HIPAA, electronic health records, and patient privacy
• Patient privacy, access to medical records, and related issues
• Resolving issues with electronic health records (EHRs)
(especially privacy, safety, and security)
The anatomy of medical error
Reducing preventable medical errors
What are the chances you will die from medical error?
Improving patient safety
Rethinking medical education and training
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information.
• Summary of the HIPAA Privacy Rule (Health & Human Services) Who is covered, what information is protected, and how protected health information can be used and disclosed. Because it is an overview of the Health Privacy Rule, it does not address every detail of each provision.
• Can health care providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior written authorization? (HHS.gov) Answer: Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ protected health information (PHI) will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances, as set forth on this website page, does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.
• HIPAA experts: No need to request a waiver after Orlando shooting (Joseph Burns, Covering Health: Monitoring the Pulse of Health Care Journalism, 6-15-16)
• HIPAA G02: HIPAA Guidance -- Safeguarding Patients’ Photographs and Recordings
• Blog HIPAA (your source for news, ideas, and all things HIPAA)
• No, HIPAA was not waived in Orlando, and here's why (Jacqueline Howard, CNN, 6-14-16)
• Dying in the E.R., and on TV Without His Family’s Consent (Charles Ornstein,NY Times, 1-4-15) In the 18 years since HIPAA was passed, doctors and hospitals have put in place an ever-expanding list of rules meant to protect patient privacy. Yet even in the face of this growing sensitivity, real-life shows like “NY Med” have proliferated, piggybacking off fictional counterparts like “E.R.,” “Grey’s Anatomy” and “House.” "Medical ethicists and groups like the American Medical Association worry that these shows exploit patients’ pain for public consumption, but their makers argue that they educate viewers and inspire people to choose careers in medicine....Hospitals like NewYork-Presbyterian, meanwhile, have seized upon such programs as a way to showcase themselves, vying to allow TV crews to film their staff and patients — even emergency-room patients sometimes in no condition to give permission. When the first season of “NY Med” was broadcast on ABC in 2012, the hospital’s vice president of public affairs at the time, Myrna Manners, told PR Week, “You can’t buy this kind of publicity, an eight-part series on a major broadcast network.” But Anita Chanko, unable to sleep, turned on the previous night's episode of "NY Med" and watched her husband die in the operating room--without the family's knowledge of the taping, much less consent. Asked what she would do if the case fails, Mrs. Chanko said the family would not stop pushing for redress. “If there’s no applicable law, there most certainly should be,” she said. “I’m willing to just pursue it all the way. Why shouldn’t there be a law against this kind of thing?”
• HIPAA, electronic health records,
medical privacy laws, and patient rights (Writers and Editors site, with focus on journalists' viewpoint)
• Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations (HHS)
• Orlando shooting: Why the mayor’s HIPAA waiver request is important for gay rights (Ariana Eunjung Cha, WaPo, 6-13-16)
• HIPAA’s Use as Code of Silence Often Misinterprets the Law (Paula Span, NY Times, Health, 7-21-15). The privacy rules created under the Health Insurance Portability and Accountability Act, designed to keep personal health information private, apply "only to health care providers, health insurers, clearinghouses that manage and store health data, and their business associates." The "law does not prohibit health care providers from sharing information with family, friends or caregivers unless the patient specifically objects. Even if he or she is not present or is incapacitated, providers may use 'professional judgment' to disclose pertinent information to a relative or friend if it’s 'in the best interests of the individual.'"
• HIPAA Criminal Prosecutions: Few and Far Between (PDF, Doreen Z. McQuarrie.Feb. 2007)
• Nurse admits to privacy violation in HIPAA case (AP, 4-17-08)
• Is HIPAA Creating More Problems Than It's Preventing? (Neil Chesanow, Medscape, 9-16-13)
• Do Family, Friends' Photos Trigger HIPAA Violations? (John Commins, HealthLeaders Media, 3-8-2010). You should be able to take photos of your own child or other family member in the hospital, but you mustn't inadvertently catch another patient, or a medical health record, etc. If you are doing photographs for a story, you need a HIPAA release signed for every patient photographed. Hospital personnel may overreact about cell phone photos even of your own family members because HIPAA rules are not easy to master and personnel are duty-bound to observe them.
