icon caret-left icon caret-right instagram pinterest linkedin facebook twitter goodreads question-circle facebook circle twitter circle linkedin circle instagram circle goodreads circle pinterest circle

HIPAA, electronic health records, patient privacy, and safety

The Health Insurance Portability and
Accountability Act of 1996
(The HIPAA privacy rule)


The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy and security of health information.
Summary of the HIPAA Privacy Rule (Health & Human Services) Who is covered, what information is protected, and how protected health information can be used and disclosed. Because it is an overview of the Health Privacy Rule, it does not address every detail of each provision.
Disclosures to Family and Friends An invaluable HHS of Q&As about who can disclose what info to whom, with many scenarios. On the left are links to other topics of Q&As.
Can health care providers invite or arrange for members of the media, including film crews, to enter treatment areas of their facilities without prior written authorization? (HHS.gov) Answer: Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ protected health information (PHI) will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances, as set forth on this website page, does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual.
HIPAA experts: No need to request a waiver after Orlando shooting (Joseph Burns, Covering Health: Monitoring the Pulse of Health Care Journalism, 6-15-16)
HIPAA G02: HIPAA Guidance -- Safeguarding Patients’ Photographs and Recordings
Blog HIPAA (your source for news, ideas, and all things HIPAA)
No, HIPAA was not waived in Orlando, and here's why (Jacqueline Howard, CNN, 6-14-16)
Dying in the E.R., and on TV Without His Family’s Consent (Charles Ornstein,NY Times, 1-4-15) In the 18 years since HIPAA was passed, doctors and hospitals have put in place an ever-expanding list of rules meant to protect patient privacy. Yet even in the face of this growing sensitivity, real-life shows like “NY Med” have proliferated, piggybacking off fictional counterparts like “E.R.,” “Grey’s Anatomy” and “House.” "Medical ethicists and groups like the American Medical Association worry that these shows exploit patients’ pain for public consumption, but their makers argue that they educate viewers and inspire people to choose careers in medicine....Hospitals like NewYork-Presbyterian, meanwhile, have seized upon such programs as a way to showcase themselves, vying to allow TV crews to film their staff and patients — even emergency-room patients sometimes in no condition to give permission. When the first season of “NY Med” was broadcast on ABC in 2012, the hospital’s vice president of public affairs at the time, Myrna Manners, told PR Week, “You can’t buy this kind of publicity, an eight-part series on a major broadcast network.” But Anita Chanko, unable to sleep, turned on the previous night's episode of "NY Med" and watched her husband die in the operating room--without the family's knowledge of the taping, much less consent. Asked what she would do if the case fails, Mrs. Chanko said the family would not stop pushing for redress. “If there’s no applicable law, there most certainly should be,” she said. “I’m willing to just pursue it all the way. Why shouldn’t there be a law against this kind of thing?”
HIPAA, electronic health records,
medical privacy laws, and patient rights
(Writers and Editors site, with focus on journalists' viewpoint)
Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations (HHS)
Orlando shooting: Why the mayor’s HIPAA waiver request is important for gay rights (Ariana Eunjung Cha, WaPo, 6-13-16)
HIPAA’s Use as Code of Silence Often Misinterprets the Law (Paula Span, NY Times, Health, 7-21-15). The privacy rules created under the Health Insurance Portability and Accountability Act, designed to keep personal health information private, apply "only to health care providers, health insurers, clearinghouses that manage and store health data, and their business associates." The "law does not prohibit health care providers from sharing information with family, friends or caregivers unless the patient specifically objects. Even if he or she is not present or is incapacitated, providers may use 'professional judgment' to disclose pertinent information to a relative or friend if it’s 'in the best interests of the individual.'"
HIPAA Criminal Prosecutions: Few and Far Between (PDF, Doreen Z. McQuarrie.Feb. 2007)
Nurse admits to privacy violation in HIPAA case (AP, 4-17-08)
Is HIPAA Creating More Problems Than It's Preventing? (Neil Chesanow, Medscape, 9-16-13)
Do Family, Friends' Photos Trigger HIPAA Violations? (John Commins, HealthLeaders Media, 3-8-2010). You should be able to take photos of your own child or other family member in the hospital, but you mustn't inadvertently catch another patient, or a medical health record, etc. If you are doing photographs for a story, you need a HIPAA release signed for every patient photographed. Hospital personnel may overreact about cell phone photos even of your own family members because HIPAA rules are not easy to master and personnel are duty-bound to observe them.
(St. Jude Children's Research Hospital)
HIPAA, electronic health records, medical privacy laws, and patient rights

[Back to Top]

Patient privacy, access to medical records, and related issues

New federal mandate should allow freer flow of medical information (Kerry Dooley Young and Karen Blum, Covering Health, 7-19-21) April 5 marked the official start of a federal mandate meant to allow consumers easier access to their medical records while also barring organizations from profiting by restricting access to this information. Patients have greater access to consultation notes, discharge summary notes, history and physical information, imaging narratives, laboratory and pathology reports, and procedure and progress notes.

