The right of access to one’s own health information is not a new concept. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) grants each person “a right of access to inspect and obtain a copy of” any individually identifiable health information contained in a health care provider’s medical or billing records. The Office for Civil Rights of the U.S. Department of Health and Human Services (OCR) has not been shy about enforcing this right of access. And numerous states have enacted laws on the subject, often imposing more stringent deadlines on providers for the release of health records than the 60-day time frame set forth in HIPAA.
Yet the health record access issue has received renewed attention. With the proliferation of consumer-facing digital health technologies, such as wearable devices and wellness “apps,” patients increasingly see themselves as active participants in their health care. More and more, individual access to health information is seen as a means of enhancing patient engagement, and, in turn, improving clinical outcomes and saving money. Moreover, the ongoing shift towards value-based healthcare incentivizes providers to foster patient engagement, collaborate with one another, and avoid duplicative or unnecessary medical procedures – all objectives facilitated by better provider and patient access to health information.
All of this is in addition to what we might think of as the more “traditional” reasons why individual access to health information is important. Among the reasons are that it can facilitate continuity of care when a patient has an appointment with a specialist or a new physician. It can also help a caregiver looking after a patient after hospitalization, or even to assist a patient who is contemplating litigation in respect of their medical care.
Much has happened on this issue in the last few months. Congress enacted the 21st Century Cures Act, which articulates the goal of having patient records in a single longitudinal format. The HHS deputy assistant secretary for health technology reform recently posited that every American should have a single, unified electronic health record that is accessible to him from anywhere, and under his full control.
Last month, OCR released a video training module for physicians that, in its words, teaches them about “the components of the HIPAA right of access and ways in which it enables individuals to be more involved in their own care.” And OCR, in conjunction with the Office of the National Coordinator for Health Information Technology (ONC), has published recent patient-facing guidance on HIPAA access rights.
Perhaps most significantly, there is growing recognition that the record request and release process is unwieldy, both for patients and providers. The ONC voices this concern clearly in its recent report, “Improving the Health Records Request Process for Patients.”
As ONC observes in its report, the record request process is almost entirely paper-based. A patient must complete and submit a paper HIPAA Authorization Form, specifying, among other things, what information they would like disclosed, from which provider(s), and in respect of which time frame. Patients may be able to electronically download the Authorization Form, but generally they will have to print it, complete it by hand, and fax or mail it in. It may take some “back and forth” with their provider’s office in order for them to correctly and completely fill it out. When they do finally submit it, they will likely have to wait for the records, often with little sense of the likely timing for receipt.
This process is also unwieldy for the providers involved. The disclosing provider has to receive, review, organize, and track high numbers of paper requests for large volumes of information. It has to locate and compile the requested records, parts of which may be stored in a separate part of the facility or even off-site. And as ONC points out, it often has to release the records in hard copy via fax or mail, or through a series of PDF files stored on a CD. The provider who receives the records from the patient, meanwhile, has to manually enter them into the patient’s existing health record. These steps can be time-consuming, fussy, and prone to error.
ONC urges the creation of a “streamlined, transparent, and electronic records request process”. Ironically, it observes, even though providers are increasingly turning to digital portals to communicate securely with their patients, these advances are of little benefit in the record access context. A portal may enable a patient to view portions of their health information, but generally will not allow them to view or electronically request a complete set of records.
Instead of being overly prescriptive, the ONC describes the features that an improved record request process “may” include:
- Ways for patients to request and receive their records through the portal;
- Electronic means of requesting records outside of the portal;
- The use of “user-friendly, plain language” in the request process;
- A “status bar” explaining the progress of the record request.
The ONC’s suggestions may raise operational and legal questions, such as how to verify electronic signatures appropriately, and how to assuage the potential concerns of patient portal developers that such direct involvement in the record request process may expose them to liability or greater regulatory oversight. To be sure, these issues warrant careful thought. One hopes that such a discussion can at least get started among regulators, the industry, and consumer groups, now that the ONC has thoughtfully, and urgently, put the issue of patient access back into the spotlight.