Today I’m thinking about access to healthcare data and how much has changed over the past decade with the adoption of EHRs. If I put on my Mom/caregiver hat, my children’s vaccinations are a good example of Health IT progress. When my children started school I had to go to the pediatrician’s office and collect a copy of their vaccination records. The nurse copied the vaccinations from the office paper medical record into a paper list. I picked up the paper copy and returned it to the school with other required forms. I think I had to update and submit this vaccination list for elementary, middle, and high school as well as college. My children are now young adults managing their own healthcare, but I still have their vaccination list tucked away in my files.
Patient access: What the law says vs what patients do
Good news for all parents who do not have time to run back and forth to the pediatrician’s office, or any doctor’s office for that matter. The Health Insurance Portability and Accountability Act (HIPAA) requires HIPAA-covered entities to give individuals access to personal healthcare data. The P in HIPAA stands for portability of health information. Health and Human Services (HHS) has recently published guidance on patient access to personal health data. According to HHS, “the HIPAA Privacy Rule (the Privacy Rule) provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.” Portability policy is matched to health IT capability through EHR adoption and Stage 2 Meaningful Use (MU) requirements for patient access to view, download, and transmit healthcare data.
As a patient or provider, if you are interested in the facts about your rights to healthcare data or your requirements for providing access to data for patients, let me suggest a visit to the Get My Health Data website. I spoke to Erin Mackay from the Health IT team at the National Partnership for Women and Families, which is a sponsoring partner for the Get My Health Data Campaign. Erin noted that this campaign started in 2015 at Health Data Palooza following reports that a large had successfully attested to Meaningful Use because no patients had requested their data in an electronic format. The Get My Health Data organization website is a great resource for information about individual rights to healthcare data. The group has published real-life “Tracer Stories” that demonstrate consumer desire for data access. Research and survey data confirm that almost 80% of Americans believe that online access to health data improves health knowledge and the ability to communicate with their doctors.
Data portability: The unintended consequences
Erin Mackay notes that there is still a big difference between access to data and usable data. A Stage 2 MU requirement is that patients have the ability to view, download, and transmit personal healthcare data. This MU requirement is often met by providing a patient portal. One unintended consequence of Stage 2 Meaningful Use (MU) is that patients with multiple providers may have to manage multiple portals. In real life this can mean that personal health data is fragmented. It may be hard to pull together a comprehensive view of your overall care when it sits in multiple sites, even if it is electronic.
By policy, if your provider has electronic data, then you have a right to an electronic copy as a Word doc, an Excel file, a Portable Document Format (PDF) file, or a structured digital data file. There are computer applications (apps) designed to help consolidate healthcare records that can accept a digital file directly from a healthcare provider. Such apps can improve usability of the data by displaying all medications on one page and all diagnoses on another, for example. The Get My Health Data website provides information about some of these apps, but it is notable that these app entities are not bound by the privacy and security requirements of HIPAA, so they may release de-identified data to other entities.
Information transfer: What’s the provider’s role
As a physician, my HIPAA experience has been all about privacy and security for protected health information (PHI), but regulations provide significant patient guarantees around releasing information. Patients have the right to request and receive digital data in any format: USB, CD-ROM, or as a structured data Consolidated Clinical Document Architecture (CCDA) transmission. Patients can even request that providers send personal health data through unsecured email, although providers should advise about the risk before sending data through email, text, or other unsecure data-exchange methods. The “provider” page of the Get My Health Data website offers a very good HIPAA infographic and details what providers are required by regulation to provide to patients.
Erin Mackay notes that consumer reports document significant gaps between data portability policy and consumer access to usable data. Meaningful Use has made patient portals more common, but consumer stories show that patients often have to collect data from multiple providers, each with unique data request forms and often fees. Frequently patients are trying to collect and consolidate this data at a time when they are sick, in need of urgent care, or seeking a second opinion for a serious health issue, which are tough times to deal with a complex system. In addition, medical record copies can be costly. Recent HHS guidance encourages providers to provide free access to records, especially electronic records, and to post any fees for common requests online. The guidance also states that providers may not charge a fee for access to patient portals.
Are we there yet?
Even if the complexity and cost of personal health data access can be managed, the data is often not very usable. Having a static PDF document is not as useful as having standard format data collected from multiple sources that can be sorted into med lists, problem lists, and lab results. In addition, online electronic storage of personal health data instead of paper or CD ROM copies improves anytime, anywhere access. It isn’t that helpful to have your medical records in a box in the basement when you end up in the emergency department.
I probably need to scan those childhood vaccination lists for my children. Otherwise at some point they will surely have questions about what vaccines they’ve had and I’ll have to go to my file cabinet to find their records. The scanned document will at least be electronic, so I can email it to them at their request once I have a signed document confirming that they acknowledge the unsecure transmission of PHI.
As a Mom/caregiver and a patient, I hope we will all benefit from the P for Portability part of HIPAA, with simple, safe, anytime access to our data. As a provider, I am anxious for all the data standards and interoperability tools to make it easy for me to transmit data as requested by patients. Data portability is daunting, but if you need a fun way to learn some key facts about the topic check out this Get My Health Data blog with 9 facts about digital health records as illustrated by super cute kittens!
Do you have stories about getting your own records or trying to provide records for patients? Feel free to share a comment below.
Dugan Maddux, MD, FACP, is the Vice President for CKD Initiatives for FMC-NA. Before her foray into the business side of medicine, Dr. Maddux spent 18 years practicing nephrology in Danville, Virginia. During this time, she and her husband, Dr. Frank Maddux, developed a nephrology-focused Electronic Health Record. She and Frank also developed Voice Expeditions, which features the Nephrology Oral History project, a collection of interviews of the early dialysis pioneers.