Changing Policies Changes Practices: Patient Access and Input to Their Health Record
One of the promises of health IT is to provide patients easier access to their health information. This is a focus of ONC’s consumer e-health efforts and CMS’ meaningful use regulations. But this isn’t a new policy for HHS. In fact, we have ensured that patients have had a right to access their health information since 2002.
In 2000, patient access was one of the very first issues I worked on at HHS, as part of the drafting of the HIPAA Privacy Rules. There was a patchwork of state laws that addressed patients getting copies of their records, but there was no consistent right for patients to have access to their health records. It was humbling to be involved in drafting the federal requirement for patients to have the right to see and obtain a copy of the records held by their health care providers and health insurers. Being new to the federal government, I didn’t fully appreciate the impact of the regulations. It seemed logical that a patient could see what was in her medical record. However, this wasn’t always the case.
Shortly after the HIPAA Privacy Rules were published (but before they became effective), I explained the new rules at a conference of physicians. While some of the physicians supported the new policy, there were many in the audience who were surprised and concerned about the release of what they viewed as their private notes. It became clear to me that the patient access policy shifted expectations and altered the relationships of some providers and their patients. As one of the authors of this policy, I realized that this access policy challenged conventional thinking about medical records.
Over time, those expectations have changed. Today, people aren’t talking about whether patients should be able to have access to their medical records, but how they should have access, using what tools, and over what period of time. Meaningful use policies, outlined in the Stage 1 regulation, include provisions to allow patient access to their health information electronically and reduce the time for them to gain access to their health information from weeks to days (the amount of time that a health care provider needs to provide records after the patient has asked for them). And, there is a strong support for these policies. More than 375 organizations have signed the pledge to empower consumers to be partners in their care enabled by secure, timely, electronic patient access to their health information.
Now, the conversation has gone beyond patient access. We are having policy discussions in our advisory committee and across ONC about the health information that patients provide to their doctors and whether and how that information should become part of the medical record.
For example, if I weigh myself every day:
- Can I send this information electronically to my provider?
- Does she need to incorporate that into my medical record? If so – how would the information be incorporated in the record?
- Does the weight that I report have equal value to the weight recorded by a nurse?
Similar questions are raised about symptoms—headaches/back pain/potential side effects from medications. Historically, providers have interviewed us, and the medical record reflects an abbreviated, filtered version of this interview. The difference is that patients may soon be able to make sure that information is put directly into their medical record in their own words.
This raises similar reactions from some health care providers because it again changes the way we think about a patient’s medical record. We have heard from some providers who think this information is similar to what they are already collecting from their patients and there are ways to manage the flow. From others, we hear that the information may be unreliable or voluminous and may affect their ability to manage the health information contained in the medical record—or they just might not understand it. We’re once again considering related policy that challenges conventional thinking about the role of patients and their information and the role of the medical record. There are opinions on both sides.
The policy regarding patients and their medical records has been shifting over the years. To help folks understand the evolving policy developments and to understand some of the open discussions, ONC has posted a policy issue brief that focuses on patient access to their health information.
ONC Wants to Hear From You
Please let us know what you think by commenting in the section below. Also, let us know if there are other topics that would benefit from a similar briefing document.
For More Information
An analogy: If I want my college transcript, can I get it without jumping through regulatory hoops, after verifying my identity?
Another analogy: If I want my credit report, I can get it now due to regulatory requirements. I can also challenge data that’s on it, or provide supplementary information.
So what’s the difference between these examples and a medical record?
There are clear similarities. An error or omission in any of them can do real harm. The procedures to correct them are of equivalent difficulty. The sources of data are not subject to dependable quality controls. Errors are made by the professional sources of data as well as the subjects of that data, and who is to say which errors are more or less harmful?
Providing patient access to their own medical data is a means to improve the quality of the data in much the same way as a student can verify and challenge their transcript or a person their credit report. I strongly prefer that the policies for access to *all* data about oneself be uniform, without much regard (if any) for the nature of the data or its sources. Why? Because pre-categorization, segmentation, and labeling of data would be made without knowledge of the uses it may have, including possible future uses that cannot be anticipated. What we need are standards that enable post-categorization and the discovery of new information.
