The laws that apply to patients’ access to their health information are complex but extremely important to know. Patients have rights to their health information and physician practices have obligations to provide patients with that access. In this discussion, we’ll dispel myths around HIPAA, talk about the importance of access for patients, caregivers, and care teams, and explore innovative ways to streamline the process for all stakeholders to ensure timely access to records and care.
What type of information does the patient have access to/ability to request?
Physicians have to comply with an assortment of laws governing patient access to health information, including HIPAA, state laws, and the federal law governing substance use disorder treatment records. There are also federal regulations prohibiting what’s known as “information blocking” and giving patients the right to request access to their records using a smartphone app of their choosing.
It is best to think of HIPAA as a floor, with other laws providing greater rights. HIPAA provides patients a right to access most of their health information, limits how much the patient can be charged for access, and provides deadlines for providing access. On top of HIPAA are state laws. If a physician's state law provides a greater right of access to a patient, then they must comply with both HIPAA and the state law’s additional obligations. State laws making it harder for a patient to obtain access to health information are preempted by HIPAA. Put simply, physicians must comply with whichever law gives the patient more access. Of note, states often have unique rules around access for some types of adolescent care (e.g., sexual/repro health services), behavioral health, HIV/AIDS and other STDs, and substance use disorder, so it's critical to know what your state law requires.
Finally, there is a federal rule (referred to as "Part 2") governing certain programs that hold themselves out as providing treatment, diagnosis, or referral for treatment for substance use disorders. It is important to know whether this rule applies to your practice. This rule requires a special consent form if a patient directs that a copy of substance use disorder information go to a third party, such as a caregiver or attorney. Unlike under HIPAA, a patient must also sign a consent form to share substance use disorder information for treatment and payment purposes. Note that some of these requirements are likely to change as a result of the CARES Act, passed earlier this year.
To complicate things, there are 50+ state laws that govern medical record retention, preservation, destruction and release. There are entire statutes that deal with records for minors and dependent persons, custody of children, child welfare, emergency situations, research, civil claims and law enforcement investigations, fraud, abuse and payment demands, etc. All of these need to be considered when someone "asks for a copy of the chart."
Just as every other service sector has a way to reach individuals, how can we formalize the best approaches for a Healthcare Consumer Contact Center (HC3) before a patient becomes a patient or “Patient Contact Center” (PCC) after a consumer becomes a patient?
Given patients regularly access easy to use e-commerce systems, online shopping, and related systems that provide a good user experience, what systems are in place today to support patients longitudinally, across providers, online?
No single EHR, no single patient portal, or even institution-focused systems can do the job that patients expect so it seems this might be a different class of software. What are some common “contact management systems” for patients to get support from clinicians and healthcare institutions?
This is tricky. A ton of CRM systems are marketed to providers. Most are for generating visits -- the same purpose as in other industries that can afford SalesForce. Most docs can't begin to afford SF, so there are many (hundreds?) cheaper apps tailored to smaller practices. The bigger EHRs have a "population health" module that is really CRM disguised as compliance. Most EHR "portals" have bilateral secure communications functionality, although plain-old email is far better. There are stand-alone, encrypted email systems that keep docs on the good side of HIPAA. Texting with patients is extremely popular; many OB's give their cell number to patients toward the end of pregnancy; surgeons sometimes do this post-op. Of course, Telemedicine is utterly upsetting the channels of doc/patient communication right now. So, I would say that traditional CRM is mainly used for lead generation in healthcare; whereas various other channels for e-Communication are much better and more popular.
How many platforms/software does a physician use on average to run their practice? (Billing, appointments, EHR, etc..)
If a physician is employed by and works within a single acute care setting about a dozen platforms could be in place. If a physician works across acute institutions and ambulatory settings it could easily be twice to three times that count.
