Patient medical records are undergoing a seismic shift. But this shift is happening quickly, in many ways too quickly for either physicians or the laws and regulations pertaining to medical records to keep up.
Patient medical records are undergoing a seismic shift. The transition from paper to electronic records has created new opportunities for sharing information among healthcare providers, between physicians and patients, and with third parties. The mobile revolution, meanwhile, has heightened consumers’ expectations about data sharing with physicians, including data generated by mobile health apps.
But this shift is happening quickly, in many ways too quickly for either physicians or the laws and regulations pertaining to medical records to keep up.
“We’re struggling with this in part because of the transitional nature of the technology that we’re using,” says Ira Nash, MD, a Manhattan cardiologist and executive director of the North Shore-LIJ Medical Group. “We have rules that were developed when none of this kind of wide-scale data sharing was possible. And I don’t think the regulatory environment or the general understanding about this has kept pace with the technical capacity to collect huge amounts of data and share it.”
How are these changes in the data environment affecting physicians’ relationships with patients, other healthcare providers, and the many other entities that seek access to healthcare data? Here is how some of your colleagues, healthcare attorneys, and consultants are thinking about these issues.
There is no consensus on who owns medical records. The Health Insurance Portability and Accountability Act (HIPAA) does not specify ownership, and state laws are inconsistent. Only New Hampshire has a law stating that patients own their medical records. In 20 other states, providers own them. The rest of the states have no legislation addressing the matter, according to an analysis of state laws by Health Information & The Law, a project of the George Washington University’s Hirsh Health Law and Policy Program and the Robert Wood Johnson Foundation.
Legal opinions on the matter differ as well. Daniel Shay, JD, an attorney with Alice Gosfield & Associates in Philadelphia, says, “The general understanding of the legal community is that patients own their records, or it’s their interests that are ultimately paramount.”
Michael Bossenbroek, JD, a partner in Wachler & Associates, of Royal Oak, Michigan, says Michigan doesn’t have a clear rule regarding record ownership. “The default setting is that the records belong to the provider who has the control over it,” he says.
One reason for thinking that records belong to a physician or a practice, he adds, is how they’re treated in a practice sale or the sale of a partnership interest. “Implicit in those transactions is that part of the value I’m bringing to the practice are my patient relationships, and the records that come with them.”
Many physicians believe patients ultimately own their health records. While doctors are required to store and protect the records, they don’t own them, Nash says. Especially in light of the increasing quantity of health data that is patient-generated, he notes, “It’s a very narrow and a somewhat paternalistic view for a provider to tell a patient, ‘I own this.’”
Toni Brayer, MD, a San Francisco internist and CEO of the Sutter Pacific Medical Foundation, a 300-doctor multispecialty group, agrees with Nash. “My understanding is that patients have a legal right to their medical records when they request them. The physician is the caretaker and has the responsibility for maintaining those medical records,” she says.
Rob Lamberts, MD, a solo internist/pediatrician in Augusta, Georgia, believes that either physicians or their practices own medical records. His former practice, he notes, believed that it owned his patient records. When he left that group to set up his current concierge practice, he was prohibited from taking any records with him. The 300 patients who followed him to his new practice had to give him permission to request copies of their records.
Record ownership at the practice level is not the only area of uncertainty. There are also questions about how the data in those records can be used outside of practices.
As the industry shifts toward value-based reimbursement, healthcare organizations increasingly are focusing on population health management. As a result, clinical data are being aggregated in data warehouses and sliced and diced using analytic tools. Accountable care organizations (ACOs) and clinically integrated networks obtain these data from their member practices and hospitals; healthcare systems that employ physicians already have the data in their enterprise EHR systems or import it through interfaces with practice EHRs.
Related: Telehealth and the balance between access and ethics
The data may be patient-identifiable or it may be de-identified. Identifiable data frequently is used to create registries that help organizations pinpoint care gaps and alert providers about them so they can deliver better care to their patients. Such data can also be used in care management and patient engagement.
