Too Much or Too Little? How Much Control Should Patients Have Over EHR Data?

Electronic health records (EHRs) have been promoted as a mechanism to overcome the fragmented healthcare system in the United States. The challenge that is being discussed is the rights of the patient to control the access to their EHRs' data and the needs of healthcare professionals to know health data to make the best treatment decisions for their patients. The Federal Trade Commission has asked those who store consumer information to comply with the Fair Information Practice Principles. In the EHR context, these principles give the rights to the patient to control who can see their health data and what components of the data are restricted from view. Control is not limited to patients, as it also includes parents of adolescent children. We suggest that the ongoing policy discussion include consideration of the precise questions patients will be asked when a need for data sharing arises. Further, patients should understand the relative risks that they face, and the degree to which their decisions will (or will not) significantly reduce the risk of a data breach. As various approaches are considered, it is important to address the relative resource requirements and the associated costs of each option.