       'A major part of this effort is intended to tackle a longstanding industry practice known as “information blocking,” which is somewhat akin to holding hostage information in electronic health records (EHRs). Since the April 5 deadline kicked in, medical organizations and health information technology (IT) firms have been under an order to stop practices that can keep people’s medical records being siloed in competing EHRs.'

       See Federal Rules Mandating Open Notes (OpenNotes) "On April 5, 2021, federal rules implemented the bipartisan 21st Century Cures Act specifing that 8 types of clinical notes are among electronic information that must not be blocked and must be made available free of charge to patients. To meet the interests of some patients, the rules allow specified exceptions."
Be Aware: Someone Could Steal Your Medical Records and Bill You for Their Care (Michelle Andrews, KFF Health News, 7-31-23) Consumers should realize that “medical identity” fraud can happen in several ways, from a large-scale breach to individual theft of someone’s data. Unlike other forms of identity fraud, medical identity thieves may steal not only their victims’ personal data — Social Security number, date of birth, address — but also information about their medical records and care, potentially putting their health at risk.

     “Sometimes people can’t get their prescriptions, if their records are mixed with someone else’s.”

      Medical identity theft can happen if someone loses a wallet with their insurance card in it, for example, or a piece of mail from their insurer goes astray. Or one person might have a higher copayment for emergency department visits, "so they let a family member, such as a cousin or a sibling, use their insurance card to get medical care."    

