Healthit.gov  /  Health IT Dashboard  /  Health IT Library

Trends in Individuals' Perceptions regarding Privacy and Security of Medical Records and Exchange of Health Information: 2012-2014

ONC Data Brief 33 | February, 2016

Vaishali Patel, PhD MPH, Penelope Hughes, JD MPH, Wesley Barker, MS, Lisa Moon, MPH

Preserving patient trust in the privacy and security of health information is a critical element in achieving an interoperable health IT infrastructure (1). As adoption of certified health IT and electronic exchange of health information grows across hospitals and office-based physicians, it is important to assess the impact of these changes on consumers' perceptions regarding the privacy and security of their health information (2, 3). From 2012 - 2014, ONC conducted a nationwide survey of consumers to examine privacy and security concerns and preferences regarding electronic health records (EHR) and health information exchange (HIE) (4, 5). This data brief summarizes trends from 2012 - 2014 related to individuals' privacy and security concerns and preferences.

Individuals' concerns about the privacy and security of both paper and electronic medical records declined significantly between 2013 and 2014

Figure 1: Proportion of individuals who expressed concerns regarding the privacy and security of their medical record and withheld information from their healthcare provider due to those concerns, 2012-2014

A line chart showing time series trends from 2012 to 2014 of the percentage of individuals who are very of somewhat concerned with privacy of medical records, very or somewhat concerned about security of medical records, and withholding information from health care provider due to privacy or security concerns

NOTE: *Significantly different from 2013 and 2012 (p<.05)

SOURCE: 2012 - 2014 Consumer Survey of Attitudes Toward the Privacy and Security Aspects of Electronic Health Records and Health Information Exchange

In 2014, a similar number of individuals - about one in five - expressed lack of concern about both the privacy and the security of their medical records

Figure 2: Proportion of individuals who expressed concerns regarding the privacy and security of their medical records, 2012-2014

Two bar chart showing time series trends from 2012 to 2014 of the percentage of individuals who are not concerned at all, not very concerned, somewhat concerned, and very concerned about the privacy and security of their medical records

NOTE: *Significantly different from 2013 and 2012 (p<.05)

SOURCE: 2012 - 2014 Consumer Survey of Attitudes Toward the Privacy and Security Aspects of Electronic Health Records and Health Information Exchange

Individuals' concerns regarding the privacy and security of their medical record do not significantly differ by whether they have an electronic versus paper medical record

Figure 3: Proportion of individuals who expressed concerns regarding the privacy and security of their medical record and withheld information from their healthcare provider due to those concerns by whether their provider had a paper or electronic health record (EHR), 2014

A bar chart showing the percent of individuals who are very or somewhat concerned about the security of medical record, very or somewhat concerned about the privacy of medical record, and withholding due to privacy or security concerns by whether or not provider has an electronic health record or paper medical record

NOTE: There were no statistically significant differences between paper vs. electronic health records

SOURCE: 2012 - 2014 Consumer Survey of Attitudes Toward the Privacy and Security Aspects of Electronic Health Records and Health Information Exchange

Between 2012 and 2014, at least three-quarters of individuals supported their health care providers' use of EHRs despite any potential privacy or security concerns

Figure 4: Trends in individuals' perceptions regarding support for providers' use of EHRs in spite of privacy and security concerns and whether health care providers provide a reasonable level of protection for EHRs, 2012-2014

Two bar charts showing time series trends from 2012 to 2014 of the percent of individuals who support their health care providers

NOTE: This graphic reports on the proportion of individuals who strongly agree or agree with statements (See appendix for related survey questions)

SOURCE: 2012 - 2014 Consumer Survey of Attitudes Toward the Privacy and Security Aspects of Electronic Health Records and Health Information Exchange

Individuals' concerns regarding unauthorized viewing of medical records when sent by fax or electronic means declined significantly between 2013 and 2014

Figure 5: Trends in Individuals' Concern regarding Unauthorized Viewing of Medical Record if Medical Record Sent by Fax vs. Electronically for Treatment Purposes, 2012-2014

A line chart showing time series trends from 2012 to 2014 of the percentage of individuals who have concerns regarding the unauthorized viewing of medical record sent by fax or sent electronically

NOTE: *Significantly different from 2013 and 2012 (p<.05)

SOURCE: 2012 - 2014 Consumer Survey of Attitudes Toward the Privacy and Security Aspects of Electronic Health Records and Health Information Exchange

Between 2012 and 2014, at least 7 in 10 individuals have supported electronically exchanging their health records despite potential privacy or security concerns

Figure 6: Trends in individuals support for electronic health information exchange (HIE) in spite of privacy and security concerns, 2012-2014

A bar chart showing a time series trend from 2012 to 2014 of the percent of individuals that support electronic health information exchange in spite of privacy and security concerns

NOTES: No significant differences between years (p<0.05). This graphic reports on the proportion of individuals who strongly agree or agree with statement (See appendix for related survey questions).

