While this scenario represents a constellation of private health information concerns, it serves to highlight issues that are being discussed currently in the United States. Since the passage of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and, more recently, the 2009 national digital medical records mandate and the CMS 2014 mandate, the healthcare enterprise has transitioned nearly completely to electronic management of health data. This transition from traditional paper documentation in both hospitals/clinics and physician offices has been difficult, expensive, and often burdensome.
Explore this issue:April 2016
The early stages of EHR implementation, which require expert assistance, come with a steep learning curve and frequent problems. While these technical issues, along with noteworthy legal implications, have received significant attention, the ethical issues associated with electronic records are now being appreciated as equally important.
We are seeing increased activity in national and international hacking of data, and although this is primarily a financial issue, hackers also pose a real and present danger to hospital and physician databanks, perhaps aiming to exploit private health insurance or to hold hostage the PHI caretakers for ransom. Some patients are fearful that their PHI may potentially become compromised, with no capability on their part to ensure its safety. This understandably might lead to some patients expressing significant concerns about their PHI and requesting that their information be removed from an electronic system they perceive as insecure. The expansion of health information exchanges (HIEs) may also cause patients to worry about the risk that their personal data may be inappropriately exposed. Looking at it from the patient’s perspective, these concerns may be little different than our own concerns about breaches to our financial information and other important personal data sources. Indeed, hospitals, clinics, and physician practices cannot guarantee the unassailable integrity of their EHR systems.
Regarding the patient’s request for medical records, the HIPAA Privacy Rule gives the patient the right of access to copies of their medical records but not the originals, which remain in the possession of the institution or provider. The patient can request the documents in a favored format, but if the physician feels the format—such as a USB drive—constitutes a risk to the security of the information, other formats may be provided. This applies to both electronic and paper medical records. The physician must provide the records to the patient within 30 days of the written request, unless the patient is notified of a request for a 30-day extension for extenuating circumstances.