
Patient Access To Electronic Medical Records Strengthened By New HHS Rules

dstates writes "The Department of Health and Human Services has released newly revised rules for the Health Information Privacy and Accountability Act (HIPAA) to ensure patient access to electronic copies of their electronic medical records. Several years ago, there was a great deal of excitement about personalized health information management (e.g. Microsoft HealthVault and Google Health). Unfortunately, patients found it difficult to obtain their medical records from providers in formats that could easily be imported. Personalized health records were time consuming and difficult to maintain, so these initiatives have not lived up to their expectations (e.g. Google Health has been discontinued). The new rules should address this directly and hopefully will revitalize interest in personal health information management. The new HIPAA rules also greatly strengthen patient privacy, the ability of patients to control who sees their medical information, and increases the penalties for leaking medical records information. 'Much has changed in health care since HIPAA was enacted over fifteen years ago,' said HHS Secretary Kathleen Sebelius. 'The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age.'"
  • by Gim Tom ( 716904 ) on Saturday January 19, 2013 @11:54AM (#42633765)
    A recent experience in my family made me fully aware of how important immediate access to personal medical records can be and how difficult they can be to obtain at times.

    A family member had been hospitalized and surgery was indicated. However, the current CT image showed something that may contraindicate surgery if it was new, but would not do so if it was an artifact of a previous surgery many years before. The only way they could tell was to compare the current image with an image several years old, but after the prior surgery. There was such imaging done at a different hospital about 20 miles away about eight years prior and the doctor learned that they did have the image archived. However, the only way to get the image to him was for someone to drive to the hospital and bring a copy of it back on a CD. I made that trip and the CD showed that the suspicious object on the CT scan was an artifact from a surgery over a decade prior.

    This made me realize how important having one's own copy of complete medical records could be. It would be so easy to have them on even a small thumb drive and they could be encrypted for security. The real problem is getting the medical community to give the patient those records in electronic format, and that format should be an open and published format and not in any way proprietary.
    • by Anonymous Coward on Saturday January 19, 2013 @12:27PM (#42633881)

      As someone who develops medical records, let me tell you "good luck with that".

      As a newcomer to the field (with hundreds of competitors) fighting to carve a space for ourselves we're all for it, after all if you don't like your current system, an open record format makes it easy to import it into our system.

      Obviously, the established players aren't so happy with it, but there's one more party who's against it too: the doctors themselves. They don't realize it, but their own actions are fighting this tooth and nail. "Why can't I just dictate everything in a box?" "Why can't I just write it down and scan it in?" "I don't want my chart to say Weight, can't it just say W?"

      TL;DR: the format already exists, it's called PDF.

      • by ColdWetDog ( 752185 ) on Saturday January 19, 2013 @12:51PM (#42633979) Homepage

        As a physician involved in this mess (and it's a mess), let me chime in and say that you're partially right and partially wrong (TL;DR - it's complicated).

        Yes, lots of health care providers (doctors, nurses and ancillary personnel) absolutely hate change. There are doctors who are perfectly happy scribbling down a paragraph of acronyms and abbreviations and calling it a day. Then they get mad at the nurse because she can't figure out just what the hell the doc meant.

        Those people need to get put in a closet and only used in emergencies (fat chance). Then there are EHR providers that can't program anything harder than "hello world" without six months of testing. It should be fairly easy, for example, to input weights in pounds and convert it on the fly to kg (or stones or troy ounces for that matter). Instead you have input fields that are rigidly structured, and worse, fail in unspecified ways requiring you to re-input the data. Those programmers need to be put in a closet and left there.

        The problem with patient data is that you don't know the level of understanding that you are shooting for. Do you dump everything out in Doctor Babble? Do you try to make it read at a 5th grade level? Do both? Something else?

        PDF is fine for data output that would be static - not so good if the patient wants the new provider to input it into another system. That's a difficult problem to solve. HL7 was supposed to be the standard that offered a solution to that, but, like most standards, it suffers from implementation problems.