Identifiable data is protected health information (PHI), and as such, is covered by HIPAA. But HIPAA has exceptions for treatment, payment, and business operations. The lawyers agree that the use of identifiable data in population health management can be justified as quality improvement activities that are part of operations. But Bossenbroek cautions that physicians must still follow the “minimum necessary” rule, which in this case would require the exchange of information to be limited to what is needed for business operations.
In addition, HIPAA prescribes that mental health information, such as therapist notes, can be shared with other providers only with the patient’s permission. State laws also govern the sharing of sensitive health data, including mental health information. These caveats apply to health information exchanges (HIEs) as well.
Identifiable data cannot be sold or used in marketing or research without patient permission, but de-identified data can. De-identified data is not subject to HIPAA because it’s not PHI, the attorneys say. ACOs, health plans, and independent researchers use de-identified clinical and/or claims data in population health studies. Drug companies use de-identified pharmacy data to target their marketing to individual physicians. None of those uses requires patient permission.
Less well known is that electronic health record (EHR) vendors, which are increasingly getting into population health management, also use de-identified patient data and that they may require practices to yield that information.
“When a physician signs a license agreement with a vendor, there’s almost always a clause that gives the vendor the right to use that data,” attorney Daniel Shay says. “In fact, the vendor or the developer is ultimately the one who is de-identifying and aggregating the data.”
In some cases, Shay notes, the developer might have created a package that gives the EHR user access to other providers’ de-identified data, perhaps in the form of quality benchmarks. In return, the practice must agree to provide its data. But the contract provisions often go far beyond that.
Included in the software license, he says, “there’s usually a clause about data or intellectual property ownership. The clause typically has the physician saying you give up rights to de-identified, aggregated data and give us the right to commercialize it.” Sometimes the provisions explain what the vendor intends to do with the data, but often they just give the EHR vendor the right to use it, he adds.
This may come as a surprise to physicians. Both Nash and Brayer say they were sure that their organizations would not sign an EHR contract with such a provision in it. Nash says allowing vendors to use de-identified data in research might be acceptable, but he can’t stomach the idea of them commercializing it. Brayer, who spent many years in private practice before joining Sutter, notes that some smaller practices might not notice this data provision or might not be able to negotiate it out of the contract.
The HIPAA privacy rule gives patients the right to inspect, review, and receive copies of their medical records. In addition, Stage 2 of the Meaningful Use program requires eligible professionals (EPs) to provide at least 50% of the patients they see during a reporting period with the ability to view online, download and transmit their health information within four business days of the information being made available to the EP.
Those requirements leave a number of questions unanswered, however. It’s not clear how much of the health record must be accessible to patients online, how that information must be provided, or how much the provider may charge for making it available.
The default position for many practices has been to supply the same kind of clinical summary that they use in exchanging patient information with other providers. Certified EHRs can generate this snapshot of care, which includes problems, medications, allergies, and lab results, among other things. If a practice has a patient portal attached to its EHR, a physician can easily send the summary to the portal or have it automatically sent when it’s updated.
Lamberts makes all of his electronic records available to his patients when they request them. Either he prints them out or, more commonly, he sends them to patients as PDFs attached to secure messages. In addition, he sends them lab and imaging results automatically as they come in.
Nash says he can’t think of a reason to deny his patients access to any part of their medical record, including his notes. “I don’t think there are parts of the record that should be shielded from patients,” he says. “I believe that patients should have access to everything that’s in there.” The only exception, he adds, would be notes regarding “unique therapeutic issues,” such as mental health.
Many doctors still are reluctant to share their progress notes with patients, Nash says, “but the sky doesn’t fall when you do that. It’s generally something that patients like, and it improves the accuracy of the information in the medical record.”
