Important addition 7/16/09 6:40 pm EDT:
Be sure to read the HIPAA clarification by commenter “SLC” below, and any subsequent discussion. Dorothy Tillman was requesting her aunt’s records, not her own. This doesn’t change the need (IMO), but it does put a different light on the event.
This is a tiny item, which we might normally put in our “Found On The Net” sidebar. But this is a big one, and a sign of things to come.
We missed it at the time, but Vince Kuraitis’s must-read blog related in March that a year ago…
Frustrated after an overnight stay in the ER which she said yielded “little treatment”, she requested a copy of her aunt’s medical records before leaving. When she was told that it was hospital policy to request records “in writing”, Dorothy escalated her requests for the records. Refusing to leave without the records, she was brought to the floor by security guards and arrested on charges of criminal trespassing….
Vince relates how today’s HIPAA regulations, written in the stone age (relatively), says providers must give you your records, but they can take a month to do it. (And if they want, they can say that’s not enough and take another month.) When someone needs care, that’s not enough.
Significantly, last Friday the Health Data Rights movement gained its 1,000th endorsement. A movement has started. Add your name!
HIPAA strikes again! I have expounded on this problem many times on the e-patient blog but I cannot stress enough how important this issue is: that a hospital would go to the extent to physically restrain someone who is asking for copies of their own data underscores the problem. ELECTRONIC MEDICAL RECORDS ARE TERRIFYING TO HEALTH PROVIDERS because of the liability issue, which stems from HIPAA.
There is absolutely no point in discussing access to your own data if hospitals can’t (because the information is only in a paper chart) or won’t (because their lawyers said not to) release it.
Being at this point fairly knowledgeable about HIPAA and its impact on hospitals and research institutes, I can say unequivocally that the federal guidelines passed to protect patient privacy have absolutely impacted treatment. Let me give a concrete example:
Say I am a doctor, and I diagnose one of my patients with a rare form of osteocarcoma, which is in a late-stage. There is no standard of care treatment for this disease, but I happen to know that my colleague who works at a local research hospital has an experimental treatment protocol for which my patient is eligible. What would be the most rational action for me to take?
1) Call my doctor friend, and give him the name and phone number of my patient so that their office can call my patient and get him screened and enrolled on study as quickly as possible?
2) Give my doctor friend’s name and phone number to my patient and hope that the patient makes the call?
Having worked with MANY doctors, most of them would choose option 1, which just so happens to be disallowed under HIPAA. I cannot release ANY patient-identifying information to another doctor without SIGNED PATIENT CONSENT, which would have to be stored forever in case the patient (or his family) decides to sue. Now, I understand that patients (rightly) don’t want just anyone looking at their information, or doctors sharing all kinds of health/treatment data with their friends for any reason. But the regulatory environment has become so restrictive that it actually harms the patients!
Do we need a “health data rights HOT LINE” ? People could call in and get assistance getting their medical records from recalcitrant hospital administrators. DCK
Well now THAT’s an interesting idea, David! Who would staff that hotline, and what would they say?
My (weak) understanding is that a provider really isn’t required to hand ’em over. Are you talking about a “regulatory reminder” person or a persuader who convinces staff to go beyond the minimum required?
While HIPAA generally grants individuals a right of access to their protected health information, Ms. Tillman was not requesting her own records, but those of her aunt. Under the HIPAA Privacy Rules, the hospital would have to obtain a signed consent from Ms. Tillman’s aunt before releasing the records to Ms. Tillman.
The process of releasing records is generally handled centrally through a health information management or medical records department to ensure that patient records are protected and are not disclosed in violation of the law. It would not be appropriate for care providers such as nurses and doctors to hand over patient medical records without established processes being followed.
However, those caring for Ms. Tillman’s aunt could have discussed the aunt’s treatment with Ms. Tillman provided her aunt did not object and the care providers felt in their professional judgment that it was in the aunt’s best interest to do so. This sort of discussion is treated differently under the HIPAA Privacy rule than releasing the medical records themselves.
SLC,
Thank you so much for that clarification. I hadn’t thought of that aspect myself.
So, what happens in the case where the patient is incapacitated, e.g. unconscious?
(If you’re who I think you are, you’re something of a HIPAA expert, which is why I’m asking.)
Wow, Dave…just heard about all this and read it. Thanks for the info…
There is a big difference between discussing someone’s health conditions with immediate family and releasing paper or electronic copies of patient data. The first activity involves nothing that could be copied, lost, or misused and is directly involved with patient care…
Unconscious patients are unable to provide consent, and so typically hospitals are only allowed to release patient information that is medically necessary to improve the patient’s health. If the patient has stated previous preferences for health information release (eg: stated at the last visit that her daughter should be allowed to see anything about her health information) then those can be followed.
