Whose Medical Record Is It, Anyway?
By Kate Jackson
For The Record
Vol. 17 No. 6 Page 16
Consumers may need to perfect their ad-lib skills to make certain that their personal healthcare information remains in their control. Just what does it mean to have the right to a medical record, and does the answer to that question depend on whether the health information is contained in a paper chart or an electronic file? What happens to personal health information when it is digitized and entered into electronic medical record (EMR) networks? Once it’s in this ethereal form, who controls it? Without control, can it leak out into the electronic networks and be viewed—unbeknownst to those to whom it pertains—by unauthorized prying eyes?
The answer sounds like doublespeak: Patients have records, but their medical providers own the records. Patients have access and control of the information in the medical records but only to the extent that both the law and the providers permit. Patients control the flow of information—more or less—when they’re allowed. And information is not accessible to others without the patient’s knowledge, except when it is. Confusing? You bet.
Who Owns the Health Record?
Whether their records are on charts, disks, or secure Internet servers, consumers have a limited right to view, copy, or amend their health records, but they don’t own their records. (They may, in fact, own personal health records such as smart cards or other forms of personal records, but not the actual record maintained by the healthcare provider.)
It may vary somewhat by state law, but the healthcare record is owned by the healthcare provider that created it, explains Bill Spratt, healthcare partner at Kirkpatrick & Lockhart Nicholson Graham, a Florida board-certified health lawyer, and chair of the Florida Bar Health Law Certification Committee.
“In most states, even prior to HIPAA, patients had a right to access and request a copy of their records,” he says. The privacy rule essentially established a national standard confirming that right, and HIPAA went a little further to also give consumers not only the right to review their records but also to challenge inaccuracies. “The provider is not required to amend the record based upon the consumers’ comments, but the comments at least get inserted into the record,” says Spratt.
What Rights?
According to Divan Da’ve, CEO and founder of OmniMD™, a developer of HIPAA-compliant, Internet-based enterprise clinical solutions, consumers have five general rights with respect to their medical records—rights that will not change once a healthcare infrastructure of EMRs has been established:
• an unconditional right to be informed of the data-handling practices of medical practitioners and providers;
• the right to request, but not necessarily to always obtain completely, the privacy protection of your healthcare information;
• the right to review and copy your medical record;
• the right to request that inaccuracies in your record are corrected; and
• the right to know who has accessed your medical records in the past.
These fundamental rights, agrees Carolyn Hartley, editor and publisher of Physician’s e-Health Report and president and CEO of Physicians EHR, LLC, were delineated in HIPAA’s privacy rule, which, she says, was established with the big picture of electronic records and interoperability in mind.
According to Hartley, lead author of EHR Implementation: A Step-by-Step Guide for the Medical Practice, Notices of Privacy Practices that physicians have adopted and sent to their patients, which spell out the extent of the patients’ rights and the providers’ responsibilities, were developed with a clear awareness of the future of electronic interoperability. As a result, she says, the achievement of interoperable networks will not change consumers’ basic rights. “Patient rights apply in the electronic world just as they do in the paper world.”
Access to Records
Patients, says Spratt, a former healthcare administrator, generally have the right to see and request a copy of their entire medical record. The exceptions to that rule are records pertaining to psychiatric conditions, HIV status, and mental health care, he says, adding that most states consider psychiatric records to be “hyperconfidential.”
In Florida, for example, “if a patient requests a copy of a psychiatrist’s record, the psychiatrist is only required to provide summaries and not the actual records themselves, and that’s to protect the patients and others because there may be some very sensitive information, conclusions, analyses, and hearsay comments in the record that might create issues for the patients if they were to read them,” Spratt says.
Most consumers who request information from their EMRs will get a printout, but Spratt notes that more sophisticated physician groups are adopting systems that allow patients to access their EMRs remotely via the Internet using appropriate passwords, controls, and security safeguards. These providers’ patients can also schedule healthcare via the Internet, as well as receive medical advice and other features through such connections.
“Those Internet-based physician practice systems are still relatively uncommon, but that’s the direction we would expect health information to take in the future,” Spratt says.
Equally important is the consumers’ right to know where their medical information has been released.
“They have the right to request an audit of the places where their medical records have been used or shared—used meaning internally and shared meaning externally,” Hartley says.
The hospital or doctor has 60 days to respond to that request. “If there’s one consumer right that will shake up the healthcare community, that’s it because it takes a lot of system work. But it’s also the checks and balances system that needs to be in place so that people aren’t afraid of their health records being exchanged electronically,” Hartley explains.
Are the Rights All Right?
Da’ve suggests that paper records are more prone to privacy violation than electronic records, noting that the EMR protects the security and confidentiality of medical information in a scientific manner as compared with paper records. “Only authorized personnel can access patient records using secure login ID and passwords,” he explains. Thus, access to records is limited to those medical personnel who have a role in the patient’s care. He believes, however, that patients’ rights need to be strengthened and similar, regardless of what form the records are in—paper or electronic.
Spratt, on the other hand, indicates that consumer rights are quite strong now and suggests that paper records have, in at least one respect, an edge over the EMR when it comes to privacy and security. “Generally,” he says, “there’s a balancing test between the right to access their records and the consumers’ rights to privacy against the efficiencies in the healthcare system that will be created by facilitating an easy and timely interchange of healthcare information.”
