July-August 2020
Record Release Party
By Selena Chavis
For The Record
Vol. 32 No. 4 P. 10
New interoperability rules promise to make it easier for patients to access their health care history. What are the ramifications for release of information processes?
In March, Health and Human Services released its much-anticipated interoperability rules, which promise to grant improved access to patient information via third-party solutions powered by application programming interfaces (APIs). Issued by the Centers for Medicare & Medicaid Services and the Office of the National Coordinator for Health Information Technology, the new requirements for payers and providers will soon go into effect and will have implications for release of information (ROI) processes.
Amid COVID-19 challenges, the deadline for complying with the rules was extended to mid-year 2021, but experts caution that health care stakeholders should not wait to analyze systems and adequately prepare.
“In my mind, it’s still hugely questionable when these [rules] will really be implemented given the COVID situation. But these rules are inevitable and still have a lot of largely unknown implications,” says Kelly McLendon, RHIA, CHPS, managing director of CompliancePro Solutions, noting that foundationally, patient access and third-party disclosures will be impacted by automation. “Patients, their representatives, and many other parties—providers, payers, personal health apps—will have an easier time requesting and receiving some patient data. But an open question is who manages monitoring what is supposedly streaming out and in through the APIs in EHRs and other designated record set systems that are certified EHR modules? Will there be any management or reviews of what is coming inbound or outbound through interfaces/APIs?”
Zachary Perry, CEO of RRS Medical, points out that traditionally, a health care organization’s ROI department or vendor has managed access to records. And while in recent years, EHR patient portals have become an additional source of data, the information is limited and, in some cases, incomplete.
“The new rule takes portal access to a level that will influence the request process for patients. The exchange of patient information between providers has also evolved with the use of EHRs,” Perry notes. “The new rule will most likely facilitate in-network access to patients’ health care history, which should positively impact care, as well as reduce traditional ROI requests.”
Bottom line, these rules are needed in today’s health care environment, according to Diane Ferry, MS, FHIA, president and CEO of Star-Med. “We really need to concentrate on better access and release of health information for patients,” she says. “I talk to hospitals across 15 to 16 states, and one of the biggest problems is that the gatekeepers of information need to get it out faster, more secure, and more accurate than what we’re doing. And when I say ‘we,’ I mean the industry in general because it should not take [weeks] to get a medical record for a patient.”
ROI Impact: Digging Deeper
According to Sue Chamberlain, vice president of compliance and education at RRS Medical, the new rules support greater access to information, which, in theory, should naturally result in a decrease in formal patient and continuity-of-care requests. However, she points out that patient requests for access to personal data will most likely increase.
“A learning curve will exist for patients without reliable access to technology and organizations that have in the past requested or delivered information via CDs as they transition to data in the cloud,” Chamberlain says.
While EHRs are an important enabler of patient medical record access, Ferry points out that there continues to be lackluster use of patient portals. “People aren’t using them like everybody thought that they would because they forget passwords. Just think of all the passwords people have to keep up with,” she notes, adding that there is also a generational divide to consider. “The millennials and Gen Z will be more apt to use technology than the boomers will. The boomers and above are not always going to use or have computers to go in and log in to the portals. It’s easier for them to come into the hospital and fill out the paper and get their records there.”
Ferry believes physician offices may also be slow to change their ways. “If you look at a doctor’s office, they rely on faxing, which is old technology. But, they rely on it. It’s easier for them to make a call to a hospital and say, ‘Can you fax over records?’ than to go into the EMR,” she says. “Some will change. But again, it’s getting people used to new ways of doing things. It’s great that the government is doing this, and I applaud their efforts. But we do have to train people on how to use technology here, too.”
Consequently, while direct patient requests for information through the ROI process will likely be reduced, Ferry says it will take some time before the reduction becomes substantial. Perry agrees, noting that, for legal purposes, there will still be a need to release information directly via the formal ROI process. Additionally, formal requests will be needed for disability, insurance underwriting, and any other area where a chain of custody is essential to ensure the record is complete and accurate compared with the original.
Legal and Compliance Considerations
From a legal perspective, Chamberlain says that organizations will need to clearly define their designated and legal health record sets to answer fulfillment and access questions. “Will patients have access to all of their records under the definitions? Most hospitals have multiple EHR systems, and many times do not upload all information into the primary EHR,” she says. “This raises important questions: Is the information that was not uploaded used for patient care? Will this secondary EHR data be discoverable, [will the data be] maintained, and is it customarily released when requested? Is the HIM department aware of all the systems that collect PHI?”