• (St. Jude Children's Research Hospital)
• HIPAA, electronic health records, medical privacy laws, and patient rights
• Sharing Health Information with Family Members and Friends (PDF, HHS Office for Civil Rights) HIPAA requires most doctors, nurses, hospitals, nursing homes, and other health care providers to protect the privacy of your health information. However, if you don’t object, a health care provider or health plan may share relevant information with family members or friends involved in your health care or payment for your health care in certain circumstances.
• A Reporter's Guide to Medical Privacy Law (Reporters Committee for Freedom of the Press). Topics covered include: What is HIPAA, What records are available under HIPPA, Health care journalists' access to hospitals curtailed under HIPAA, General access to hospitals, Attitudes toward privacy rules may change in times of disaster, Confusing laws keep information confidential on college campuses, etc.
• Accessing Deceased Patient Records—FAQ (Chris Dimick, AHIMA, 4-1-13). AHIMA is the American Health Information Management Association.
• Who Has Rights to a Deceased Patient’s Records? (Chris Dimick, AHIMA, 8-4-09)
• How to Request Your Medical Records (Chris Dimick, AHIMA, 3-1-12, updated by Mary Butler 3-1-17)
• HIPAA, electronic health records, and patient privacy
• When a Patient’s Death is Broadcast Without Permission ( Charles Ornstein, Pro Publica, 1-2-15) The ABC television show “NY Med” filmed Mark Chanko’s final moments without the approval of his family. Even though his face was blurred, his wife recognized him. “I saw my husband die before my eyes.” An intelligent discussion of an important case.
• New York Hospital to Pay $2.2 Million Over Unauthorized Filming of 2 Patients (Charles Ornstein, NY Times, 4-21-16) "NewYork-Presbyterian Hospital has agreed to pay a $2.2 million penalty to federal regulators for allowing television crews to film two patients without their consent — one who was dying, the other in significant distress. Regulators said on Thursday that the hospital allowed filming to continue even after a medical professional asked that it stop. At the same time, regulators clarified the rules regarding the filming of patients, prohibiting health providers from inviting crews into treatment areas without permission from all patients who are present. That could end popular television shows that capture emergencies and traumas in progress, getting permission from patients only afterward."
• Here's Looking at You: How Personal Health Information Is Being Tracked and Used (Jane Sarasohn-Kahn, California Healthcare Foundation, July 2014)
• HIPAA Helper: Who is Revealing Your Private Medical Information? (Charles Ornstein, Annie Waldman and Mike TigasPro Publica, 12-29-15) For the first time, you can easily search whether your hospital, clinic, pharmacy or health insurer has been named in patient privacy complaints, breaches or violations.
• Journal; Capital Shrink Rap (Frank Rich, NY Times, 10-7-98) "Washington's fear and ignorance of mental illness has led to private local tragedies (the untreated Vincent Foster's suicide) and shoddy public policy, which then leads to preventable national tragedies...I wonder if today's Washington would even muster the same outrage once provoked by one of the most unsavory incidents of Watergate -- the White House ''plumbers'' break-in to the Beverly Hills office of Daniel Ellsberg's therapist in a failed effort to burglarize his psychiatric files."
• Secret video: Mercy guard threatened photo-taking mom (Sarah Okeson, News-Leader 7-19-14) Woman who took photo of her son to post on Facebook was taken to an office where she was questioned by a security guard "The idea is not to prohibit patients from capturing personal memories," said Mercy spokeswoman Sonya Kullmann. "However, we want to ensure that we protect everyone's right to privacy. That includes other patients, visitors, co-workers and providers who may not want to appear in someone else's photograph, video or recording." There is such a thing as carrying things too far.