SOURCE: 2012 - 2014 Consumer Survey of Attitudes Toward the Privacy and Security Aspects of Electronic Health Records and Health Information Exchange

Summary

Patient trust in the privacy and security of health information is considered foundational to the development of an interoperable health IT infrastructure. In 2014, a little over half of individuals had concerns regarding the privacy and security of their medical records, and about half expressed concerns regarding unauthorized viewing of their medical records when sent electronically or by fax. This represents a significant decrease from the prior year. However, there were no significant differences in individuals' withholding information from their health care provider due to privacy or security concerns during this period. In 2014, five percent of individuals nationwide withheld information from their health care provider due to privacy or security concerns.

Consistent with prior analyses, in 2014, individuals' privacy and security concerns regarding their medical records, and withholding of information from health care providers due to those concerns, did not differ by whether individuals had paper versus electronic medical records (4). Similarly, in 2014, individuals' concerns did not differ by whether a health care provider would send their medical record to another health care provider treating them by either electronic means or fax.

Between 2012 and 2014, individuals expressed high levels of support for providers using EHRs and engaging in HIE for treatment purposes despite any potential privacy or security concerns. HIPAA, the general federal health privacy law, supports HIE for treatment and care planning (6). Individuals' high level of support for EHRs and HIE may be related to their belief that their health care providers were already taking the steps necessary to protect their medical records (5). Between 2012 and 2014, 80% or more of individuals believed health care providers had measures in place to reasonably protect EHRs. Providing ongoing guidance to health care providers on cybersecurity and other issues to protect EHRs may help ensure that health care providers implement the most up-to-date measures to protect health information (7).

In summary, as EHR adoption and HIE increased among hospitals and physicians, consumers' concerns regarding HIE and the privacy and security of medical records declined. However, it is important to note that these perceptions reflect individuals' points of view prior to announcement in 2015 of several large health care information breaches (8). Whether these recent breaches may negatively impact individuals' perceptions related to the privacy and security of their medical records and exchange of their health information is unclear and warrants monitoring. Additionally, it is unclear as to whether the significant decreases in concerns between 2013 and 2014 are an anomaly or whether this represents the beginning of a trend towards decreasing privacy and security concerns.

Definitions

The definitions for the items related to security and privacy were developed from the National Committee on Vital and Health Statistics (NCVHS). According to NCVHS, health information privacy is an individual's right to control the acquisition, uses, or disclosures of his or her identifiable health data. Security refers to physical, technological, or administrative safeguards or tools used to protect identifiable health data from unwarranted access or disclosure.

Privacy of Medical Record: Privacy concerns were assessed with the question "Privacy means you have a say in who can collect, use, and share your medical record. How concerned are you about the privacy of your medical record?" Individuals were considered concerned if they reported they were either very or somewhat concerned.

Security of Medical Record: Security concerns were assessed with the question "Security means having safeguards to keep your medical record from being seen by people who aren't permitted to see them. Safeguards may include technology. How concerned are you about the security of your medical record?" Individuals were considered concerned if they reported they were either very or somewhat concerned.

Withholding of information was assessed by asking: "Have you ever kept information from your healthcare provider because you were concerned about the privacy or security of your medical record?" Individuals were considered to have withheld information from their healthcare provider if they reported "Yes."

Electronically was defined as "from computer to computer, instead of by telephone, mail, or fax machine."

Data Source and Methods

Data are from The Office of the National Coordinator for Health Information Technology's (ONC) Consumer Survey of Attitudes Toward the Privacy and Security Aspects of Electronic Health Records and Health Information Exchange. The survey was conducted by NORC at the University of Chicago with MITRE.

The respondent universe for the survey was the civilian, non-institutionalized population ages 18 years old and older within the 50 states and the District of Columbia. This survey utilized a dual random digit dialing (RDD) frame of landline phone numbers and wireless/mobile phone numbers developed by Survey Sampling International (SSI). In order to reduce sampling variability and to represent the nation, NORC stratified the landline RDD frame by Census Region. The 2013 survey oversampled Hispanic, Asian and Black populations, and the 2012 and 2014 oversampled for Hispanic and Black populations. A total of 2,123 were completed in 2014; 2,107 surveys were completed in 2013; and 2,050 surveys were completed in 2012. Data presented in this data brief are weighted national estimates.