      Monitor the notices and bills you receive from insurers and providers and contact them immediately about anything suspicious.
HIPAA Guide for the Newsroom (Pennsylvania News Media Association) The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs. The Act also requires “covered entities” to protect the privacy of individuals’ medical information, and imposes significant penalties on those entities that violate the law.
Sharing Health Information with Family Members and Friends (PDF, HHS Office for Civil Rights) HIPAA requires most doctors, nurses, hospitals, nursing homes, and other health care providers to protect the privacy of your health information. However, if you don’t object, a health care provider or health plan may share relevant information with family members or friends involved in your health care or payment for your health care in certain circumstances.
A Reporter's Guide to Medical Privacy Law (Reporters Committee for Freedom of the Press). Topics covered include: What is HIPAA, What records are available under HIPAA, Health care journalists' access to hospitals curtailed under HIPAA, General access to hospitals, Attitudes toward privacy rules may change in times of disaster, Confusing laws keep information confidential on college campuses, etc.
Full Disclosure: Do we have a right to medical privacy after we are dead? (Jack El-Hai, Aeon) The Health Insurance Portability and Accountability Act (HIPAA) of 1996, a federal US law that regulates the disposition of medical records and protects the privacy of patients, applies to hospitals, medical providers and insurers – but not to writers. Even if it did apply to writers, HIPAA’s privacy protections last for only 50 years past a patient’s death.
Accessing Deceased Patient Records—FAQ (Chris Dimick, AHIMA, 4-1-13). AHIMA is the American Health Information Management Association.
Who Has Rights to a Deceased Patient’s Records? (Chris Dimick, AHIMA, 8-4-09)
How to Request Your Medical Records (Chris Dimick, AHIMA, 3-1-12, updated by Mary Butler 3-1-17)
HIPAA, electronic health records, and patient privacy
When a Patient’s Death is Broadcast Without Permission ( Charles Ornstein, Pro Publica, 1-2-15) The ABC television show “NY Med” filmed Mark Chanko’s final moments without the approval of his family. Even though his face was blurred, his wife recognized him. “I saw my husband die before my eyes.” An intelligent discussion of an important case.
New York Hospital to Pay $2.2 Million Over Unauthorized Filming of 2 Patients (Charles Ornstein, NY Times, 4-21-16) "NewYork-Presbyterian Hospital has agreed to pay a $2.2 million penalty to federal regulators for allowing television crews to film two patients without their consent — one who was dying, the other in significant distress. Regulators said on Thursday that the hospital allowed filming to continue even after a medical professional asked that it stop. At the same time, regulators clarified the rules regarding the filming of patients, prohibiting health providers from inviting crews into treatment areas without permission from all patients who are present. That could end popular television shows that capture emergencies and traumas in progress, getting permission from patients only afterward."
Here's Looking at You: How Personal Health Information Is Being Tracked and Used (Jane Sarasohn-Kahn, California Healthcare Foundation, July 2014)
HIPAA Helper: Who is Revealing Your Private Medical Information? (Charles Ornstein, Annie Waldman and Mike TigasPro Publica, 12-29-15) For the first time, you can easily search whether your hospital, clinic, pharmacy or health insurer has been named in patient privacy complaints, breaches or violations.
Journal; Capital Shrink Rap (Frank Rich, NY Times, 10-7-98) "Washington's fear and ignorance of mental illness has led to private local tragedies (the untreated Vincent Foster's suicide) and shoddy public policy, which then leads to preventable national tragedies...I wonder if today's Washington would even muster the same outrage once provoked by one of the most unsavory incidents of Watergate -- the White House ''plumbers'' break-in to the Beverly Hills office of Daniel Ellsberg's therapist in a failed effort to burglarize his psychiatric files."
Secret video: Mercy guard threatened photo-taking mom (Sarah Okeson, News-Leader 7-19-14) Woman who took photo of her son to post on Facebook was taken to an office where she was questioned by a security guard "The idea is not to prohibit patients from capturing personal memories," said Mercy spokeswoman Sonya Kullmann. "However, we want to ensure that we protect everyone's right to privacy. That includes other patients, visitors, co-workers and providers who may not want to appear in someone else's photograph, video or recording." There is such a thing as carrying things too far.
Can medical records be released without consent? Supreme Court refuses case. (Warren Richey, Christian Science Monitor, 10-3-11) The US Supreme Court turned aside an appeal involving the scope of privacy protections for a patient’s medical records when a state agency seeks to force a doctor to disclose those records without first obtaining a patient’s consent. (Eist v. Maryland State Bd. of Physicians) Issues of case, on SCOTUSblog: (1) Whether a state may restrict a patient's federal constitutional right to privacy by compelling a physician to disclose confidential patient records without notice to and authorization by the patient and in conflict with the physician's ethical obligations; (2) whether a state agency may simultaneously serve as investigator, prosecutor and adjudicator with respect to a licensee under its jurisdiction without amending the state's constitution which explicitly separates legislative, executive and judicial powers; and (3) whether a physician may be disciplined by a state's medical licensing board if: (a) the relevant statutory language - “fails to cooperate with a lawful investigation” - is unconstitutionally vague; (b) the board never notified the patients it was seeking their confidential medical records; or (c) the board's simultaneous roles as investigator, prosecutor and adjudicator deprive petitioner of his right to due process.
Medical privacy (summary of info and links to more on breaches of privacy, damages and alternatives, electronic systems, many releases that are allowed by law, comparison of lists of data breaches)
Medical privacy
Baby Pictures at the Doctor’s? Cute, Sure, but Illegal (Anemona Hartocollis, NY Times, 8-9-14). Letters to the Editor, in responseWhen Baby Pictures Offend the Law
Secret video: Mercy guard threatened photo-taking mom (Sarah Okeson, News-Leader 7-19-14) Woman who took photo of her son to post on Facebook was taken to an office where she was questioned by a security guard "The idea is not to prohibit patients from capturing personal memories," said Mercy spokeswoman Sonya Kullmann. "However, we want to ensure that we protect everyone's right to privacy. That includes other patients, visitors, co-workers and providers who may not want to appear in someone else's photograph, video or recording."
VA uses patient privacy to go after whistleblowers, critics say (Joe Davidson, Washington Post, 7-17-14) A registered nurse was threatened with suspension and stripped of managerial duties after she complained about how a veteran was treated.
Spread of Records Stirs Patient Fears Of Privacy Erosion (Theo Francis, WSJ, 12-26-06--behind a paywall, for subscribers only, but you may be able to read it at the library).
Could photographing an ED patient get you sued? (PDF, ED Legal Letter April 2009) Without consent, you are asking for a lawsuit.

[Back to Top]

 


Resolving issues with electronic health records (EHRs)


(especially privacy, safety, interoperability, and security)

“We’ll have to do three main things to make the EHR the vehicle that we want it to be. First is promoting for more use of user-centered design. The second is dealing with too many alerts—alert fatigue is overwhelming and dangerous, and we simply have to figure out how to prevent it. And the third is interoperability, to ensure that patient medical records can be shared easily between doctors, hospitals, and other healthcare providers at any time.”

