Designing a Patient-Centered User Interface for Access Decisions about EHR Data: Implications from Patient Interviews
- 2.7k Downloads
Electronic health records change the landscape of patient data sharing and privacy by increasing the amount of information collected and stored and the number of potential recipients. Patients desire granular control over who receives what information in their electronic health record (EHR), but there are no current patient interfaces that allow them to record their preferences for EHR access.
Our aim was to derive the user needs of patients regarding the design of a user interface that records patients’ individual choices about who can access data in their EHRs.
We used semi-structured interviews.
The study was conducted in Central Indiana.
Thirty patients with data stored in an EHR, the majority of whom (70 %) had highly sensitive health EHR data, were included in the study.
We conducted a thematic and quantitative analysis of transcribed interview data.
Patients rarely knew what data were in their EHRs, but would have liked to know. They also wanted to be able to control who could access what information in their EHR and wanted to be notified when their data we re accessed.
We derived six implications for the design of a patient-centered tool to allow individual choice in the disclosure of EHR: easy patient access to their EHRs; an overview of current EHR sharing permissions; granular, hierarchical control over EHR access; EHR access controls based on dates; contextual privacy controls; and notification when their EHRs are accessed.
KEY WORDSprivacy fair information practice electronic health records patient preferences human factors
As a nation, we are making progress toward the goal of seamless, user-transparent, cross-organizational health data exchange.1,2 In 2010, the President’s Council of Advisors on Science and Technology asserted that “The overarching goal is to have a national health information technology (IT) ecosystem in which every consumer, doctor, researcher, and institution has appropriate access to the information they need, and in which these groups are served by a vibrant market of innovators.”3 One technology that has the potential to improve care by providing an integrated view of relevant patient information is the Electronic Health Record (EHR).4
EHRs collect and disperse patient health information to a variety of recipients beyond the provider who collected it. Recipients of data contained in integrated EHRs range from providers who are actively treating a patient, to non-provider members of the health care industry, such as insurance companies or government agencies. Such data sharing has the potential to improve quality of health care by reducing errors and lowering costs.5 However, along with these positive effects, data sharing also has the potential to vastly decrease patient privacy, and in turn affect patients’ openness and relationships with their health care providers (i.e., be a “double edged sword.”)6
Previous research suggests that patients who are concerned about the privacy of their health information engage in risky health behaviors such as being less likely to seek care, refusing to discuss problems openly with their providers, delaying care, and even lying to providers (e.g., 6,7; also see8 for a thorough review). Thus, realizing the potential of Health IT to positively transform health care depends on whether or not new technologies respect patients’ privacy preferences.
In 2010, the Office of the National Coordinator for Health Information Technology (ONC) published a Health Information Exchange Challenge Grant Program that included a call for proposals for “enabling enhanced query for patient care.” One goal was to develop a usable, web-based user interface (UI) for patients to express their preferences about who could access what data in their EHRs. We have previously described an ethics framework to aid development of a patient control tool,9 which is extended in another paper in this JGIM Supplement,10 and how we developed and implemented the revisions to Careweb, a local utility for viewing EHRs.11 In this article, we continue to further privacy-enhanced EHR research by deriving implications for the design of a user-friendly web-based UI from interviews with patients about their needs and desires for controlling who can access personal information in their EHRs. Because we are interested in learning directly from patients what is important to them and why, we used a qualitative approach.12
This study is part of a larger project investigating patient sharing and access preferences to electronic health records. This portion of the study is the interview, which focused on understanding patient preferences for, attitudes about, and strategies for managing the privacy of a patient's EHR and the design implications thereof. In this section, we provide the key items requested by Tong et al.13
Recruitment and Participants
The 30 adult participants in this study are the same as those reported in Caine and Hanania.14 Participants were invited to participate if they fulfilled the following criteria: currently receiving health care in central Indiana and having active health records in the Indiana Health Information Exchange.15 We purposefully oversampled patients whose EHR contained highly sensitive health information as defined by the National Committee on Vital and Health Statistics (NCVHS);16 specifically, one of the following: domestic violence, genetic information, mental health information, reproductive/sexual health, and substance abuse. Patients whose records contained sensitive information were identified by the Indiana Clinical and Translational Sciences Institute (CTSI) for recruitment. No detailed information from the patients’ EHR was accessed by study staff.
