Health Record Banking Alliance

Transcription

1 Health Record Banking Alliance From: William A. Yasnoff, MD, PhD, President, Health Record Banking Alliance To: Regulations.Gov Website at Date: May 4, 2012 RE: Comments on: Medicare and Medicaid Programs; Electronic Health Record Incentive Program -- Stage 2; Proposed Rule [CMS-0044-P] The Health Record Banking Alliance (HRBA) is a non-profit 501(c)(6) membership organization with the goal of establishing accurate, secure, and comprehensive health records that can be accessed and authenticated by both patients and their health care providers under the control of the individual patient. We advocate for community repositories of electronic health records (health record banks) as an effective and sustainable health information infrastructure solution, provide assistance to communities building health record banks, and promote necessary legislation & regulation consistent with community health record banks (see ). HRBA members include state and community health information exchange organizations, health information providers, physicians, and vendors interested in health information technology, exchange, and services. We have reviewed Medicare and Medicaid Programs; Electronic Health Record Incentive Program Stage 2; Proposed Rule, and are very pleased that the Stage 2 requirements incorporate, to a great extent, our prior recommendations to CMS (submitted in 2010 in response to the original Meaningful Use NPRM) to enable patients to download and/or transmit their electronic medical records to systems of their choice such as health record banks. These new requirements have the potential to greatly improve patients ability to share their health information with physicians, hospitals and other caregivers on a timely basis, and provide access to such records in emergencies. Clearly, CMS shares our understanding that in order for health record banks or personal health record (PHR) systems to be effective, patients (or designees on their behalf) must be able to authorize timely and automatic electronic information updates to such systems so that accurate records are immediately available when they visit another physician or medical service provider, or have an emergency. We applaud CMS for including download and transmit in the core Stage 2 requirements for all providers. To ensure that the potential improvements from the download and transmit requirement are fully realized, we believe that several clarifications are needed: 1) Standing requests should be required We believe it is critical to allow patients to record a standing request for information transmission. This can easily be done by adding a Data Sharing Preferences section to the Consumer/Patient Preferences capability that was required for collection and storage of communications preferences in Meaningful Use Stage 1. The consumer/patient would select

2 whether they would like to get a copy of some or all of the consumer/patient related data being generated and/or shared. This transmission preference information can be gathered during regular registration/intake processes and via self-service web portal. At least two specific options should be available: 1) Any shared information checkbox: consumer/patient would like a copy of every transaction that is sent to any other provider or entity (e.g. referral) that is not covered in the information in the patient specific category (this is how the Standards & Interoperability Framework Transitions of Care use case is defined); and 2) All information checkbox: consumer/patient designates that they want to have a copy sent to them for all transactions related to them, and if so, to whom (themselves, a health record bank, PHR, etc.), documenting their Direct address and their requested format for sending information. For this option, it should be possible to designate multiple entries in a table so that patients not limited artificially to 1, 2 or 3 fixed entries. 2) Transmission should be in a standard form and include Direct as a transmission option The data format options for the transmission should include current approved standards for structured data, e.g. CCD. A patient s Direct address should be an option for the destination upon request of the patient. Ideally, in addition to free form Direct address input, address validation capability with a directory should also be available (only via matching entry confirmation that does not allow scrolling within the directory -- to protect against unwanted discovery or distribution of addresses). The required use of standards in this context has also been recently recommended by Adler-Milstein and Jha in the Journal of the American Medical Association: using the power of Medicare and Medicaid as payers, policy makers should create incentives for all clinicians and health care settings to make certain types of data (eg, medication lists, laboratory results) available for exchange in a structured format. [from Sharing Data Electronically: A Critical Challenge for Fixing the Health Care System, JAMA 307,16: , 2012] 3) An open letter should be promulgated from the Secretary of HHS reminding providers of their existing obligation to provide records in electronic form on patient request We believe that giving patients the ability to transmit their information to a system of their choice, such as a health record bank, is urgent. The sooner this capability is widely available, the sooner patients can begin to benefit from establishing comprehensive longitudinal electronic medical records under their control. Since the Stage 2 requirements will not take effect until 2014, and we recognize that requiring earlier implementation is not realistic, we believe that interim action by HHS is needed. A major obstacle to patients obtaining their records today is the lack of awareness on the part of providers that HIPAA requires release of such records. Many providers are not aware of the HIPAA requirement that records must be released in electronic form if they are available in such form (U.S. 45 CFR (c)(2)). In addition, Business Associates are typically not aware that these requirements now apply to them as well. HRBA members have documented specific instances where legitimate patient requests for records under HIPAA have been explicitly (and illegally) denied. While such HIPAA violations can be (and are) reported to the HHS Office of Civil Rights (OCR) for enforcement, we believe it is also important (as well as more efficient and less expensive) for HHS to take proactive steps to ensure that providers and Business Associates are aware of their HIPAA obligations in this regard. - 2 of 6 -

