EHR Proxy Access Best Practices OK'd

Committee Recommends Patients Being Informed of Privacy Risks

A federal advisory committee has endorsed recommendations that the Office of the National Coordinator for Health IT develop and disseminate best practices to healthcare providers regarding proxies, such as family members and friends, accessing patients' electronic health information.


At its April 8 meeting, the HIT Policy Committee, which advises ONC, approved several recommendations from its privacy and security Tiger Team about best practices for health entities providing patients' personal representatives, or proxies, the ability to view, download and transmit (or "VDT") the patients' electronic protected health information, such as through a patient web-portal.

The best practice recommendations address a variety of situations, including those when patients authorize proxy access, as well as scenarios when proxies request access to the records of incapacitated patients.

Tiger Team chair Deven McGraw notes that the recommendations focus on ONC developing and disseminating the best practices to healthcare providers, rather than creating additional formal policies about proxy access. "We didn't think we should be too prescriptive," she says.

The recommendations, which the team had been crafting over the last couple of months, also highlight the need for healthcare providers to educate patients about the benefits and risks of proxy access to protected health information (see Best Practices for Proxy Access to EHRs).

Proxy Best Practices

Among recommendations approved by the committee are best practices for "easiest case" scenarios, such as when a patient makes the request for records access for a friend or family member. Patients should be enabled to make those requests in person, over the phone or via e-mail. However, whenever possible, healthcare providers should document these requests and, preferably, store the requests electronically.

The recommendations also address best practices for more difficult proxy cases, such as when friends or family members make requests to access a patient's information. The team recommends that such access be confirmed with the patient whenever possible. However, if a patient is incapacitated, providers need to be aware that HIPAA permits sharing information with friends or family only to the extent that it is relevant to treatment or payment. In these cases, providers need to consider whether providing proxy access to relevant treatment information through the VDT function is appropriate.

One challenge posed by granting proxy access to patient PHI is that many patient web portals currently offer "all or nothing" access to data, noted McGraw.

That means granting a proxy VDT access to a patient's health data could unintentionally give access to a trove of private health information, such as family medical history, that is not immediately relevant to the patient's current condition or treatment, noted HIT Policy Committee member Paul Egerman during the meeting's discussions about the recommendations' pros and cons.

Privacy risks such as those need to be communicated to patients and should be noted in the best practice material disseminated by ONC to healthcare providers, Egerman urged.

McGraw explained that in crafting its recommendations, the tiger team discussed data "granularity" for proxy access as a possible HITECH Act software certification requirement for electronic health records, but decided against that approach for several reasons.

Those reasons include a preference for "market demand" to fuel the development of granularity in VDT functionality, she says. Also, the Tiger Team decided that technical standards aren't "sufficiently mature" to make VDT granularity an EHR software certification requirement, McGraw told the committee members.

Besides that, some "vendors are on the path" to allowing varying levels of data access granularity through their portal configurations, noted team co-chair Micky Tripathi.

Another recommended best practice is that healthcare providers put in place a process and capability to cut off VDT access by proxies when a patient's preferences change or a personal representative's legal status changes.

McGraw says the "transmittal letter" that the HIT Policy Committee will soon send to formally convey its best practice recommendations to ONC will note the importance of healthcare providers, including their workforce members, such as office staff or nurses, educating patients about the benefits and risks of granting proxy access to PHI.

The best practices approved by the HIT Policy Committee concern proxy access to electronic health information of adult patients only. The Tiger Team plans to discuss issues involving proxy access to the electronic health information of minor patients - such as parents accessing a child's records - later this year, McGraw says.


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



