[ Thursday, January 13, 2005 ]
Patient access to PHI in EHRs:
One driving goal of HIPAA is to allow individuals greater rights with regard to, and "ownership" of, their medical records. There are several salutary reasons for this: it makes sure the individual is involved in his own care decisions, so that good decisions are made and medical advice is followed; it increases the likelihood that the individual will understand what medical decisions his doctor(s) are making and why, thereby possibly preventing future problems if different doctors are making contrary decisions with regard to the patient; and it gives the patient a greater sense of self-direction and self-involvement, which should lead ultimately to better outcomes. It also helps to ensure that the individual, rather than the provider, is at least in a position to be the ultimate decision-maker and driver of the individual's own healthcare.
With that goal in mind, HIPAA sets our some specific rights individuals have with regard to their own PHI, the greatest of which is access. In paper-based records, giving a patient a copy of his own records is fairly easy: fire up the Xerox and shoot out some copies. X-rays are harder, but can still be copied. But what happens when medical records are in electronic format?
On the website of the American Health Information Management Association is a case study
of a group of Boston-area clinics that maintain EHRs for their patients and allow the patients access to certain info in the EHRs via secure web portals.
Interesting reading. But almost hidden or assumed in the story are a lot of HIPAA hints: the requirement of granting access; security of access to the information (entity authentication) via the secure portal, password requirements, etc.; security of the information from alteration (integrity) by patient viewers (i.e., "read-only" format); you get the idea.
Also, note how limited the access is; what the practices give the patients over the secure portal isn't nearly what is required for access under HIPAA. Patients can get allergy and current medication information, but most of their EHR isn't available via this route. Patients can also use the portal for email and other communication with the practice, but won't be able to use such communication pathways if they are not capable of some level of encryption (SSL).
This is an interesting step in the right direction of making EHRs compatable with patient access and control, but it certainly doesn't reach the final destination.
Jeff [8:48 AM]
Blogger: HIPAA Blog - Edit your Template