The answer depends on whether you're talking about "independent" physician practices or practices integrated with large delivery systems or hospitals. There are huge differences in budget, I.T. staff and complexity of the informatics environment. These systems often represent "plug-ins" and "extensions" so it's very difficult from a technical standpoint to count them. It would not be wrong to say there were a thousand individual software applications at work in a given large care system. In a small office, if you include email, word processing, accounting, security etc., you would probably have to list several score at least.
To all: Welcome to this discussion focused on patient access to medical records! Thank you experts for participating! We look forward to an insightful and impactful conversation!
From a health information professional’s perspective, there are a number of barriers associated with patients being able to access their medical records including but not limited to continued confusion as to certain aspects of OCR’s HIPAA right of access guidance and cumbersome workflows and processes that not only make it difficult to pull the record(s) and but can unnecessarily delay access to that information for a patient or their caregiver.
I agree with Lauren's answer above. At times, concern about violating HIPAA can lead to medical professionals restricting access when it is not appropriate to do so. We attempted to address some of these common myths and misunderstandings in the AMA's Patient Access Playbook, released earlier this year (available here: ama-assn.org/press-center/pres...).
It might also be worth pointing out that some patients anticipate being able to see their entire medical record in patient portals, which is highly unlikely--portals only show a subset of information in a medical record. Accordingly, while practices can of course suggest that patients check out what's in the patient portal, practices should work with their patients and their caregivers to ensure they receive all of the information they want and need, even if it's not in the portal and must be provided in a different form/format.
Problem 1: most practice portals are cumbersome to use & access; the information contained is often limited or incomplete; they lack uniformity due to lack of standards.
Problem 2: HIPPA. This grew out of the HIV crisis that evolved in the 1980's. While well indented to prevent discriminatory practices against those who might be diagnosed, the law of unintended consequences has come into play. How? As we have rapidly moved to the need to actually use technology in health care for telemedicine etc, it is clear that concerns about HIPPA continue to stifle these initiatives.
Problem 3: EMR systems. They were never designed for medical record needs. They were encouraged by government funding programs for data documentation & billing purposes. They are proprietary, not interoperable & time consuming for physicians and medical staff to use.
Solution 1: Patient medical record. Give patients access to copies of lab, x-ray & other test and procedure reports to maintain their own records. This should also be allowed for care givers so they can compile accurate records for elderly or ill family members. This should become routine practice.
Solution 2: Create real standards for patient/practitioner portals that create uniform data entry & documentation. Allow ease of access and downloading of data from the record to patients files. Allow patients to at least suggest additions or edits if they feel the information they see is incorrect or incomplete.
Solution 3: Although Congress has attempted to address this in some fashion, we need a simple directive that allows for common EMR/EHR standards with mandated interoperability so that hospitals, physicians, clinics & other health entities can easily transfer data on patients. This is of particular importance in a mobile society, as well as one that is moving to ever increasing use of virtual care & virtual data collection.
The AMA Playbook referenced above is a start at navigating these problems.
Patient barriers to accessing their medical records include: lack of access to reliable internet; records with different HCP's are not interoperable; navigation is clunky and not intuitive.
A patient's right to access their records under HIPAA can be difficult for patients to access. Agree some physicians worry about violating HIPAA by giving patients access to their records, but turns out the opposite is true: refusal to provide patients with their records is a potential HIPAA violation (and OCR reached financial settlements with two health care providers last year for failure to give patients records). Patients have a legal right to much more than what is available in EHR portals - they have the right to a copy of the entire medical record (any information used to make decisions about the patient), including the notes and images. There are some exceptions to this right - but they are rare. Most patients can get what they need from portals - but physicians must have processes for getting patients the entire record if that's what the patient wants (also can't force the patient to use the portal) - and these patients cannot be overly burdensome for the patient (for example, you CAN'T require the patient come in person to make a request for records or to get the copies). HIPAA's requirements also limit the fees that can be charged to patients (probably less than what your state law says you can charge third parties who request records) and require the production of copies requested by the patient within 30 days of the request.
