Ethically Managing Your Patients’ Digital Health Information



You are a general otolaryngologist in a large suburban community, a partner in a three-otolaryngologist practice. Over the past 10 years, your practice has transitioned from paper records to an electronic health record (EHR) system, which now includes the scanned paper records from the past.

Transition to EHR was difficult in the busy practice, but now you and the other otolaryngologists and your staff are utilizing it efficiently. At first, however, you employed a scribe to assist you in data management, which was such a help that you continue to use a scribe even though the transition to EHR is complete. While you interact with the patient and perform the physical examination, the scribe enters the data elicited—including present illness, past medical history, and physical examination findings. From time to time, you indicate certain information that needs to be input in a particular manner, including diagnosis, treatment plan, and medications to be prescribed. It has been your practice to review the data immediately after the patient leaves the examination room for accuracy and completeness, making your own revisions as indicated, and electronically signing the encounter. The scribe utilizes your password to sign into the system each day.

As with any busy otolaryngology practice, there is a delicate balance between attention to the patient and attention to the data being recorded in real time, but you feel the use of the scribe has allowed you to pay more attention to the patient, which you know is important for a healthy patient-physician relationship. You believe you achieve that balance pretty regularly, but with complex patient histories and examination findings, you may communicate with the scribe more than you care to in order to assure the capture of important data. On particularly busy days, you may not have time to completely review all of the information input by the scribe, but you focus primarily on the critical elements.

Recently, one of your patients, whom you have treated for years for complicated chronic ear disease, tinnitus, and vertigo, stopped by the office to request his records. These were his demands:

  1. Provide all records within 72 hours, including scanned records from pre-EHR visits, on a USB drive;
  2. Provide a list of all individuals, organizations, government entities, and health information exchanges that had access to his protected health information (PHI);
  3. Provide a record of any breaches of EHR security in your office during his time as your patient;
  4. Remove his personal health information from your EHR system to ensure the safety of his PHI;
  5. Provide a typed translation of your handwritten notes from the old paper records if he deems your handwriting to be illegible, and provide the original paper documents if available; and
  6. Provide information on the background investigation and certification of the scribe who entered his PHI into his EHR.

You have begun to hear of similar requests to other physicians in your community from patients who are exceptionally worried about the security of their PHI, but this is the most extensive request so far in your practice. While you are aware of the risks of security breaches in EHR systems and appreciate concerns about information technology hacking, you believe this patient’s requests are excessive. How should you handle this situation?