On Wednesday, December 5, 2018, I visited Capitol Hill with colleagues from AHIMA and the American Medical Informatics Association (AMIA) to address challenges around patient access to health information and to propose ways to modernize HIPAA to better support patient care. As HIM and privacy professionals are aware, the Office for Civil Rights (OCR) released guidance on patient access to health information in February 2016. However, healthcare leaders have been calling for an upgrade to the 22-year-old HIPAA regulation for some time. The recommendations from AHIMA and AMIA were as follows.
Converge HIPAA with Health IT Certification
We recommended creating a new term, Health Data Set (HDS), which would encompass all clinical, biomedical and claims data maintained by the covered entity (CE) or business associate (BA). The data set would be supported through the certification program at the federal Office of the National Coordinator for Health Information Technology (ONCHIT), enabling individuals to view, download or transmit this information electronically to a third party and access this information via API.
We also suggested the revision of the HIPAA Designated Record Set (DRS) and the requirement that Certified Health IT provide the amended DRS to patients electronically while maintaining computability. This revision would give providers and patients greater clarity and predictability regarding what constitutes the DRS.
Extend the HIPAA Individual Right of Access to Non-Covered Entities
In an effort to provide uniformity of health data access, we suggested establishing a uniform health data access policy that would apply not only to CEs and BAs, but also to non-covered entities such as developers of applications/technologies including mHealth and healthcare-based social media.
Encourage Note Sharing with Patients in Real Time
To enhance patient access to health information, we recommended promoting communications efforts such as OpenNotes through Medicare and Medicaid payment programs, such as the Merit-based Incentive Payment System.
Clarify Existing Regulatory Guidance on Third-Party Access to Patient Data
This especially relates to third-party legal requests that seek information without appropriate patient direction and beyond what is part of the DRS. I reported that ROI vendors and providers continue to be challenged with discerning third-party requests from patient requests for transmittal to a third party. Third-party requesters demand patient pricing, and the documentation does not always provide assurances that the requester is the patient or that the patient is aware of the request.
Our experience with some high-volume third-party requesters includes their demand for patient pricing and threats of, or actual submission of, OCR complaints. While we are steadfast in our commitment to patients’ privacy, the ongoing dispute, in which third-party requesters decline to provide reimbursement for healthcare costs incurred in responding to these requests, increases the administrative burden on both the health systems and the OCR.
We are asking that the 2016 guidance be updated to specify the original intent that a patient may direct their information to a third party who is specifically “acting on their behalf regarding a healthcare decision.”
MRO is presently working alongside industry experts to construct a white paper that will delve deeper into this topic and provide recommendations. We will share the paper on our blog once it is released.
Additional Resources and Media Coverage:
HealthIT Security – AHIMA, AMIA Call for HIPAA Upgrade to Support Patient Access
MedPage Today – Rules Needed for Better Patient Record Access, Say Experts
AHIMA and AMIA – Full Recommendation