Hospitals face a number of challenges regarding security and sharing medical records. On one hand, they are being asked to provide potentially lifesaving data with increasingly short turnaround times. On the other hand, they must preserve the integrity and security of a patient’s medical records. In addition to medical records, hospitals need to secure patient information regarding health insurance, addresses, next of kin, religion, in some cases sexual orientation and other sensitive personal data. In some situations, health insurance carriers, lawyers, pharmacists, accountants and courts then call upon them to release all or part of this information. Often patients also disclose their personal information to differing facilities and institutions, which makes it difficult to track where a particular security breach may have occurred.
Like many other businesses and institutions that are responsible for the maintenance of personal data, hospitals are held responsible for the security of the information compiled by them. This includes medical information, insurance information and billing data. This information can be accessed for a variety of reasons. When a lawsuit is filed regarding a personal injury, workers’ compensation or medical malpractice case, all parties have varying rights to review a patient’s medical history and frequently have the patient evaluated by an impartial medical expert. In that event, the patient’s medical history, including information regarding pre-existing conditions, must be released subject to certain parameters. This data could be requested by the patient’s own representatives, by co-counsel, by opposing counsel or by an insurance company, or the health information can be subpoenaed by the court. In these situations, there are certain release forms that must be executed by the client prior to the release of information. These forms must contain specific legal verbiage which covers the scope of information and the period of the treatment, and they must be delivered within a certain time frame to the hospital medical records and billing departments. If the hospital is treating the patient or has treated the patient for other conditions, that information must be requested and released as well. These releases cannot be held on file beyond a certain date. Therefore, if a patient is treated for an injury and receives follow-up physician care, physical therapy or subsequent treatment, a new release must accompany the updated request. In addition, if exacerbation of a pre-existing condition is alleged, the treatment and billing information for that condition must be released as well.
In other legal actions, treatments for previous injuries or for conditions that are totally unrelated to the pending litigation may have to be stricken from the client’s records prior to their release. This could result in certain notes being reviewed by a competent professional and all references to those treatments being removed from the patient’s medical file.
In a completely different scenario, vital medical information must be communicated to emergency care providers. If Emergency Medical Services are responding to a call for help, it could be vital for the patient to have all current medical records available so that the EMS personnel can respond effectively. For example, if a patient has an open wound and is also taking an anti-coagulant for a pre-existing heart condition, the emergency medical care providers need to know this so that they may render the proper treatments and medications. Some individuals also provide their medical information via a USB flash drive to EMS services such as ambulance drivers and emergency hospital departments. If a patient discloses information in this manner, the same mandates for medical records security apply to this information as apply to information revealed verbally, on paper or by other data transfer means. Once the medical information is in the hospital’s information system, the hospital is required to treat it equally with any other information in its possession. Generally, this information includes current treatments, current medications and past treatments and medications in reverse chronological order. At times the patients may compile these records themselves; at other times health insurance companies and HMOs produce these records and provide the patient with the flash drive. The hospital’s Information Service department cannot provide these carriers with any records regarding the content of these flash drives, even in instances where the carrier produced the drive.
Specialists and follow-up care providers are other groups that may wish to receive medical records. Often patients request that all or some of their records be transferred to one or more different care providers. In these scenarios, the patient may ask that the records be made available directly to the service provider. In cases where the hospital has film records like x-rays, patients will hand carry the records to their appointments. In situations where this occurs, the hospital must make copies. The hospital still can charge for the effort that it takes to produce the appropriate records. Often there is a preset fee structure set in place by the court system that governs these fees.
The intentional record disclosure extends to situations where patients are suffering from a psychiatric condition that makes them a danger to themselves and others. In those situations, any medical caregiver is legally mandated to alert law enforcement departments to assist in monitoring the patient in order to prevent the commission of a crime. The failure to do so can result in fines, license suspension or revocation of their license and even criminal charges.
Medical care facilities are also frequently mandated to provide statistical information in order to comply with public mandates regarding equal care to minorities or for private research. In the case of a teaching hospital that is affiliated with a medical school, students and professors frequently require data regarding a particular illness or treatment method to further the learning experience or research conducted by the associated institute. Even in situations where the hospital does not have such an association, they may still receive requests for research data. Under these circumstances, the data must have all identifying information removed prior to its release.
The previous scenarios are all situations where the hospital must intentionally disclose a patient’s medical treatment and billing history.
There is another group of instances where medical records are taken illegally. There is a variety of reasons why someone might do that. In the case of an important or famous person and their friends and relations, a reporter, misguided fan or potential blackmailer could steal records from the hospital’s files in order to gain some degree of control over them. In other situations, a purveyor of questionable treatment methods or medications may wish to target a group of patients suffering from a particular illness or with particular symptoms. Additionally, all businesses have to guard their patrons’ personal financial and billing information to prevent its release to fraud artists who use it to steal from the patient’s accounts or set up new accounts using the patient’s financial information.
With so many opportunities for things to go wrong, it takes firm records control to keep from releasing records to the wrong person or institution. The U.S. Department of Veterans Affairs and Kaiser Permanente worked for years to resolve these problems. On 10 January 2010, they launched the program. Subsequently, in March of that same year Kaiser Permanente launched their HealthConnect Electronic Health Record sharing program that links together over five hundred medical offices and thirty-seven hospitals. This system coordinates treatment programs between the hospital, doctors, radiology, laboratories and pharmacies. This system has enjoyed some overwhelming successes: between 2010 and 2012 they were able to prevent manageable diseases from becoming acute problems. Kaiser Permanente found in one test study that they were capable of reducing the instances of coronary heart disease by an incredible 76%. They are also actively working on utilizing this tool to its fullest to save lives. An added benefit to the company is that the preventative care costs much less to initiate and maintain than it does to render acute care when the medical problem devolves into a life-threatening crisis.
The Kaiser Permanente HealthConnect system also provides caregivers with the most up-to-date medical findings at the time of treatment in order to deliver the best possible care to their patients. There is also a patient web site, as well as apps for Android and Apple smart phones, so that any one of Kaiser Permanente’s over nine million members can get to their records twenty-four hours a day, seven days a week. Using this system, EMS technicians have immediate access to a patient’s records, either through the web site or through a flash drive that Kaiser Permanente developed and updates whenever a patient receives medical treatment. This is possible in part because Kaiser Permanente is a private carrier whose patients understand and appreciate this level of personal care. In the case of their affiliation with the U.S. Department of Veterans Affairs, a set of regulations exists that differs from that used by the civilian population.
Given the success enjoyed by this program, it is inevitable that at least certain aspects will be universally instituted. However, because of the privacy guarantees extant, it cannot be instituted without the patient’s consent. This means that at present, every individual who would like to participate in a system similar to this would have to consent to a medical record release in order to be included in a universal database. Instituting this level of medical record disclosure within a private system for the benefit of the nine million members who pay to receive care through the private Kaiser Permanente system was a massive undertaking. It will be even more difficult to provide this service in a Universal Health Care system.
Some providers are concerned that access to a patient’s records may serve as a mandate for specialists to diagnose potential conditions outside their general scope of expertise. Licensing is also a concern in regards to specialized fields such as radiology, where each state has its own licensing system and the caregiver who does a test that is subsequently transmitted electronically might not be licensed in the state where it is interpreted. On the other hand, with a broader scope of caregivers watching out for a patient, it is more likely that subtle signs of conditions that may have otherwise escaped scrutiny will be noticed and addressed. Child abuse, infectious disease and prescription drug use are three conditions that are easier to understand and diagnose when a patient’s records are available.
Part of this problem is the security guarantees that need to be instituted in order to secure the confidentiality of these records from general public scrutiny while still providing access to them for legitimate caregivers and authorized individuals and institutions. Another difficulty is data input and the sheer mass of information needed to incorporate patients’ past records and current treatments into a centrally accessible system. Most medical care providers already have this information in a localized database. However, formats and platforms are different across this ad hoc system. In the case of medical records, it is vital that the correct records are accessed, especially in circumstances where a patient may be incapable of confirming the information.
Providing access to patients and other authorized individuals presents another concern. Hospitals could free up a great deal of staff time if they did not have to process information requests from the legal and financial accounting sector. However, patients must use great care in providing the access information to a law or accounting firm. The access system should also have a means to limit the scope of disclosure as well. Since all a patient’s information will be available, it will make it easier for a tax preparation service to pull the records and determine the highest possible medical care tax deduction. However, the accountant does not need to know the content of the medical records. An accounting firm need only know that the payments were made. A patient’s attorney may need medical information regarding an injury that is totally unrelated to other care received at the facility. In those instances, it is necessary to limit the search parameters before granting direct access.
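The scope limits described above, combined with the release terms described earlier (scope of information, treatment period, expiry date), as an added example that is not part of the original essay. The record fields, scope names and sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample records; field names are assumptions for this example.
RECORDS = [
    {"date": date(2012, 1, 9), "condition": "heart", "notes": "anticoagulant review", "paid": 120.0},
    {"date": date(2012, 3, 14), "condition": "knee injury", "notes": "x-ray, sprain", "paid": 310.0},
    {"date": date(2012, 5, 2), "condition": "knee injury", "notes": "physical therapy", "paid": 95.0},
]

# Fields each disclosure scope may see (hypothetical scope names).
SCOPE_FIELDS = {
    "billing": ("date", "paid"),                 # accountant: payments only
    "clinical": ("date", "condition", "notes"),  # attorney: treatment only
}

@dataclass(frozen=True)
class Release:
    grantee: str
    scope: str                        # key into SCOPE_FIELDS
    period_start: date                # treatment period the release covers
    period_end: date
    expires: date                     # release is void after this date
    condition: Optional[str] = None   # None means every condition in the period

class ReleaseError(Exception):
    pass

def disclose(records, release, today):
    """Return only the rows and fields that the signed release covers."""
    if today > release.expires:
        raise ReleaseError(f"release for {release.grantee} expired {release.expires}")
    if release.scope not in SCOPE_FIELDS:
        raise ReleaseError(f"unknown scope {release.scope!r}")  # deny by default
    fields = SCOPE_FIELDS[release.scope]
    out = []
    for rec in records:
        if not (release.period_start <= rec["date"] <= release.period_end):
            continue  # outside the treatment period named in the release
        if release.condition is not None and rec["condition"] != release.condition:
            continue  # unrelated condition stays undisclosed
        out.append({k: rec[k] for k in fields})  # copy permitted fields only
    return out

ACCOUNTANT = Release("tax preparer", "billing", date(2012, 1, 1), date(2012, 12, 31), date(2013, 4, 15))
ATTORNEY = Release("patient's attorney", "clinical", date(2012, 3, 1), date(2012, 12, 31),
                   date(2012, 9, 30), "knee injury")
```

The filter is applied before any data leaves the records system, so an expired or unrecognized release yields an error rather than a partial disclosure.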
Additional concerns are involved in regards to legal proceedings. A patient will not feel comfortable granting total access to all their records to the opposing counsel, or even to a co-defendant’s counsel. Yet it is almost a certainty that there are circumstances where this type of access is in the patient’s best interests. It is a certainty that this will be the subject of a great deal of discovery litigation, court rulings, appeals and expert testimony.
As the potential for beneficial access increases, so does the potential for unauthorized access by persons who want to utilize, exploit, abuse or sell the confidential medical and financial records. Given the frequency with which confidential financial security breaches appear in the news, it is obvious that as long as technology is evolving and there is something to be gained by nefarious individuals who steal it, our data records will not be secure. Additionally, much of the financial information is already potentially available through other sources such as the accountant’s office, bank records, and insurance records. The question then becomes one of data security versus superior medical care. In some ways, it makes perfect sense to take the risks involved to provide the most up-to-date information to your medical care provider. After all, what good is secure data if it costs you your health or even your life?