Risking OCR and Patient Ire, Many CEs Don’t Comply With Patient Access Rules

June 2014 Volume 14 Issue 6
aishealth.com

REPORT ON PATIENT PRIVACY delivers timely news and business strategies for safeguarding patient privacy and data security.

In apparent defiance of final HITECH regulations, many HIPAA covered entities (CEs) are not offering patients the option of receiving an electronic copy of their medical records, let alone in the “form and format” of their choosing, as has been required since January 2013.

Some are imposing fees for copies and applying limits on what they will provide that do not appear to be in line with regulations. Health systems with multiple hospitals have implemented the access requirements inconsistently across their medical centers, meaning some may be in compliance while others are not.

All of this is evident on the websites of covered entities, in their pages that outline the policies and procedures for patients to obtain their protected health information (PHI) — so officials from the Office for Civil Rights (OCR) can readily see it also. An OCR spokeswoman tells RPP “we can and we have” brought enforcement actions against CEs who violate the access requirements.

Patient advocates, medical records providers, privacy experts and others also tell RPP of a multitude of likely unlawful hoops imposed by CEs that people are jumping through to try to get their records.
“Unless you are behind the curtain like I am or unless you start finding the right stones to turn over, you don’t ever get to see the horror show that really exists in various degrees across the country,” says Chris Carpenter, director of operations for Diversified Medical Record Services, Inc. (DMRS), a business associate that processes records requests for hospitals and physicians offices nationwide.

To view the full article, please visit Risking OCR and Patient Ire, Many CEs Don’t Comply With Patient Access Rules

New CLIA rule talks the talk, but it doesn’t walk the walk

Deborah Peel, MD, Founder and Chair of Patient Privacy Rights

The federal government released an update to the CLIA rule this week that will require all labs to send test results directly to patients. But the regulations fail to achieve the stated intent to help patients. The rule allows labs to delay patient access to test results up to 30 days, and the process for directly obtaining personal test results from labs is not automated.

The new rule also fails to help patients in significant ways:

  • Real-time, online test results are not required. The federal government should have required all labs to use technology that benefits patients by enabling easy, automatic access to test results via the Internet in real-time. Unless we can obtain real-time access to test results, we can’t get a timely second opinion or verify the appropriate tests were ordered at the right time for our symptoms and diseases.
  • Labs are allowed to charge fees for providing test results to patients.  If labs can charge fees, they will not automate the process for patients to obtain results. Labs that automate patient access to test results online would incur a one-time cost.  After labs automate the process, human ‘work’ or time is no longer needed to provide patients their test results, so the labs would have no ongoing costs to recoup from patients.
  • Labs should be banned from selling, sharing, or disclosing patient test results without meaningful informed consent to anyone, except the physician who ordered the tests. This unfair and deceptive trade practice should be stopped. No patient expects labs to sell or share their test results with any other person or company except the physician who ordered the test(s).

This rule raises a question: why do so many federal rules for improving the healthcare system fail to require technologies that benefit patients?

Technology could provide enormous benefits to patients, but the US government caters to the healthcare and technology industries, instead of protecting patients.

Current US health IT systems actually facilitate the exploitation of patients’ records via technology. When HHS eliminated patient control over personal health data from HIPAA in 2002, it created a massive hidden US data broker industry that sells, shares , aggregates and discloses longitudinal patient profiles (for an example, see IMS’ SEC filing with details about selling 400M longitudinal patient profiles to 5K clients, including the U.S. government.

Meanwhile, even the most mundane, annoying, repetitive tasks patients must perform today–like filling out new paper forms with personal information every time we visit a doctor–are not automated for our convenience or to improve data quality and accuracy.

Shouldn’t IT improve patients’ experiences, treatment, and restore personal control over sensitive health information?

deb

You can also view a copy of this blog post here