1. News Articles
  2. Related News Articles
News Article Details

Challenges for Medical-Record Privacy Rules

Source: WSJ - Melinda Beck

Posted on 02 May 2013 by Neilson

Facebook LinkedIn Twitter Google

Patient Privacy recordsThe sharing of Americans' health information is set to explode in coming years, with millions of patients' medical records converted to electronic form and analyzed by health-care providers, insurers, regulators and researchers.

That has prompted concerns over privacy-and now, new federal rules that aim to give patients more control over their information are posing technical and administrative problems for the doctors and hospitals that have to implement them.

Information-technology experts say the challenges illustrate how difficult it may be to protect sensitive patient information as digitization of the health-care industry expands.

"The reality is, our ability to exchange electronic information is already well beyond our ability to control it," says John Leipold, CEO of Valley Hope Technology in Norton, Kan., which makes electronic record systems for behavioral-health providers.

The new rules are part of a revision of the 1996 Health Insurance Portability and Accountability Act, known as HIPAA. They went into effect in March, but providers have until Sept. 23 to comply.

One key new provision requires doctors and hospitals not to disclose medical information to a patient's insurer if the patient requests it and pays for the services out-of-pocket. The information can be noted in the patient's medical file, but stopping it being revealed to insurers inadvertently may be difficult, some health-care providers say.

"It's a technology problem and a work-flow problem and a policy problem," said John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston, and co-chair of a federal advisory committee on data standards.

For example, he said, a patient could pay cash to have a sexually transmitted disease treated at a hospital and ask that his insurer not be informed. But many payment contracts between hospitals and insurers currently give the insurers considerable access to patient files for quality review and other oversight. If the same patient returned with a broken leg, an insurance case manager reviewing his leg care could readily see the STD treatment in his file, said Dr. Halamka.

As of now, the technology to make some parts of a patient's file visible only to some users and not others-known as data segmentation-isn't widely available, he said.

The out-of-pocket rule will also require new work-flow procedures, say some providers. For example, even if a patient paid cash for a medication, many electronic prescription systems automatically alert the insurer's pharmacy-benefit manager when a prescription is written.

"The industry is just starting to get its head around this rule," said Angela Dinh Rose, a director of practice excellence at the American Health Information Management Association. She predicts that many of these issues won't be solved by the Sept. 23 deadline.

Iliana Peters, a health-information specialist with the Department of Health and Human Services' Office for Civil Rights, which oversees HIPAA, says the out-of-pocket rule was mandated by Congress. "Every time a regulation comes out, the regulated community says they can't do it. But our hands are tied."

The question of how much control patients will have over their records is increasingly urgent. HHS is paying doctors and hospitals up to $30 billion in incentives to turn their paper files into electronic records that can not only streamline a patient's care but also link to cancer registries, public-health agencies and other data-sharing projects. Researchers, insurers, federal officials and doctors are counting on the trove of data in digital records to revolutionize care, helping identify the most effective treatments so they can cut costs without harming quality.

For many purposes, patient data can be "de-identified." HHS guidance last year listed 18 kinds of information, from names to email addresses, that should be removed in such cases; after that, HIPAA no longer applies. But there is little federal guidance on what kinds of projects should use de-identified data.

Long-standing HIPAA rules still bar the disclosure of identifiable patient information in many circumstances, but there are broad exceptions for treatment, payment and "health-care operations" that allow a wide range of doctors, nurses, pharmacists and others to access a patient's records without his consent or knowledge.

HIPAA orders all such users to access or disclose only the information needed, and with scattered paper records only a limited amount was available. But with electronic records, a patient's entire medical history can be transmitted in seconds.

Many doctors say having more information will improve care, but privacy advocates fear patients won't be candid with their doctors if confidentiality isn't assured. "There's no transparency. Nobody knows who is using their health information and for what purpose," said Deborah Peel, founder of the Patient Privacy Rights Foundation.

HHS is funding tests of data-segmentation programs that can transfer patient records while blocking sensitive sections. Valley Hope's systems, for example, can mask substance-abuse treatment in a patient's file unless the patient agrees to reveal it, as required by a 1973 law.

Joy Pritts, chief privacy officer at the HHS division coordinating information technology, said her office wants to help providers comply with all such federal and state laws. But many complex issues remain. Said Dr. Halamka: "We have the technology to build a skateboard, and we'd like to have a helicopter."