    ~Robert M. Wachter, MD, professor and chair of the Department of Medicine at the University of California, San Francisco.


Health records don’t always show when patients are dead. One researcher is trying to change that ( Mohana Ravindranath, STAT news, 12-14-23) Health professor Neil Wenger was deep into a years-long study on seriously ill primary care patients when he uncovered a different but persistent issue: Many patients who were targeted for follow-up interventions had actually died, and their hospitals did not know about it. It was unacceptable, he said, for health systems to lose track of seriously ill primary care patients who’d been treated on-site for years. To be clear, these were not one-time out-of-state patients who’d come in for a single visit.
Patients can now access all health information in electronic record sets (Karen Blum, Covering Health, AHCJ, 10-24-22) On October 6, 2022, marked another milestone for patients seeking access to information in their electronic health records. That’s the date federal information-blocking regulations expanded to enable patients’ access to all electronic protected health information (ePHI) in designated record sets. With some medical organizations pushing back on the deadline saying smaller medical centers aren’t ready for this or are unaware of the requirement, journalists could find interesting stories querying hospitals to find out how they got ready for this requirement or how it’s going, or interview patients seeking information from their records and find out how easy it was to get that data.
        “October 6th is a big day because we’re saying if data is electronically accessible — meaning it’s on a computer system somewhere in your hospital — you’re required to make it available,” said Micky Tripathi, national coordinator for health information technology at the Office of the National Coordinator for Health Information Technology (ONC).
        The 21st Century Cures Act directed ONC to implement a standardized process to report claims of so-called information blocking or holding information hostage in records. There are eight allowable exceptions where an entity would not be found to engage in information blocking, including cases where health information can be temporarily taken offline while computer systems are updated, or where a provider or health system believes that releasing the information could result in harm to a patient or another person. This article is full of links to much additional information.
---Information Blocking Rule includes ePHI starting October 2022 (OpenNotes) In October 2022, the definition of Electronic Health Information (EHI) is expanded to include electronic Protected Health Information (ePHI).This could include:
Medical and billing records maintained by a health care provider
Enrollment, payment, claims adjudication, and case or medical management record systems
Other records used in whole or in part by a covered entity to make decisions about individuals
ONC reports 299 information blocking claims since banning the practice (Becker's Health IT, 3-1-22)
An Assessment of Family History Information Captured in an Electronic Health Record (Fernanda Polubriaginof, Nicholas P. Tatonetti, and David K. Vawdrey, AMIA Annual Symposium proceedings, 2015) Family history has always been considered “a core element of clinical care.” But "We analyzed differences between 10,000 free-text and 9,121 structured family history observations. Each observation was classified according to disease presence/absence and family member affected (e.g., father, mother, etc.). The structured notes did not collect a complete family history as defined by standards endorsed by the U.S. Agency for Healthcare Research and Quality; the free-text (narrative) notes contained more information than the structured notes, but still not enough to be considered “complete.” Several barriers remain for collecting complete, useful family history data in electronic health records."

     Writers and editors: Is there not a role for you here?

     Develop the kind of family history a medical practice would find useful. Learn what they need to know, especially in an emergency.

