EHRs need to improve teens' privacy, say pediatricians

EHR technology requires changes to protect the medical privacy of adolescent patients, the American Academy of Pediatrics says in a new policy statement.

The problem is that the Health IT for Economic and Clinical Health Act ties privacy requirements for EHRs to compliance with the Health Insurance Portability and Accountability Act, which does not address adolescent privacy, according to the statement.

"Although HIPAA rules defer to state law regarding minors with 'exceptional circumstances' (e.g, adolescents seeking care for sexually transmitted infections) and gives the minor and not the parent the right to this protected health information, the rules have not led to commercial health information technology systems having the capability to protect this information," the paper said.

Because EHRs can't filter or compartmentalize health information, the statement says, it's been up to states to identify ways to safely exchange health information for adolescents without violating their privacy.

"Continued lack of privacy protection in EHRs risks diminishing adolescent access to care, potentially resulting in higher adolescent pregnancy and STI (including HIV) rates, and unraveling significant gains that have been achieved," according to the statement.

The academy identified problems including lack of standards for: electronic medical technology when rights of minors are protected by state law or legal precedent; what adults have access to teens' medical records; protection of sensitive information including lab results and prescriptions; and shielding protected information during billing. The fact that privacy standards vary by state poses another challenge.

Their recommendations included:

• Developing criteria for EHRs that meet federal and state standards for adolescent privacy and determining who has access to or the ability to control access to the medical record.
• Developing criteria and EHR technology allowing adolescents to record consent for care and treatment, as well as explicit consent for the release of protected health information.
• Building flexibility into development standards to shield the release of diagnoses, test results, prescriptions and other documentation containing confidential data--a requirement the paper calls "the most difficult to attain and control."
• Creating EHR systems that can flag, isolate and potentially shield confidential information being exchanged among providers and other healthcare organizations.
• Developing EHR-related billing systems that can suppress protected information.

"Continued lack of privacy protection in EHRs risks diminishing adolescent access to care, potentially resulting in higher adolescent pregnancy and STI (including HIV) rates, and unraveling significant gains that have been achieved," the statement read. "Even if these technical capacities exist in software, the privacy and security of the adolescent’s healthcare will require educating pediatricians and staff to the specific issues outlined in this policy."

Access the entire policy statement online.