Agree Lauren! The majority of medical record requests are paper-based, manually done, rely on fax machines, with limited to no communication between HIM staff/professionals and actual patients and carepartners. The workflows are outdated, tedious, and incredibly frustrating, especially for patients who have multiple comorbidities or have an earth-shattering diagnosis and need records to make educated, informed decisions about their care quickly.
The Patient Access Playbook is a terrific resource that can help to level the playing field on dispelling HIPAA myths, providing streamlined workflows, as well as various templates to standardize medical records request processes. Highly recommend!
Great points Joseph! Will add that individuals need to be taught about the power of their medical records and how the information can be made actionable, from coordinating one's care, shopping for more affordable care, or using the information to file a insurance appeal or disability application. Patients and their carepartners need more support for the intricate and essential work they need to do in their respective health care journeys.
Deven raises the important point that access to medical records is a patient's right. HIPAA only *requires* covered entities to provide access in two instances: to HHS and to the patient him or herself. Think about that! For all of the talk about HIPAA among lawyers, technology developers/vendors, payers, and policy makers, how often do we focus on one of the only two required disclosures? It should be an enduring priority for the healthcare community to ensure that one's own health information is always made available -- easily -- to the patient. Information access and data privacy aren't mutually exclusive. The patient must always be the central priority.
The biggest barrier is that providers and patients don't have the same goals and perceptions about medical records. Patients are seeking resolutions to their medical problems or specific answers to health related questions across longitudinal multiple providers and think that there's a unified medical record across their clinicians and institutions.
Providers are looking for the best way to safely support multiple patients in the least time possible per patient while ensuring that they can get paid for their services and meet all the administrative requirements of the encounters without access to longitudinal medial records. To make matters worse, providers often don't have control over other providers in the care chain but patients want to believe providers all are fully connected and work together to resolve patient support issues using a common medical record.
In my experience and in many of the studies we've done we've learned that patients aren't really that concerned about medical records -- they just want support from whichever clinician or staff can answer their questions and solve their problems.
If we think that access to medical records is the key problem patients face then we might be focusing on the wrong issue and the goals mismatch barriers will remain in place.
If we look at major classes of patient support and why they want their medical records then we can design our workflows to meet their expectations.
Dr. Shah, I agree that many people don't prioritize accessing their medical records - particularly if they are healthy. I am actually one of those people - fortunately I enjoy good health, so just consult my portal from time to time to check test results or re-order prescriptions. But people who are very sick - or who have multiple co-morbidities or challenging chronic conditions - have greater needs for their records, and more often than not have a caregiver who needs access to those records to help their loved one navigate their care and stay as healthy as possible. So the data should be accessible when the patient needs or wants it - even if that need is not present all the time.
Thank you, Laura! When patients can easily access their data, they feel more connected to their care and it can enhance the doctor-patient relationship.
Right on Deven! Access to medical records for those that are in need of multi-institution or multi-provider medical attention is crucial and there's no doubt that it's a necessity.
Whether we call it a "right" or just "good customer service", patients must have access to their full medical records. But, the idea of health institutions providing good patient support is orthogonal to whether patients want or should have access to their records (that's a "must").
Access to medical records is needed today because the patient is often the health information exchange mechanism between care providers and that's the barrier -- institutions don't know how nor do they have tools to coordinate care across multiple providers so the gaps in care create the need for patients to fill in the gaps on their own: but patients cannot fill the gaps without access to the medical records so they're left spinning their wheels. That's why it's crucial for patients to have access to their medical records; but...
If we can help care providers with proper patient support tools so that they coordinate care and fill gaps on behalf of the patients then the patient's access to their medical records is less important. This means that providers need proper compensation, business models, and tools so that patients aren't left on their own.
Great point, Shahid Shah. Patients do serve as the health information exchange hub. I would add that--as a patient and a patient advocate--access to medical records is a right. One of the foundational principles of patient advocacy is "nothing about me without me" (first coined by the disability rights community). If patients don't have access to their health information, they cannot participate in their health and care.
