A few days ago, my colleague Monica Oss asked an important health care data question: Are EHR Vendors Holding Patient Data Hostage? It’s an important question for business-to-business relationships in the industry, and it leads to another: what kind of access do consumers have to their own health records? Turns out, not as much as you might think.
As it’s written, the Health Insurance Portability and Accountability Act (HIPAA) (see HIPAA: The Final Act) gives consumers rights over their health information, including the right to get a copy of the information, provide corrections to the information, and know who has seen the information (see Your Health Information Privacy Rights). But according to an increasing number of news stories, all three of these rights are being turned into an obstacle under the guise of “protecting privacy.”
For example, The New York Times ran a story last fall that found “many hospitals and doctors have created a series of hurdles that must be cleared before patients can get their information” – in some cases these “hurdles” include weeks of repeated requests via mail, e-mail, phone calls, and official consent forms, before requiring the consumer to show up in person to receive hard copies instead of electronic copies (see Medical Records: Top Secret). In the article, Harvard Law School professor I. Glenn Cohen speculated on why provider organizations are holding records hostage: “The reason is often to keep a customer or keep a patient from leaving the practice.”
This problem only increases when access to “medical records” doesn’t include access to health care data, such as the kind collected during remote monitoring. Writing for Slate, Hugo Campos reports that “The high-fidelity data collected by my $30,000 Class III medical device is off limits to me…patients still do not control the health data collected by their implanted medical devices” (see The Heart Of The Matter).
Correcting the information consumers do have access to doesn’t prove easy either. Writing in iHealthBeat, Angela Kennedy records her frustrations at her attempt to gather and correct a copy-pasted error in her child’s medical records, which led to clinicians overlooking an inheritable condition (see Why Health Information Must Be Available Where And When Consumers Need It).
Finally, when it comes to regulating who can see consumer data (and whether consumers can restrict who can see their data), HIPAA rules only govern medical records before they are “de-identified.” Once records are stripped of names and other identifiable data, provider organizations can share them any way they choose. Should a third party manage to re-identify individual patients (which has been proven both possible and likely, see Can You Be Re-Identified?), the information is still no longer covered by HIPAA.
I think this raises a question for the industry moving forward – is HIPAA really working for consumers? While much of this is anecdotal, we are all consumers of health care services, and it takes little to recognize that addressing the consumer interface with health data is an essential part of protecting the consumer experience (see Learning From The Consumer Experience With Personal Health Data). This protection should include specific rules for medical records that include easier access for actual consumers, increased transparency about who else has access, and prohibitions on the unauthorized re-identification of data.