• Can medical records be released without consent? Supreme Court refuses case. (Warren Richey, Christian Science Monitor, 10-3-11) The US Supreme Court turned aside an appeal involving the scope of privacy protections for a patient’s medical records when a state agency seeks to force a doctor to disclose those records without first obtaining a patient’s consent. (Eist v. Maryland State Bd. of Physicians) Issues of case, on SCOTUSblog: (1) Whether a state may restrict a patient's federal constitutional right to privacy by compelling a physician to disclose confidential patient records without notice to and authorization by the patient and in conflict with the physician's ethical obligations; (2) whether a state agency may simultaneously serve as investigator, prosecutor and adjudicator with respect to a licensee under its jurisdiction without amending the state's constitution which explicitly separates legislative, executive and judicial powers; and (3) whether a physician may be disciplined by a state's medical licensing board if: (a) the relevant statutory language - â€œfails to cooperate with a lawful investigationâ€ - is unconstitutionally vague; (b) the board never notified the patients it was seeking their confidential medical records; or (c) the board's simultaneous roles as investigator, prosecutor and adjudicator deprive petitioner of his right to due process.
• Medical privacy (summary of info and links to more on breaches of privacy, damages and alternatives, electronic systems, many releases that are allowed by law, comparison of lists of data breaches)
• Medical privacy
• Baby Pictures at the Doctor’s? Cute, Sure, but Illegal (Anemona Hartocollis, NY Times, 8-9-14). Letters to the Editor, in responseWhen Baby Pictures Offend the Law
• Secret video: Mercy guard threatened photo-taking mom (Sarah Okeson, News-Leader 7-19-14) Woman who took photo of her son to post on Facebook was taken to an office where she was questioned by a security guard "The idea is not to prohibit patients from capturing personal memories," said Mercy spokeswoman Sonya Kullmann. "However, we want to ensure that we protect everyone's right to privacy. That includes other patients, visitors, co-workers and providers who may not want to appear in someone else's photograph, video or recording."
• VA uses patient privacy to go after whistleblowers, critics say (Joe Davidson, Washington Post, 7-17-14) A registered nurse was threatened with suspension and stripped of managerial duties after she complained about how a veteran was treated.
• Spread of Records Stirs Patient Fears Of Privacy Erosion (Theo Francis, WSJ, 12-26-06--behind a paywall, for subscribers only, but you may be able to read it at the library).
• Could photographing an ED patient get you sued? (PDF, ED Legal Letter April 2009) Without consent, you are asking for a lawsuit.
Resolving issues with electronic health records (EHRs)
(especially privacy, safety, interoperability, and security)
• Botched Operation. Death By 1,000 Clicks: Where Electronic Health Records Went Wrong (Fred Schulte and Erika Fry, Fortune and KHN, 3-18-19) Electronic health records were supposed to make medicine safer, bring higher-quality care, empower patients, and yes, even save money--make health care better, safer, and cheaper. But 10 years after President Barack Obama signed a law to accelerate the digitization of medical records — with the federal government, so far, sinking $36 billion into the effort — America has little to show for its investment. Ten years and $36 billion later, the system is an unholy mess. Inside a digital revolution that took a bad turn. Unlike, say, with the global network of ATMs, the proprietary EHR systems made by more than 700 vendors routinely don’t talk to one another, meaning that doctors still resort to transferring medical data via fax and CD-ROM. Patients, meanwhile, still struggle to access their own records — and, sometimes, just plain can’t. Compounding the problem are entrenched secrecy policies that continue to keep software failures out of public view. EHR vendors often impose contractual “gag clauses” that discourage buyers from speaking out about safety issues and disastrous software installations...
