extensive discussion of the consent options and the issues underlying the need for data segmentation.
[4] For a complete discussion of the different consent options, including the advantages pertaining to an opt-in requirement, see Privacy and Security, Office of the National Coordinator (“ONC”) for Health Information Technology at http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs.  The ONC awarded The George Washington University Department of Health Policy a grant to conduct research and analyze key privacy, security, legal and policy questions presented by the adoption of electronic health records and the creation of health information exchanges.  The two white papers posted on the site, Consumer Consent Options for Electronic Health Information Exchange:  Policy Considerations and Analysis (March 23, 2010) (hereinafter cited as “White Paper:  Consumer Consent Options”), and Data Segmentation in Electronic Health Information Exchange:  Policy Considerations and Analysis (September 29, 2010) (hereinafter cited as “White Paper: Data Segmentation”), provide extensive discussion of the consent options and the issues underlying the need for data segmentation.