The main issue for HIPAA is that everything be documented. Typically, a hospital is covered best when a patient signs something. So in the parenthetical example above, if the woman signed a piece of paper saying “my daughter is allowed to see my medical information” then the hospital is much safer (from a liability and compliance perspective) than if the patient expressed her preferences verbally ONLY.
This of course does not rule out other wrinkles, such as how does the fact that the daughter is allowed to look at the medical information STORED and the staff made aware of this preference (in a note? in a chart? will an admitting nurse spend the time to check to see that preference has been recorded?), or how can the hospital staff be assured that the person claiming to be the patient’s daughter actually is. Ok maybe this last one is a bit of a stretch, but I spend enough time with compliance auditors for HIPAA to know that this topic will get raised during an audit or lawsuit…
Ben (July 17) has got it right. For more information on what can be disclosed if a patient is incapacitated, check out Health & Human Services website frequently asked questions:
http://www.hhs.gov/hipaafaq/notice/488.html
The test is basically whether the covered entity (hospital in this case), exercising professional judgment, determines that sharing information would be in the patient’s best interest.
SLC,
I am SO glad to read (on the HHS page you provided) that HIPAA does allow providers to tell family that the patient had a heart attack. :–)
Total sanity may soon be available throughout healthcare! Hallelujah!
Seriously, though, thanks for your contribution.
Why is it a surprise to anyone that someone would be arrested for demanding medical records? Just a few years ago you needed a judge to even ask for them. Of course, this is absurd – all medical records should be available immediately to all patients or their designees as care is given.
Perhaps as part of healthcare reform, a federal statute could be added requiring observance of Bachman’s Law: patients should recieve a copy of their medical records at the end of a medical encounter. This postulate proposed by John Bachman of Mayo Clinic (in Gartee, Richard; Electronic Health Records, Prentice Hall: 2007, page 423) insures that the data is recorded in the medical record in real time for information accuracy and appropriate decision support at the point of care for patient safety.
The side effect of requiring Bachman’s Law is that it 1) guarantees patient safety; 2) requires use of electronic medical records; 3) improves patient understanding of the care rendered; and 4) facilitates transparency. Patients can immediately correct the medical record. If a patient is unhappy with treatment or wants a second opinion, real time data would allow that process as well.
The beneficiaries of the Thalidomide Trust in the UK are currently developing such a system to work prospectively to insure the highest quality of healthcare is delivered. These individuals are the most empowered in healthcare since they are the largest group of people who have suffered an iatrogenic disorder.
Ben, I want to address the consent for research issue you raised on your post of July 15th.
HIPAA is far from perfect – but it is often misconstrued or incompletely understood by both providers and patients, and misconceptions and lack of knowledge are often more harmful than the law itself.
In your post you also give the example of a patient with late-stage cancer whose treating physician (you, in this post) has a colleague at a local hospital running a research protocol for which the patient may be eligible. You make the point that as a doc, you cannot give your colleague identifiable information about the patient for such a protocol without first getting the patient’s express consent. You are right on – HIPAA prevents you from doing so. And, in fact, survey data clearly shows that people want to be asked before they are enrolled in – or their identifiable information is used in – a research protocol.
However, HIPAA allows you to access or disclose information for purposes of treating your patients without the need to first get consent. So nothing in HIPAA would have prevented you from sharing the patient’s information to consult on treatment options. (See 45 CFR 164.501). You also could have shared de-identified data (or even a limited data set) with the researcher to pre-determine whether or not your patient met the eligibility criteria – and then you could have contacted the patient to see if he/she was interested in sharing more data or enrolling in the protocol. There were many more easy steps that could have been taken under HIPAA to get this patient into a protocol beyond just sending info about the research to the patient and leaving it up to him or her to take the next steps.
Nowadays patients themselves can go online and enroll in – or even pre-authorize the release of their data for – research protocols. For example, “Private Access” (https://www.privateaccess.info/) and “Patients Like Me” (http://www.patientslikeme.com/) provide these options to patients. But until tools like this are more widespread, physicians should assume that patients do not want their identifiable health information used for research purposes without first being asked.
Thank you very much for your help, this has been a great relief from the books,
“Frustrated after an overnight stay in the ER which she said yielded “little treatment”, she requested a copy of her aunt’s medical records before leaving. When she was told that it was hospital policy to request records “in writing”, Dorothy escalated her requests for the records. Refusing to leave without the records, she was brought to the floor by security guards and arrested on charges of criminal trespassing….”~ I understand the need for patient privacy protection but arresting her is a bit too much. I think the health care institutions should be worried more on electronic breach since it’s on the rise rather than arresting individuals who want to take their relative’s records with them when they’re about to leave..It’s overkill..