Time to take a position on universal patient access to medical records
Patients have a right to view their medical history and providers should encourage them to do so.
The Health Insurance Portability and Accountability Act (HIPAA) requires it. So does Meaningful Use. Yet for most people, it’s an arduous process to collect and view their own medical records. If they want a copy, many providers will charge patients a fee for each page, even in electronic format. This runs completely counter to all the buzz in healthcare today about patient “empowerment” and “engagement”—and also makes little sense in an age of rising healthcare data breaches. People need to know when their personal health data is being looked at and by whom (another right under HIPAA), and giving them this access adds an extra pair of eyes to monitor for medical records or fraudulent activity.
Incidentally, patient medical records are now 10 times more lucrative on the black market than a stolen credit card number. But while getting a credit report is easy, a similar process to regularly review one’s own health records is non-existent. Providers should join the campaign to make it easier and to educate patients on the importance of checking their own medical records, just like all of us are encouraged to regularly check our credit scores.
What’s at stake: lives stolen and lost
Healthcare data breaches are happening at an unprecedented scale and frequency. Would-be hackers are continuously testing network perimeters for an entry point, and in the absence of adequate security, their persistence is practically guaranteed to pay off. In turn, this can spark a chain of events that end in the patient’s loss of control over his or her own medical identity—or if medical records are harmfully altered, even end the patient’s life. Then there are the preventable medical errors, like the infamous 2008 incident when a hospital removed a patient’s healthy kidney while leaving the cancer-ridden kidney inside the patient’s body.
Clearly, preventing medical record hacks and errors depends in great deal on frequent review of these records. Yet one of the people most eager to sleuth the data for unusual activity or other anomalies—the patient—is effectively shut out of the process. More providers are coming around to the idea of inviting patients in, but some old barriers cause others to hesitate.
Interoperability, worries over security still two major hold ups
In an interesting twist, the biggest effort to date to create a central repository for consumers’ personal health information actually failed to win widespread adoption among consumers. It turns out that Google Health’s “volunteer” model required people to take on too much of the work themselves in aggregating and uploading their own information. (Either that, or they had qualms that one day someone could “Google” their private medical records—not an entirely invalid concern.)
As is often the case with big failures, big lessons can be gained. And the failure of Google Health to launch reveals that data aggregation and security are the top two challenges to overcome to achieve universal patient access to medical records. Electronic Health Records, of course, were supposed to usher in the easy exchange of health information, but this objective has been repeatedly deferred because of well-known issues with differing data standards among the hundreds of EHR systems in existence.
A reluctance to hand over patient access—i.e. control—of their health information is also still present among some providers. At the same time, a number (albeit one that is diminishing) of EHR vendors have yet to embrace the idea of sharing free Application Programming Interface with each other to hasten the exchange of patient data.
A place for consumer health data in the cloud
The rise of analytics may usher in the solution, as large data sets from disparate sources have found their home in a managed healthcare cloud that can easily scale to receive, secure and merge continuous streams of data. The same can be done for patient health records arriving from hundreds or even thousands of different providers, EHR systems and medical devices.
That said, providers shouldn’t wait until this day arrives before they activate a full patient access policy and campaign. They can start by—surprise—not charging patients to view their own records.
Circling back to our comparison of health records with credit reports, yes, credit bureaus charge for such reports and scores. However, the law states that consumers are entitled to a free credit report once a year. Consumers should be entitled to review their own health information for free more frequently than that, and granting this access may very well prevent a harmful medical error or catch medical fraud much sooner (especially in light of the reality that most breaches aren’t detected by healthcare organizations for months, if not years).
Providers could also make a point of asking patients at each encounter if they would like a hard copy of their records and place visible signs reminding patients of their right to this information. And they should press their EHR vendors for promotional help with the systems’ patient portals, including complimentary signage and brochures. In a related step, joining ONC’s “Blue Button” initiative can also help patients access their records.
Finally, providers should take these and other actions now instead of waiting much longer. Universal patient access to their own medical records is poised to become a very public rights campaign—and one that providers and vendors alike have just a narrow window of time left to lead instead of oppose.
Chris Bowen is founder and chief privacy and security officer at ClearDATA, a HIPAA Compliant Cloud Computing provider. He is a Certified Information Privacy Professional, Certified Information Systems Security Professional and Certified Information Privacy Technologist.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker’s Hospital Review/Becker’s Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
Written by Chris Bowen, founder and chief privacy and security officer, ClearDATA
May 26, 2015