The Friends and Family Plan for Online Records
By Selena Chavis
For The Record
Vol. 26 No. 8 P. 14
Expanded access to protected health information has triggered new recommendations on how to deal with the resulting privacy concerns.
HIPAA has heavily guarded and clearly defined the release of information (ROI) function in health care organizations since the law’s inception in 1996, providing specific guidance to protect patient health information. With the introduction and widespread uptake of EHRs in recent years, new complexities have surfaced within the ROI process, leaving many health care entities uncertain about how best to approach the task.
Stage 2 meaningful use criteria require eligible providers to offer patients the opportunity to view, download, and transmit (VDT) their health information via online access. To comply with this edict, many organizations are opting to set up patient portals. How providers approach patient portal implementation and the potpourri of vendor capabilities have raised questions about how to enact privacy controls while still fostering an environment of patient ownership.
“Patient portals are becoming much more routine to patients as providers inform them and encourage them to use them to access their information,” says Laurie Rinehart-Thompson, JD, RHIA, CHP, FAHIMA, interim HIM director for the School of Health and Rehabilitation Sciences at Ohio State University, who points out that the entire concept of electronic patient access signals a paradigm shift. “This shift is further pronounced by the patient’s ability to perform or direct the range of VDT functions so that others can access the patient’s information. To the patient, the provider gatekeeping function becomes much less apparent.”
As a result of these shifting dynamics, the industry urged the Office of the National Coordinator for Health Information Technology (ONC) to develop best practices to direct unsure providers on how to address ROI in a patient portal environment without sacrificing patient access and control and still be HIPAA compliant. The effort was turned over to a public advisory body—the Privacy and Security Tiger Team—composed of providers, vendors, educators, policy executives, and consultants. In April, the workgroup released the Health IT Policy Committee Family, Friends, and Personal Representative Access recommendations, which were approved by the Health Information Technology Policy Committee (HITPC).
“Most providers want this kind of help to base decisions on going forward,” says Micky Tripathi, president and CEO of the Massachusetts eHealth Collaborative and Tiger Team cochair. “Even though these [recommendations] are not requirements, organizations are looking for answers, and there is an opportunity to at least be able to move to the next level of maturity as to how to approach patient portals.”
According to Helen Caton-Peters, MSN, RN, a health information privacy-security technology specialist at the ONC, it’s important to note that the Tiger Team didn’t recommend changes to ROI laws or regulations. “Rather, the recommendations urge HHS [Health and Human Services] to issue what the HITPC considers best practices in implementing ROI through the VDT functionality of a certified EHR,” she explains. “The HITPC focused on the challenges that may surround processing ROI requests coming from friends, families, and others authorized by the patient in this electronic environment.”
As health care models move to a consumer-centric focus, portal technology promises to take on a larger role in helping to reduce barriers to medical record access. Aggressively addressing the associated privacy challenges will be critical to maintaining momentum, says Alisha Smith, RHIA, an HIM educator with HealthPort. “While I do believe the challenges will be heavy in the beginning, the opportunities for more patient engagement, new career paths, and the goal of improving patient outcomes are just a few positives that will far outweigh the challenges,” she says. “Just like any project, if you take the appropriate steps with a change, the challenges seem to gradually fade. Where trouble arises is when an organization rushes change without the appropriate steps.”
Backdrop to the Recommendations
When it comes to patient record access, HIPAA defines three groups: patients, family members and friends, and personal representatives who are authorized to act on behalf of a patient in making health care–related decisions.
Subject to certain exceptions, HIPAA requires covered entities to provide the same rights regarding uses and disclosures of protected health information (PHI) to a personal representative as the individual being represented. HIPAA also permits covered entities to share PHI with family members or other people involved in the patient’s health care.
Tripathi notes that the Tiger Team’s mission was to recommend how to apply these rules in an electronic setting, most notably at the intersection of VDT. Specifically, the committee addressed authorization and authentication questions as they relate to family, friend, and personal representative access through VDT.
In terms of authorization, the committee determined that HIPAA already clearly defined the parameters associated with who was authorized to access PHI. The questions around authentication became “Are you who you claim to be?” and “How do I know that you are who you claim to be?”
The difficulty with VDT, according to Tripathi, is that it’s easy for patients to pass along their username and password to whomever they choose. “From a security standpoint, that’s not a good practice because you can’t track anything,” he says.
Understanding the Recommendations
In terms of friend and family authorization, one recommendation focuses on patients making requests for VDT access. Requests can be made remotely through an out-of-band notification—a dedicated management channel—to notify or confirm. The recommendation also suggests that access by friends or family members must be confirmed with the patient, possibly through an out-of-band confirmation. If the patient is incapacitated, HIPAA permits the sharing of treatment-related information. In those cases, providers must decide whether VDT is the appropriate vehicle.
“I expect that organizations will put policies in place to guide their employees on how to handle these types of situations,” Smith says. “Just because it is recommended doesn’t mean organizations will implement this way of processing.”
In the case of personal representative authorizations, organizations must follow state laws, which vary, making it difficult to suggest national best practice recommendations. Such nuances make it vital to train staff on how ROI state laws work. “Does it have an all-or-nothing approach or will it allow different access profiles to be developed like many organizations have done with an EHR?” Smith asks.
A previous recommendation regarding identity spoofing and authentication received additional attention, according to Smith. “With the rise of identity theft and computer hacking, it’s important to determine how to identify the person trying to access the information,” she says, noting that it’s often best to employ a two-factor security link featuring a username, password, and a question (or questions). “Maybe after answering the question, if information is being accessed from a device that it hasn’t been accessed from before, a security e-mail, text, or phone call is sent to the patient to alert them of someone accessing their account.”
Also noted was the need for processes and capabilities that cut off VDT access to friends, family, and personal representatives when patients edit preferences or there’s a change in the personal representative’s legal status. Tripathi says VDT access should go beyond all or nothing with respect to data content and functions performed. “Patient portals have a lot of functions,” he notes. “Do you want everyone to have access to everything?”
For providers, perhaps the most difficult aspect is determining whether to grant access to friends, family members, and others claiming a legal right. “The right of access must be confirmed with the patient,” Rinehart-Thompson explains. “There must also be a process for a patient to be able to stop access if the patient no longer wants an individual to have access or if a person is no longer authorized by law to have access.”
Additionally, the recommendations encourage providers to educate patients about VDT risks and benefits, including those involving proxy access.
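As an added illustration, not code from the article, the Tiger Team, or any portal vendor, the following Python sketch models the proxy-access controls the recommendations describe: a patient-initiated request for friend or family VDT access, an out-of-band confirmation code that must come back from the patient before the grant goes live, scoped rather than all-or-nothing access, an alert to the patient when an active proxy signs in from a previously unseen device, and revocation when the patient edits preferences or the representative’s legal status changes. Every identifier in it (patient and proxy IDs, device names, scope names, the message texts) is constructed for the example, and the out-of-band channel is a plain callback standing in for e-mail, SMS, or a phone call.

```python
"""Proxy (friend/family/personal representative) access model for a patient portal.

Added example: models the controls discussed in the HITPC recommendations.
All identifiers and messages are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
import secrets


class Scope(Enum):
    """Granular VDT permissions instead of all-or-nothing portal access."""
    VIEW_VISITS = "view:visits"
    VIEW_LABS = "view:labs"
    DOWNLOAD = "download"
    TRANSMIT = "transmit"


@dataclass
class Grant:
    grant_id: str
    patient_id: str
    proxy_id: str
    scopes: frozenset
    status: str = "pending"            # pending -> active -> revoked
    confirmation_code: str = ""        # cleared once the patient confirms
    known_devices: set = field(default_factory=set)


class ProxyAccessService:
    def __init__(self, out_of_band_send):
        self.grants = {}
        self.send = out_of_band_send   # callable(patient_id, message) -> None
        self.audit = []                # every decision is recorded for HIM review

    def request_access(self, patient_id, proxy_id, scopes):
        """Patient asks for a proxy to get VDT access; grant stays pending."""
        code = f"{secrets.randbelow(10**6):06d}"
        grant = Grant(secrets.token_hex(8), patient_id, proxy_id,
                      frozenset(scopes), confirmation_code=code)
        self.grants[grant.grant_id] = grant
        # Out-of-band confirmation: the code goes to the patient, not the proxy.
        self.send(patient_id, f"Confirm proxy access for {proxy_id} with code {code}")
        self.audit.append(("requested", grant.grant_id, proxy_id))
        return grant.grant_id

    def confirm(self, grant_id, code):
        """Activate the grant only if the patient returns the right code."""
        grant = self.grants[grant_id]
        if grant.status != "pending" or not secrets.compare_digest(grant.confirmation_code, code):
            self.audit.append(("confirm_failed", grant_id))
            return False
        grant.status = "active"
        grant.confirmation_code = ""
        self.audit.append(("activated", grant_id, grant.proxy_id))
        return True

    def revoke(self, grant_id, reason):
        """Patient changed preferences or the proxy's legal status changed."""
        self.grants[grant_id].status = "revoked"
        self.audit.append(("revoked", grant_id, reason))

    def authorize(self, grant_id, proxy_id, scope, device_id):
        """Decide one VDT action; alert the patient on a first-seen device."""
        grant = self.grants.get(grant_id)
        if grant is None or grant.status != "active" or grant.proxy_id != proxy_id:
            self.audit.append(("denied", grant_id, proxy_id, scope.value, "no active grant"))
            return False
        if scope not in grant.scopes:
            self.audit.append(("denied", grant_id, proxy_id, scope.value, "out of scope"))
            return False
        if device_id not in grant.known_devices:
            grant.known_devices.add(device_id)
            self.send(grant.patient_id,
                      f"{proxy_id} accessed your record from a new device ({device_id})")
        self.audit.append(("allowed", grant_id, proxy_id, scope.value, device_id))
        return True


def run_demo():
    """Walk one grant through its lifecycle; returns the decisions for inspection."""
    messages = []                                   # captured out-of-band channel
    svc = ProxyAccessService(lambda pid, msg: messages.append((pid, msg)))
    gid = svc.request_access("pt-1001", "proxy-daughter", [Scope.VIEW_VISITS, Scope.DOWNLOAD])
    code = messages[-1][1].split()[-1]              # the patient reads it off the channel
    results = {
        "confirm_wrong": svc.confirm(gid, "bad-code"),
        "confirm_right": svc.confirm(gid, code),
        "first_access": svc.authorize(gid, "proxy-daughter", Scope.VIEW_VISITS, "dev-A"),
        "second_access": svc.authorize(gid, "proxy-daughter", Scope.VIEW_VISITS, "dev-A"),
        "out_of_scope": svc.authorize(gid, "proxy-daughter", Scope.TRANSMIT, "dev-A"),
    }
    svc.revoke(gid, "patient edited sharing preferences")
    results["after_revoke"] = svc.authorize(gid, "proxy-daughter", Scope.VIEW_VISITS, "dev-A")
    results["new_device_alerts"] = sum("new device" in m for _, m in messages)
    results["messages"] = messages
    results["audit"] = svc.audit
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The pending-until-confirmed state is what keeps a request that arrived remotely from turning into live access on its own, and the audit list is the piece ROI staff would actually review after the fact; in a real deployment the device identifier would come from the session, not from the caller.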
Effect on HIM
According to Rinehart-Thompson, the Tiger Team recommendations ease the strain of ROI operations in the sense that access, once granted, becomes an active process assumed by the requester and no longer falls on the shoulders of ROI personnel.
Smith says the recommendations underscore the need for ROI ambassadors who can assist patients in better understanding their health care documentation. “ROI personnel are already familiar with present-day processes, so I see this change from familiar territory as an opportunity to utilize and advance current knowledge,” she notes. “We are gradually leaving the paper world and altering our processes to fit into the electronic era. And while in some cases that means we are developing new skills altogether, we are often converting processes from an old way to a new way.”
While technology can help ease the burden of electronic record requests, it also can create new complexities if the appropriate preimplementation steps aren’t followed or hasty decisions rule the day. “Look at meaningful use stage 1,” Smith says. “Many organizations rushed to meet the criteria only to receive the incentive, and now those organizations are struggling with a poor system that they did not take the time to implement.”
Under stage 2 meaningful use, more than 50% of all unique patients seen by the eligible provider during the EHR reporting period must be provided timely online access to their health information. Also, more than 5% of all unique patients (or their authorized representatives) seen by the eligible provider during the EHR reporting period must view, download, or transmit their health information to a third party. Patient portals are obvious tools to help health care organizations comply, but Smith notes that authentication concerns make it imperative to choose a technology wisely. “I believe technology can help ease the burden of these two measures only if the proper steps have been taken,” she says. “Otherwise, I believe there will be an abundance of issues for an organization to tackle.”
To avoid missteps, Smith recommends organizations adopt policies and procedures, train staff, discuss all changes with business associates, meet with vendors, and educate providers, employees, and patients.
Rinehart-Thompson favors technology that can provide automatic access tracking while at the same time not allowing the process to operate on autopilot. “Technology does not eliminate the need for human intervention, particularly at the outset where a determination about a requester’s right of access has to be made,” she says. “While routine day-to-day operations are simplified by technology, there will always be the need for higher-level health information management functions to ensure the right information is accessed by the right people at the right time.”
Caton-Peters notes that the HITPC previously made recommendations on how best to use technology to help verify patients when they open an online account (identification) and when they actually gain access (authentication). “The ONC is working with the National Institute of Standards and Technology to forward this technical approach under the National Strategy for Trusted Identities in Cyberspace Initiative, which includes some pilot projects in the health care sector,” she says. “Simplifying existing ROI procedures for patients and providers is a technological goal that we are all striving to accomplish.”
While patients enjoying electronic access to their PHI has become standard practice, Rinehart-Thompson says the Tiger Team recommendations are significant because they advance the process to the next level: encouraging electronic access by other authorized individuals. As noted in the report, however, this new level of access requires more diligence by health care organizations that now must ensure only those authorized by law or directly by the patient view the data.
“This additional access can be a very good thing for the patient and for patient care, but it must be managed appropriately,” she says.
— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications covering everything from corporate and managerial topics to health care and travel.