Proxy Access to EHRS
The Health IT Policy Committee‚Ä™s Privacy and Security Tiger Team is considering potential¬ privacy¬ and security policy issues that could arise when a family member, friend or legal designee is given access to patient information through the certified electronic health record technology ‚Äėview/download/transmit,‚Ä™ or V/D/T capabilities. The team is aiming to gather the comments in the coming days to kick off discussion about personal representative access to patient electronic health records.
In particular, the Tiger Team is seeking input from healthcare providers that already grant view, download and transmit capabilities to patient‚Ä™s personal representatives. The workgroup wants to learn more about how healthcare providers confirm that an individual is, in fact, a personal representative; how patients‚Ä™ friends and family are provided with credentials to access to view/download/transmit accounts of patients; and whether access is ‚Äúall or nothing,‚ÄĚ or whether there more granular options offered.
The Tiger Team makes security and privacy recommendations to the HIT Policy Committee for consideration by the Office of the National Coordinator for Health IT, which creates guidelines for the HITECH Act electronic health record incentive program and national¬ health information exchange.
HIPAA¬ permits covered entities to share identifiable health information relevant to a patient‚Ä™s care with family members or friends involved in a patient‚Ä™s care, unless the patient objects.
It also requires covered entities to treat a ‚Äėpersonal representative‚Ä™ ‚Ä" a person authorized under state or other applicable law to act on behalf of the individual in making healthcare-related decisions ‚Ä" the same as they would treat the patient. As a result, personal representatives have the same rights of access to medical record information as the patient would have.
Because patients can access relevant health care information through V/D/T, the Tiger Team is considering whether there are additional privacy and security policy issues that need to be resolved when family or friends access the data.
Access to Records
The Tiger Team has decided to take on the topic because to view, download and transmit is likely to become a predominant vehicle for getting patients rapid access to downloadable, relevant health information.
In fact, providing patients with the ability to access their electronic health information is a requirement for healthcare providers participating in Stage 2 of¬ HITECH Act¬ EHR financial incentive program.
A person who serves as a personal representative is similarly going to find this access valuable.
Since HIPAA requires covered entities to treat personal representatives as patients with respect to rights to data, the Tiger Team is interested in hearing whether there are policy issues with respect to personal representative access through VDT ‚Ä" and if so, how could they help resolve them?
We at HCP will watch for developments on this possible change for HIPAA. We will keep you informed on any progress.