Privacy Issue: Proxy Access to EHRs

Advisers Looking For Public Input on Patient Reps Accessing Data
A federal advisory panel is seeking feedback as it prepares to evaluate security and privacy policy recommendations for patient representatives authorized to view, download and transmit electronic health records on behalf of patients.

"The Health IT Policy Committee's Privacy and Security Tiger Team is considering potential privacy and security policy issues that could arise when a family member, friend or legal designee is given access to patient information through the certified electronic health record technology 'view/download/transmit,' or V/D/T capabilities," Deven McGraw, team chair, writes in a Feb. 3 blog co-authored with Micky Tripathi, who co-chairs the team.

The team is aiming to gather the comments in the coming days to kick off discussion about personal representative access to patient electronic health records during its Feb. 10 meeting, McGraw says.

In particular, the tiger team is seeking input from healthcare providers that already grant view, download and transmit capabilities to patients' personal representatives. The workgroup wants to learn more about how healthcare providers confirm that an individual is, in fact, a personal representative; how patients' friends and family are provided with credentials to access patients' view/download/transmit accounts; and whether access is "all or nothing," or whether there are more granular options offered, according to the blog.

The tiger team makes security and privacy recommendations to the HIT Policy Committee for consideration by the Office of the National Coordinator for Health IT, which creates guidelines for the HITECH Act electronic health record incentive program and national health information exchange.

HIPAA Guidelines

"HIPAA permits covered entities to share identifiable health information relevant to a patient's care with family members or friends involved in a patient's care, unless the patient objects," the blog explains.

"It also requires covered entities to treat a 'personal representative' - a person authorized under state or other applicable law to act on behalf of the individual in making healthcare-related decisions - the same as they would treat the patient," the blog says. As a result, personal representatives have the same rights of access to medical record information as the patient would have.

"Because patients can access relevant health care information through V/D/T, the tiger team is considering whether there are additional privacy and security policy issues that need to be resolved when family or friends access the data."

Access to Records

McGraw tells Information Security Media Group that the tiger team has decided to take on the topic because "view, download and transmit is likely to become a predominant vehicle for getting patients rapid access to downloadable, relevant health information."

In fact, providing patients with the ability to access their electronic health information is a requirement for healthcare providers participating in Stage 2 of the HITECH Act EHR financial incentive program.

"A person who serves as a personal representative is similarly going to find this access valuable," McGraw says.

"Since HIPAA requires covered entities to treat personal representatives as patients with respect to rights to data, the Tiger Team is interested in hearing whether there are policy issues with respect to personal representative access through VDT - and if so, how could we help resolve them?"

Other Hot Topics

While the tiger team is gearing up to tackle the personal representative issue, the topic will likely be woven through much of the group's work in 2014.

In the third quarter, the team is slated to discuss similar issues tied to access to records of minors (see Tiger Team Sets 2014 Privacy Agenda).

Other issues on the team's 2014 agenda include security issues related to certain business associates under HIPAA and ways to improve patients' secure access to electronic information, including "pulling" data from provider systems using methods such as Blue Button Plus.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



