Journal of AHIMA - April 2011

Enabling Patient Access
Data Stewardship Involves More Than Data Use and Disclosure

By Dan Rode, MBA, CHPS, FHFMA

16 / Journal of AHIMA April 11

DATA STEWARDSHIP IS a hot topic. As this issue went to press, the Department of Health and Human Services was expected to publish a notice of proposed rulemaking on accounting of disclosures, an expansion of the HIPAA requirements mandated by the HITECH Act.

Rulemaking was also expected on a second set of privacy rule modifications from HITECH that will affect patient access to information. As the industry awaited these rules, HHS’s Office for Civil Rights (OCR) levied a $4.3 million fine against Cignet Health in Prince George’s County, MD, for failing to grant patients access to their health records.

Data stewardship involves more than managing data use and disclosure. This column examines HIPAA’s other data stewardship obligations, the HITECH rules modifying the HIPAA privacy rule, and HIM’s tasks for implementing the new rules and regulations.

An Obligation to Provide Access

Many think of the HIPAA privacy rule only in terms of the restrictions it places on the use of protected health information (PHI). They fail to remember that the rule also includes an obligation to make information accessible to patients.

Although health information belongs to the provider—who uses it for professional and business purposes—it is the patient’s information. In effect, the provider is the steward of the patient’s data.

Cignet Health was fined $1.3 million for failing to grant 41 individuals access to their health records within 30 days. According to OCR’s report, Cignet did not respond to the individuals. The organization was fined an additional $3 million for failing to cooperate with the investigation, which OCR considered “willful negligence” of the HIPAA privacy rule.

It is unclear why Cignet Health refused
to grant patients access to their informa-
tion, but this is a situation beyond reason
to most and certainly to OCR.

New Rules Coming: More Access
Faster

The HITECH changes to the HIPAA privacy rule are expected at any time. These modifications, coupled with the meaningful use EHR incentive program, require organizations to grant individuals access to their health information within shorter periods of time if the PHI is electronic—and potentially even if it is on paper.

Treatment plans, discharge summaries, and transfer data must be available to patients as they leave the provider’s facility. Other information must be accessible to patients within days, and current information should be shared with the patient when requested during the admission or encounter.

In the absence of rulemaking, the industry lacks specifics on the new requirements. However, AHIMA has voiced its concern regarding organizations’ ability to produce some of this information in today’s hybrid record systems and without physician review.