Patient access to healthcare information continues to evolve and change the shape of patient relationships with doctors, hospitals, testing centers and insurers. The issue is receiving the attention of the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR), as evidenced by recent Health Insurance Portability right-of-access enforcement actions. and Accountability Act (HIPAA).1 Most settlements or actions arising from the application of OCR involve allegations that patients were denied access (their right under HIPAA) to their medical records and are typically resolved for dozens thousands of dollars, mostly paid for by dentists and doctors.
In 2020, the Office of the National Health Information Technology Coordinator (ONC) released a final rule implementing Section 4004 of the 21st Century Cures Act. Among other things, this rule implements interoperability requirements, defines information blocking, and seeks to give patients “more power in their healthcare”. Slowly but surely, the norm for personal access to health information is changing to become instantaneous and electronic, just as individuals now expect from banks, airlines, local governments and other important third parties in their daily lives. The transition is not without challenges and some resistance from the health care system.
What exactly is the information to which patients have a right of access? Key terms are Electronic Protected Health Information (ePHI), Designated Record Set (DRS), and Information Blocking. Here’s how they work together. ePHI is “any information, including genetic information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, regulatory authority, public health, employer, life insurance company, school or university, or healthcare clearinghouse organization; and relates to past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or past, present or future payment for the provision of health care to an individual” and is “transmitted or stored electronically or transmitted or stored in any other form or medium” and would be included in a DRS. When the Cures Act was implemented, a DRS was limited to a subset of health information until October 6, 2022. After that date, a DRS is simply defined as “a group of records maintained by or for a covered entity which is the medical record”. and billing records about individuals maintained by or for a Covered Healthcare Provider or used, in whole or in part, by or for the Covered Entity to make decisions about individuals.2-4 HIPAA and the Cures Act grant patients the right to access that access, and information blocking defines practices that would interfere with that access, including, but not limited to, delaying the release of grades. progress, laboratory results, or pathology results to allow for review by the clinician. .5
Why is patient access to their information controversial? Instant, electronic patient access to the electronic health record upends some longstanding physician-centric traditions of medical practice and documentation and raises some concerns. First, physicians may no longer have first pass rights over test results or control over how and when those results are interpreted. Physicians who previously scheduled office visits only to disclose and review results, particularly if normal, may find patients questioning the need for this service, the timeliness, or the propriety of “paying for their results” .
One area of particular concern is pathology findings and a new diagnosis of cancer. In a recent article, Gabrielson et al highlighted these concerns in the context of prostate biopsy results and presented several ideas for addressing communication, including making pathology reporting more patient-friendly.6 Second, the primary audience for medical record documentation has expanded to include anyone who can access the record at any time: physicians in the practice, consultants outside the practice, support staff, hospitals, insurance companies, patient support organizations, lawyers and patients. It is difficult to create and maintain a record that optimally serves all of these interests, but at a minimum, authoring physicians should document with the full expectation that the patient can and will access their record or possibly challenge its veracity. One example that could be problematic is a long paragraph on informed consent – material designed for an attorney audience, but a discussion that the patient remembers very differently. Another example might be a long systems review – perhaps copied in advance – where the patient has “denied” the symptoms but does not recall being asked or in fact having these symptoms. Finally, remember that regulations define the designated set of records as information used to make decisions about patients. Contemporary systems include features such as alerts, sticky notes, messages, phone notes, and appointment notes. If you use these features to store or communicate information used to make decisions about patients, then, by regulatory definitions, patients have the right to access these notes.
What are the penalties for obstructing patients’ access to their health information? The OCR has initiated HIPAA enforcement actions in at least 41 cases that have resulted in monetary penalties and/or corrective action plans primarily involving medical and dental practices.1 The ONC receives and processes complaints about possible blocking of information from the public. As of September 30, 2022, the ONC has received 511 such complaints, including 391 involving vendors, 73 involving health information technology (HIT) developers; most were from patients.seven The ONC triages and escalates complaints it deems to be a possible blocking of information to the HHS Office of Inspector General (OIG), which is responsible for formally investigating and, in the case of HIT developers or exchanges of health information, to assess any sanctions. (ONC has dual powers to investigate complaints against HIT developers.)
In a proposed rule dated April 2020, the OIG noted that its authority over civil monetary policy “does not extend to healthcare providers. If the OIG determines that a healthcare provider health has committed information blocking, they should refer that health care provider to the appropriate agency for appropriate deterrents.The appropriate agency and appropriate deterrents will be determined by the Secretary at the next development of notice and comment rules.8 This rule has not been finalized as of October 2022. So at this time it is unclear who will enforce vendor blocking of information and what the “deterrents” look like.
What matters and why it matters
The traditional information asymmetry in medicine is changing. Federal laws and regulations allow patients quick and unrestricted access to their health information, including, but not limited to, almost everything in the electronic health record. Physicians may worry about the unintended consequences of this access and transparency, but they can be mitigated by a new paradigm: the shared record. Take a moment to imagine how this can help you and your patients. Encouraging patients to review your/their notes may reinforce brief discussions you had in the exam room or uncover important omissions in the history. Reminding patients to review their test results can create shared responsibility and be a risk management strategy. Setting advanced expectations for patient access to pathology reports, as well as the usual time and place to review them, can avoid misunderstandings and improve communications. Portal access can eliminate time-consuming phone calls and letters to patients. These are just a few examples of how the new information paradigm rooted in patient access to their information can be leveraged to improve, not complicate, the doctor-patient relationship.
1. HIPAA Compliance and Enforcement Measures: Resolution Agreements. US Department of Health and Human Services. Updated September 20, 2022. Accessed November 8, 2022. http://bit.ly/3EkroRd
2. Code of Federal Regulations Title 45, §160.103. National Administration of Archives and Documents. Updated October 25, 2022. Accessed November 8, 2022. https://bit.ly/3O4nHFf
3. Code of Federal Regulations Title 45, §164.501. National Archives and Records Administration. Updated October 25, 2022. Accessed November 8, 2022. https://bit.ly/3hlja4N
4. Code of Federal Regulations Title 45, §171.102. National Archives and Records Administration. Updated October 25, 2022. Accessed November 8, 2022. https://bit.ly/3hqepHg
5. Blocking of information. HealthIT.gov. Updated October 31, 2022. Accessed November 8, 2022. http://bit.ly/3daOuxO
6. Gabrielson AT, Choi U, Fletcher SA, Pavlovich CP. Lost in Transparency: The 21st Century Cures Act (“Open Notes”) and Prostate Cancer Care. J Urol. 2022;208(5):948-951. doi:10.1097/JU.0000000000002924
7. Information blocking claims: in numbers. HealthIT.gov. Accessed November 8, 2022. http://bit.ly/3EhrOKP
8. Grants, Contracts and Other Agreements: Fraud and Abuse; blocking of information; Office of Inspector General Civil Monetary Penalty Rules. Federal Register. April 24, 2020. Accessed November 8, 2022. https://bit.ly/3FWiDAA
#access #records #good #patients #good