Accompanying these concerns about the stigma associated with mental health conditions, patients and clinicians may also question the security of psychiatric records. Worries center on the number and qualifications of people who have access, whether records can be exported or stolen, whether medical center and clinic personnel who are uninvolved with immediate care can access the records, and whether rules regarding released records will apply to re-release by third-party payers or other recipients. When inadequately addressed, these concerns may keep patients going to psychiatrists secretly, unknown to anyone else; make them highly preoccupied with privacy during mental health visits; limit their revelations; and alter the accuracy of the events and feelings they disclose to their mental health providers.
Patients' and mental health providers' perceptions of psychiatric record security are affected by occasional but very high-profile reports of EHR system breaches. For example, a 2001 JAMA editorial pointed out that a privacy researcher was able to access the medical record of the then governor of Massachusetts by using an “anonymous” database of State Employee Health Insurance Claims, his town of residence and zip code, his birth date, and his gender.[2]
The same editorial quoted a past president of the American Psychiatric Association, Daniel Borenstein, as saying, “In the internet age, some wonder if privacy exists.” It is evident to these and other observers that people who see psychiatrists must feel secure that their revelations will remain private.
A number of efforts have addressed the problem of privacy and security for EHR systems, especially for mental health records. These include federal standards demarcating the boundary between a patient's general medical record and psychotherapy notes, such as those that went into effect in April 2003 as part of HIPAA rule 45 CFR §164.501.[13]
The new standards clarify that psychotherapy notes must not be kept with the general medical record and may only be released with the written authorization of the patient. Standards for the privacy of psychotherapy notes were inspired, in part, by the landmark court case, Jaffee v Redmond in 1996. In that decision, the court suppressed a request for access, by the decedent's family, to the psychiatric record of a police officer who had shot a man involved in an altercation.[14]
In addition, numerous technical approaches have been developed to enhance privacy and security across medical records; examples include integrating disparate approaches to privacy, improving access audits, performing in-depth analyses of privacy breaches, and improving models for access controls.[17]
At Vanderbilt Medical Center (VMC), an EHR system was developed for outpatient psychiatric records and deployed in 2003. Reasons given for the switch from paper charts included patient safety, with improved access to records in emergencies, lower costs of maintaining records, improved legibility and general convenience, and lower costs of providing responses to increasingly frequent and detailed requirements for copies of records for third-party payers. The latter is especially important in environments where frequent changes in insurance coverage are encountered. In our large medical center, where patients receive care from many different departments across a multi-facility campus, the transportation of paper charts had become unreliable and costly. The VMC EHR system was designed to assure that healthcare providers across the institution could access needed clinical records. For mental health services, all notes, appointments, and phone communications were sequestered in a separate database accessible only to psychiatric clinicians and staff. This continued the previous policy in that the paper psychiatric charts, similarly kept only in the charting rooms of each psychiatric clinic, were not available to most medical center clinicians. Internists and surgeons, for example, see no charted evidence in the EHR system that a given patient is under the care of a psychiatrist, even if seeking the record after the patient has revealed such information directly. Unless patients request that their note at a specific visit be recorded by the mental health provider in the database open to all clinicians, healthcare providers who are not established mental health providers cannot read psychiatric notes in the EHR systems. Only laboratory results, a list of diagnoses and medical problems, and the medication list are not sequestered and are currently available to all healthcare providers.
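The sequestration rules described above can be written as a deny-by-default access check. The following is an added illustration, not code from the VMC EHR system; the category names, the `psychiatric_staff` flag, the `patient_opened` field and the sample records are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass

# Categories the text says remain available to all healthcare providers.
OPEN = {"lab_result", "diagnosis_list", "medication_list"}
# Categories the text says are held in the separate psychiatric database.
SEQUESTERED = {"psych_note", "psych_appointment", "psych_phone"}

@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    category: str
    # True only if the patient asked that this visit's note be recorded
    # in the database open to all clinicians (applies to notes only).
    patient_opened: bool = False

@dataclass(frozen=True)
class User:
    user_id: str
    psychiatric_staff: bool  # hypothetical flag: psychiatric clinician or staff

def can_read(user, rec):
    if rec.category in OPEN:
        return True
    if rec.category in SEQUESTERED:
        opened = rec.category == "psych_note" and rec.patient_opened
        return user.psychiatric_staff or opened
    return False  # unknown category: deny by default

def visible_chart(user, records, patient_id, audit):
    """Return readable records only. Hidden records are omitted rather than
    shown as redacted, so the chart carries no evidence of psychiatric care."""
    shown = []
    for rec in (r for r in records if r.patient_id == patient_id):
        if can_read(user, rec):
            shown.append(rec.record_id)
            if rec.category in SEQUESTERED:  # audit every psychiatric read
                audit.append((user.user_id, rec.record_id))
    return shown

# Constructed sample chart for one patient plus one unrelated record.
CHART = [
    Record("r1", "p1", "lab_result"),
    Record("r2", "p1", "medication_list"),
    Record("r3", "p1", "psych_note"),
    Record("r4", "p1", "psych_note", patient_opened=True),
    Record("r5", "p1", "psych_appointment"),
    Record("r6", "p2", "lab_result"),
]
INTERNIST = User("u-internist", psychiatric_staff=False)
PSYCHIATRIST = User("u-psych", psychiatric_staff=True)
```

Omitting hidden records from the result, instead of returning a placeholder, is what keeps the existence of psychiatric care from appearing in the non-psychiatric clinician's view.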
To obtain impressions regarding the changes brought about by an EHR system, it was important to survey clinicians after a carefully determined period following their transition from a paper-based psychiatric record to an EHR system-stored psychiatric record. An instrument was developed for use with clinicians who would still accurately recall their experiences with paper, but would also have passed beyond any initial and transient impressions regarding EHR use. Survey questions assessed the perceptions and beliefs of a sample of mental health professionals regarding the quality, confidentiality, and security of the two forms of psychiatric records. A factor analysis was conducted to assess the quality of responses to the instrument by comparing the items in generated factors to a priori groups of survey topics.