The law giveth, taketh away patients' rights to access their records

You've got to love the irony.

In a year where patient access to their medical records--a right conferred by law--is a priority issue for the Department of Health and Human Services' Office for Civil Rights (OCR), it turns out that the law itself is an added obstacle.

Case in point, new guidance was published this week regarding the Patient Safety and Quality Improvement Act (PSQIA). The PSQIA is a voluntary program intended to improve patient safety by encouraging providers to submit information about care they provided to patient safety organizations (PSOs), which analyze it and provide feedback and education in order to reduce adverse events. The information providers submit or slate for submission, called Patient Safety Work Product (PSWP) is afforded federal privilege and confidentiality protections to encourage providers to share what could be incriminating.

It's a great idea in theory. But it turns out that some providers have been gaming the law by defining patient records as PSWPs--rendering them inaccessible to patient prying eyes--even when those records don't qualify as such, and even though patient medical records themselves are not PSWPs. Even worse, some providers have been destroying original patient records. The guidance clarifies that not all records can be treated as PSWPs. 

"[The Patient Safety Act was not designed to prevent patients who believed they were harmed from obtaining the records about their care that they were able to obtain prior to the enactment of the Patient Safety Act," the guidance states.

Also this week, an article published in the Annals of Internal Medicine points out that due to the proliferation of EHRs, patients have unprecedented opportunity to access their information. However, the authors note that HIPAA, the very law that grants patients the right to access their records, is unintentionally in conflict with itself, prohibiting or restricting this access. How? Because the law, written before the advent of technology, no longer fits well. 

For instance, the conflicts between HIPAA and the many state laws regarding when parents can view their children's records has created so much confusion that some providers deny all access to minor's records for fear of making a mistake. The authors suggest that state laws be reconciled with HIPAA in order rectify this problem.     

They also suggest that HIPAA's total ban on sharing psychotherapy notes is outdated in light of electronic data sharing and note creation among mental health professionals. HIPAA's assumption that providers own the patient records, giving them power to restrict what goes into them, is also outdated due to the influx of patient generated information being added into them, the authors say.

This is hardly the first time that the law is behind technology and needs to catch up. And sometimes the law simply needs to be refined or clarified as time goes on.

But there are some valid issues here.   

OCR, which enforces both HIPAA and PSQIA, has quite a task before it to reconcile this conundrum. It's pretty clear that not only do patients have the right to access their records, but it's beneficial in terms of catching errors, engaging patients in their care, and building trust. It's bad enough that patients and providers need to be reminded that patients have the right to access their records. If the law contains loopholes, is out of date, or too difficult to comply with, those benefits are not achieved. - Marla (@MarlaHirsch and @FierceHealthIT)

Suggested Articles

Roche, which already owned a 12.6% stake in Flatiron Health, has agreed to buy the health IT company for $1.9 billion.

Allscripts managed to acquire two EHR platforms for just $50 million by selling off a portion of McKesson's portfolio for as much as $235 million.

Artificial intelligence could help physicians predict a patient's risk of developing a deadly infection.