Many thanks to our colleague, Robin Canowitz, for submitting the following guest post.
Implementing an Electronic Medical Record (“EMR”) brings many clinical and economic benefits to an institution. These benefits, however, are accompanied by a variety of unique HIPAA and other privacy challenges. Questions often arise regarding who should have access to records and how to limit access to portions of the medical record involving alcohol and drug abuse, mental health issues, sexually transmitted diseases, and other sensitive categories of PHI. When treatment of minors is involved, the issues become even more complicated. Set forth below is a discussion of a few such issues we frequently encounter.
As a general rule, parents and legal guardians have the right to obtain a copy of their child’s medical record. However, many states permit unemancipated minors to consent to treatment and diagnosis, and to control their PHI for certain sensitive conditions, such as:
- Sexually transmitted diseases, including HIV and AIDS
- Sexual Assault
- Mental Illness
- Drug and Alcohol Addiction.
The legislative purpose behind providing unemancipated minors with these rights is to encourage them to seek treatment when they may be afraid to speak with their parents about these sensitive issues. When implementing an EMR, providers need to consider how they will address this sensitive information. If a parent requests a copy of his or her child’s medical record, how will the provider ensure that information regarding these sensitive issues does not get released to the parent? With paper charts, it was easy to segregate this information into a separate section that did not get released. The EMR is more complicated. Consider the fact that an HIV-positive diagnosis will find its way onto the patient’s “Problem List.” Psychiatric drugs that are prescribed will be listed in the prescription area and in the medication list, and may also appear in a progress note. When the data flows to different areas of the chart, it is much more difficult to separate it out and ensure that it does not get released in an inappropriate manner.
Patient portals are designed to allow patients to access parts of their medical record, communicate with their physicians in a secure manner, and set up appointments. The use of patient portals can often result in significant cost savings to physicians and hospitals. When children are involved, a critical consideration is who should have access to the patient portal. Should it be the patient, their parent/legal guardian, or both? When the child reaches the age of majority, how will the provider terminate the access of the parents or legal guardians? If the provider allows parents to access the portal, will the parents have access to those sensitive categories of information that the minor patient has the right to control?
Some institutions have decided to keep any diagnosis related to these sensitive PHI categories out of the patient portal. Another strategy is not to allow information on certain drugs, or on certain test results, to appear in the portals. However, if a provider does choose to limit the type of information that flows to the patient portal, it is good practice to have a disclaimer on the portal site indicating that it does not contain all information which may be pertinent to the care and treatment of the patient.
Sharing Among Institutions
Many EMRs can “speak” to EMRs at other institutions. When deciding what can be released from one institution to another, providers must consider both HIPAA and state law governing the release of information. Some EMRs require that a release be signed before information can flow from one provider’s EMR to another. When children’s medical records are involved, how does a provider ensure that the other institution has obtained consent from a proper party? Providers who deal with children on a regular basis should be attuned to the often murky rules regarding who can consent to release. For example, if parents are divorced, can only the custodial parent sign a release, or can either parent sign? If parents are unmarried, what are the rights of the father? Providers who do not frequently deal with these issues must be sure consent, if required, is obtained from the proper party.
Role Based Access
The use of EMR technology can assist providers in their HIPAA Security Rule compliance by deterring staff from looking at patient information which they do not have a right to see. Many EMRs have special security settings which will trigger additional questions to staff before they log into a chart they should not be viewing. Some EMR clients use this technology on all cases where there is alleged child abuse, or cases where there has been significant press coverage. These are cases where uninvolved staff may want to “take a peek” at that patient’s chart. Applying this technology can remind staff that they should not be accessing the charts of patients that they are not directly involved in treating, and in the event that wandering eyes cannot be restrained, the EMR will be able to log this inappropriate access.