Updates to HIPAA, the decades-old statute that regulates the flow of patient health information, could enable better patient data access and engaged use of that data, according to the American Health Information Management Association (AHIMA) and the American Medical Informatics Association (AMIA).
“Congress has long prioritized patients’ right to access their data as a key lever to improve care, enable research, and empower patients to live healthy lifestyles,” AMIA president and CEO Douglas B. Fridsma, MD, PhD, FACP, FACMI, said at a health IT briefing on Capitol Hill. “But enacting these policies into regulations and translating these regulations to practice has proven more difficult than Congress imagined.”
HIPAA regulations include numerous specific provisions dictating how patients can access their own medical information. The law clearly states that patients are the owners of this data and that hospitals must disclose that data at patient request in the medium the patient desires, all within a reasonable amount of time and for a reasonable fee.
But those promises have not necessarily come to fruition, as more stakeholders maintain that HIPAA can restrict patient data access, according to AHIMA CEO Wylecia Wiggs Harris, PhD, CAE.
“AHIMA’s members are most aware of patient challenges in accessing their data as they operationalize the process for access across the healthcare landscape,” Wiggs Harris said during the briefing. “The language in HIPAA complicates these efforts in an electronic world.”
The briefing included health informatics and data management experts as well as the representatives from AHIMA and AMIA. Specifically, the stakeholders discussed federal laws and how they impact patient data management and patient access to health data.
Data management systems and federal regulations have revolutionized how individuals go about their business, impacting the travel, leisure, banking, and other key industries. However, healthcare has not kept up to speed, and data regulations are seen as severely limiting patient engagement in care.
Specifically, AHIMA and AMIA recommended that policymakers modernize the term “health data set” to include clinical, biomedical, and claims data gathered by a covered entity. The new definition should emphasize patient ownership of data and influence future health IT certification processes. In particular, patients should be able to view, download, and transmit health data to any party they desire using an application programming interface (API).
Additionally, the groups suggested revising the HIPAA term “designated record set” and requiring that Certified Health IT allow providers to disclose this data in a way that a patient can use and reuse the data.
The work group also pointed out needed advances for data sharing on mHealth apps and health social media platforms. These tools, which often generate and store patient data, have long gone somewhat unregulated. HIPAA and other privacy standards need to account for these systems to protect patient data.
Specifically, AMIA and AHIMA said that Congress should “extend the HIPAA individual right of access and amendment to non-HIPAA Covered Entities that manage individual health data, such as mHealth and health social media applications. The goal is uniformity of data access policy, regardless of covered entity, business associate, or other commercial status.”
Further clarifications are also needed for third-party individuals who have not necessarily been cleared by patients to obtain patient data. This largely refers to legal counsel seeking information.
“HIM professionals continue to struggle with the existing Office for Civil Rights guidance that enables third-party attorneys to request a patient’s PHI,” said Harris. “We recognize there are necessary circumstances in which a patient has the right and need to direct their health information to an attorney. However, AHIMA members increasingly face instances in which an attorney forwards a request for PHI on behalf of the patient but lacks the information required to validate the identity of the patient. As a result, the HIM professional is challenged as to whether to treat it as an authorization or patient access request, which has HIPAA enforcement implications.”
The workgroup also commended efforts that have enabled the free flow of patient information, specifically between patient and provider. The OpenNotes movement, for example, has successfully driven patient data access in participating organizations.
As of October 2018, 30 million patients have gained access to their clinician notes through OpenNotes.
Federal policies can continue this work by creating Medicare and Medicaid incentives for adopting OpenNotes, Thomas Payne, MD, FACP, FACMI, Medical Director, IT Services, UW Medicine, said.
“More than two decades after Congress declared access a right guaranteed by law, patients continue to face barriers,” Payne noted. “We need a focused look at both the technical as well as social barriers.”