Brayer agrees. Her group has piloted the note-sharing approach known as “Open Notes,” and the results have been encouraging. At first she and her colleagues worried that when patients saw the notes on their portal, they wouldn’t understand them, or the “obsessive” ones would ask additional questions. But these concerns proved groundless. Moreover, note sharing pleased patients and increased their engagement in their care. So now Sutter is rolling out this approach across the group.
The HIPAA privacy rule allows covered entities to impose “reasonable, cost-based fees” for copying paper records, limited to the cost of copying and postage. But it is silent about how much can be charged for providing electronic records to patients.
Some healthcare providers reportedly have taken advantage of that loophole. A contractor hired by one hospital system, for example, reportedly charged a basic fee of $23, plus “shipping and handling fees” of $16 per page for electronic copies, according to a recent media report. Another report said that the Office of Civil Rights (OCR), which handles HIPAA compliance, planned to issue guidance on the right to access and allowable charges.
It can be argued that practices should be allowed to charge something for providing this access. Although it takes very little time to send an automatically generated care summary to a patient portal, “getting the data into the system involves a cost,” says Kenneth Hertz, a consultant with the Medical Group Management Association (MGMA), points out.
“Certainly if I’m using scribes and have people other than doctors doing data entry, that might be a basis for people to say, ‘We’ve got to charge for providing records to patients and others.’ But in terms of hard costs, it’s hard to justify that.”
Brayer believes there is a justification for charging for access to electronic records “in the current state of healthcare, where electronic records are not easily interchangeable.” There is a cost to exchanging records with other providers and patients should bear some of it, she says, adding that she is not speaking for Sutter.
But Shay warns that it doesn’t make sense to overcharge patients for electronic copies. Not only could gouging patients invite an OCR audit, it could also create bad publicity. “It’s something that will really annoy patients and will run you into all kinds of hassles, whether with the press or with patients contacting OCR,” he says.
Patients frequently request records when they switch physicians. When that happens, Brayer says, she usually provides just the key information she would like to see herself, such as “their recent lab tests, their problem list, any screening tests they’ve had, surgical reports-those things that are important for a new doctor to know.” She doesn’t need to see every note for the past 30 years, she points out.
In Lamberts’ view, the biggest problem with electronic records is that they’re full of redundant and inaccurate information that was generated for billing or compliance purposes and has little clinical value. In many cases, the charts include old problems that are no longer active and medications that patients no longer take.
“The vast majority of the information I get from consultants or from the hospital is not oriented to clinical care,” he says. “It’s just checking boxes. I get notes from urologists saying they counseled patients on smoking cessation or on their obesity.”
Aside from the utility of exchanging these kinds of records, there are also privacy issues that arise in health information exchanges (HIEs) designed to facilitate the movement of patient data between providers. To protect privacy, some states require that patients grant permission for the use of their data in HIEs; other states mandate that they be given the opportunity to opt out.
“New York is an opt-in state, and it has limited the utility of HIEs,” Nash says. Not only is this approach too labor-intensive for providers, but it has led to varying interpretations of HIPAA obligations. “If somebody opts in, do they opt in for all information and all access [by everybody]?”
Nash favors having physicians export clinical data to a health data bank such as Microsoft HealthVault. Then patients could share their data with other providers, he says.
Lamberts would go a step further by creating online “collaborative records.” This technological solution would give patients anytime, anywhere access to their records and would allow them to add data, such as vital signs from mobile devices, and keep their medication lists up to date. With such a platform available, he says, patients could share information with other physicians, and consultants could share their reports with primary care doctors.
This kind of approach would sidestep the concerns about patient privacy that have been an impediment to HIEs. But until collaborative records become real and widespread, physicians can allay patients’ fears about their data privacy by explaining what HIEs are all about, Hertz notes.
“Given that a lot of this is about patients’ participation in their own healthcare, access to information and engagement with docs, I think we’re going to have to spend more time explaining to patients what’s happening,” he advises. “We have to educate patients on this. We want them to be savvy and to understand. And we have to create a greater amount of trust by patients about all of this information that’s residing in the cloud and its level of protection and security.”