        And the new gem:

        "When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan."

        is going to really jam things up. Now you have to sort data on a whole new metric - who can see it. I predict this isn't going to work out well, although I understand the rationale behind it. I also understand how this is going to be abused - your doctor / healthplan doesn't see the fact that you paid for a script for 150 Vicodin. You'd like some more.... Whatcouldpossiblygowrong.

        • by Anonymous Coward

          GP again.

          "It should be fairly easy, for example, to input weights in pounds and convert it on the fly to kg (or stones or troy ounces for that matter)."

          It is easy. When they use our field to do that. When they want to dictate "21 year old 18 stone female presents in my office with a blistering rash on the upper right thigh" that's their problem (and they make it my problem).

          "HL7 was supposed to be the standard that offered a solution to that"

          Except that it really, really wasn't. Wasn't ever supposed to be.

          • Don't you love how a management task gets offloaded to the technology....again.

            If you don't want your RNs to look at their records then tell them not to and have and run an audit report to see if they are or are not....then fire them for ignoring you and if you really don't like them, report them to the licensing board for breaking ethical and legal codes.

            • by dstates ( 629350 )
              And they will come back at you for a HIPAA privacy violation. Your scenario implies that to save IT complexity and expense, you are willing to risk patient confidentiality. You are not going to come across as a sympathetic defendant, especially when they say the only reason they were looking was to test the system security which they found wanting but were afraid to report to their greedy boss looking for an excuse to fire people.
              • Sorry it does not work like that.....the data is protected...a user of the system is not allowed to access their medical chart using the system.

        • by Kjella ( 173770 )

          You're trying to solve the problem of electronic patient journals, very good luck with that. But the grandparent is right in one thing - it'd be a helluva start to get "electronic paper journals" off the ground. Sure it *would* be nice if it existed in plain text or a structured format that could be parsed electronically as well, but currently a lot is done by printer/scanner/photocopier that didn't have to go via physical paper.

        • As a patient involved in this mess, first, let me say that you sure are putting a lot of people in the closet. :)

          (And I heartily agree.)

          As a patient, what drives me crazy is that each health care provider wants you to fill out forms with the same questions. Each form is just different enough that I can't make a standard form and just take it with me. "Yes, I have high blood pressure (and you people are part of the reason, heh), yes, I've had surgery, my father had heart trouble and both parents have had can

        • So it would jam things up to treat some patient's information different than other's? I think that proves the deceptive fallacy in the patient opt out of the original HIPAA.

          We have all seen the HIPAA privacy disclosure forms they give you in the doctor's office. Part of that form says that you have the right to request changes with respect to how your data is handled. But as coldwetdog points out, if they say yes it could require new software, maybe even new sort fields in their databases (horrors!). So of

        • So it would jam things up to treat some patient's information different than other's? I think that proves the deceptive fallacy in the patient opt out of the original HIPAA.

          We have all seen the HIPAA privacy disclosure forms they give you in the doctor's office. Part of that form says that you have the right to request changes with respect to how your data is handled. But as coldwetdog points out, if they agree to a change it could require new software, maybe even new sort fields in their databases (horr

      • "TL;DR: the format already exists, it's called PDF."

        No, it isn't.

        PDF is a proprietary format that can change at any time at the behest of Adobe. (And in fact has changed on a pretty regular basis, with no requirement for "public" input.) So far, they have decided to be user-friendly about making the format available to the public, but there is NOTHING saying that will be true tomorrow.

        A standard medical record format has to be PUBLIC, not proprietary. The Open Document standards (Open Office, Libre Office) come a hell of a lot closer to a truly public

        • Wikipedia sayz:

          While Adobe Systems made the PDF specification available free of charge in 1993, PDF remained a proprietary format, controlled by Adobe, until it was officially released as an open standard on July 1, 2008, and published by the International Organization for Standardization as ISO 32000-1:2008.[3][4] In 2008, Adobe published a Public Patent License to ISO 32000-1 granting royalty-free rights for all patents owned by Adobe that are necessary to make, use, sell and distribute PDF compliant impl

          • "Wikipedia also sayz:"

            Well, good for Wikipedia.

