From the smart phone to the patient portal and beyond, balancing privacy with patient access to health information is one of the industry’s hottest topics. Two experts explored the challenges of leading privacy in a world of new technology during Monday’s Advocacy Leadership Symposium in Washington, DC.
Lucia Savage, JD, chief privacy officer, Office of the National Coordinator for HIT (ONC), and Deven McGraw, JD, deputy director, health information privacy, Office for Civil Rights (OCR), shared the latest.
Task Force Working on Automation with Mobile Apps
Savage said ONC has been focusing on three areas:
- Focusing on HIPAA basics. “We as stakeholders seem to have forgotten what HIPAA actually says and how it supports interoperability, and we’re going back to that,” she said.
- Working with the National Governance Association to produce toolkits to help states better clarify their privacy laws and address barriers to interoperability.
- Bringing automation to the process of moving information around via mobile apps. The key to this is the use of open or publicly available application programming interfaces (APIs). “Think of APIs as a doorway; you go through it to retrieve data,” Savage said. Open APIs will enable unaffiliated providers to use apps and mobile technology to retrieve data on a read-only basis. They also will enable patients to retrieve data about themselves on a read-only basis.
ONC convened an API Task Force to identify potential privacy and security concerns and to identify recommendations on how to address barriers to using open APIs. Recommendations will be forthcoming this spring, she said.
The API Task Force has held hearings with testimony from technology experts, consumers, and providers. Savage shared some of the highlights from their testimony:
The technology experts pointed out that APIs are already used in online banking and other processes. “There’s a lot of security layers” for who is authorized to use the doorway, Savage said. Programmers must have clear documentation about how the API works.
Consumers asked why they could not have more access to their own data. “Patients are adults and they can make smart decisions about where to put their health data,” Savage said.
Developers also need to account for the diversity of audiences, language, and health literacy levels. There are also varying levels of engagement, Savage said. Some consumers want to control every step, while others don’t want to be bothered. This is important, she said: “I do not want us to end up in a world where people have to do their privacy settings in ambulances.”
Healthcare providers said they support the use of open APIs and want to meet the patients where they are: on their smart phones. But they are concerned about how to make sure the app is being used by an authorized person and that the right data is going to the right person.
Working Toward a More Patient-Centered Health System
OCR has also been working in the area of patient access and privacy, with a recently published guidance on the topic. “We made things a lot more clear, we hope. We also recognize that questions beget more questions,” McGraw said.
McGraw said OCR issued the guidance because complaints from individuals about not being able to access their health information are among the office’s top 5 HIPAA complaints—today it is no. 3, she said. “The bottom line [for healthcare] is: the individual is permitted to get information in the format requested, as long as it is readily reproducible by you,” McGraw said.
In addition, McGraw said OCR has received many complaints from patients about the cost of obtaining copies of their medical records. Many of these complaints are the byproduct of out-of-date state laws. “Default and per-page charges don’t match a digital world,” she said.
OCR made an effort to clarify reasonable labor costs for making copies for individuals and what HIPAA rules mean with respect to state laws. “We are continuing to get questions about the fee guidance, and additional guidance will be forthcoming. We recognize that there are costs associated with getting individuals their records, but the individuals whose information is part of those records are the least able to bear a portion of that. There should be limitations placed on that,” McGraw said.
Solving this problem is an important step in making the healthcare system more patient-centered, she said. Demand is relatively low now, but that’s going to change. McGraw urged people to use OCR’s guidance as an opportunity to think about their own processes. “Mere compliance with the rules will not be the end of the conversation. How can we do better and be more customer service and patient-first oriented?” McGraw said.
HIM professionals have the opportunity to serve as patient advocates in matters of access, McGraw said. She urged the audience to do this by “being the leaders within your organizations for process redesign on access to information and making individuals aware that they have a right to this information; people don’t always feel empowered to ask.” Savage added that if your organization is using certified EHR technology, “become familiar with how your view/download/transmit function works and help the patients use it.”
McGraw also recommended that her listeners “educate medical professionals within your institutions about myths. If you dig into the guidance, there is more you are permitted to do within the context of good practice than is done today,” she said. “There is an idea that HIPAA means ‘no.’”