Building patient trust in EHRs can’t be about security controls

The emphasis on security and privacy in electronic health record (EHR) systems as a prerequisite for building consumer trust in these systems both overstates the extent to which security controls can in fact provide trust, and understates the importance of the provider-to-patient relationship. Recent consumer polls certainly seem to indicate that individuals have a lot of concerns about their medical records being stored and used in digital form, loss, theft, and misuse of information chief among them. Practically speaking, however, it is unrealistic to think that typical consumers will be able to learn or understand enough technical information about the EHR systems that their providers or hospitals or insurance companies use to be able to make an independent determination as to whether the security and privacy measures afforded by such a system are sufficient to make them confident that their personal health data is protected. Instead, most people will rely on their doctors or other providers (the actual users of the EHR systems), and their relative comfort level with digitizing their health records will likely be strongly correlated with the level of trust they put in their providers.

The point is not to diminish the importance of having strong security and privacy protections for health data stored in EHR systems, but instead to reiterate that patient trust (or lack thereof) in health information technology cannot be provided through technical means alone. I suspect that few patients today have much of a feel for how their medical records are stored (paper files, computer, or some combination) or for the physical, technical, or administrative measures in place to secure them. With the prospect of easier and more frequent sharing of health data enabled by EHR systems, patients might be expected to be more interested in knowing how their records are being handled, but consumer acceptance of health IT should be influenced by the benefits (purported and, over time, actually realized) to themselves, their health care providers, and the health care system (not necessarily in that order). Health information is of course usually considered to be far more sensitive than other personal data, but as supermarket and other retailer loyalty programs have illustrated for years, lots of people are willing to disclose some personal information in return for perceived tangible benefits, and this pattern should apply to health data as well. To help individuals make informed decisions about EHRs and other health IT, there needs to be more education and outreach to consumers about EHRs, their intended and permitted uses and benefits, and also the ways in which personal health data is protected against loss, theft, misuse, and unauthorized disclosure. The best way to deliver these messages is to leverage the (hopefully) trusting relationship that already exists between patients and providers, since from the patient perspective, their doctors are much more likely to take on patient interests as their own than EHR software vendors, insurance companies, or even government health agencies.