One of the biggest challenges, if not the biggest challenge, of EMRs and EHRs is ensuring that the data is secure and patient privacy honored. There will always be a camp that thinks EMRs and EHRs can never be secured and we ought not use them. That's not the reality today, so we as an industry and a society need to keep the discussion going on how we can trust electronic patient data.

So long as technology has IT experts to continually work on security issues, technology is not something the rest of us need to focus on. Policy issues are something else altogether. Lack of policy, in fact, was the driver for many of the data breaches that have been reported. There was no policy in place barring electronic equipment bearing personal health information from leaving the facilities in some instances. At the very least, creating policies around sensitive data stored in portable hardware or drives and educating employees in theory would lower the risk of these kinds of breaches. More complex policies - who gets to see what data, for instance - would raise the bar a little higher. Those are policies that can be done within the four walls of an organization.

The more difficult problems arise when you expand the net to include communities, regions, states and the nation. The ARRA amendments to HIPAA were designed to update the privacy controls in a world that is increasingly becoming more electronic. That’s a start on the national level.

Then there is the issue of patient control. How much is too much? How much impedes the ability of healthcare providers to deliver safe and effective care? That's a hot button. No matter how you feel about Deborah Peel, MD, founder and chair of Patient Privacy Rights, she's good for the industry. She and other privacy advocates will keep the industry and the government on topic. If we're to succeed in connecting EMRs and EHRs and eventually connecting HIEs and RHIOs into the Nationwide Health Information Network, we have to find acceptable solutions.

Personally, I'm divided on the patient control issue. Whereas Peel believes that patient control over their medical records must be complete, Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS), said that consent puts a burden on the patient, requiring the patient to be involved in every transaction and having the knowledge to make an informed decision. Are some decisions over whether to release patient data too complex for patients to grasp? I think there are scads of instances that probably fit in this category.

Whose responsibility is it to educate the patients, then? Who is going to make them aware of the dangers of omitting parts of their medical record when having to deal with multiple providers? Take, for instance, the commonly referenced case in which a patient is prescribed an anti-depressant. Ideally, the prescribing provider would already educate the patient about the drug's risks. With EMRs and EHRs in the picture, would the prescribing provider now be tasked with counselling the patient about the importance of disclosing this piece of personal health information to any other provider the patient may see? Would it actually happen in the real world? I have no idea. But for some patients, it may not matter; they simply won't share that information. If another provider prescribes a medication that creates an adverse medical event, who is to blame? Would the patient or patient's family hold the patient responsible? Probably not.

I'd be curious to know if healthcare organizations that have EMRs or EHRs have a policy regarding medical liability. This is a slippery slope to be sure, and no doubt as EMR and EHR implementations rise, we'll likely see the legal side of privacy and security issues of computerized records. It's going to have to be one of those issues that have a painful transition until there is some sort of broad agreement or mandate that creates an equilibrium of sorts.