These concerns echo those voiced by twenty-two independent advocates in the attached letter sent to OHS over a year ago. We’ve received no response to our concerns, which have only grown with development of OHS’s plans to finance the Health Information Exchange (HIE).
For fifteen years, the CT Health Policy Project has been a strong supporter of safe, effective exchange of health information. Ideally, an appropriate and useful HIE allows clinicians treating a patient to share medical records, so they are all on the same page. It should reduce medical errors, end fragmented care, and help control healthcare costs.
But as they are entrusted with our most sensitive information, HIEs have an enormous responsibility to protect patients. Americans want their providers to have access to their electronic medical records, but they are very concerned about privacy and inappropriate access.
Unfortunately, OHS and Connie, the nonprofit set up to operate the HIE, are selling access to our medical records through subscriptions. So far only insurers and large health systems, that make money by reducing our healthcare costs, are able to buy subscriptions to the system. Access to other entities may be coming; researchers studying suicide risk and app developers have already expressed interest. Connie’s board of directors has only representatives from insurers, large health systems, and state agencies. While insurers and large health systems have access to the system now, patients can’t access their own records on Connie.
Unfortunately, larger hacks of inappropriate access to our medical records at Connecticut insurers, health systems, and others are not uncommon. The most recent publicly-disclosed example happened just last month at Trinity Health. From documents obtained through a Freedom of Information request, we now understand that Connie will store personal health information, placing Connecticut patients at even greater risk.
As all providers will soon be legally required to participate in Connie, we are very concerned about creating more mistrust of the medical system and Connecticut health policymakers. The foundation of effective medical care is that patients can tell their providers anything, no matter how sensitive, and it stays confidential. Providers can give the best care because patients can be honest about their history, needs, and risks. Access beyond that trusted relationship compromises the quality of care and undermines patient trust in their providers. The challenges of COVID vaccine resistance underscore the already deep, and often deserved mistrust, of the medical system in many communities. Connecticut’s health information exchange shouldn’t make health inequities worse.
While consumers can opt-out of Connie, that is irrelevant if they are unaware of the change in access to their records and don’t know how to exercise their rights. No one should ever find out that someone beyond their provider has gotten access to their medical record in a breach notification or through the media. It is even worse if consumers never find out but suffer the consequences of denied credit, denied employment, are unable to rent an apartment, pay more for utility and internet services, experience denials or higher interest rates on loans, or higher auto, home or life insurance premiums, depending on which entities pay for Connie subscriptions.
Even when people opt-out, Connie acknowledges that some information will be disclosed anyway. Connie has not answered advocates’ questions about how much will be available and who will have access.
The state has no meaningful plan or resources devoted to a consumer engagement or education campaign to let people know that this is happening. A robust public education campaign is essential as, under state law, Connie will have access to every Connecticut resident’s medical records. This campaign is essential despite the fact that letting people know about and exercising their rights to opt-out of the system would lower the value of paid subscriptions that Connie is selling.
Unfortunately, this sort of deception is not new for Connecticut state government. It worked when Connecticut Medicaid placed hundreds of thousands of members into PCMH Plus, a new payment model that gives large health systems half of any savings they are able to generate by reducing members’ costs of care. Under political pressure, the notices sent to members were edited to remove any reference to that risk. As members weren’t told about the dangers, very few opt-ed out of the system. In an absurd circular argument, the state then argued that the low opt-out numbers are evidence that members like the program.
Connie says that they comply with all federal and state laws governing privacy and access to medical records. However the main law that covers medical record privacy, HIPAA, is badly out-of-date. It was signed into law by President Clinton in 1996, long before electronic medical records or big data existed.
While hacks into medical record systems are too common, OHS and Connie are inviting the scariest players in, for a price. The state needs to reconsider Connie’s costs and their financing plan. To improve, not jeopardize, the health of Connecticut residents, we urge you in the strongest terms not to sell access to the system and limit access to medical records only to providers treating that patient and only as long as they are treating them. Selling our medical records is a poison pill that undermines any potential benefit of the HIE, erodes the provider-patient relationship, and adds to mistrust of the entire healthcare system.