            Now create a nice graphic-and-fancy-text-filled web page in Adobe Illustrator CS5 (or 6 now, if you prefer), and save it as .pdf. Then see if you can open it with an older program that was made to read the .pdf specification as it was in 2008 or 2009.

            And good luck with that.

    • The problem with your solution is that it requires patients to behave in a rational and appropriate fashion. Asking an individual to be responsible for their medical records just doesn't work on the whole. Too many people can't be arsed. Too many people would purposefully hide data. And there are many, many people who would simply find this to be impossible - my demented mother, for instance.

      At present, there are many ways to keep track of important medical information. A piece of paper with your relev

      • by Gim Tom ( 716904 )
        Thank you for your comments. I was aware of the multitude of problems that would have to be addressed to really do this effectively. Both of my parents had Alzheimer's, and prior to retirement in 2007 I was Network Engineer and Security Officer for a State Agency that handled PHI and was on a state wide HIPAA implementation team. A nightmare that still haunts me from time to time.

        I too was surprised that the image could not be transmitted electronically between the two hospitals. Some prior experienc
        • Kaiser is now much harder to work with.

          They will not request medical records to be transferred from your old doctor. As far as I can tell, you must request them directly from your old doctor on paper (this generally means paying for copying costs at a jacked up per page rate) then the fun really begins.

          You can't just take the copies of the records to Kaiser and ask them to put them in the system, you have to take them to the doctor (in that department) with an appointment and have the doctor designate what

          • There is some rational thinking behind parts of those policies:

            - In general, having a patient directly give a doctor records makes tampering with the record a real possibility. No real way to ensure that the record hasn't been modified or simply trimmed of data that the patient didn't want anyone to know or just simply thought wasn't relevant.

            - Some EHRs dump every cold and sniffle to the output. EHRs, especially on complex patients, suffer from a signal to noise problem. Unfortunately, the best way to d

            • it is a hospital....of course a committee of know-nothing administrators made decisions based on stupid political BS with wrong assumptions because they fail to even know who the right people are to pull in and ask.

  • by somarilnos ( 2532726 ) on Saturday January 19, 2013 @12:16PM (#42633831)

    One thing it misses - the "Final Rule" part of it implies that this is it. It's not.

    The requirements from HITECH come in three stages - and this is the final rule for stage 2. There's an entire additional stage coming to further enhance what hospitals are doing to improve the quality of health care with technology.

    Of note, too, hospitals who meet these requirements get additional reimbursement from Medicare (Beaucoup bucks). Those that don't get reduced reimbursement from Medicare. So a lot of these rules aren't entirely mandates, but close enough.

  • For what cost? (Score:4, Interesting)

    by pubwvj ( 1045960 ) on Saturday January 19, 2013 @12:22PM (#42633857)

    A year or so ago our doctor switched over to electronic records. Now they want $75 per person for us to get a copy of our records as an administrative fee. All they need to do is print the records off of the computer. Minimal labor, minimal cost, not even very many pages. They're just using the fact that they're now electronic records as a means to collect more fees. It is greed on the doctor's part, plain and simple.

    • Re: (Score:3, Insightful)

      by Trax ( 93121 )

      I'm a doctor who is involved with the hospital's IT and EMR. The cost of switching over to electronic records is an already expensive proposition at the beginning and where the vendors get you is for maintaining the EMR on a yearly basis. Yes, it is minimal labor and not many pages but it is NOT minimal cost. Neither the private insurance nor medicare/medicaid reimburse the doctor for his or her use of the EMR and the patient is saddled with the cost.

      • That's not always the case. We provide copies of medical records to patients free of charge. Yes, it takes a little time to retrieve and send, but feel that charging for that is detrimental to relationships with our patients.
      • by pubwvj ( 1045960 )

        That cost is your problem. Not mine. I did not ask my doctor to switch to electronic records. They shouldn't be charging an arm and a leg for me to get a copy of my own records. They don't do this for the paper records, only the last years that are in electronic form.