The boundaries among data are also fuzzy. For example, longitudinal academic performance in a transcript or life-style choices in a credit report may be useful to for a differential to diagnose and treat mental illness. Less speculatively, the privacy and data-access controls we all encounter almost daily are a patchwork that prevents creating a uniform set of one’s own privacy preferences. Preconceived boundaries among data lead to duplication, errors, and missing information. Moreover, disjoint standards (or lack of them) about the format, syntax, and semantics of data make harmful errors far more likely. Policies need to remedy this problem, not reinforce it.
With just health data in mind, every person has a clear right — some might say an obligation — to make informed choices about care. This includes the ability to choose alternatives as well as refuse care, and accept the consequences of those choices. That is basic human dignity.
Of course people need education to be better consumers and sources of data about themselves. Let’s not empower the prejudicial assumption that people are undependable, untrustworthy, ignorant, or lazy. Failure to educate them fulfills the prejudice, not the people.
There should be tremendous lessons learned from the growing, highly successful My HealtheVet PHR system implemented by the U.S. Department of Veterans Affairs (VA). Also, when My HealtheMountaineer (now known as HealtheMe) was implemented in West Virginia, many of these type of questions about what doctors wanted to see were also addressed. And of course, there’s always lessons to be learned from failures, e.g. Google Health.
Actually in many practices where you can email your doctor your comments become part of your record already..
I for example often send in a follow-up note to my doctor to confirm that she heard my concerns correctly during the visit and to clarify any remaining questions. My doctors use one of the largest EHR’s in the country (1 in 4 docs use Epic) so this is really already happening for millions of people.
When we implemented the EHR at Group Health (not where I currently get my care) we started with this functionality and the result is the highest rates of EHR use by patients and 100% adoption by the providers.
The real challenge is the payment system that either supports or discourages this. Many providers balk when they realize it will take time to read and answer email (if they aren’t on salary) and don’t have time in their schedule set aside to respond to them. Those practices that expect providers to respond are now seeing up to 50% of all patient encounters happening via the phone or email and both providers and patients are more satisfied (Health Affairs Study at GHC)
It doesn’t stand alone however.. It requires changes in roles, workflows, schedules and expectations
Exellent article! Thank you!
Consider the situation of people with implanted cardiac defibrillators and insulin pumps. These devices generate reams of data and send the data to the manufacturer who forwards some of it to the doctor. Some patients want this data for all sorts of reasons but they’re caught in a regulatory and market no-man’s-land. Vendors point to FDA, FDA points to OCR (HIPAA), CMS (CLIA) is improving access to laboratory results but does not cover implants, FTC is somewhere in the picture, etc…
Meanwhile, connected implants are becoming commonplace. Patients need to be the first stop for intimate personal data. Their doctor(s) might be the second if they choose. Vendors need to be responsible to the patient regardless of who the prescriber is.
I truly believe that the easier it is for a patient to interact with their healthcare provider, update their information, and access reliable health education materials, the better. Imagine a world where mobile apps that are tracking a patient’s physical activities, vitals, and/or dietary habits are continuously being fed into their medical record, which their doctor can reference during the point of care. The benefits of relying on dynamic data, as opposed to static data (when a patient’s notes are logged by their doctor once every six months for instance) far outweigh the potential drawbacks that come with them, like whether the updates are 100% accurate or contain a slight bias. Including patients in the healthcare process is key to managing their expectations, increasing their compliance, and making more educated, timely clinical recommendations, which should result in improved patient outcomes and higher patient satisfaction.
I can’t wait to hear more about this. I’m an insulin dependent type 1 diabetic using a proprietary insulin pump. Without access to the raw data the pump generates, only the vendor can provide any analysis, unnecessarily and dangerously increasing the surface area for adverse events to take place.
https://github.com/bewest/insulaudit/wiki/Advocacy-openhardware
I guess an interesting question for open source, and for society is: will the open principles we take for granted in the architecture of the web and internet also apply to the internet of things that is coming? Most devices in the web of things that exists today are locked behind walls, because they are old and lack connectivity. No one but the vendor knows how to debug or audit the behavior of too many devices, not just medical.
I would go a step farther to say that we need open hardware implementations of these so that we can run them in qemu or similar emulators along side our current therapy. The analysis of deviations between the observations of simulated therapy emulated in our tools (the predicted behavior of the pump), and the observed therapy (our analysis of the raw data) can be compared with the vendor’s analysis of the raw data (eg, Carelink) at whim. If the question is “how do we know this technology is safe?” then the answer lies in how well the users can debug and improve it: how much empirical access do they have to the technology governing their lives?
Asking the business associate who sold you a device to analyze the raw data for safety reports is like the fox guarding the hen house.
Thank you Jodi both for the blog post and the link to the well written “policy issue brief.” Much has been done through the meaningful use incentive program, but there is much left to do. I was happy to see that you touched on several of the very same issues that I blogged about in a three-part series recently (link to part 3 ==> http://harmonious-healthit.blogspot.com/2012/07/patient-engagement-as-two-way-street_25.html). The “patient input” side of the equation has not gotten as much emphasis up till now. So I welcome your comments about the “patient’s own words” and the considerations of how to “weight” the value of patient-reported data relative to provider-generated data, and provider concerns about potentially voluminous information. We need approaches suitable to their purposes. For example, Blue Button has been successful to grant patients access to their information. Yet we also need a more structured, standard (Consolidated CDA) for interoperable data that can be consumed by EHRs and PHRs for reconciliation, analytics, decision support, quality measures, etc.Similarly, we need unstructured data (including “patient’s own words”) and structured data, to and from patients.
As Glen wrote, we should be careful not to rigidly precategorize (segment) data,in ways that may exclude the information that would be most useful to you or me as a patient. This is new ground, and IMHO “we don’t know what we don’t know” yet.
The thing I’m wondering is the relationship with HIPAA, EHR, and computer technicians. Obviously under HIPAA there is extreme privacy for the patient. However, there will also be the need for computer technicians to keep servers and IT systems at medical offices working.
The issue I’m having is that any disgruntle hacker could copy massive databases of patient information in the blink of an eye and transfer/publish this information making it available to insurance companies or the general public.
The thing is, the government can make that highly illegal (and has) so there is actually charges to a person doing this.
Now, if patients have access and input into their health records, they will need to be absolutely certain the platform they are using is incredibly secure. I can imagine some type of maleware/virus that looks for EHR records and dumps them on offshore servers.
As great as EHR is, and I really do like it, the hacking aspect is incredibly scary to me. Security is an absolute, because 1 simple breach on a high level, and all of HIPAA is out the window.
Here at Dr. Scarsdale’s office, we keep all our EHR extremely secure in a vaulted room.
It is going to be interesting not entirely on the server end of secure EHR records, but especially on the patient end. Just because a server may be secure, doesn’t mean that somebody’s computer may not be infected with something that could breach security.
I just can imagine some drooling health insurance companies waiting for an “underground” health list specifying the people who are in poor health. As much potential as the EHR system has, I hope there will be a very secure venue for people to access their health records.
On a more positive note, EHR and personal access could make it a breeze at a doctor’s office. We’ve all sat there filling out family health information for long periods of time. It would be simple to just copy and paste it, or simply just “bluetooth” it to a doctor’s computer systems. That would be wonderful because the check in process could be so quick.
The main thing is the security, that’s what I’m concerned about.
My Experience: Last month I went back to the doctor and things went much faster ; the doctor read from the computer and followed up on all the thing I had before, I even forgot some stuff that he reminded me about, great having the record on the computer ,, its about time!!
Today’s nurses face the challenge of how to position themselves to be most effective in orchestrating policy changes in their surrounding communities and workplace. But we can look to one of our most effective leaders and political activists for inspiration: Florence Nightingale. We should emulate and develop the skills practiced by Nightingale and other leaders of the past, and with their collective power, modern nurses can make a huge difference in our society’s health care system by participating in policymaking.
Because of persistent high unemployment rates and reform, the health care industry has had a tumultuous past few years. Families that once had commercial insurance are faced with difficult choices regarding compliance with primary, dental, and preventative care decisions. Many nurses recognize the severity of the problem, yet, due to lack of experience in the political realm, often take a backseat on such issues.