I read through a few of the comments here that relate to PHRs, and I have been covering the technology since it began. When you read the “email” portions of this, it’s a slam dunk as to why you really don’t want to rely on standard email systems to do that for you. It states that once you, as a consumer, are advised of the “risk” of using non-encrypted technologies to transport information, the monkey is on your back. The law runs 563 pages. The rules go into effect on March 26th, and there are 180 days to become compliant.
The good thing here is broader coverage for “associates,” and when I think of some of those, the old Accretive situation comes to mind, where a representative was showing a Wall Street investor actual medical records and “their” recommendations for treatment, a big no-no that became front page news when they had to report a total of 6 notebooks being stolen. This is not the way to approach “revenue cycling audits.” At the end of last year I attended a convention where I asked the million dollar question of how hospitals work with and govern 3rd party entities, and it is something everyone is still working on, as you never know when someone will cross the line to make a buck; we are seeing a lot of that of late in many areas. If you want more background on this thought process, watch the 5 videos on this blog to your left and see how money takes over.
Accretive Health Debt Collector Employee Has Laptop Stolen With Non Encrypted Patient Data from 2 Hospitals And Had Access to All the Data Via Revenue Cycling - Patient Information Was Shared With Wall Street Investors – Algorithms For Profit Again?
What is also interesting here of late is that the US CIO, whose background is with Microsoft, is scheduled to testify on January 22nd before the House Oversight and Government Reform Committee on technology and IT systems and how they are purchased and used throughout government. The digital illiterates at the House won’t get most of this, but someone has to make the case for the expense, and yes, IT services not only in government but everywhere are expensive.
At least he’s got a better handle on it than Chopra did, telling everyone coding could make them rich. I would even wonder how many members of this House Committee use a PHR, much less know what one is, as they go back to the dated paradigm of “it’s for those guys over there.” You see it in the news every night.
It states that associates and providers are not responsible for educating the consumer about appropriate ways to transmit via encryption, so the best thing here is to be an informed patient, be up on it, and get yourself a PHR to store your data. Besides, mail servers have issues too; I remember those, and just ask anyone who has had to take care of “Exchange” :)
You can always reference the government page here on HIPAA to keep up to date with the news and find answers to questions. Anyway, as I see it, rather than having long conversations about what is an approved method for patients to get copies of their medical records, get yourself a PHR and be done with it, and have a system you know and can rely on. The full press release can be read here.
There are a couple of other revisions, especially in the area of security breaches, that are of interest to hospitals and to the 3rd parties who of late seem to account for most of the breaches happening today, with HIPAA compliance being almost nonexistent in the breaches we have read about in the news.
One other area of the new rules also substantiates my campaign for licensing and excise taxing data sellers, and that has to do with using information for marketing and fundraising…well…how in the heck do we know who’s using our information…answer: License them and require a federal disclosure page, and again get that excise tax in there, as companies, banks, and so on make BILLIONS in profits here.
“The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.”
How do we know who’s using our information for marketing until one of them reaches us…they ignore HIPAA and the dollar takes over. How many HIPAA fines have we had? That answers the question right there, so don’t depend on the mostly invisible HIPAA police to come to your rescue. So we have half the job done here, and without a way to enforce it, this will fail in this area, as money seems to be winning all the time. It’s actually too bad that a more complete, comprehensive model was not created here, but band-aids are better than nothing.
When we one day get some Hybrid executives in office who understand this, perhaps it will get better; they are hard to find, but until such time we are stuck with attorneys who like to keep the money rolling in and thus want to make sure they get paid for every tiny incremental change that is made.
Excise Taxing the Data Sellers–Nobody’s Supporting the US IT Infrastructure, Especially In Times of Disaster-Companies Have Probably Made Money Off Selling Scraped Data of Those Hurt in the Wake of “Sandy”
And we could have this too…
One More Good Reason to Tax the Data Sellers– Create Additional Funding for the NIH and FDA From Sources That Otherwise Are Too Greedy to Share & Contribute
Anyway, back to PHRs: now that you as a patient can request your records electronically, get one set up, so you have one place where you can access all the information you collect. With a PHR you are set to handle almost any HIPAA-compliant method a hospital, provider, or other entity might use. If they are not up to the 20th century, get a PHR-compliant fax number and get your records that way too. Most importantly, they can’t make you as a patient go out and get a new thumb drive (grin), but they will have to get into long conversations about alternative methods if you don’t have a PHR. BD
If a patient wants their data to be placed on an external media drive, like a thumb drive, providers are not mandated to accept the device if their organization has conducted a HIPAA risk analysis and found external drives to be a risk. However, if they reject a patient's thumb drive, they can't require the patient to purchase one the covered entity provides. Instead, they have to find an alternative distribution method, such as email.
The OCR did not define EHRs, but clarified that patients do have access to electronic copies of their health information wherever the data is housed.
Covered entities are not liable for unauthorized access to unencrypted emails if patients want to receive their data that way. OCR said in the rule: "We do not expect covered entities to educate individuals about encryption technology and information security. If individuals are notified of the risks, and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request [or once it's delivered]."