More access to records is good for your patients—and for you

Urology Times Journal, Vol 50 No 12

"Instant and electronic access by patients to the electronic health record upends some long-established physician-centric traditions of medical practice and documentation and raises some concerns," writes Robert A. Dowling, MD.

Patient access to health care information continues to evolve and change the shape of patients’ relationships with physicians, hospitals, testing facilities, and insurers. The issue has the focused attention of the Office for Civil Rights (OCR) at the US Department of Health & Human Services (HHS), as demonstrated in recent enforcement actions of the Health Insurance Portability and Accountability Act (HIPAA) Right of Access.1 Most of the settlements or actions arising from OCR enforcement involve allegations that patients were not granted access (their right under HIPAA) to their medical records and typically are resolved for tens of thousands of dollars—most paid by dentists and physicians.

In 2020, the Office of the National Coordinator for Health Information Technology (ONC) issued a final rule implementing Section 4004 of the 21st Century Cures Act. Among other things, this rule implements interoperability requirements, defines information blocking, and seeks to give patients “more power in their health care.” Slowly but surely, the standard for personal access to health care information is evolving to become instant and electronic—just as individuals now expect from banks, airlines, local government, and other important third parties in their everyday lives. The transition is not without challenges, and it has met some resistance from the health care system.

What exactly constitutes the information that patients have rights to access? The key terms are electronic protected health information (ePHI), designated record set (DRS), and information blocking. Here’s how they work together. ePHI is “any information, including genetic information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” and is “transmitted or maintained in electronic media or transmitted or maintained in any other form or medium” and would be included in a DRS. When the Cures Act was implemented, a DRS was limited to a subset of health information until October 6, 2022. After that date, a DRS is simply defined as “a group of records maintained by or for a covered entity that is the medical records and billing records about individuals maintained by or for a covered health care provider or used, in whole or in part, by or for the covered entity to make decisions about individuals.”2-4 HIPAA and the Cures Act grant patients the rights to that access, and information blocking defines those practices that would interfere with that access, including but not limited to delaying the release of progress notes, laboratory results, or pathology results in order to permit clinician review.5

Why is patients’ access to their information controversial? Instant and electronic access by patients to the electronic health record upends some long-established physician-centric traditions of medical practice and documentation and raises some concerns. First, physicians may no longer have the first pass at test results nor control over how and when those results are interpreted. Physicians who previously scheduled office visits solely to disclose and review results—especially if they are normal—may find patients challenging the need for that service, the timeliness, or the propriety of “paying for their results.”

One area of particular concern is pathology results and a new cancer diagnosis. In a recent article, Gabrielson et al highlighted these concerns in the context of prostate biopsy results and presented several ideas for addressing communication, including making pathology reports more patient friendly.6

Second, the primary audience for medical record documentation has grown bigger and now includes anyone who might at any point access the record: physicians in the practice, consultants outside the practice, support staff, hospitals, insurance companies, patient assistance organizations, attorneys, and patients. It is challenging to create and maintain a record that optimally serves all of these interests, but at a minimum, physician authors should document with the full expectation that the patient can and will access their record or possibly challenge its veracity. One example that could be problematic is a lengthy informed consent paragraph—documentation that was designed for an attorney audience, but a discussion remembered very differently by the patient. Another example might be a long review of systems—perhaps copied forward—where the patient “denied” symptoms but doesn’t recall being asked or in fact does have those symptoms.

Finally, remember that regulations define the designated record set as information that is used to make decisions about patients. Contemporary systems include features such as alerts, sticky notes, messages, telephone notes, and appointment notes. If you are using these features to store or communicate information used to make decisions about patients, then, according to regulatory definitions, patients have the right to access those notes.

What are the penalties for interfering with patients’ access to their health information? The OCR has brought HIPAA enforcement actions in at least 41 cases that have resulted in monetary penalties and/or corrective action plans primarily involving medical and dental practices.1 The ONC receives and processes claims of possible information blocking from the public. As of September 30, 2022, ONC has received 511 such complaints, which included 391 concerning providers and 73 involving health information technology (HIT) developers; most originated from patients.7 ONC triages and forwards complaints it determines to be possible information blocking to the Office of the Inspector General (OIG) for HHS, which is responsible for formally investigating and, in the case of HIT developers or health information exchanges, assessing any penalty. (ONC has dual authority to investigate complaints against HIT developers.)

In a proposed rule dated April 2020, the OIG noted that its civil monetary penalty authority “does not extend to health care providers. If OIG determines that a health care provider has committed information blocking, it shall refer such health care provider to the appropriate agency for appropriate disincentives. The appropriate agency and appropriate disincentives will be established by the Secretary in future notice and comment rulemaking.”8 This rule has not been finalized as of October 2022. So at this time, it is unclear who will enforce the information blocking provisions against providers and what the “disincentives” will look like.

The bottom line and why it matters

The traditional information asymmetry in medicine is changing. Patients are empowered by federal laws and regulations to have timely and unrestricted access to their health information, including but not limited to almost everything in the electronic health record. There may be physician concerns about and unintended consequences of such access and transparency, but they can be mitigated by a new paradigm—the shared record. Take a moment to imagine how this can help you and your patients. Encouraging patients to review your/their notes may reinforce the short discussions you had in the exam room or uncover important omissions in the history. Reminding patients to review their test results can create shared responsibility and be a risk-management strategy. Setting advance expectations about patients’ access to pathology reports, and your typical time and place to review, can prevent misunderstandings and improve communications. Portal access can eliminate time-consuming phone calls and letters to patients. These are just a few examples outlining how the new information paradigm anchored in patients’ access to their information can be leveraged to improve, not complicate, the physician-patient relationship.


1. HIPAA compliance and enforcement actions: resolution agreements. US Department of Health and Human Services. Updated September 20, 2022. Accessed November 8, 2022.

2. Code of Federal Regulations Title 45, §160.103. National Archives and Records Administration. Updated October 25, 2022. Accessed November 8, 2022.

3. Code of Federal Regulations Title 45, §164.501. National Archives and Records Administration. Updated October 25, 2022. Accessed November 8, 2022.

4. Code of Federal Regulations Title 45, §171.102. National Archives and Records Administration. Updated October 25, 2022. Accessed November 8, 2022.

5. Information blocking. Updated October 31, 2022. Accessed November 8, 2022.

6. Gabrielson AT, Choi U, Fletcher SA, Pavlovich CP. Lost in transparency: the 21st Century Cures Act (“Open Notes”) and prostate cancer care. J Urol. 2022;208(5):948-951. doi:10.1097/JU.0000000000002924

7. Information blocking claims: by the numbers. Accessed November 8, 2022.

8. Grants, contracts, and other agreements: fraud and abuse; information blocking; Office of Inspector General's civil money penalty rules. Federal Register. April 24, 2020. Accessed November 8, 2022.