3 Accordingly, we recommend that HHS issue an open letter to providers from the Secretary reminding them of their existing obligations under HIPAA to supply electronic copies of records (available in electronic form) to patients who request them. Not only would this accelerate achieving the goals of the download and transmit requirement, but it would also help prevent inadvertent HIPAA violations, thereby reducing the number of complaints to OCR, all at little or no cost to HHS. We have appended a suggested draft of such a letter (pages 5-6). We strongly urge CMS to maintain the download and/or transmit requirement in Stage 2 regardless of objections that may be raised. To aid CMS in this effort, we have compiled specific suggested responses to potential objections: 1. Too burdensome or costly All certified electronic health record systems (EHRs) will be required to provide standardized export capabilities so that the information they contain can be easily transmitted; this capability is essential to be able to compile comprehensive electronic records for individual patients. Adding the capability for creating and maintaining a list of destinations where records should be transmitted upon completion is a very minor enhancement to these export capabilities. Indeed, in the absence of a stored list of destinations, the transmission would need to be done manually for each record, which would actually be even more costly and burdensome. 2. Too difficult to ensure that records are securely transmitted to a patient-authorized recipient Transmission of records could be limited to Direct addresses. With the Direct protocol, each patient can readily have a secure address for receipt of messages and other records. The patient can provide the address either in person as part of their healthcare encounter or via a secure online mechanism (preferably with two factor authentication), so there would be no doubt about the identity of the patient or the authenticity of the address. The transmission itself would be automatic. 3. Providers should not be required to share electronic records with patients Sharing records with patients is and has been a long-standing legal requirement. The original HIPAA privacy rule specified that patient records must be provided in electronic form when available if the patient requests them in that form. (U.S. 45 CFR (c)(2)) 4. The transmission deadline requirements of 4 days for outpatient providers and 36 hours for hospitals do not provide sufficient time Transmitting records electronically is not labor-intensive or time-consuming and can be done as soon as an encounter is complete. The only reason to delay is to receive the results of laboratory tests. The 4-day and 36-hour requirements are more than sufficient for this. Furthermore, there is no requirement that all lab results be obtained prior to transmission of the record, so even if results are delayed, the time requirements can still be met. It can be argued that the 4-day and 36-hour deadlines are actually too long, since there is a risk that critical patient records may be missing or unavailable should the patient require additional follow up treatment before the transmission of records from the prior encounter. 5. The requirements take effect too soon and should be delayed - 3 of 6 -

4 With the modifications we have suggested, we believe the proposed Stage 2 Meaningful Use requirements will truly enable patient information to routinely be aggregated and used for improved patient care, under the control of the patient. Despite anticipated widespread adoption of EHRs, individual providers do not typically have (and cannot by themselves arrange for) access to comprehensive medical records for any of their patients their own records merely represent an electronic silo of information about the care they have provided. By enabling the accumulation of lifetime, longitudinal electronic health records in organizations of the patients choosing, such as health record banks, both individual patients and the nation as a whole will finally have a realistic opportunity enjoy the promised benefits of comprehensive electronic health records including fewer medical errors, reduced likelihood of avoidable adverse events, and elimination of repetitive and unnecessary tests. Furthermore, providers are already required to provide electronic copies of patient records upon request (with a 30 day deadline), so this new requirement only specifies transmission sooner after an encounter which is consistent with ensuring the availability of comprehensive records for subsequent care. EHRs will have the capability for download and transmit built in, so this feature will be readily available to providers. If anything, the requirement should take effect sooner. 6. Requiring 10% of patients to actually view, download or transmit health record data is too burdensome We believe that there is ample evidence that patients, if given the opportunity by their physician, will sign-up to use portals that allow them to view, download or transmit their health records data. Requiring that 10% of them do so does not seem like an overly difficult burden. However, what is critically important from our perspective is that all patients are given the capability to access their health records. We could support a lower level of usage (or even an elimination of any usage measure) if it ensured that the primary requirement that more than 50% of EP patients have the ability to view, download or transmit their health records remained in the Stage 2 requirements. In summary, we recommend that: 1. The download and transmit requirements should include the ability of patients to designate the ongoing recipient of their information just once in a standing request with providers; 2. The information should be transmitted in a standard, encoded form with Direct as one of the options (that can be designated by the patient); and 3. As an interim step prior to the initiation of this new requirement, HHS should immediately issue an open letter to providers from the Secretary reminding them of their current obligation under HIPAA to provide records in electronic form on patient request (draft letter appended) Thank you for your consideration. /s/ William A. Yasnoff William A. Yasnoff, MD, PhD President, Health Record Banking Alliance - 4 of 6 -