How Tech Can Turn Doctors Into Clerical Workers (Abraham Verghese, NY Times Magazine, 5-16-18) In America today, the patient in the hospital bed is just the icon, a place holder for the real patient who is not in the bed but in the computer. The threat that electronic health records and machine learning pose to physicians’ clinical judgment — and their well-being. Advances in pattern recognition applied to X-rays and CT scans and retinal scans are helpful aids to the clinician. But as with any lab test, what A.I. will provide is at best a recommendation that a physician using clinical judgment must decide how to apply.
Ransomware attacks on U.S. hospitals spike (Debra Gordon, Covering Health, AHCJ, 11-5-2020) The FBI warned hospitals several days ago of the likelihood of attacks with the Ryuk ransomware and, sure enough, numerous hospitals have been hit, forcing some to resort to paper, the last thing they need with COVID-19 cases again spiking. Others have shut down email.
Botched Operation. Death By 1,000 Clicks: Where Electronic Health Records Went Wrong (Fred Schulte and Erika Fry, Fortune and KHN, 3-18-19) This award-winning investigative project (the Gerald Loeb Award) reveals how the shift toward electronic medical records gave rise to patient safety risks, fraud, physician burnout, gaps in interoperability and a lack of industry transparency. Electronic health records were supposed to make medicine safer, bring higher-quality care, empower patients, and yes, even save money--make health care better, safer, and cheaper. Ten years and $36 billion later, the system is an unholy mess. Inside a digital revolution that took a bad turn. Unlike, say, with the global network of ATMs, the proprietary EHR systems made by more than 700 vendors routinely don’t talk to one another, meaning that doctors still resort to transferring medical data via fax and CD-ROM. ­Patients, meanwhile, still struggle to access their own records — and, sometimes, just plain can’t. Compounding the problem are entrenched secrecy policies that continue to keep software failures out of public view. EHR vendors often impose contractual “gag clauses” that discourage buyers from speaking out about safety issues and disastrous software installations..
Building wave of ransomware attacks strike U.S. hospitals (Christopher Bing, Joseph Menn, Reuters, 10-26-2020) Eastern European criminals are targeting dozens of U.S. hospitals with ransomware, and federal officials on Wednesday urged healthcare facilities to beef up preparations rapidly in case they are next.
Threat spotlight: the curious case of Ryuk ransomware (Jovi Umawing, MalwareBytes, 10-30-2020) "First discovered in mid-August 2018, Ryuk immediately turned heads after disrupting operations of all Tribune Publishing newspapers over the Christmas holiday that year. What was initially thought of as a server outage soon became clear to those affected that it was actually a malware attack. It was quarantined eventually; however, Ryuk re-infected and spread onto connected systems in the network because the security patches failed to hold when tech teams brought the servers back.".
FDA Chief Calls For Stricter Scrutiny Of Electronic Health Records (Fred Schulte and Erika Fry, Fortune and KHN, 3-21-19) Food and Drug Administration Commissioner Scott Gottlieb called for tighter scrutiny of electronic health records systems, which have prompted thousands of reports of patient injuries and other safety problems over the past decade. Gottlieb said the best approach might be to say that an EHR that has a certain capability becomes a medical device. He called EHRs a “unique tool,” noting that the risks posed by their use aren’t the same as for a traditional medical device implanted in a patient. “You need a much different regulatory scheme,” he said. The 21st Century Cures Act of 2016 excludes the FDA from having oversight over electronic health records as a medical device.

Electronic Health Records Creating A ‘New Era’ of Health Care Fraud (Fred Schulte, KHN, and Erika Fry, Fortune, 12-23-19) The federal government funneled billions in subsidies to software vendors who overstated or deceived the government about what their products could do, according to whistleblowers. The whistleblowers also allege that Medhost, the Tennessee firm that developed the software, concealed defects during government-mandated reviews that were supposed to ensure safety. In March, Fortune and KHN revealed that thousands of injuries, deaths or near misses tied to software defects, user errors and other problems have piled up in various government-sponsored and private repositories.

[Back to Top]


Electronic Health Records Continue to Lead to Medical Malpractice Suits (Darrell Ranum, TheDoctorsCompany) The top five risks and suggestions for how to avoid an EHR-related malpractice claim.
Who Will Build the Health-Care Blockchain? (Mike Orcutt, Technology Review, 9-15-17) Decentralized databases promise to revolutionize medical records, but not until the health-care industry buys in to the idea and gets to work. "There are 26 different electronic medical records systems used in the city of Boston, each with its own language for representing and sharing data. Critical information is often scattered across multiple facilities, and sometimes it isn’t accessible when it is needed most—a situation that plays out every day around the U.S., costing money and sometimes even lives. But it’s also a problem that looks tailor-made for a blockchain to solve, says John Halamka, chief information officer at Beth Israel Deaconess Medical Center in Boston."
A slow death by charting (Erin O'Laughlin, KevinMD, 9-12-19) Under the guise that they “care,” insurance companies courteously remind this doctor of all the “missing” items for the “quality” care of her patients--all the hoops she must jump through to get paid.
EHRs aren’t entirely to blame for physician burnout (Rebecca Vesely, Covering Health, AHCJ, 9-12-19) A new study published in JAMA Open Network indicated that EHR systems create “information overload.“ But other workplace factors may contribute even more to burnout, the study of 280 clinicians at three medical centers concluded. Those factors:
--Chaotic office atmosphere
--Lack of control over workload
--Poor work/life balance
--Values misalignment with leadership
-Lack of time for documentation at work.
Why Doctors Hate Their Computers (Atul Gawande, New Yorker, 11-12-18) Digitization promises to make medical care easier and more efficient. But are screens coming between doctors and patients? "A 2016 study found that physicians spent about two hours doing computer work for every hour spent face to face with a patient—whatever the brand of medical software. In the examination room, physicians devoted half of their patient time facing the screen to do electronic tasks. And these tasks were spilling over after hours....The Tar Pit has trapped a great many of us: clinicians, scientists, police, salespeople—all of us hunched over our screens, spending more time dealing with constraints on how we do our jobs and less time simply doing them...." Electronic-medical-record companies like Epic resist medical teams' ways of adapting the technology and developing time-saving apps, because they fear losing "control (and potential revenue)" but they may need to bend. Once more, Gawande crystallizes the problems at the intersection of human, medical, and technological systems.

