Lawsuit: HHS’ Patient Record Access Regulations ‘Unlawful’
Case Spotlights Confusion, Hurdles In Providing PHI to Patients
A federal lawsuit alleges that Department of Health and Human Services regulations “unlawfully … and capriciously” restrict the fees healthcare providers and their medical record vendors can charge for gathering and disseminating a variety of health information upon patients’ requests. In court documents, CIOX Health alleges that changes implemented by HIPAA Omnibus regulations in 2013 and modified in 2016 “threaten to bankrupt the dedicated medical-records providers who service the healthcare industry……
Obstacles and Confusion
Complying promptly with patient record requests are complicated by the diverse array of systems that store pieces of the patient’s information, including the records often being maintained in a combination of paper-based and electronic systems, says Joe Gillespie, senior privacy and security consultant at consultancy, tw-Security. “Typically, it is the staff within the health information management or HIM department that responds to requests from patients for their PHI,” Gillespie says.
“The problem I’ve always had with the [HIPAA] term of ‘designated record set’ is that it may include PHI in systems that HIM staff may not have access to where some limited PHI may exist, such as cost-accounting systems, lab information systems and analyzers, radiology systems … and pharmacy systems, etc.,” he says. “And if the facility outsources this disclosure function, that company will likely have even less access. So, if a facility is asked to provide the entire ‘designated record set,’ the HIM staff would have to coordinate that with many other departments and that takes much more time,” Gillespie says. “If electronic, depending upon the electronic medical record vendor used, these requests can be much easier to fulfill than with paper records or hybrid paper/electronic records,” he notes.
The evolution of web-based patient portals is helping to make it more convenient for patients to securely access their digital health information in a timely manner, Gillespie notes.
However, there are limitations with portals as well. “Portals have most certainly been successful in allowing access and engaging patients with their own care,” he says. However, portals – while usually offering secure means to communicate directly with clinicians – typically only provide a subset of a patient’s ‘designated record set,’ such as immunizations, lab results, medical problem list, and medications, Gillespie notes.
Also, “the security of any portal has to be balanced with the ease of use,” he says. If the security is too tight – such as frequent password changes, really strong/complex password rules, etc. – patients will stop using the portal. If the rules are too weak, the portal is more vulnerable to hacking. It’s a difficult balancing act. ”