Privacy Issue: Proxy Access to EHRsAdvisers Looking For Public Input on Patient Reps Accessing Data
"The Health IT Policy Committee's Privacy and Security Tiger Team is considering potential privacy and security policy issues that could arise when a family member, friend or legal designee is given access to patient information through the certified electronic health record technology 'view/download/transmit,' or V/D/T capabilities," Deven McGraw, team chair, writes in a Feb. 3 blog co-authored with Micky Tripathi, who co-chairs the team.
The team is aiming to gather the comments in the coming days to kick off discussion about personal representative access to patient electronic health records during its Feb. 10 meeting, McGraw says.
In particular, the tiger team is seeking input from healthcare providers that already grant view, download and transmit capabilities to patient's personal representatives. The workgroup wants to learn more about how healthcare providers confirm that an individual is, in fact, a personal representative; how patients' friends and family are provided with credentials to access to view/download/transmit accounts of patients; and whether access is "all or nothing," or whether there more granular options offered, according to the blog.
The tiger team makes security and privacy recommendations to the HIT Policy Committee for consideration by the Office of the National Coordinator for Health IT, which creates guidelines for the HITECH Act electronic health record incentive program and national health information exchange.
"HIPAA permits covered entities to share identifiable health information relevant to a patient's care with family members or friends involved in a patient's care, unless the patient objects," the blog explains.
"It also requires covered entities to treat a 'personal representative' - a person authorized under state or other applicable law to act on behalf of the individual in making healthcare-related decisions - the same as they would treat the patient," the blog says. As a result, personal representatives have the same rights of access to medical record information as the patient would have.
"Because patients can access relevant health care information through V/D/T, the tiger team is considering whether there are additional privacy and security policy issues that need to be resolved when family or friends access the data."
Access to Records
McGraw tells Information Security Media Group that the tiger team has decided to take on the topic because "view, download and transmit is likely to become a predominant vehicle for getting patients rapid access to downloadable, relevant health information."
In fact, providing patients with the ability to access their electronic health information is a requirement for healthcare providers participating in Stage 2 of HITECH Act EHR financial incentive program.
"A person who serves as a personal representative is similarly going to find this access valuable," McGraw says.
"Since HIPAA requires covered entities to treat personal representatives as patients with respect to rights to data, the Tiger Team is interested in hearing whether there are policy issues with respect to personal representative access through VDT - and if so, how could we help resolve them?"
Other Hot Topics
While the tiger team is gearing up to tackle the personal representative issue, the topic will likely be weaved through much of the group's work in 2014.
In the third quarter, the team is slated to discuss similar issues tied to access to records of minors (see Tiger Team Sets 2014 Privacy Agenda).
Other issues on the team's 2014 agenda include security issues related to certain business associates under HIPAA and ways to improve patients' secure access to electronic information, including "pulling" data from provider systems using methods such as Blue Button Plus.