[Back to Top]


It's time we address the elephant in the room at every health care conference (Christina Farr, CNBC, 3-10-18) "It is unacceptable that a hospital in 2018 can't send an X-ray from one facility to another, without asking a patient to physically carry over a CD-Rom or a USB drive. Even drug dealers have moved on from using faxes and pagers....Technology companies are rallying around the issue. Patients shouldn't have to pay to copy medical records and then bring all of them along to every appointment with another new specialist.
Why American medicine still runs on fax machines (Sarah Kliff, Vox, 1-12-18) It's time to face the fax. The clinic has digitized its own patient data. But its electronic system can’t connect with other clinics’ records. So when doctors want to retrieve records from another office — an ultrasound for a pregnant patient, for example — they have to turn to the fax. So they use a Rube Goldberg-esque analog method for sharing data: Print out pages of one record, fax it, and then scan those pages into the other digital system. By one private firm’s estimate, the fax accounts for about 75 percent of all medical communication. It frustrates doctors, nurses, researchers, and entire hospitals, but a solution is evasive. Obama tried to force the health sector to go digital. But he didn’t make the systems talk. “Medical records generally come by fax. Sometimes they're mailed. They almost never come by any other route.”
Check Your Medical Records for Dangerous Errors (Judith Graham, KHN, 11-21-18) “I tell people, ‘Collect all your medical records, no matter what’ so you can ask all kinds of questions and be on the alert for errors,” said Sheridan, director of patient engagement with the Society to Improve Diagnosis in Medicine. An incorrect diagnosis, scan or lab result may have been inserted into a record, raising the possibility of inappropriate medical evaluation or treatment; a transcription error can change "renal cell carcinoma" (kidney cancer) to "basal cell carcinoma" (skin cancer); allergies, medications, and lab results unlisted can be devastating; a patient’s name, address, phone number or personal contacts may be incorrect, making it difficult to reach someone in the event of an emergency or causing a bill to be sent to the wrong location; etc. And how to report the errors and get them corrected.

[Back to Top]


Public’s Experiences With Electronic Health Records (Cailey Muñana, Ashley Kirzinger, and Mollyann Brodie, KHN, 3-18-19) While there is wide acceptance among the public for the use of EHRs, some concerns about privacy and accuracy of records remain.
Patient access to health records in jeopardy amid health policy upheaval (Rebecca Vesely, Covering Health, AHCJ, 7-26-17) Amid the deep uncertainty over what changes Congress could make to the health care sector in the coming years, patients would benefit from having access to their own medical records. Insurance coverage losses, changes in insurance plans and cuts to provider networks could happen if the Affordable Care Act is repealed, repealed and replaced or is weakened because of lack of support from the Trump administration.
Lessons From More Than A Decade In Patient Portals (Terhilda Garrido, Brian Raymond, and Ben Wheatley, Health Affairs blog, 4-7-16) More than a decade of experience engaging patients online offered four key lessons.
1. Secure email supports improved outcomes and patient-centered care.
2. Patient portal use positively impacts patient loyalty to the health plan and member satisfaction.
3. Evidence of a relationship between secure email and other kinds of utilization is mixed.
4. Even with the best intentions, e-health disparities can emerge.