From my professional background in public policy/public health and in working with underserved patient populations and my own patient experience, I break down the issue of access barriers to medical records into two buckets: First being regulatory/policy and second, being cost/infrastructure. Namely many of these issues stem from HIPAA regulations from a policy standpoint. On the flip side to that is the lack of interoperability. And, last but not least, the issue around not having the technological infrastructure for internet connectivity to access health records digitally.
In my own experience as a person living with chronic pain issues, the quality of care I received was hindered tremendously for a multitude of reasons, including bias in medicine, and the lack of interoperability. Interoperability or a lack, therefore, hindered my care as the different health systems I was seen at, were not corresponding my health records with each other. That left me the patient in the position of having to communicate my issues and treatment based on my own recollection. But the problem surrounding the lack of interoperability is quite complex from a patient rights perspective. I once demanded that I be provided with my medical records and was told that I needed to physically arrive at the practice of which I was treated in order to receive paper printouts of my medical record. And, while I had the time and physical ability to do that, many people that are critically ill and/or unaware of their rights to obtain their medical records and/or do not have a healthcare proxy in place to act on their behalf, do not have the same privileges.
Then there's the issue of cost. Many patients and health equity experts that I’ve worked with in the past have spoken about the issue of digital redlining. Digital redlining is when a group of people live outside of access points to receive internet connectivity as they are discriminated against by internet providers. In 2017 Cleveland residents brought complaints against AT&T to the FCC around this issue. It is important to note that areas that face digital redlining are often those where people of color or lower income individuals reside. Similarly, smaller medical practices in rural American may not have the technological infrastructure or bandwidth to provide patients with their medical records electronically. In essence, both geographic and regulatory factors account for the unique barriers patients will face in accessing their medical records.
While some leading institutions already provide access to visit notes, a broader adoption of open notes will greatly benefit patients and caregivers who do not recall much of what is said by the provider during a visit. The notes also provide education on one's condition and next steps including giving reasons for new prescriptions or procedures.
So many great points made here! What especially resonates from the patient and carepartner perspective is the the fact that "patients have a legal right to much more than what is available in EHR portals". Patients and their carepartners are introduced to portals as if they are the magic repository that holds all their longitudinal information. People need to be informed that they are legally entitled to so much more than what's in there.
This is especially true for patients living with chronic illness(es), multiple comorbidities, and life-altering/life-limiting diagnoses such as cancer, rare disease, disability, etc. Seamless access to information is essential to well coordinated, safe, continuous care. Will add that patients' carepartners often play a signficant role in managing health records and manually create longitudinal records to have a comprehensive picture of an individual's health. Patients and their carepartners are some of the best aggregators and curators of medical records and health information that I have seen. This meticulous work makes a difference, not only from an outcomes and cost perspective, but from an engagement, autonomy, and safety perspective as well.
Yes Gwen! I will push further to say that patients and their carepartners need access to medical records and health information not only to participate in health care, but also to push back against an ecosystem that is clearly stacked against them. For example, records are needed to file disability claims and to appeal insurance denials. As a patient, patient advocate, and the primary carepartner to 2 disabled adults, I can confidently say the strongest patient engagement initiative we have yet to unlock is the power and impact of seamless, actionable access to medical records.
Kistein, there are so many patients who have such extensive records that carrying them would require boxes on a handtruck. I know too many famillies, my own included, that carry heavy binders and bags of records to appointments "just in case". This literally creates an accessibility barrier in itself. As Deven pointed out, no patient should be required to pick up their information in person. I recently saw a practice advertise that they were offering curbside records pickup due to COVID19. Too say I was disappointed is an understatement. We have work to do. We must meet ALL people where they are in their local communities.
Great points Kistein. The pandemic has clearly shown that access to WiFi, from a public health standpoint, is essential. If our public sectors aren't going to improve access, perhaps the health care ecosystem needs to push for WiFi as a prescription. Interconnectedness is essential for access, interoperability, equity, and pursuit of health.