Patients were either (1) approached by recruiters during outpatient appointments, told about the study, and invited to participate; or (2) recruited from a volunteer recruitment registry for residents in Central Indiana called INResearch.17 Patients who expressed interest were contacted for scheduling. Four additional participants were recruited through flyers posted on the Indiana University campus. The Institutional Review Board at Indiana University and the Indiana Network for Patient Care15 Management Committee approved this study, and each participant provided written informed consent.
The procedure was identical for all 30 participants: after filling out paper questionnaires, participants completed two information-architecture card-sorting tasks (see 18), a semi-structured interview, and a sharing-preferences card-sorting task (see 14). This paper reports on the results of the semi-structured interview, as well as demographics from relevant questionnaires.
We created a semi-structured script to elicit information from patients about their understanding of their current medical records, what methods they were aware of to view and exert control over the sharing of their health information, aspirations for future data sharing capabilities, as well as specific privacy concerns related to the sharing of health information.
While we employed guided questioning to facilitate consistent information elicitation across participants, the semi-structured interview format allowed the interviewer flexibility to follow up on themes we had not identified prior to creating the interview guide. The interview guide was pilot tested with three participants prior to beginning data collection to ensure that it was comprehensible and comprehensive. The interview script is available as an online Appendix.
Data Capture and Transcription
Interviews were video-recorded and audio-recorded and transcribed verbatim by a professional transcriptionist prior to the analyses.
In preparation for analysis, all transcripts were entered into MAXQDA,19 a computer program for qualitative data analysis. Following initial familiarization with the data, we performed a thematic analysis. We developed an initial coding scheme and performed indexing though constant comparison within and between interviews. Then, an independent meta-analysis was conducted using the coding scheme to synthesize the initial findings.20 Transcripts were initially coded by a researcher (CL) with expertise in qualitative inquiry and health behavior, then categories were developed and refined based on previously reported quantitative data and in discussion with the project team. Two investigators (CL & SK) then independently coded all quotations from participants. Any disagreements in coding were settled by a third researcher (KC).
The 30 participants in this study were the same as reported in Caine and Hanania.14 Enrolled patients were 73 % women, 30 % minority (African-American or Multiracial), and had a mean age of 46 ± 12 (SD) years. Patients ranged in educational attainment between less than high school to having graduated from college; represented a large range in household income, from those earning less than $5,000 per year to over $100,000 per year; represented a large range of self-reported health statuses, and a range of computer and internet experience. Seventy percent of participants had highly sensitive information in one or more of the five categories considered to be highly sensitive by the National Committee on Vital and Health Statistics.16
Patient Knowledge, Access and Preferences for EHRs
Overall (N = 30) (%)
Know what is in EHR
Have access to information in EHR
Believes they knows who can view EHR
Desire access to one's Medical Record
Desire control over access to health information
Would like notification when EHR is accessed
Methods of access control§
Restricting/blocking specific information
Time limits/temporal control
Access on “need to know” basis
Stated that they do not know what doctors need to access
Ideally, I’d like to have the same access to see what the doctors see. You know, and to see all the history and results, even the notes they’ve written. (P4)
In a nirvana situation, I would have control over what he would look at, whether, and ask why would he want to look at that. (P15)
It’s my body, that’s my information and how you handle it, it should be decided by me… Your medical record is you, I want to be the curator. I want to be the person who decides how it’s maintained, what’s put in it, what’s preserved and how it’s shared. (P25)
You’re not wanting everyone to know your sexual history even if it isn’t bad. That’s private, personal stuff. You aren’t going to want everybody to have access to that. (P20)
don’t want him [physician] to know. (P12)
I’d like to be notified anytime anybody accesses my medical records. Even if it’s my primary care physician… I’d either be notified through email or whenever you log on…. When you log on, you should be able to see a list of everybody who’s accessed your file. (P23)
If it's electronic, you'd be notified if they're trying to access something that's more confidential. (P5).
