Enabling Patient Access
Data Stewardship Involves More Than Data Use and Disclosure
By Dan Rode, MBA, CHPS, FHFMA
16 / Journal of AHIMA April 11
DATA STEWARDSHIP IS a hot topic. As
this issue went to press, the Department
of Health and Human Services was expected to publish a notice of proposed
rulemaking on accounting of disclosures,
an expansion of the HIPAA requirements
mandated by the HITECH Act.
Rulemaking was also expected on a
second set of privacy rule modifications
from HITECH that will affect patient access to information. As the industry
awaited these rules, HHS’s Office for
Civil Rights (OCR) levied a $4.3 million fine against Cignet Health in Prince
George’s County, MD, for failing to grant
patients access to their health records.
Data stewardship involves more than
managing data use and disclosure. This
column examines HIPAA’s other data
stewardship obligations, the HITECH
rules modifying the HIPAA privacy rule,
and HIM’s tasks for implementing the
new rules and regulations.
An Obligation to Provide Access
Many think of the HIPAA privacy rule only
in terms of the restrictions it places on
the use of protected health information
(PHI). They fail to remember that the rule
also includes an obligation to make information accessible to patients.
Although health information belongs
to the provider—who uses it for professional and business purposes—it is the
patient’s information. In effect, the provider is the steward of the patient’s data.
Cignet Health was fined $1.3 million for
failing to grant 41 individuals access to
their health records within 30 days. According to OCR’s report, Cignet did not
respond to the individuals. The organization was fined an additional $3 million for
failing to cooperate with the investigation, which OCR considered “willful negligence” of the HIPAA privacy rule.
It is unclear why Cignet Health refused
to grant patients access to their informa-
tion, but this is a situation beyond reason
to most and certainly to OCR.
New Rules Coming: More Access
The HITECH changes to the HIPAA privacy rule are expected at any time.
These modifications, coupled with the
meaningful use EHR incentive program,
require organizations to grant individuals access to their health information
within shorter periods of time if the PHI
is electronic—and potentially even if it is
Treatment plans, discharge summaries,
and transfer data must be available to
patients as they leave the provider’s facility. Other information must be accessible to patients within days, and current
information should be shared with the
patient when requested during the admission or encounter.
In the absence of rulemaking, the industry lacks specifics on the new requirements. However, AHIMA has voiced
its concern regarding organizations’ ability to produce some of this information in
today’s hybrid record systems and without physician review.