• FDA Chief Calls For Stricter Scrutiny Of Electronic Health Records (Fred Schulte and Erika Fry, Fortune and KHN, 3-21-19) Food and Drug Administration Commissioner Scott Gottlieb called for tighter scrutiny of electronic health records systems, which have prompted thousands of reports of patient injuries and other safety problems over the past decade. Gottlieb said the best approach might be to say that an EHR that has a certain capability becomes a medical device. He called EHRs a “unique tool,” noting that the risks posed by their use aren’t the same as for a traditional medical device implanted in a patient. “You need a much different regulatory scheme,” he said. The 21st Century Cures Act of 2016 excludes the FDA from having oversight over electronic health records as a medical device.
• Why Doctors Hate Their Computers (Atul Gawande, New Yorker, 11-12-18) Digitization promises to make medical care easier and more efficient. But are screens coming between doctors and patients? "A 2016 study found that physicians spent about two hours doing computer work for every hour spent face to face with a patient—whatever the brand of medical software. In the examination room, physicians devoted half of their patient time facing the screen to do electronic tasks. And these tasks were spilling over after hours....The Tar Pit has trapped a great many of us: clinicians, scientists, police, salespeople—all of us hunched over our screens, spending more time dealing with constraints on how we do our jobs and less time simply doing them...." Electronic-medical-record companies like Epic resist medical teams' ways of adapting the technology and developing time-saving apps, because they fear losing "control (and potential revenue)" but they may need to bend. Once more, Gawande crystallizes the problems at the intersection of human, medical, and technological systems.
• It's time we address the elephant in the room at every health care conference (Christina Farr, CNBC, 3-10-18) "It is unacceptable that a hospital in 2018 can't send an X-ray from one facility to another, without asking a patient to physically carry over a CD-Rom or a USB drive. Even drug dealers have moved on from using faxes and pagers....Technology companies are rallying around the issue. Patients shouldn't have to pay to copy medical records and then bring all of them along to every appointment with another new specialist.
• Why American medicine still runs on fax machines (Sarah Kliff, Vox, 1-12-18) It's time to face the fax. The clinic has digitized its own patient data. But its electronic system can’t connect with other clinics’ records. So when doctors want to retrieve records from another office — an ultrasound for a pregnant patient, for example — they have to turn to the fax. So they use a Rube Goldberg-esque analog method for sharing data: Print out pages of one record, fax it, and then scan those pages into the other digital system. By one private firm’s estimate, the fax accounts for about 75 percent of all medical communication. It frustrates doctors, nurses, researchers, and entire hospitals, but a solution is evasive. Obama tried to force the health sector to go digital. But he didn’t make the systems talk. “Medical records generally come by fax. Sometimes they're mailed. They almost never come by any other route.”
• Check Your Medical Records for Dangerous Errors (Judith Graham, KHN, 11-21-18) “I tell people, ‘Collect all your medical records, no matter what’ so you can ask all kinds of questions and be on the alert for errors,” said Sheridan, director of patient engagement with the Society to Improve Diagnosis in Medicine. An incorrect diagnosis, scan or lab result may have been inserted into a record, raising the possibility of inappropriate medical evaluation or treatment; a transcription error can change "renal cell carcinoma" (kidney cancer) to "basal cell carcinoma" (skin cancer); allergies, medications, and lab results unlisted can be devastating; a patient’s name, address, phone number or personal contacts may be incorrect, making it difficult to reach someone in the event of an emergency or causing a bill to be sent to the wrong location; etc. And how to report the errors and get them corrected.
• Public’s Experiences With Electronic Health Records (Cailey Muñana, Ashley Kirzinger, and Mollyann Brodie, KHN, 3-18-19) While there is wide acceptance among the public for the use of EHRs, some concerns about privacy and accuracy of records remain.
• Patient access to health records in jeopardy amid health policy upheaval (Rebecca Vesely, Covering Health, AHCJ, 7-26-17) Amid the deep uncertainty over what changes Congress could make to the health care sector in the coming years, patients would benefit from having access to their own medical records. Insurance coverage losses, changes in insurance plans and cuts to provider networks could happen if the Affordable Care Act is repealed, repealed and replaced or is weakened because of lack of support from the Trump administration.