A good system would be able to track who accesses it and determine whether or not they had a reason to do so. (P19)
I would like there to be a permission system that nobody else has access unless they are an authorized health care provider or you’ve granted them access.(P17)
There are certain things that I don’t want just anybody to have access to unless I grant it. Just because North Carolina’s doctor would want that information doesn’t necessarily mean that I would want North Carolina’s doctor to have that information. (P30)
Let’s talk about my care… I think the doctors too have to use the patient as his first resource… If there’s something that needs to be put on the record, doctor says to the patient, ‘Okay, we need to update your record. Do I have your permission to add this information to your master record, to your medical file, your medical history?’ (P25)
Then, you can check that select all button when you're not wanting to see it, to block them from having any new access. (P27)
It goes back to the relevance of it… What if that was when I was fifteen? … why does he need to know that, especially if it’s something that has never come up before. (P30)
I don’t really think they necessarily have to have that in order to do their job… To schedule or bill something, I don’t think they need to know what’s happened in the past. (P6)
See it all but then turn it off later when they're no longer your doctor. (P27)
A nurse practitioner that I’m going in to see about migraine headaches doesn’t need to know if I had an STD 3 or 4 years ago. Doesn’t need to know sexual orientation. Doesn’t need to know I had a colonoscopy a couple of years ago. I’m there to see her about migraines. She just needs to be able to access information pertinent to my migraine history. (P23)
This is irrelevant information to them, I think…Yes. I would say, that’s my personality. They don’t get any information they don’t need. (P13)
Why they were having access to it when I am getting treated for a broken leg or whatever it might be. If I am in the hospital for an appendectomy why are they getting this kind of stuff? So I really wouldn't want them to have it because I don't think they need to have it. So I'd feel that is was a kind of violation. That is too strong a word but I don't know what… I just don't know why they would need to see any deeper than this. (P4)
Is there anything that lab technician has to know?… Let’s say you had something they needed to know. Then they would have limited access to that health information, but they wouldn’t have to see everything. (P18)
I’m not in a position to determine whether or not, what information is or is not exactly medically appropriate for them to see. (P17)
…if it’s up to the individual to limit access to different doctors, as I said, the individual is not a doctor. They don’t know what information the doctor might need. (P23)
[if a specialist needs information] They have to see my [primary] doctor (P14)
There should be like a team that’s in the medical records that’s responsible for granting the access for emergency situations… they would have to say what they're needing it for and determine if they would need just this particular area or if they need everything.
Our results, when viewed in combination with the ONC for Health Information Technology (HIT)’s privacy and security framework—eight principles that serve as a data collection framework for the protection of consumer privacy21—suggest six implications for the design of a patient-centered22 tool allowing patients to control disclosure of their EHR data. These six design implications are: 1) easy patient access to their EHR data, 2) reports of what is currently shared with whom, 3) granular, hierarchical control, 4) time-based controls, 5) contextual privacy controls, and 6) access notification.
Easy Patient Access to EHR Data
Individual access, or ensuring that people have access to data collected about them, is a core principle of fair information practice,23 and is a requirement for patients to be able to effectively control the privacy of their EHR data. Furthermore, patient access to one's EHR data may improve the patient–provider relationship and engage patients in their own care.24,25 Despite these benefits, only one-third of US physicians think patients should have full access to their EHR information.26
Fifty percent of patients in our study reported that they had no idea what was stored in their medical record and 90 % reported that they did not have access to their EHR. When patients gain access to their entire health record, they want to continue to access it, even though their privacy concerns about the data shared online increase.27 To be able to make informed decisions about sharing EHR data and personal privacy, patients must first be able to see what data about them are stored. Ideally, patients should be able to access their information in a variety of ways, including online, in the provider’s office and via paper letters and reports.
Summary of What is Currently Shared With Whom
Another core principle of the ONC’s privacy framework is “openness and transparency.” No patients in our study expressed knowledge of the reality of how widely their health information is actually shared (e.g.,28; see29 for a visualization). Indeed, EHR information can be shared quite widely. For example, Indiana has a health information exchange, the INPC15, which contains updated information from more than 90 Indiana hospitals and their affiliated outpatient practices. Physicians and other health care providers from these hospitals have access to patient data from all INPC hospitals. The INPC maintains a log of who accesses each patient’s record, and when, but does not record what information is displayed to users.
Each category of health information is expressed as a column along the semi-circle and each recipient group is represented as a row. In this concept, existing sharing settings are reflected via colored blocks: a colored block at the intersection of the Mental Health column and the Specialists row indicates that health specialists currently have access to Mental Health information. Health care providers are positioned closer to the center, while non-providers (e.g., Government) are positioned on the outskirts of the semi-circle. Overall, the concept is meant to provide a fast and intuitive glimpse of how a patient’s data are currently shared.
Provide Granular, Hierarchical Control
Similar to previous research (e.g.,30,31), participants in our study expressed a wide variety of preferences for what information they would like to share with whom,14 and how they would like to achieve this control (see Table 1). While all participants wanted to control who could view information contained in their EHRs at some level of granularity, the level at which participants wanted to exert regular control varied. Furthermore, there were differences in how users thought they could most effectively achieve this control. For example, some conceptualized allowing access to information (similar to findings reported in30 and32), while others talked about restricting access to information.
One user interface (UI) approach for supporting diverse preferences at a variety of levels of granularity simultaneously is to provide hierarchical control. Hierarchical control allows patients to select the level of granularity at which they make decisions and also allows patients to both allow and restrict access. For example, for those patients who prefer to share their entire EHR with all providers, they can affect this at a very high level in the UI. On the other hand, patients who would like to share all but selected sensitive categories of information with all providers can move down a level in the hierarchy. Finally, patients who would like to exclude one test from being shared with a provider or providers, or vice versa, could access this level of detail to make this choice.
A hierarchically based user interface for patient-directed control over access to EHR information with drag-and-drop functionality is shown in Fig. 2. Groups of health information are in the left column, and groups of recipients are on the right. Access is granted or rescinded by dragging a health information group such as Test/Lab results into a recipient group such as Primary Care. Individual elements (e.g., a specific lab result) are accessed by clicking on the category level and can be dragged in or out, thus granting or restricting just at the category level. Provider groups are created by dragging provider circles together. The colored dots within each provider circle represent the information categories currently shared with each provider group.
Contextual Privacy Controls
In addition to providing patients control through a hierarchical user interface, and offering them the ability to set limits to information access based on the time it was collected, we also suggest that the user interface should allow patients to make sharing and privacy decisions in context, i.e., during a medical encounter, in the context of the appointment, or in the context of the health information display itself while viewing their EHR. Privacy decisions are difficult across domains, especially when de-contextualized, and may not match actual privacy behaviors.33 Providing contextual privacy controls would increase the likelihood that privacy choices match with privacy preferences.
A majority of study patients (80 %) would like to know when their EHR information had been accessed and by whom, but varied in their desires for frequency of notification. Some patients wanted to be notified about every EHR access, while others wanted to know only when sensitive or confidential information was viewed. Importantly, patients suggested that having this kind of notification would enhance their trust in their provider and in the health system, which is notable, since previous research has pointed to the importance of patient trust in their care team on willingness to share personal health information (e.g.,31).
Patients overwhelmingly expressed a desire to have access to their own medical records, as well as a desire to control who views their health care data. Without being able to view their data and understand with whom it is shared, controlling access is impossible. Therefore, fulfilling these needs requires both guidelines mandating patient access to and control over their own data, as well as effective and usable design to enable that control.
We have identified UI elements that fulfill the needs we identified. A granular, hierarchical system permits a wide range of customizability while permitting users to allow or restrict access. A time-based access system equips users to restrict information based on collection date. Contextual privacy controls allow users to make sharing decisions in context. Finally, notifying users when their data is accessed and informing them what was accessed has the potential to improve trust in the system, while providing accountability for those who receive patient data.
The semi-structured interview method provided the flexibility to explore topics that participants mentioned during the discussion. However, this flexibility necessarily limits the standardization of the interview protocol across participants and generalization of the findings. The benefits of this approach outweigh its associated limitations in that it allowed participants to discuss topics they thought were important, thus providing a patient/data-driven perspective. Future work should seek to refine and corroborate these findings using more structured approaches (e.g., a large-scale survey).
Second, the participant sample is not representative of the US population of patients or patients across the world. Although broad in sociodemographic terms, participants in our sample were all from one hospital system in one geographic area. Furthermore, we oversampled patients with sensitive health conditions because understanding how patients feel about sharing sensitive health information was a goal of our project. Future work should seek to evaluate these findings with a geographically representative sample.
Participants discussed many issues that cannot be addressed via a patient-facing interface alone. For example, patients spontaneously expressed the desire for providers to access only information that was necessary for their immediate care, a finding echoed in similar research (e.g.,30) and implied in3; “every consumer, doctor, researcher, and institution has appropriate access”). What constitutes “appropriate” access, or better yet, what is optimal for providers to view during any specific care event is an open question. A “data deluge” is not desirable because providers can become overwhelmed by irrelevant details. Previous research has addressed the “minimum data set” necessary to support care,35 but this concept has not been extended to other populations. Future research should investigate whether the concept of the “minimum data set,” which provides the optimal amount and type of information providers need in different medical situations, is feasible across medical conditions. From both a patient and provider perspective, an EHR that provides only necessary information at the right time (i.e., “just-in-time” information) would be ideal.
Similarly, future work must measure the effects of giving patients access control. On the one hand, giving patients control may mean they are more willing to disclose health information. On the other hand, giving patients control may mean that they restrict the sharing of health information in a way that reduces the benefits of EHRs as a coordination/communication tool as well as a tool for health research. A previous study indicated that most patients wanted to be asked for consent before sharing their health information with health researchers.14 Research is needed to understand how giving patients access and control affects the balance of how much information they provide and share (e.g., EHRs can be double edged swords6).
While we have suggested designs that may fulfill patients needs regarding access and control, there is still much research to be done in ensuring thatthese tools are easy to use by patients and serve a useful purpose in the clinical encounter. Towards this end, we intend to explore the effectiveness of privacy “presets” or “templates”, i.e., configuration patterns for privacy settings. These can be generated using data from experts in privacy, health care delivery, and government agencies, along with “expert” or trusted patients, and using aggregate decisions from other patients in similar situations or who have a similar privacy profile. These templates would provide scaffolding, making it easier for users to make fast, meaningful privacy decisions about their EHR data (for a related discussion, see14).
This paper presents the results of formative user research, intended to generate user needs. The user interfaces presented in this paper resulted from a user-centered approach focusing on usability, ease of use, and usefulness. However, as with all user interfaces, usability can be evaluated and improved— areas in which we continue to work.
Our study suggests the need for and key characteristics of design of a patient-accessible EHR that places privacy control in the users’ hands. We have identified three interaction methods that enable information access control, as well as two specific features that promise to aid the user: contextual privacy controls and access notifications. Patients’ preferences were in line with suggestions from ONC HIT and PCAST, a majority of providers (c.f.,18) and existing research on patient preferences for the sharing of their electronically stored health information. This suggests that there may be a growing consensus for the need for policies mandating patients’ control over their own data, and the need to provide interfaces that allow users to exert control/express their preferences. To meet patient needs, future EHRs must consider these requirements during design. Identifying how patients conceptualize medical records and control access to those records is the first step towards creating an EHR that can preserve and enhance patient privacy by allowing users to express their privacy preferences.
We are grateful to Sheri Alpert, Peter Schwartz, Aaron Carroll, Jere Odell, Mike Barnes, Jon Duke, Jeff Friedlin, Doug Martin, Michele Degges, Morgan Soladine, Denise Anthony, Kay Connelly, Crystal Boston, Nathan Mihalik, Brenda Hudson, Jane Anne French, Patrick McGuire, Laura Yorger, Bedellion Armstrong, Kelli Givens, Genesis Thomas, Jennifer Hutchenson, Allison Stieneker, Theda Miller, Chris Power and Marc Overhage. We are also grateful to Laurel Stanley, Dana O’Dell and Andy Van Solkema of VisualHero for their assistance with UI design. We also thank the participants who enthusiastically participated in this study.
This work was supported in part by grant number 90HT005 from the Office of the National Coordinator for Health Information Technology (ONC), to the Indiana Health Information Technology Corporation, the Center for Law, Ethics and Applied Research in Health Information and the School of Informatics and Computing at Indiana University. EMM is supported by grant #UL1TR001108 from the National Institutes of Health. The opinions expressed in this work are the authors’ and do not necessarily reflect the positions of ONC, IHIT, Indiana University, Indiana State University or the Regenstrief Institute, Inc.
Conflict of Interest
Eric Meslin had a consulting contract within the last 3 years with Eli Lilly & Company on unrelated topics. The remaining authors declare no conflicts of interest.
- 3.President’s Council of Advisors on Science and Technology. Report to the President Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward [Internet]. White House Office of Science and Technology Policy; 2010 Dec [cited 2014 Sep 15] Available at: http://www.whitehouse.gov/sites/default/files/microsites/ostp/pcast-health-it-report.pdf
- 7.Bishop L, Holms B. National Consumer Heath Privacy Survey. Oakland, CA: California HealthCare Foundation; 2005.Google Scholar
- 10.Meslin E, Schwartz P. On the sufficiency of using bioethics principles to design patient control of electronic health records. J Gen Intern Med (submitted for publication)Google Scholar
- 11.Leventhal JC, Cummins JA, Schwartz PH, Martin DK, Tierney WM. Patient control of provider access to their electronic health records: Technical and organizational challenges (in press).Google Scholar
- 15.Biondich PG, Grannis SJ. The Indiana network for patient care: an integrated clinical information system informed by over 30 years of experience. J Public Health Manag Pract 2004; Suppl:S81-6.Google Scholar
- 16.Carr J. Recommendations regarding sensitive health information [Internet]. National Committee on Vital and Health Statistics; 2010 Nov 10 [cited 2014 Mar 28]. Available at: http://www.ncvhs.hhs.gov/101110lt.pdf.
- 17.INReseearch. Available at: https://www.inresearch.org/home. Accessed 2014 Sep 12.
- 18.Tierney WM, Alpert SA, Byrket A, Caine K, Leventhal JC, Meslin EM, Schwartz PH. Patient Control of Access to their Electronic Health Records: A Real World Demonstration in Primary Care. (in prep)Google Scholar
- 19.MAXQDA [computer program]. Berlin, Germany: VERBI GmbH; 1995.Google Scholar
- 20.Creswell JW, Plano Clark VL, Garrett AL. Methodological issues in conducting mixed methods research designs. Advances in mixed methods research. 2008:66–83. doi: 10.4135/9780857024329
- 21.Office of the National Coordinator for Health Information Technology. Nationwide privacy and security framework for electronic exchange of individually identifiable health information [Internet]. U.S. Department of Health and Human Services; 2008 Dec 15 [cited 2014 Sep 15]. Available at: http://www.healthit.gov/sites/default/files/nationwide-ps-framework-5.pdf
- 26.Accenture. Doctors Survey: How Do US Doctors Perceive Healthcare IT [Internet]. Accenture. 2013 May 8. [cited 2014 Sep 15]. Available at: http://www.accenture.com/us-en/Pages/insight-acn-doctors-survey-how-us-doctors-perceive-healthcare-it.aspx
- 29.Data Privacy Lab. theDataMap. Available at: http://thedatamap.org. Accessed 2014 Sep 12.
- 33.Spiekermann S, Grossklags J, Berendt B. E-privacy in 2nd Generation E-Commerce: Privacy Preferences versus actual Behavior. Proceedings of the 3rd ACM conference on Electronic Commerce. 2001 Oct 14–17.Google Scholar
- 34.Office of the National Coordinator of Health Information Technology and the Department of Veterans Affairs [Internet]. Health Design Challenge; c2012 [cited 2014 Sep 15]. Available from: http://healthdesignchallenge.com/