5 Suggested Open Letter from Secretary Sebelius Reminding Doctors and Hospitals to Facilitate Patients Requests for Copies of Medical Records To Doctors, Hospitals, and Other HIPAA Covered Entities and Business Associates: I am aware of anecdotal reports that some hospitals, doctors, and their HIPAA Business Associates are illegally obstructing patients who request copies of their medical records. This public letter is an advisory to stop these illegal actions. Patients have a clear HIPAA right to request and promptly receive copies of their medical records from any HIPAA Covered Entity, including doctors and hospitals, and their HIPAA Business Associates. Patients make this request simply by furnishing a signed HIPAA Authorization. Generally, copies of medical records must then be delivered within 30 days. Doctors, hospitals, and their Business Associates can charge fees for copies. Fees are limited by HIPAA rules to specified copying and postage costs. If the records are available in electronic form and a patient requests an electronic copy, the doctor, hospital, or Business Associate must furnish an electronic copy of the entire record, unless the patient asks for a summary (and is advised in advance about any additional fees for preparing the summary). Doctors, hospitals, and their Business Associates may NOT do any of the following, each of which is a HIPAA violation: Refuse to accept a generic HIPAA Authorization form rather than the doctor s, hospital s, or Business Associate s own HIPAA form. So long as all the HIPAA-required elements are in a form the patient signs, any Authorization is proper and triggers the obligation to furnish the medical record copy. You cannot insist that your own form be used. Insist that the patient or patient s representative appear in person to deliver a HIPAA Authorization. Delivery by mail or by electronic mail (with a satisfactory patient signature) triggers the obligation to furnish the medical record copy. Refuse to send copies of a patient s record to any third party, such as a Health Record Bank or other recipient, designated in the patient s HIPAA Authorization. Refuse to furnish a copy of the entire medical record (not a summary) if that is what the patient requests in the HIPAA Authorization. This often may include information in the doctor s or hospital s medical record that was received from other doctors, hospitals, clinics, government entities, or other sources. Refuse to furnish copies to a third party repository (such as a Health Record Bank) unless the third party enters into a data sharing agreement with the doctor s office, hospital, or Business Associate. A demand for a data sharing agreement is illegal a HIPAA violation whenever a patient signs a HIPAA Authorization to request that a medical record copy be sent to a Health Record Bank or any other third party. - 5 of 6 -

6 Patients have every right to expect that copies of their medical records will be furnished promptly to them or to a third party designated in the patient s HIPAA Authorization. All a patient need do is supply a signed HIPAA Authorization that includes all required elements. As we implement vital new health information technology to improve outcomes, speed results, lower costs, and eliminate hassles, doctors and hospitals must follow the HIPAA rules. Illegal obstacles that slow or thwart patients requests for copies of their medical records must become a thing of the past; and we will continue to emphasize that in our enforcement policies. /HHS Secretary s signature/ Kathleen G. Sebelius, Secretary Department of Health and Human Services References: HIPAA Rules, 45 CFR Patient s Request for Copies HIPAA Rules, 45 CFR (c)(2) Electronic Copies; Summaries HIPAA Rules, 45 CFR (c)(4) Allowable Fees for Copies HIPAA Rules, 45 CFR (e)(2)(ii)(E) Business Associate duties HITECH Act, Business Associate duties - 6 of 6 -