5 Considerations for Hospitals Releasing Medical Records to Patients Electronically

In September the Office of the National Coordinator for Health Information Technology launched the Consumer e-Health Program to encourage individuals' engagement in their healthcare. One of the major goals of the program is to provide patients with easy access to their medical records. To accomplish this goal and others, ONC created the Healthy New Year Video Challenge and is developing an animated video to explain the value of health IT to consumers, among other initiatives.

Hospitals are also encouraging patients to take a more active role in their care by providing easy access to patients' lab reports and other medical information. Jan McDavid, general counsel and compliance officer, and Steve Emery, director of product management, at HealthPort share five considerations for hospitals when providing patients with electronic access to their medical records.

1. Compliance. Whenever dealing with patients' protected health information, hospitals need to ensure compliance with HIPAA and other applicable federal laws. HIPAA requires patients' records to be provided within 30 days of their request, barring certain exceptions. For instance, if a physician decides providing the full record is not in the best interest of the patient, the physician may withhold certain parts of the record.  

Hospitals also need to be aware of laws of the state in which patients' medical records are located. Ms. McDavid says in general, that when federal and state laws differ, hospitals should follow whichever set of laws is stricter. She suggests hospitals' privacy and security officers constantly educate themselves on updates to the law and the specific facility's policies regarding patients' medical records. Policies may include requiring documents with confidential information to be shredded, prohibiting the sharing of passwords, and mandating training on HIPAA.

2. Security. Hospitals releasing medical records to patients need to consider both the physical and electronic security of the records. For example, Ms. McDavid says hospital officials should ensure restricted areas are enforced if a computer containing patient records is located there. In addition, computers with screens that can be seen by patients may need privacy screens. Hospitals may also need to develop policies on where to store patients' charts, which are typically placed outside the patients' doors and are easily accessible to unauthorized individuals.

Furthermore, computers and the hospital network need to be electronically secure to prevent viruses and people from accessing information. A best practice for securing medical records is encryption. While encryption is not required by law, it lessens the reporting requirements if breaches occur, Mr. Emery says. Another best practice for securely releasing medical records to patients is two-factor identification. For example, the hospital would send the patient an email with a link to a website that hosts medical records. The patient would then have to authenticate his or her identity with personal information and a password to access the records.

3. Content. If a patient requests his or her entire record, the hospital is required under HIPAA to provide the entire record. However, if a hospital voluntarily offers patients access to their medical records through a portal or similar site, it has to decide how much information to include. Some physicians oppose patients' full access to their records on the grounds that patients would misunderstand or misinterpret information, which could cause unnecessary anxiety. However, a recent study in the Annals of Internal Medicine found that only 12-16 percent of patients expected that viewing physicians' visit notes would cause them greater worry. Ms. McDavid suggests that if patients do not understand something in their records they may decide to reach out to their physician and engage more in their healthcare, one of the goals of ONC's Consumer e-Health Program.

4. Format. Hospitals also have to create a format that organizes patients' information. "A larger concern [than the content] is how to make that record understandable for a patient. It's not only a question of what to put on there, but how to translate it so it becomes not just available but understandable," Mr. Emery says.

Physicians view a patient's medical record in the format of its electronic health record system. When hospitals offer patients access to their records, they will most likely not provide a link to the EHR system but to a portal where patients can view a condensed or partial version of their record. "It's going to become more and more difficult because everybody's EHR is so different," Mr. Emery says. "Even if it's the same vendor, [hospitals] modify [the EHR] on the front end. If you had [electronic] records at 10 places, they would be [formatted] 10 different ways."

5. Portal. Mr. Emery predicts that more hospitals will develop patient portals that can be used to not only view medical records, but to also schedule appointments and access other services. He says that while meaningful use Stage 1 did not require patient portals, is may be required in future stages. Hospitals would thus have a financial incentive to build these sites.

Learn more about HealthPort.

Related Articles on Health IT and Patient Engagement:

Using HIT to Drive Clinical Integration, Patient and Physician Engagement and Population Health Management
79% of Veterans Would Share Personal Health Records With Family, Non-VA Providers

Study: Patients Clamber for Physicians' Notes, But Many Physicians Oppose Idea

Copyright © 2022 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars