Search Site

 Advanced search
 

Journal Entries

 

Stay Informed

Sign Up Today to stay informed about HINZ events and relevant health informatics news!

*

 

 

Latest News

read more news

 

Upcoming Events

Other health informatics events...
 
 

Supporting Partners for 2012

Major Sponsors

 

 

 

 

 

 


 

 

Supporting Partners

 

 

 

 

 

 

 

 

 

 

 
 

International Events 2012

 

 

 

EHR Security: The New Zealand Public’s Perception

Friday, September 1st, 2006
Prajesh Chhanabhai

Department of Information Science

University of Otago

Dunedin, New Zealand



Alec Holt

Department of Information Science

University of Otago

Dunedin, New Zealand

Abstract
The international push towards Electronic Health Records (EHRs) has engendered many studies that have focused on the impact of EHRs on health care providers and their concerns regarding the use of EHRs in health care provision. This paper looks at a study that was carried out to find the perceptions of the New Zealand health consumer towards EHRs, with a particular focus on the security of an EHR. The study commenced with a survey carried out over four months across four of the five main city centres in New Zealand. The survey encompassed various perceived benefits and perceived disadvantages of EHRs. Our study focused on health consumers who were attending a health care provider, as it was felt that this group would be most concerned with how their health information would be stored, as they would be undergoing some type of treatment. The survey contained 14 questions and each was analysed using t-tests. The key finding from this study was that there is a general concern about the security, privacy and confidentiality of health consumers’ medical records. The main concern is unauthorised access to medical records. This unauthorised access may take many forms, from that of hackers to employers. However, there is only a small difference between health consumers who feel paper records are more secure than EHRs and those who feel otherwise. The survey findings indicate the areas that consumers are most concerned about, as well as the conditions that would allow them to feel that their EHRs are more secure.



Introduction
In the health care industry the patient–doctor relationship is bound by trust. This trust has stemmed from a clause in medical practitioners’ Hippocratic Oath:

All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.[1]

Currently there is a shift towards regarding patients as consumers. The change in terms has seen a gradual transfer of responsibility for health outcomes from the doctor alone to both the doctor and consumer. This transition, coupled with the emergence of IT into the health care field, has contributed to the shifting of responsibility as the role of IT is increasing in the health sector and consumers are becoming more proactively involved in their healthcare.[2]

The Electronic Health Record (EHR) has resulted from this combination. Pyper et al[3] define EHRs as a longitudinal record of consumers’ health care that has been and is being provided to them. A complete EHR system will include all facets of the healthcare team, of which the consumer becomes a key member. The aim of developing the EHR has been to establish a record that contains all of a health consumer’s information from "the cradle to the grave". However, as with Internet banking, consumers are very tentative about the process of using EHRs. The risks concerning security, privacy, and confidentiality of their medical information are at the forefront of consumers’ concerns.[4]

According to Gillies and Holt,[5] EHRs’ ability to store and retrieve information while allowing flexible queries is its significant benefit. Additionally, EHRs allow consumers to interact with their medical records. Currently, consumers have little or no interaction with their paper records. Hence, there is no method for consumers to check whether their clinicians have stored correct and complete data about them. According to the Institute of Medicine[6] up to 98,000 people in the US die every year from medical errors that have resulted from incomplete or incorrect health records. With a correctly monitored electronic record system, and where more interaction with the consumer is allowed to verify the record content, EHRs are estimated to be able to reduce this by up to 90 percent.[7]

EHRs and the electronic transmission of personal health information can provide a powerful tool to link the isolated islands and fragments of information about individual consumers that currently exist within disparate health care services. It also allows health care providers immediate access to essential clinical data. EHRs will also provide consumers with the capacity to provide essential information about their health care to the providers of their choice at any time.


Purpose of the Study
This study was carried out to examine the perception held by New Zealand health consumers that the security and privacy of their medical information might be vulnerable in an EHR system. Lack of understanding of their perceptions before such a system is set up could lead to negative repercussions, for example, the development of a system that the health consumer would not use because of a lack of understanding and concerns regarding security and privacy issues. Studies have shown that even though people’s reactions to EHRs are positive, the main barrier to acceptance that many individuals face is their perception that lack of security is a major problem with electronic systems.[8] Without education and reassurances about the safety protocols that do exist, there will be a reluctance to move health records into the electronic platform, a reluctance that would be shared by health practitioners.

To date there has been only one small study conducted in New Zealand that has looked at lay perceptions of EHRs.[9] The study attempted to obtain a comprehensive picture of ordinary people’s understanding of the security of EHRs and their health information. That small research project by Ryan and Boustead[9] showed that New Zealand health consumers are not really aware of advances in health IT in New Zealand and, as a consequence, do not understand the rationale behind EHRs. Major concerns about using EHRs were identified, with particular emphasis on security issues such as:

  • Downtime; 
  • System errors; 
  • Viruses; 
  • Vendor access to the system; 
  • Potentially wider distribution of information; 
  • Long-term accessibility and storage of information; 
  • Deliberate acts to harm the systems integrity (hackers, crackers, etc); and 
  • Backup and redundancy.

By looking at how each of these factors weighs on consumers’ minds, we will gain an understanding of the barriers that may be faced in the implementation of EHRs in New Zealand.


The New Zealand Context
According to Helen Glasgow,[11] of the Royal New Zealand College of General Practitioners (RNZCGP), most GPs in New Zealand have been using electronic systems since 1985. She does go on to say that consumer interaction with their own medical records is non-existent.[11] This indicates that the country already has the necessary infrastructure to adopt an EHR approach to medical records. According to Kerr,[12] New Zealand (52 percent) is only second to the UK (59 percent) with regards to EHR use in primary care. Australia (25 percent) was found to have half the penetration rate in its primary care setting of New Zealand and the US had only a 17 percent use of EHR systems in primary care.[12] Although the electronic medial records systems are termed EHRs by Kerr and by the Ministry of Health (MoH),[13] they still lack the consumer aspect and, thus, have been incorrectly defined. Despite the incorrect definition, the ventures in New Zealand that have the backing of the MoH have enabled the health sector to begin to employ IT in health care programs. Didham et al,[14] in a study to determine the state of IT systems in general practice in New Zealand, found that almost all practices in New Zealand utilise an electronic Patient Management System (PMS). They also found that 99.8 percent of practices surveyed had at least one computer. Protti[15] indicated that approximately 50 percent of GPs in New Zealand use the Internet on a regular basis, with a noticeable trend towards communicating with their patients . These studies confirm Kerr’s report that the IT infrastructure in New Zealand is ready to be adapted to an EHR regimen. One clear example of the drive towards the electronic medium is the use of the NHI number.

The NHI number is made up of three letters and four numbers that are uniquely associated with a certain individual. Initially the NHI number was used exclusively in hospitals, to record admissions and to ensure the hospital was aware of any medical warnings. The NHI number is now used for all health care instances involving an individual. Each instance is referenced and recorded by the patient’s NHI number, thus, allowing for the connection of separate records and allowing a patient health summary to be built up.

Apart from the NHI number, which is a core national system requirement, Kerr highlights four other areas that need to be taken into consideration in order for New Zealand to successfully implement a fully integrated EHR. These include:

  1. The consumer;
  2. Regional systems required by District Health Boards and hospitals;
  3. Community and local systems; and
  4. National connectivity and access.
With this in mind, the recently released 2005 Health Information Strategy for New Zealand[14] proposes a model that would cover these areas. The model indicates that the EHR system that would be ideal for New Zealand is based on a distributed system. The strategy aims to achieve connectivity at national, regional and local levels and has mentioned that consumers may have some role to play in this connectivity. However, it does not indicate the level of involvement that the consumer would have. The report does outline the importance of security in the use and collection of personal information.


Impact of Security on EHRs
Security of health records primarily encompasses privacy and confidentiality of health information. These are a problem for both paper- and electronic-based records. The nature of paper-based storage makes it more difficult for unauthorised people to access a large number of records without being caught. However, with electronic based records, involving centralised and distributed databases and linkages between various electronic systems, the ability to gain unsanctioned access to large volumes of patient information increases significantly. This is where consumers’ inherent fear about EHRs stems from. Silverman backs this up:[16] "Unauthorised access to paper records was always feasible, but the computer takes a small problem and magnifies it enormously" (p29).

Many types of people have tried and will try to obtain health information. Each type will use different ways to try to obtain this information. These methods can be grouped into five distinct categories, as identified by the Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure.[17]

  1. Insiders who make "innocent" mistakes and cause accidental disclosures.
  2. Insiders who abuse their record access privileges.
  3. Insiders who knowingly access information for spite or for profit.
  4. The unauthorised physical intruder.
  5. Vengeful employees and outsiders.
These categories are not clear cut; an intruder may fall into all categories at different times and or in different situations. The unauthorised physical intruder makes up one of the five categories; the other four categories indicate that the people that one should fear are those on the inside. Unlike other attackers, who might be more interested in the actual breaking of the system, the insider who is a trusted individual is after the information.[18]

Computer systems by their nature are prone to many problems other than intrusion. As a system based on software and various pieces of hardware, an EHR system is vulnerable to both software bugs and hardware failures. These failures have the potential to corrupt medical records and, thus, diminish the integrity of the record system. When the postal, fax or telephone system fails, there is a clearly evident impact on the message which is meant to be delivered.[19] In an EHR, this corruption may not be as easily noticeable. Examples include altering numbers in a laboratory report, or deleting large amounts of important information. Unlike the case in other systems, where an error would mean a financial disadvantage, an error in the health care system, due to badly designed software or poor hardware construction, may have a detrimental effect on both the care giver and the patient

Health care organisations continually look to technology for solutions and to enhance productivity. Their primary objective is to bring information to staff when and where they need it. Whether in front of patients or in the back office, secure access to the right information is vital to getting the job done. An EHR system would ensure that the flow of information occurs in a smooth manner. By assisting information flow, this solution would improve patient care, worker productivity, employee satisfaction and, ultimately, increase profitability. Thus, security measures are very important to ensure that a system is reliable and holds information that is correct and valid. The five major threats noted above indicate that security of health information is essential. A security system provides five key functions. It allows for:[20]
  1. Authentication;
  2. Access control;
  3. Authorisation;
  4. Accountability; and
  5. Availability.

Maintained at high levels, these functions ensure that the data can be kept confidential and their integrity maintained.

Privacy is the main concern that health consumers have about any record system. In 1995, the Louis Harris Poll found that 100 percent of Americans surveyed saw the benefits of having their health records computerised. However, 74 percent expressed concern about the negative effects of a computer-based system. Their concern was based on the following:[21]

  • Lack of understanding the dynamics of information gathering; 
  • Fear of having a lack of control over the use of their personal information; 
  • Not understanding the privacy protection laws and regulations that do or do not exist; and
  • Fear of errors, carelessness and poor judgement by those who may handle their personal information.

These concerns stemmed from their previous experiences with computerised systems. Ten years later, in 2005, the Harris Interactive survey found that 48 percent of American adults claimed that the benefits to patients and their wellbeing outweighed any risks to privacy.[22] Nevertheless, almost 70 percent of these individuals were worried that sensitive health information might leak because of weak data security. The concerns at the time of the 2005 survey were:

  • Sharing of medical information without a consumer’s knowledge; 
  • An increase in medical errors rather than a decrease with the use of computers; 
  • Reduction of any existing privacy rules; and 
  • Consumers not revealing all necessary information to their health care provider, because of the fear of having their details being made available electronically.[22]

The trend for New Zealand health consumers seems to be the same. However, there have been few national studies to verify the perceptions of New Zealand consumers. One small focus group study (conducted on a group of only 20 people ) in Dunedin in 2004 found that the security of an EHR database is the main cause for low public support for the database. It also found that the misuse of information and its disclosure to people other than health professionals was a major concern in the group.[9] This is in line with US and UK findings. The concerns that were raised by Ryan and Boustead were reated to:[9]

  • Confidence in the privacy and security of creation and sharing of records; 
  • The security aspects with regard to control of data; and 
  • The risks that individuals that use the record may face.

Table 1 shows the similar concerns that the were raised by the focus groups in both the Bury Knowle study and the Dunedin study.[3, 9]

Table 1. Comparison of some of the concerns raised by health consumers in the Dunedin and Bury Knowle studies[3, 9]

Ryan and Boustead[9] Pyper Amery, Watson and Cook[3]
"I don’t think there is anybody who can absolutely guarantee any information on a computer is totally secure" "Everyone has concerns about computer security Nothing is really secure whether paper or computer"
"You hear of them hacking into the likes of the US Pentagon Security thing. . . if they can do that, I’m sure they can break a simple password on a medical record in little old New Zealand" "I’m worried about hackers, you hear all sorts of horror stories don’t you"


This simple comparison shows that, irrespective of country, the concerns of the health consumer are the same. Nonetheless, Pyper et al[3] also found that before using an electronic system, 47 percent of people interviewed were worried about the security of an EHR. This number dropped significantly to 4 percent after respondents had used the system and were made aware of the various security measures in place. This drop in security concern was also found by Brenner.[23] Brenner conducted a survey to determine the perceptions of patients who utilise an Internet-based system to obtain laboratory results. Brenner found that security was not a primary concern for users of the system. The system utilised a PIN to access it and users felt this provided sufficient protection. However, this study was limited to women patients and it may be that the findings cannot be generalised to a broader population.[23] The significance of these two findings is that after actually using EHR systems, consumers found that their fears regarding security decreased. Denton[24] also conducted a study on 330 patients. In this study the patients were all given access to an EHR for a year and then were asked about their insights. Denton found that after this period, the privacy and security concerns were split closely, with 60 percent registering concerns and the remainder feeling that security was not an issue. Once again, when patients were allowed to use and understand the EHR, their security worries were not as prominent as for those who have not used such a system. Yet, the lack of knowledge concerning security measures that can be and are used remains a barrier towards use. Hunter[10] found only one person in her study that had an idea of the security measures being used to protect electronic information, and they too were not convinced of the overall strength of these measures.


Method
The sample population for the study that is the subject of this report was health consumers visiting small- to medium-sized health care practices. Hence, the consumers targeted were in the process of either receiving health care or accompanying someone who was. These people were considered to be more concerned and aware of their health information than the public generally.

A minimum sample size of 300 participants to allow statistical significance was determined by University of Otago Statistician, Brian Niven.[25] Participants were obtained through a two-step process. The first step involved locating suitable practices and obtaining consent to their being used as a survey point. This was achieved by going through the phone book and identifying a number of practices in four major city centres, (Auckland, Wellington, Christchurch and Dunedin). Sixty-six letters were sent to chosen practices outlining the study and requesting their involvement. The letters were standardised and noted that the time required by the practice would be minimal, as participants would fill out the survey as they waited to be seen by the doctor. Each had a readily identifiable reply form, printed on blue paper, and a prepaid envelope to facilitate easier communication. Step two involved those practices that agreed to be involved in the survey. The step involved preparing the survey packs. Each pack was made up of an information sheet, a consent form and a two-page questionnaire. A letter which acknowledged the practice and included more details about the survey process was sent to participating practice managers. Each practice received a minimum of 30 survey packs. The packs were sent out with a postage paid return envelope and a request to the practice managers or doctors to return the surveys as soon as all the surveys had all been completed.

Survey Design
The survey was designed iteratively over a period of three months. In that time, the survey was narrowed down to target the specific area that was being studied, using the rules outlined by Leedy and Ormrod (2001). Questions used in previous studies[3,8,22] were modified and used in this study. Questions from the previous studies were used as they included questions targeting a number of specific areas relevant to this study. These other studies’ primary focus was not just on security, and a number of their questions are adapted and used in this questionnaire to strengthen the results from the survey. Other questions were developed with the help of the statistics department at the University of Otago and others involved in the health informatics field. Feedback was obtained from both the NZHIS (the New Zealand Health Information Service) and the RNZCGP and their recommendations and suggestions were included in the survey.

The questionnaire was presented in four sections:

  1. About you.
  2. Your computer use.
  3. Electronic health records.
  4. Security and your records.
This paper focuses on section 4: Security and your records.

When the questions were finalised, a pilot study was conducted to ensure that the responses that would be obtained from the survey would be sufficient to answer the research question and to determine whether the survey could be easily understood or contained ambiguous language. The pilot study was conducted over two days with 20 participants drawn from a university hall of residence. Participants in the pilot study came from a wide range of backgrounds, ages and from both genders. The pilot study identified a number of items that should be changed to ensure the survey was better understood as well as a number of necessary format changes. The responses to the pilot study were also an indication of the type of results the survey would get. All these changes were made and the revised survey was tested on a small group of participants. This survey was found to be easy to understand and it was subsequently employed to obtain the data required for this study.


Results
Requests to take part in this study were sent to 66 small- to medium-sized health care practices around New Zealand. Responses were received from 45 practices. Ten practices agreed to take part in the study. Packs were prepared as set out under "Method" above. A total of 400 surveys were sent out over a period of four months. At the end of four months, 300 surveys had been returned fully completed. The remaining 100 were not completed in the allotted time frame. With the response rate of 75 percent, the decision was made to proceed with the analyses using 300 as the final number. This number was the minimum sample size to allow statistical significance.

Demographically, women made up 66 percent of the sample population completing the questionnaire (n=200). The distribution of the sample population was evenly divided between the two islands, the split being North Island 147 (Auckland 66, Wellington 81) and South Island 153 (Christchurch 52, Dunedin 101). A number of questions were asked regarding computer use, Internet trading and knowledge of the EHR; the responses to these questions are not covered in this paper.

Answers to the question "Are you concerned about the privacy and security of your medical information?" showed that 73 percent of the sample were concerned about the privacy and security of their medical information. This was further highlighted when participants were given a number of scenarios that could occur as a result of using EHRs. The results showed that most participants perceived that the EHR would lead to their medical information being shared easily. They felt that EHRs would lead to sensitive medical information leaking out (40.3 percent) as well as allowing the sharing of their medical information without their knowledge (42 percent). Figure 1 is a graphical representation of the spread of answers given to the various problems that could result from the introduction of the EHR.

The participants did not appear to feel strongly about the statement "Electronic Health Records could increase medical errors", with only a small difference between those who agreed with it (41 percent) and those who did not (38 percent). This could indicate that the perception regarding medical errors is not the major concern that health consumers have with EHRs. The next two statements highlight this fact. Participants felt that access is an issue with EHRs. Access is the basis of the security concerns. These results do concur with that perception. Overall 53 percent of the people surveyed believe that EHRs would have an inherent weakness in their security systems, while 29 percent thought that the EHRs would have a strong security system built in.

Having being given a list of potential problems, participants were then given a list of problems that affect other electronic systems. They were then asked to rank how strongly they agreed that each of these problems would be transferred to the EHR domain. Figure 1 clearly shows that most participants perceive that each of the problems would affect EHRs. The two main problems are vendor access to the system and the actions of hackers and crackers who will harm the system deliberately: 72.7 percent of participants felt that vendor access would be a real problem with EHRs, while 79.4 percent are worried about hackers. This fits in with the strong concern regarding access that was found by the earlier question. Malicious software (68 percent) was also a concern to participants. On the other hand, only 56 percent and 53.6 percent respectively felt that long-term accessibility and failure to backup would be a problem, indicating that the primary concern is with unregulated access to the system.

Each security measure had been explained in easy-to-understand terms before the participant answered the question. This was to give all participants, irrespective of age, gender and computer understanding, the basic concept of how each of the security measures work. Initially, the question was designed without the explanation, but it was felt that without an explanation, many people would probably not understand the terms. This would, thus, introduce a bias in the results. The security measures given were the ones most likely to be implemented in a secure EHR. By introducing the participants to these ideas, the question aimed to show that despite the perceived problems that have been mentioned earlier with security measures in place, participants would accept the EHR concept. This was shown in the studies by Pyper et al[3]

When informed about the various mechanisms that would be implemented with EHRs, the results show that participants then felt EHRs would be more secure.

Figure 1: Partipcants’ responses to the statements regarding potential EHR problems


Table 2: Participants’ perceptions on whether security would increase if there are various security mechanisms in place

Table 2 shows that there was a strong sentiment that with the addition of antivirus software, firewalls, restricted system access, audit trails and encryption, EHRs would be more secure. In each case, more than 80 percent of the respondents agreed that the security mechanism would make the EHR more secure.

The final quantitative question asked if participants felt that EHRs were more secure than paper-based records. It was hypothesised that participants would feel that paper records were still more secure. Initially, it was also thought that there would be a large difference between the two answers in favour of paper records, however, the results from this study indicated otherwise. The difference between those who felt EHRs were more secure than paper records and those who felt paper records were more secure is only 9.8 percent. One hundred and sixty-three (54.9 percent) participants answered that they felt paper records were more secure. The most common reason given was that "I don’t trust computers as they tend to crash", which was followed up by a more security relevant comment "I am scared of hackers". Hackers were mentioned 100 times in the comments section of the questionnaires, showing 61 percent of the total number of people surveyed felt paper records were safer. This is a clear indication that participants felt security was still not strong enough to prevent hack attacks. Of those surveyed, 45.1 percent (134) agreed that EHRs were a more secure method of storing health records. The most common comment was to do with the fact that "papers get lost, damaged and misplaced", which has been described as one of the reasons to move to an electronic system.

Analysis using SPSS statistical analysis software in collaboration with the Statistics Department from the University of Otago indicated that the survey returned the following statistically significant results:

  • Younger age groups will have less security concerns as they will have a greater understanding of computers. 
  • Females will be more concerned about the security of health information on EHRs as they are greater users of health care. 
  • Those who buy items over the Internet will be less apprehensive over security concerns.
  • Many people in New Zealand will not have heard about EHRs and this would influence their feelings about them.
  • The benefits are all consumer focused, thus consumers would agree that EHRs will provide most of the benefits that have been proposed.
  • Consumers, when given a list of the negative aspects of the EHR, would agree that the EHR may raise a number of concerns for them. 
  • When consumers are made aware of the security measures that may be in place they will feel that their record is more secure.

Conclusion
This study aimed to obtain an overview of the perceptions that New Zealand health consumers have about EHRs, with a specific look at the areas of privacy and security. The main hypothesis of the study was that:

The New Zealand health consumer will be apprehensive at the thought of their health records becoming electronic. Their main concern will be the fear of their records being accessed by unauthorised persons. However, if they understand the available electronic security they will embrace the new form of health records.

The issues of privacy and security have been a major concern of consumers worldwide. These issues have limited the progress of EHRs and their uptake by consumers. Studies by Westin,[22] Pyper et al[3] and the NHS[8] have shown that health consumers feel that EHRs pose a problem when it comes to keeping their health information private and confidential. Ryan and Boustead[9] and Hunter[10] showed, in their smaller studies, that New Zealand health consumers have voiced similar concerns. The results from this study indicate similar opinions from a larger sample group. As well as being concerned about the privacy and security of their medical records, the participants’ greatest fear was that their information might be accessed by unauthorised people. Westin[22] reported that in July 2004, 66 percent of the American public showed concern about the privacy and security of their health information on electronic systems. A report by the California Healthcare Foundation[26] published in November 2005 indicated that 67 percent of participants surveyed were concerned about the privacy and security of their health information. This study also confirms this finding, with 73 percent of the participants showing concern about the privacy and security of their health information. These findings illustrate that there is an identifiable concern within the health care consumer population. The findings from this study showed a greater percentage of people concerned about the privacy and security of their health information, compared with the findings of the American studies. This may be because of the smaller sample size of this study. However, the numbers show that the concerns surrounding security and privacy have to be addressed to ensure the health consumer is comfortable with the transition towards EHRs.

The biggest concern raised was about hackers. Overall, 79 percent of the participants of this study felt that hackers would pose a big problem for EHRs, while 61 percent of the participants who preferred the paper medium chose that medium because of their concern about hackers. Cyber Dialogue[27] reported that 59 percent of American health consumers were concerned about hackers, while in 2005 an increased percentage of 62 percent was reported.[22] This fear of hackers and of unauthorised access may be due to the media hype that surrounds such intrusions when they do occur. Health consumers only need to tune in to their local news channels or read the newspaper to learn of privacy breaches and cases of hackers stealing health information. When individuals learn of such incidences they are further alarmed as they are already fearful that their information is not adequately protected. Also, such situations strengthen the convictions of those who believe that it is not possible to provide sufficient assurances of privacy and security of electronic health information.[28] This study did not address the impact of the media on the perceptions of electronic security, but an early hypothesis for a further study may indicate that there is a strong relationship between the two. The fear that individuals have about the possibility of their information being accessed by unauthorised people such as hackers, employers and insurance companies will be heightened when they hear of any incidents when the security of an electronic system has been compromised.[29]

Venkatesh et al[30] have also reported on the Unified Theory of Acceptance and Use of Technology (UTAUT) model. The study looked at a number of variables and factors that may affect an individual’s intentions of using technology. Social anxiety was one of the variables measured and was found to be insignificant in the uptake of technology. However, this model was not tested in the health sector and, as indicated by these results, social anxiety in the form of concerns about security and privacy, is an influencing factor in the uptake of technology by the health consumer. Thus, a model that is independent of other sectors is required specifically for the health sector. Once an understanding can be reached as to why the health consumer is averse to the use of EHRs, proper measures can be implemented to alleviate the fears and increase health consumers’ acceptance of them. These fears may result from cultural differences, including ethnic background, lack of understanding of technology, or simply from a feeling that health information is too confidential to be shared with a wider community.

This study has highlighted the fact that security, privacy and confidentiality are the major concerns connected with health information. These concerns are further heightened when a traditional paper-based record is transferred to the electronic medium. They become the major barriers to health consumers’ acceptance of the move to an EHR system. If the system is not accepted by the health consumer, it will not serve the purpose for which it has been established. There are a number of limitations of the study, these have all been documented in Chhanabhai.[31]


Acknowledgements
This study would not have taken place without the help of all the practices that agreed to take part in the study as well as all the participants of the survey. Further thanks are extended to Inga Hunter and Kalash Mohan for their role in this study.