Pending
In short, "information blocking" is an illegal practice that occurs when a healthcare provider unreasonably withholds medical data from someone who has a legitimate interest in having it. The term became popular when the fantasy of "information interoperability" gained momentum. There are 3 formidable barriers to having every EHR "talk to" every other one. The first is purely technical. You have to "map the fields" in EHR-a to those in EHR-b. This means you have to put the same data in the corresponding spot. It's staggeringly hard, because each EHR defines its data differently, despite decades of standard development. The second barrier is economic and practical. Creating and maintaining (because of regular changes) the data map between 2 systems is very labor intensive. Trying to do this for 1,000 different EHRs is insane. The third giant barrier is simply conflict of interest. The custodian of the patient record has huge power. They can essentially hold the patient record hostage (information blocking), to insure that the patient finds it easier to return to the last provider rather than move their care to a new one.
Connect
Information blocking ("IB") can be something as simple using HIPAA as an excuse to not share medical records with a patient or delegated/consented care partner. Or, IB can be as egregious as an EHR or other software vendor preventing data sharing by charging beyond a reasonable cost for a feature/function that would encourage data sharing. Information blocking should be seen as any process that limits legal data sharing due to technical impediments, procedural impediments, or bad business practices (e.g. making up rules that aren't in the regulations).
If a tool, technique, process, or person is not promoting legal, ethical, privacy-safe, and secure data transfer then they're probably engaging in information blocking.
Pending
Information blocking is a massive hurdle patients need to overcome to be able to receive the care they need. Patients may request more than just traditional records that may appear in a portal: images on CD, pathology slides, pathology tissue blocks, billing records, the entire designated record set, etc. Patients are also requesting data from digital health tech such as an implantable cardiac monitoring device or pace maker. We need to think beyond traditional paper-based records requests and also think about the digital information blocking that patients are already facing. The digital app economy must have a digital records request solution as well.
Pending
I don't think patients have an understanding that information is blocked. We know how difficult it can be to navigate our records, but not what is being withheld. Grace, Deven do you concur that patients generally are not aware this is happening?
Pending
There are many facilities that consider the "visit summary" to be actual patient information. In most cases, it truly isn't. What's published on most EHR portals is highly filtered and can be complete nonsense. Let us contrast what true "open records" would be, compared to the insipid and often clinically useless "visit summary." My metric is, "What would the ED doc need to see, if I was carried in unconscious?"
Pending
Gwen, you are spot on - I don't think most patients realize the full scope of information they have a right to under HIPAA, and presume that what is provided to them in the portal is all they can get (and sometimes that is very little information). The information blocking rules should change that - and clinical notes is an example of where that should change. Notes are part of the "designated record set" which HIPAA requires be made available to patients upon request -- yet notes are often not available in the portal. I understand that for most (if not all) certified electronic health information systems purchased by doctors and hospitals, the capability exists to make notes available to patients in the portal -- but many doctors and hospitals have not yet turned on that functionality. One could make an argument that refusing to turn on existing functionality in an EHR system is "information blocking" in terms of getting the patient access to those notes. And clinical notes are part of the information subject to the information blocking rules.
Pending
Gwen, absolutely agree that the vast majority of patients do not know that so much information is being withheld. For many, the 1st time logging in to an EHR is very eye-opening. Patients are shocked, frustrated, and disappointed by how little is often readily available. As I work with patients and families through records request processes, we go through the basics of HIPAA, how care coordination works, and how to be a heat-seeking missile for information. Once you teach a patient about information blocking, they know exactly what it is and often have a personal story or many stories of examples they have lived through. Hospitals, health care delivery organizations, practices, and individual physicians should prioritize patient access and celebrate their efforts to liberate the information and data as well as actively denounce information blocking so all are aware of its prevalence. Elevating patient access needs to be recognized as the innovative, equitable, and futuristic strategy to implement.