The medical chart is coming to an end. Here’s why. (Mike Sevilla, KevinMD, 8-29-14) Medical professionals "have lost the art of telling the story of our patients because of the digital record....Many believe that the electronic medical record is a way for “big brother” (whomever that is) to keep an eye on clinicians, and eventually find a way to compensate less." And with security breaches more common, one day patients will insist that certain things be left out of the medical record.
Medical Records: Top Secret (Elisabeth Rosenthal, NY Times 11-8-14) "In a digital age when we can transfer money to purchase a house online or view a college transcript by logging on to a secure website, why is it so often difficult for patients to gain access to their medical data? And who controls our health information? ...Although doctors and hospitals legally own their medical charts, patients have a right to have access in a timely manner — HIPAA requires a response within 30 days of a patient request — and at a reasonable processing cost."
Why Health Care Tech Is Still So Bad (Robert M. Wachter, NY Times, 3-21-15) "A 2013 RAND survey of physicians found mixed reactions to electronic health record systems, including widespread dissatisfaction. Many respondents cited poor usability, time-consuming data entry, needless alerts and poor work flows." "A recent study of more than one million medication errors reported to a national database between 2003 and 2010 found that 6 percent were related to the computerized prescribing system." "Whopping errors and maddening changes in work flow have even led some physicians to argue that we should exhume our three-ring binders and return to a world of pen and paper." But, Wachter concludes, we are still in a very early stage of digitization. We need better technology and better training on how to use it while still paying attention to the patient, instead of the keyboard.
Spread of Records Stirs Patient Fears of Privacy Erosion (Theo Francis, WSJ, 12-26-06). Ms. Galvin's Insurer Studies Psychotherapist's Notes; A Dispute Over the Rules. "As the health-care industry embraces electronic record-keeping, millions of pages of old documents are being scanned into computers across the country. The goal is to make patient records more complete and readily available for diagnosis, treatment and claims-payment purposes. But the move has kindled patient concern about who might gain access to sensitive medical files -- data that now can be transmitted with the click of a computer mouse."
Electronic Health Records Seen as Safety Trap for Doctors (James Swann, Health Care on Bloomberg Law, 8-28-18) The current design of most EHR products is confusing and can cause physicians to make medical errors such as prescribing the wrong drug or lab test for a patient, the Aug. 28 report from the American Medical Association, Pew Charitable Trusts, and MedStar Health said. The government needs to step up and require more rigorous EHR testing, Michael Hodgkins, chief medical information officer at the AMA, told Bloomberg Law.
A New Challenge Competition – Can you Help Make EHR Safety Reporting Easy (Andrew Gettinger,HealthITBuzz, 5-22-18) “The goal of ONC’s Easy EHR Issue Reporting Challenge is to help EHR users identify, document, and report a potential health IT safety issue when it happens.”

[Back to Top]


Better Testing of Electronic Health Records Needed to Protect Patients (Ben Moscovitch, Pew, 8-28-18) These digital tools have increased the quality, safety, and efficiency of health care, but problems with their usability—how doctors, nurses, and other staff interact with them—have put patients in harm’s way. Report offers hospitals and record-system vendors rigorous safety tests, best practices.
Pew, AMA: 6 components to consider when assessing EHR safety, usability (Jessica Kim Cohen, Becker's Health IT & CIO Report, 8-28-18) The six stages developers and providers move through during the EHR product lifecycle and notes to consider during each one to improve product safety.
Safety-Test Your EHR With This 3-Step Guide (Steven Porter, HealthLeaders, 8-29-18) Here's how providers can make the most of a 57-page report on electronic health record system safety by Pew, the AMA, and Medstar Health. "Imagine for a moment that a patient in his late 20s arrived in your emergency department with severe flank pain. Based on his allergies and medical history, your team determines that he should be given a high dose of opioid pain medication and monitored closely. If a physician were to order 10 mg of hydromorphone to be administered intravenously, would your electronic health record (EHR) respond with an alert that this dosage falls outside normal limits? If not, then your EHR would fail one of 14 test-case scenarios."
Stop the privatization of health data (John T. Wilbanks and Eric J. Topol, Nature, 7-20-16) Tech giants moving into health may widen inequalities and harm research, unless people can access and share their data, warn the authors.
How Mayo Clinic Is Using iPads to Empower Patients (David J. Cook, Jeffrey E. Thompson, Joseph A. Dearani, and Sharon K. Prinsen, Harvard Business Review, 2-24-14) Empowering patients and setting their expectations requires effectively providing them with "A plan of stay" (which includes a "plan of day"), modular educational materials ("just in time" materials relevant to the day's needs and expectations), gaining strength modules (that set daily expectations for physical activities such as walking and breathing exercises and provide patients with tools to self-assess and report things like pain and mobility), and recovering planning information (on wound care, exercise and diet, activity restrictions, follow-up appointments, and potential complications and how to recognize them).