• Lessons From More Than A Decade In Patient Portals (Terhilda Garrido, Brian Raymond, and Ben Wheatley, Health Affairs blog, 4-7-16) More than a decade of experience engaging patients online offered four key lessons.
1. Secure email supports improved outcomes and patient-centered care.
2. Patient portal use positively impacts patient loyalty to the health plan and member satisfaction.
3. Evidence of a relationship between secure email and other kinds of utilization is mixed.
4. Even with the best intentions, e-health disparities can emerge.
• The medical chart is coming to an end. Here’s why. (Mike Sevilla, KevinMD, 8-29-14) Medical professionals "have lost the art of telling the story of our patients because of the digital record....Many believe that the electronic medical record is a way for “big brother” (whomever that is) to keep an eye on clinicians, and eventually find a way to compensate less." And with security breaches more common, one day patients will insist that certain things be left out of the medical record.
• Medical Records: Top Secret (Elisabeth Rosenthal, NY Times 11-8-14) "In a digital age when we can transfer money to purchase a house online or view a college transcript by logging on to a secure website, why is it so often difficult for patients to gain access to their medical data? And who controls our health information? ...Although doctors and hospitals legally own their medical charts, patients have a right to have access in a timely manner — HIPAA requires a response within 30 days of a patient request — and at a reasonable processing cost."
• Why Health Care Tech Is Still So Bad (Robert M. Wachter, NY Times, 3-21-15) "A 2013 RAND survey of physicians found mixed reactions to electronic health record systems, including widespread dissatisfaction. Many respondents cited poor usability, time-consuming data entry, needless alerts and poor work flows." "A recent study of more than one million medication errors reported to a national database between 2003 and 2010 found that 6 percent were related to the computerized prescribing system." "Whopping errors and maddening changes in work flow have even led some physicians to argue that we should exhume our three-ring binders and return to a world of pen and paper." But, Wachter concludes, we are still in a very early stage of digitization. We need better technology and better training on how to use it while still paying attention to the patient, instead of the keyboard.
• Spread of Records Stirs Patient Fears of Privacy Erosion (Theo Francis, WSJ, 12-26-06). Ms. Galvin's Insurer Studies Psychotherapist's Notes; A Dispute Over the Rules. "As the health-care industry embraces electronic record-keeping, millions of pages of old documents are being scanned into computers across the country. The goal is to make patient records more complete and readily available for diagnosis, treatment and claims-payment purposes. But the move has kindled patient concern about who might gain access to sensitive medical files -- data that now can be transmitted with the click of a computer mouse."
• Electronic Health Records Seen as Safety Trap for Doctors (James Swann, Health Care on Bloomberg Law, 8-28-18) The current design of most EHR products is confusing and can cause physicians to make medical errors such as prescribing the wrong drug or lab test for a patient, the Aug. 28 report from the American Medical Association, Pew Charitable Trusts, and MedStar Health said. The government needs to step up and require more rigorous EHR testing, Michael Hodgkins, chief medical information officer at the AMA, told Bloomberg Law.
• A New Challenge Competition – Can you Help Make EHR Safety Reporting Easy (Andrew Gettinger,HealthITBuzz, 5-22-18) “The goal of ONC’s Easy EHR Issue Reporting Challenge is to help EHR users identify, document, and report a potential health IT safety issue when it happens.”
• Better Testing of Electronic Health Records Needed to Protect Patients (Ben Moscovitch, Pew, 8-28-18) These digital tools have increased the quality, safety, and efficiency of health care, but problems with their usability—how doctors, nurses, and other staff interact with them—have put patients in harm’s way. Report offers hospitals and record-system vendors rigorous safety tests, best practices.
• Pew, AMA: 6 components to consider when assessing EHR safety, usability (Jessica Kim Cohen, Becker's Health IT & CIO Report, 8-28-18) The six stages developers and providers move through during the EHR product lifecycle and notes to consider during each one to improve product safety.