Data exchanged between two providers can create additional ambiguity that will need to be addressed as it creates definition challenges related to the legal record set, Chamberlain explains. “Each organization has many questions to answer, and the conversation should include the providers, those who perform HIM functions, as well as IT,” she says, suggesting that health care organizations ask questions such as the following:
• Is the combined information expected to become part of the legal patient record that is released for legal requests?
• Will these new data be combined, or will the imported data be stored under “imported” or “miscellaneous” in the chart to designate different sources?
• Will the imported data be used by Provider B to make medical decisions, and, if so, would they then be part of the legal record?
“It’s important to note that an EHR is not just one thing but rather a collection of data and information from multiple sources that need to be connected, ideally using a national set of standard definitions,” Chamberlain says. “Interoperability is not just connecting EHRs but also looking at the data elements within. Questions related to identifying different types of data and the level of data quality must be asked and answered.”
Tracking related to automated access and disclosures is another area that needs further evaluation and discussion with representation from HIM. For example, Chamberlain notes that while HIPAA does not identify the need to track requests that are being released to a patient for their own records, there are reasons why these requests are tracked anyway.
McLendon points to this area as one of the “unknowns,” adding that he believes EHR developers will be slow to respond with appropriate mechanisms that can address tracking. “They are notorious for not thinking of such things until their HIM and other customers beat them up—for years,” he stresses. “HIM better be banging this drum loudly now. How will this work if payers get access to records for billing and get their own information? Who tracks that, which could be very high volume?”
Ferry points to existing technology that can work alongside EHRs to help patients request their health information online or via a kiosk placed in the lobby of a health care organization. Tools also exist that enable health care organizations to manage, track, and account for the disclosures of patient health information.
Pointing out that it is often difficult to locate HIM departments, Ferry says kiosks can empower patients. “We have people wandering all over the hospital for a piece of paper. That doesn’t make sense,” she says. “So, we’re saying put a kiosk in the lobby where somebody can fill out an automated authorization. We’re not using our technologies to the best of our abilities in the health care arena when it comes to ROI. There’s so much opportunity here to improve the process through technology.”
Forward Looking
As ROI processes continue to evolve in tandem with the new interoperability rules, Perry stresses that patient care must remain the primary focus area over cost and administration. “Patients have had the right to access their entire medical record for 20 years. Still, even now, many health care organizations do not fully understand these rights and how to facilitate the process for a smooth transition of data,” he says. “Although organizations are fully aware of HIPAA, they don’t quite know how to operationalize it in a manner that does not unintentionally create barriers to access.”
Perry adds that many patients don’t fully understand EHRs and their limitations, which is sure to create frustration—especially as it pertains to HIPAA. Consequently, education will be a necessity to ensure accuracy and consistency for providers and patients.
“Even if a patient is not interested in getting his or her own record, caregivers need access for parents and children. They know the information is vital for their role as advocate in ensuring better patient care,” Perry says.
Ferry says the way providers approach ROI in the future—and the effectiveness of their efforts—will factor into patient satisfaction. “Hospitals should look at this because it does affect public relations out in the community. If you don’t get your information out accurate, secure, and timely, it will affect [reputation],” she says. “I speak at bar associations and all over, and I am always astounded at what I hear when it comes to releasing health information and what we’re doing or not doing in this arena. We really need to come together and come up with a better solution.”
Chamberlain says organizations must include HIM representation in the conversation going forward, including functions such as patient care, finance, the organizational focus of resources, studies, and payer audits. “HIM can also provide insight into the need for protecting protected health information vs the need of sharing it,” she says. “As we work to share more and more data to improve health care, decrease costs, and many more great opportunities, we must also look at how we can mitigate any adverse impacts on patients.”
Perry believes that technological advances will continue to introduce new opportunities to bolster ROI processes. For example, he notes that the industry hopes to add artificial intelligence as part of the new rules to help notify providers of conflicting information, contraindicated medications, and other potential risks.
“There is still a reliance on the provider for quality and patient-centered care with clear documentation of that care,” Perry says. “Hopefully, this rule can help decrease administrative burdens and allow more time for patient care and appropriate documentation.”
— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications, covering everything from corporate and managerial topics to health care and travel.