When Measures to Protect PHI Jeopardize Patient Care

My very first blog for Physicians Practicecalled on political and medical leaders to put the “portability” back into HIPAA. Now, seven months later, I am sad to report that the efficient sharing of protected health information (PHI) is about to get even harder in Massachusetts.

The Massachusetts Health Information Highway (Mass HIway) was officially launched earlier this year to significant praise and positive media coverage. The idea is that on the HIway, through secure email and other file transfer technologies, providers throughout the state can easily share EHRs to better and more economically coordinate a patient’s care. It’s a brilliant idea, except for one important detail: Providers need written permission from the patient to share the information on the HIway first.

To make this as clear as possible: Information for the continued coordination of care, information that I can, today, mail and fax without written consent under HIPAA, I cannot share via the fabulous new Mass HIway without specific written permission first.

Look, I get it. I’m a patient too and I don’t want my medical history easily accessible to marketers or to anyone that would use that information to harm me. That said, personally, I hope I’m never in a situation where an ER doctor needs details of my medical history but can’t get it because the medical records person at my primary care has been scared by a lawyer never to release my information. Don’t think it happens? Just this week, I had a practice refuse to share past medical records of a complicated new patient with me, which is currently allowed under HIPPA. The Mass HIway law is only going to raise the paranoia and make this harder.

While measures to protect privacy sound good in theory, in reality these unnecessary protections raise the cost and lower the efficiency of legitimate medical record sharing. Around the same time that the Massachusetts governor was announcing the Mass HIway, a study was making an industry media splash showing that most people (over 90 percent) are willing to share medical data.  If that’s true, then why did the Massachusetts lawmakers kowtow to the small, but loud, minority who want privacy against any societal cost?

Consider this scenario: Right now, today, my solo pediatrician and nurse practitioner (NP) have the ability to log onto many local hospitals’ EHR systems to retrieve patient records as needed. I don’t want to name names, so let’s focus on two with pseudonyms: General Hospital and St. Elsewhere. Both General Hospital and St. Elsewhere have sophisticated EHR software in place that has a web portal for clinicians. My solo physician and NP have filled out all the necessary paperwork and passed all the security checks to obtain logins and passwords.

Last week a new, complicated patient scheduled an initial acute exam at our office. Prior to the exam, the NP (also our medical home care coordinator) logged onto General Hospital’s secure portal to obtain relevant past records. General Hospital’s system has built in layers of security where the NP had to attest that she was a medical provider and she had to agree to comply by HIPAA restrictions. In addition, in the chart itself, the NP had to attest that she had legitimate medical reason to access the records. I think this is brilliant. Our NP was able to quickly and efficiently access the information she needed to prepare for the patient to be seen. Plus, her access was recorded and traceable by General Hospital meeting HIPAA standards.

This particular patient is quite complicated and also has recent records at St. Elsewhere. St. Elsewhere, like General Hospital, also has a sophisticated EHR with a portal but, alas, our NP cannot access the patient’s records because our solo physician is not listed as the patient’s PCP. In theory, restricting access is a good privacy measure, but in reality, the St. Elsewhere system restricts access based on its out-of-date record keeping system. And please don’t tell me it’s up to the patient to keep every EHR system that houses the patient's PHI up-to-date with the correct PCP. We know from experience how poor patients are at keeping the name of the PCP up-to-date with their HMO; we have no reason to hope patients will keep PCP information up-to-date with hospitals, labs, and specialists’ offices.

In healthcare the pull between the desire for privacy and the need to share information deserves better, more nuanced laws than the ones in the new Mass HIway law. Instead of requiring patient permission to share information, the lawmakers should place laws and penalties on the illegal use of such information after the fact (like HIPAA should ideally do today). Better laws and better education of the gatekeepers of privacy information (without legal scare tactics) are the only way to make the efficiency promises of the HIway a reality.