• Safety-Test Your EHR With This 3-Step Guide (Steven Porter, HealthLeaders, 8-29-18) Here's how providers can make the most of a 57-page report on electronic health record system safety by Pew, the AMA, and Medstar Health. "Imagine for a moment that a patient in his late 20s arrived in your emergency department with severe flank pain. Based on his allergies and medical history, your team determines that he should be given a high dose of opioid pain medication and monitored closely. If a physician were to order 10 mg of hydromorphone to be administered intravenously, would your electronic health record (EHR) respond with an alert that this dosage falls outside normal limits? If not, then your EHR would fail one of 14 test-case scenarios."
• Stop the privatization of health data (John T. Wilbanks and Eric J. Topol, Nature, 7-20-16) Tech giants moving into health may widen inequalities and harm research, unless people can access and share their data, warn the authors.
• How Mayo Clinic Is Using iPads to Empower Patients (David J. Cook, Jeffrey E. Thompson, Joseph A. Dearani, and Sharon K. Prinsen, Harvard Business Review, 2-24-14) Empowering patients and setting their expectations requires effectively providing them with "A plan of stay" (which includes a "plan of day"), modular educational materials ("just in time" materials relevant to the day's needs and expectations), gaining strength modules (that set daily expectations for physical activities such as walking and breathing exercises and provide patients with tools to self-assess and report things like pain and mobility), and recovering planning information (on wound care, exercise and diet, activity restrictions, follow-up appointments, and potential complications and how to recognize them).
• How close are we to meeting the promise of electronic health records? (Carla K. Johnson, Covering Health, 3-6-15) "Smooth patient handoffs, data-driven performance improvement and real-time analytics are still mostly dreams, although those ambitions have been talked about for years," said specialists on health information technology, at a panel on the topic, summarized here.
• Hazards tied to medical records rush (Christopher Rowland, Boston Globe, 7-20-14) Subsidies given for computerizing, but no reporting required when errors cause harm. The explosion in the use of the electronic records has created the potential for efficiencies and safety benefits but also new risks for patients, the scope of which still is not fully understood.
• Electronic health records ripe for theft (David Pittman, Politico 7-13-14)
• Six months after the Target security breach, report says cases of identity theft are increasing (Teresa Dixon Murray, The Plain Dealer, 7-9-14). "Medical providers are particularly vulnerable to data breaches because health records generally contain detailed desirable personal information such as Social Security numbers, but the offices of doctors and other medical providers generally don't have the same firewalls and levels of protection that banks do."
• Major medical records breaches pass 1,000 milestone as enforcement ramps up (Joseph Conn, Modern Healthcare June 2014)
• Breaches Affecting 500 or More Individuals (HHS, Health Information Privacy)
• 3 Approaches to the EHR Patient Control Debate (Power Your Practice), about the Patricia Galvin case.
• The HiTech Act of 2009
• UT Southwestern Medical Center (example of a secure online health management tool that the patient also has access to)
• 10 things to know about Epic (Erin Dietsche, Becker's Health IT & CIO Review)
• Spread of Records Stirs Patient Fears Of Privacy Erosion (Theo Francis, WSJ, 12-26-06) Patricia Galvin's Insurer Studies Psychotherapist's Notes; A Dispute Over the Rules. "The U.S. Department of Health and Human Services implemented standards in 2003 for guarding patient privacy, supplementing a patchwork of state laws. The federal standards, which grew out of the 1996 Health Insurance Portability and Accountability Act, single out psychotherapy notes for extra protection. Critics claim that loopholes in the rules have left patient privacy under threat." Galvin's "experience offers a look at how increasingly complex confidentiality issues are affecting patients and their insurance coverage." "As the health-care industry embraces electronic record-keeping, millions of pages of old documents are being scanned into computers across the country. The goal is to make patient records more complete and readily available for diagnosis, treatment and claims-payment purposes. But the move has kindled patient concern about who might gain access to sensitive medical files -- data that now can be transmitted with the click of a computer mouse."
• [Back to Top]