References

  1. Massachusetts Institute of Technology. Hippocratic oath [online] 2000. http://classics.mit.edu/Hippocrates/hippooath.html . 15 March 2005.
  2. Dhillon AS, Albersheim SG, Alsaad S, Pargass NS, Zupancic JAF. Internet use and perceptions of information reliability by parents in a neonatal intensive care unit. J Perinat 2003; 23:420–4.
  3. Pyper C, Amery J, Watson M, Crook C. Patients’ experiences when accessing their on-line electronic patient records in primary care. Br J Gen Pract 2004;54:38–43.
  4. Mandl KD, Szolovits P, Kohane IS. Public standards and patients’ control: how to keep electronic medical records accessible but private. Br Med J 2001; 322:283–7.
  5. Gillies J, Holt A. Anxious about electronic health records? No need to be. N Z Med J [online] 2003; 116. http://www.nzma.org.nz/journal/116-1182/604/. Accessed 20 March 2005.
  6. Kohn LT, Corrigan JM, Donaldson MS. To err is human: building a safer health system. Washington, DC: National Academy Press; 1999.
  7. Still T. Electronic health records can save lives and improve medical care [online].  http://wistechnology.com/printarticle.php?id=1545. Accessed 18 Feb 2005.
  8. National Health Service. The public view on electronic health records [online] 2003. http://www.doh.gov.uk/ipu/programme/research.pdf. Accessed 4 September 2005.
  9. Ryan KM and Boustead AJ. Universal electronic health records: A qualitative study of lay perspectives. N Z Fam Physician 2004; 31(3):149–154.
  10. Hunter I. Patient attitudes to electronic medical records. Privacy Issues Forum 28th March 2003, Office of the Privacy Commissioner: Auckland, New Zealand.
  11. Glasgow H. Pers comm, 16 August 2005.
  12. Kerr K. The electronic health record in New Zealand. Health Care and Informatics Online [online] 2004. /journal/index.cfm?fuseaction=articledisplay&FeatureID=040304. Accessed 25 May 2005.
  13. Ministry of Health. Health information strategy for New Zealand. Wellington: Health Information Strategy Steering Committee; 2005.
  14. Didham R, Martin I, Wood R, Harrison K. Information technology systems in general practice medicine in New Zealand. N Z Med J [online] 2004; 117. http://www.nzma.org.nz/journal/117-1198/977/. Accessed 15 March 2005.
  15. Protti D. Local clinician involvement in clinical information systems: luxury or necessity? – a review of two international experiences. At ASSIST, Harrogate, Preston [online] 2003. http://northwest.assist.org.uk/resources/ ASSIST%20-%20Clinician%20Involvement%20-%20Necessity%20or%20Luxury.ppt. Accessed 20 June 2005.
  16. Silverman DD. The electronic medical record system: health care marvel or morass? Physician Exec 1998;24(3):26–36.
  17. National Research Council. For the record: protecting electronic health information. Washington DC: National Academy Press; 1997.
  18. Spitzner L. Honeypots: catching the insider threat. Proceedings of the 19th Annual Computer Security Applications Conference. Washington D. C. 2003:170–80.
  19. Anderson RJ. Security in clinical information systems. Cambridge University Press; 1996.
  20. Department of Health and Human Services. Health insurance reform: security standards, final rule. Federal Register Reg 8334 [online] 2003. http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/pdf/03-3877.pdf. Accessed 18 October 2005.
  21. Givens P. Medical records privacy: fears and expectations of patients. At Toward an Electronic Patient Record Conference. San Diego [online] 1996. http://www.privacyrights.org/ar/speech2.htm. Accessed 17 August 2005.
  22. Westin AF. US public sharply divided on privacy risks of electronic medical records. At the Hearing on Privacy and Health Information Technology [online] 2005. Washington DC. http://www.pandab.org/. Accessed 17 March 2005.
  23. Brenner B. Is the provision of laboratory results via the Internet acceptable to patients? A survey of private patients in a large, specialist gynaecology practice. N Z M J [online] 2003; 116. http://www.nzma.org.nz/journal/116-1187/711/. Accessed 15 July 2005.
  24. Denton IC. Will patients use electronic personal health records? Responses from a real-life experience. JHIM 2001;15:251–9.
  25. Niven B. Pers Comm. 5 May 2005.
  26. Bishop L, Holmes BJ, Kelley CM. National consumer health privacy survey 2005. California Healthcare Foundation [online] 2005. http://www.chcf.org/documents/ihealth/ConsumerPrivacy2005ExecSum.pdf. Accessed 13 November 2005.
  27. Cyber Dialogue. Ethics survey of consumer attitudes about health web sites. 2000. http://ehealth.chcf.org/view.cfm?section=Consumer&itemID=1740. Accessed 22 August 2005.
  28. Dubow J. National survey on consumers’ experiences with patient safety and quality information. At the Hearing on Privacy and Health Information Technology [online] 2005. http://www.ncvhs.hhs.gov/050224p4.htm. Accessed 17 March 2005.
  29. Donohue K. Is your personal health information really safe? Blueprint [online] 2000. http://www.dlc.org/ndol_ci.cfm?kaid=140&subid=288&contentid=1043. Accessed 24 July 2005.
  30. Venkatesh V, Morris MG, Davis GB, Davis FD. User acceptance of information technology: Toward a unified view. MIS Quarterly, 2003;273:425–78.
  31. Chhanabhai P. EHRs: Fear of breach? The New Zealand public’s opinion. Unpublished Masters Thesis. University of Otago Library. Call Number 7LT C.

Back