[Back to Top]


How close are we to meeting the promise of electronic health records? (Carla K. Johnson, Covering Health, 3-6-15) "Smooth patient handoffs, data-driven performance improvement and real-time analytics are still mostly dreams, although those ambitions have been talked about for years," said specialists on health information technology, at a panel on the topic, summarized here.
Hazards tied to medical records rush (Christopher Rowland, Boston Globe, 7-20-14) Subsidies given for computerizing, but no reporting required when errors cause harm. The explosion in the use of the electronic records has created the potential for efficiencies and safety benefits but also new risks for patients, the scope of which still is not fully understood.
Electronic health records ripe for theft (David Pittman, Politico 7-13-14)
Six months after the Target security breach, report says cases of identity theft are increasing (Teresa Dixon Murray, The Plain Dealer, 7-9-14). "Medical providers are particularly vulnerable to data breaches because health records generally contain detailed desirable personal information such as Social Security numbers, but the offices of doctors and other medical providers generally don't have the same firewalls and levels of protection that banks do."
Major medical records breaches pass 1,000 milestone as enforcement ramps up (Joseph Conn, Modern Healthcare June 2014)
Breaches Affecting 500 or More Individuals (HHS, Health Information Privacy)
3 Approaches to the EHR Patient Control Debate (Power Your Practice), about the Patricia Galvin case.
The HiTech Act of 2009

UT Southwestern Medical Center (example of a secure online health management tool that the patient also has access to)
10 things to know about Epic (Erin Dietsche, Becker's Health IT & CIO Review)
Spread of Records Stirs Patient Fears Of Privacy Erosion (Theo Francis, WSJ, 12-26-06) Patricia Galvin's Insurer Studies Psychotherapist's Notes; A Dispute Over the Rules. "The U.S. Department of Health and Human Services implemented standards in 2003 for guarding patient privacy, supplementing a patchwork of state laws. The federal standards, which grew out of the 1996 Health Insurance Portability and Accountability Act, single out psychotherapy notes for extra protection. Critics claim that loopholes in the rules have left patient privacy under threat." Galvin's "experience offers a look at how increasingly complex confidentiality issues are affecting patients and their insurance coverage." "As the health-care industry embraces electronic record-keeping, millions of pages of old documents are being scanned into computers across the country. The goal is to make patient records more complete and readily available for diagnosis, treatment and claims-payment purposes. But the move has kindled patient concern about who might gain access to sensitive medical files -- data that now can be transmitted with the click of a computer mouse."
Electronic Health Records Continue to Lead to Medical Malpractice Suits (Darrell Ranum, The Doctors Company, 8-19)
Investigation reveals failings in adoption of electronic health records (Cheryl Clark, Covering Health, AHCJ, 12-4-19) "Today, 96% of hospitals have adopted EHRs and, while there have been numerous software updates and improvements, the systems are still clumsy, unintuitive, time sucking and non-interoperable." The chief problems are outlined in two stories:
---Death By 1,000 Clicks: Where Electronic Health Records Went Wrong (Fred Schulte and Erika Fry, Fortune and KHN, 3-18-19) The U.S. government claimed that turning American medical charts into electronic records would make health care better, safer and cheaper. Ten years and $36 billion later, the system is an unholy mess. Inside a digital revolution that took a bad turn. Instead of reducing costs, many say, EHRs, which were originally optimized for billing rather than for patient care, have instead made it easier to engage in “upcoding” or bill inflation (though some say the systems also make such fraud easier to catch). More gravely still, a months-long joint investigation by KHN and Fortune has found that instead of streamlining medicine, the government’s EHR initiative has created a host of largely unacknowledged patient safety risks. Compounding the problem are entrenched secrecy policies that continue to keep software failures out of public view. EHR vendors often impose contractual “gag clauses” that discourage buyers from speaking out about safety issues and disastrous software installations — though some customers have taken to the courts to air their grievances.
---No Safety Switch: How Lax Oversight Of Electronic Health Records Puts Patients At Risk ( Fred Schulte and Erika Fry, Fortune and KHN, 11-21-19) Plans "for putting patient safety first — and for building a comprehensive injury reporting and reviewing system — have stalled for nearly a decade, because manufacturers of electronic health records (EHRs), health care providers, federal health care policy wonks, academics and Congress have either blocked the effort or fought over how to do it properly, an ongoing investigation by Fortune and Kaiser Health News shows.Over the past 10 years, the parties have squabbled over how best to collect injury data, over who has the power to require it, over who should pay for it, and over whether to make public damning findings and the names of those responsible for safety problems."After a contentious process in which consumer advocacy group Public Citizen accused FDA officials of collaborating with the devices industry to weaken oversight, Congress passed the 21st Century Cures Act. A few sentences buried in the law, signed by Obama in late 2016, all but shut the door on FDA regulation of EHRs. The bipartisan law, which speeds up approvals for some medical therapies, states flatly that electronic health records are not medical devices subject to FDA scrutiny."

[Back to Top]