References

1. Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap version 1.0 (Roadmap). https://www.healthit.gov/policy-researchers-implementers/interoperability

2. Heisey-Grove D. & Patel V. (September 2015) Physician electronic exchange of patient health information, 2014. ONC Data Brief, no. 31. Office of the National Coordinator for Health Information Technology: Washington DC. http://dashboard.healthit.gov/evaluations/data-briefs/physician-electronic-exchange-patient-health-information.php

3. Charles D, Swain M, & Patel V. (August 2015) Interoperability among U.S. Non-federal Acute Care Hospitals. ONC Data Brief, No. 25 Office of the National Coordinator for Health Information Technology: Washington DC. https://www.healthit.gov/sites/default/files/briefs/onc_databrief25_interoperabilityv16final_081115.pdf

4. Patel V, Hughes P, Savage L, Barker W. (June 2015). Individuals' Perceptions of the Privacy and Security of Medical Records and the Sharing of Medical Records between Health Care Providers. ONC Data Brief no. 27. Office of the National Coordinator for Health Information Technology: Washington DC. https://www.healthit.gov/sites/default/files/briefs/oncdatabrief27june2015privacyandsecurity.pdf

5. Penelope Hughes JD MPH, Vaishali Patel PhD MPH, Joy Pritts JD. "Health care providers' role in protecting EHRs: Implications for consumer support of EHRs, HIE and patient-provider communication." ONC Data Brief, no 15 Washington, DC: Office of the National Coordinator for Health Information Technology. February 2014. https://www.healthit.gov/sites/default/files/022414_hit_attitudesaboutprivacydatabrief.pdf

6. Health Information Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), and their implementing regulations: 45 CFR Parts 160 and 164 (the HIPAA Privacy, Security, and Breach Notification Rules).

7. Office of the National Coordinator for Health Information Technology. Guide to Privacy and Security of Electronic Health Information version 2.0 April 2015. www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf

8. Office of the National Coordinator for Health Information Technology. 'Breaches of Unsecured Protected Health Information,' Health IT Quick-Stat #53. http://dashboard.healthit.gov/quickstats/pages/breaches-protected-health-information.php. February 2016.

About the Authors

The authors are with the Office of the National Coordinator for Health Information Technology, Office of Planning, Evaluation, and Analysis and the Office of the Chief Privacy Officer. Lisa Moon, MPH is a graduate student at the University of Minnesota.

Acknowledgements

MITRE and NORC at the University of Chicago contributed to the development of the survey instrument, survey administration, and data analysis.

Suggested Citation

Patel V., Hughes P, Barker W. & Moon L. (February 2016). Trends in Individuals' Perceptions regarding Privacy and Security of Medical Records and Exchange of Health Information: 2012-2014. ONC Data Brief, no.33. Office of the National Coordinator for Health Information Technology: Washington DC.

Appendix

Table A1. Selected Items used for this analysis, 2014

Question Text Response Options
1. Privacy means you have a say in who can collect, use, and share your medical record. How concerned are you about the privacy of your medical record? Very Concerned, Somewhat Concerned, Not Very Concerned, Not Concerned at All
2. Security means having safeguards to keep your medical record from being seen by people who aren't permitted to see them. Safeguards may include technology. How concerned are you about the security of your medical record? Very Concerned, Somewhat Concerned, Not Very Concerned, Not Concerned at All
3. Have you ever kept information from your health care provider because you were concerned about the privacy or security of your medical record? Yes/No
4. If your medical record is sent by fax from one health care provider to another, how concerned are you that an unauthorized person would see it? Very Concerned, Somewhat Concerned, Not Very Concerned, Not Concerned at All
5. If your medical record is sent electronically from one health care provider to another, how concerned are you that an unauthorized person would see it? Electronically means from computer to computer, instead of by telephone, mail, or fax machine. Very Concerned, Somewhat Concerned, Not Very Concerned, Not Concerned at All
6. I want my health care providers to use an electronic medical record to store and manage my health information despite any concerns I might have about privacy and security. Strongly Agree, Agree, Disagree, Strongly Disagree
7. I want my health care providers to use a computer to share my medical record with other providers treating me despite any concerns I might have about privacy and security. Strongly Agree, Agree, Disagree, Strongly Disagree
8. As far as you know, do any of your health care providers maintain your medical records in an electronic system? Yes/No
9. Health care providers have measures in place that provide a reasonable level of protection for electronic medical records today. Strongly Agree, Agree, Disagree, Strongly Disagree