    • dump your doctor.

    • by Anonymous Coward

      The cost has to be the actual cost of making the copy and delivering it to you (postage, for instance). They cannot charge for search, retrieve, or things like transportation from an offsite location. Basically, they can charge for the labor and materials to burn a CDROM or make photocopies.

  • One of the things that the UK does right is to allow 'subject access' to all forms of computer held data, with remarkably few 'national security / crime control' cop outs. The fee for the access is £10 - less than US$18 for EVERYTHING they've got on you. Facebook even succumbs - providing a CD when such a request is submitted. This certainly included your records with the National Health Service. It was passed nearly 30 years ago in 1984 http://en.wikipedia.org/wiki/Data_protection_act [wikipedia.org] for the histo
    • by Anonymous Coward

      Actually the fee isn't limited to 10GBP: they can charge reasonable costs and postage. For health record requests from the NHS, though, it's capped at 50GBP.

      Also, it's not quite that simple. You have to work out who has the data, and they might have destroyed it. I've recently requested my medical records, and while my GP was able to supply me with everything they had (basically summary notes for my entire medical history) for 15GBP plus postage, the hospital where I had a battery of tests in 1990 destroyed

  • It's about government access to patient information. Everything else is a sideshow.
    • And the moon landings were a fake...and Obama signed executive orders to allow the UN to kick in my door and take my guns if they feel like it!!

      [/ stupid conspiratorial nut]

  • "Google Health has been discontinued"

    2012 was the Year of the Cloud Going Away. Several major service vendors bailed completely. GoDaddy dropped their cloud service last October [gigaom.com], Dell discontinued their Quest Cloud Automation Platform [quest.com] and Harris dropped theirs last February. [informationweek.com]

    On the consumer side, where the contracts are heavily biased towards the vendor, it's worse. Apple dropped MobileMe, and Google dropped a long list of products. Windows Live Mesh shuts down February 13, 2013. [binlogs.com]

    When cloud services die, they tend to die fast. A business

    • I work with a company named Dynamic Vault http://www.dynamicvault.com/ [dynamicvault.com] and we are a cloud & disaster recovery provider focused on the healthcare industry. Cloud services in general are rapidly growing and this holds true especially for the healthcare industry. As offers further mature, this will ultimately lead to a cost savings and increased data security for providers. Centralizing your infrastructure and using a leveraged support model absolutely delivers a better value than many disparate
    • by Qzukk ( 229616 )

      To be honest, people who called themselves "the cloud" were the pets.com of the post-dot-bomb era. "The cloud" existed before it became a buzzword, and it will continue to exist afterwards for the use cases where it makes sense.

      Get out! Get out now! This post is coming from inside The Cloud [tvtropes.org]!

  • You want to make electronic health records easier for consumers?

    1. Set up a standard XML format for records and mandate that all providers must give consumers access to the data in that standard format (other formats are allowed, but the standard format's required). That'd give services and software at least one format they can target for import/export that the patient's guaranteed to be able to get. Make sure the format includes a "Notes" element that's free-form text, so providers can include stuff that wo

    • What you are asking for is already being implemented. See the Automated Blue Button Initiative (ABBI) at http://wiki.siframework.org/Automate+Blue+Button+Initiative [siframework.org]
  • by Anonymous Coward

    You'd think /. would be able to get HIPAA right, given they also link to the description of the abbreviation. "Health Insurance Portability and Accountability Act", folks.

  • The sad thing is that those who follow the rules keep the information safe. Hospitals are in the game for the money, just like the pharmaceutical companies. Nothing is free, nothing is sacred, just show me the money. Anything that can benefit the patient is secondary unless some medical graduate can get a grant to further the exploration. If a substance cannot be patented, regardless of the lives saved or at least relieved, it has no merit.