The United States, Spratt continues, has generally been highly protective of patients’ right to privacy with respect to their health information—an approach that has worked well in a paper system, in which it has not been easy to efficiently transfer information from one provider to another. Thus, he says, the paper system has helped to protect the confidentiality and privacy of that information, but at the same time, it has also caused the healthcare industry to lag behind information technology and to be relatively inefficient in the processing, use, and exchange of critical information. As a result, physicians tend to duplicate tests and procedures because it’s easier than obtaining the necessary information from other providers.
One of the purposes of HIPAA that most people overlook, says Spratt, is to facilitate the transition of hard copy healthcare records into electronic forms by standardizing the data sets that will be used and by creating rules for when and under what circumstances health information can be provided to other healthcare providers without the patients’ express authorization.
On the other hand, HIPAA creates rules and procedures that dictate when and how patients can access their health information and provides for patients to request amendment of their records. It also provides for the auditing of access and release of records, he says, noting that physicians must keep a record of all disclosures in case there’s a concern about improper release of information. Spratt says HIPAA demands that the provider “keep a record of what information was disclosed to whom and pursuant to what authorization.”
Spratt is aware that many view HIPAA as a burden on healthcare providers and facilities, but in his perspective, it’s addressed critical issues and helped healthcare information technology move forward.
Consumer Education
In this era of HIPAA regulations, consumer education is more critical than ever. Consumers may not have all the rights they think they have, but if they take an active and informed role in controlling their own and others’ access to their health information, they can protect sensitive information to the highest degree possible. Spratt says consumers can’t be assured that their health information won’t go somewhere without their knowledge, but they should understand the rules so they’ll know where they have an expectation of privacy.
For example, suppose a patient sees his cardiologist every five years. The physician is interested in his cholesterol levels and asks when he last had lab work done. “If I say that I went to my internist a couple of years ago and he drew blood, as a sophisticated consumer, I’m going to understand and expect that my cardiologist may well call my internist and ask for a copy of my record, particularly with respect to my last visit, and I’m going to know that my internist is going to send the record to the cardiologist,” Spratt says.
He suggests that most consumers don’t realize that when they go to one doctor, that doctor has the right to request medical information from other treating physicians to make sure he or she has the complete picture of the patient. In the future, Spratt predicts, EMRs will be “zapped” from one physician office to another via encryption systems, the Internet, or virtual private networks. “As more and more of this protected health information goes online or becomes electronic, it will facilitate the exchange of that information, and I think most patients may not be aware of the extent to which their information may be transmitted from one practitioner to another or from a hospital to a physician.”
Sometimes, he notes, that information may be incorrect, or the patient may not want another practitioner to know about some aspect of his or her care or history. It’s important, therefore, that patients understand their rights to access and amend their records and to be aware of and control the release of protected information.
Take Notice
The key to being informed is the Notice of Privacy Practices. Sure, you’ve probably seen lots of them from your physicians or creditors. But have you ever read one?
If you’re like most people, you haven’t. It’s a mistake, say the experts, much like not knowing what’s in your credit report. The language of the notice, says Spratt, is fairly simple, clear, and direct. It spells out the nature of the way in which your medical information will be handled by that particular provider, and it will reveal the perhaps unexpected ways in which your information may be released—ways you may not have imagined. This, he explains, imposes a responsibility on the patients to police the handling of their records.
Beyond reading the notices, says Spratt, consumers can ask questions of their healthcare providers’ privacy officers or log on to the Internet, which has numerous sites devoted to HIPAA and other privacy matters.
Opting Out
Not only can patients be aware of the extent to which their information can be shared, but they can also provide authorization for disclosure of only certain parts of their records.
When patients authorize a release of information, says Spratt, the authorization form should have a number of different record categories from which the patient can pick and choose which category they want to authorize the provider to disclose and to whom specifically they authorize disclosure.
The consumer should sit down with the healthcare providers’ privacy officer and specify the parameters of release of information, make sure that the policies are clear, and understand the providers’ responses to the consumer’s requests. “Even in the interoperable future, the patients are going to need to monitor that and make sure the releases happen as they want them to happen,” Spratt says.
Suppose, for example, a patient wishes to limit release of information pertaining to an HIV diagnosis. Sometimes, says Spratt, patients can be very specific about their requests, but it may not be possible for the provider to accommodate the request. The patients have the right to know whether their instructions will be honored. If the patient makes a request to limit disclosure, the provider is required to tell the patient if they cannot honor the patient’s request. The patient may then seek services from another provider or rescind the request.
Although the notices delineate the process and give the consumer the right to opt out of having records shared in certain ways, the problem, says Hartley, is that people just aren’t reading them.
Taking Responsibility
"It’s a consumer’s prerogative to dictate who is allowed to look at his or her medical information, insists Da’ve. But as records become electronic and thus easier to share, consumers will have to become more educated. “They will have to know that every coin has two sides,” he advises. “There are great benefits to electronic records, but if patients aren’t educated and careful, their information can leak out of the system.”
“The message is clear,” agrees Spratt, “that patients are going to have to become better educated as we move from a paper system to a more electronic system, and the healthcare system is going to have to be able to more freely exchange an appropriate amount of healthcare information about patients in order to reduce the cost of healthcare in this country.”
People paid a great deal of attention to the HIPAA privacy rule and less to its security standards, but the latter, he says, are going to safeguard protected health information from being abused, misused, or appropriated for an improper purpose.
“It’s all technical stuff that makes people’s eyes glaze over, but understanding it is extremely important because if information is too easy to get, it’s going to be gotten,” Spratt says.
To avoid being casualties of the system, these experts suggest today’s healthcare consumers need to be more sophisticated and increasingly vigilant.
— Kate Jackson is a staff writer at For The Record. |