Now anyone with a login providing access to your records can look you up, AND the system is capable of recording who looked you up (which has gotten people fired when the audit trail shows people with no business looking you up have been in your record). With paper records, there’s no trail: anybody who could access your folder could do whatever they wanted with almost no fear of repercussion, because proving who looked at or photocopied the file was often impossible. (Plus, pre-HIPAA, what consequences could there be anyway?)
I work in health care IT, and this is really the bigger issue than anything else. Just because one of our clinics sees a person, and their medical information is in our EMR doesn’t mean that we can share it with any other health care providers without certain very restrictive sorts of consent on the patient’s part.
Once the HIPAA stuff is satisfied, then you get into the fun that Shodan mentions.
There are vendors trying to fix this situation- Microsoft Health Vault and Dossia are a couple of examples of personal health records that allow the patient to manage their own health records, but from what I gather, they’re not proving to be particularly popular.
I think it depends on how the clinic interprets HIPAA laws. My doctors are all hospital-based, and they all have access to my records within the EMR. They can easily pull up my last set of blood work rather than asking for a new bunch of tests; or they can look at existing radiology films rather than take yet another x-ray of my foot with the weird toe.
This is really pretty handy. Even better, it prevents wasteful use of healthcare dollars. (My podiatrist saw my blood work from last month, saw that my liver tests were fine, and prescribed a medication without having to order another test.)
Usually when you can access that much data, your training tells you that doing so without a legit business need is verboten and a violation of HIPAA. Again, YMMV based on the facility’s understanding of HIPAA and how they choose to implement it.
The larger groups and hospitals can’t restrict people on a case by case basis so they rely on tracking to keep people from inappropriately accessing records they are not allowed to see. I can technically view any chart from any patient seen at a hospital where I have privileges but I am only supposed to look at those where I have a legitimate need to see the data.
Just for fun I looked up my own EMR (Athena) and they are up to 3% of the market and they are getting into hospitals now too, so hopefully they are around for awhile. I find it interesting that one article noted that they had half of the doctors who successfully certified for meaningful use stage 2. I must say that they have been absolute rock stars in regards to MU and PQRS. I basically chose them because they worked mainly with very small practices and because the billing was integrated.
It’s the practice that you’re granting access to. Typically, since they’re hospital-based, that means the entire hospital.
But if Dr. Quacko MD as a sole practitioner wanted access, you’d have to specifically grant him access. He’s not part of the hospital you already granted access to as part of the new patient registration.
Not the way I understand it.
I can and do get access to all of my patient records from anywhere that is part of the EpicEverywhere system, no special permissions from patients needed.
I have a friend who does software development at Epic, and gave me a tour of their offices last year. It’s a pretty impressive place. They’re expanding at an astonishing rate, and he seems pretty confident they’re going to conquer the world (or at least the EMR market).
Paging Irishgirl for how it works in the U.K. It’s years since I worked for the NHS, but they were rolling out national access to records back then.
HIPAA restrictions shouldn’t apply if the information you are looking for is related to care of a mutual patient.
Most clinics or hospitals have policies in place to have a release form be filled out, but it isn’t required.
My HMO has policies in place to have a release form be filled out, and I did all that, and they STILL wouldn’t release my information to the party I needed it released to.
ETA: My HMO is so uptight with HIPAA rules (which is mostly a good thing, I think) that when I go there for a scheduled appointment, they won’t even tell me if I’m a patient there! :dubious:
Computerisation in the NHS lurches from one expensive failure to another.
"The Fujitsu Connecting for Health contract was part of the £12bn NHS national programme for IT, large parts of which have had to be abandoned at a cost estimated by the National Audit Office to be £2.7bn." (Government 'loses £700m NHS IT legal battle with Fujitsu' - BBC News)
"A report by the influential Public Accounts Committee (PAC) concluded an attempt to upgrade NHS computer systems in England ended up becoming one of the “worst and most expensive contracting fiascos” in public sector history." (NHS IT system one of 'worst fiascos ever', say MPs - BBC News)
There are sporadic moves forward - My GP surgery now deals with all requests for and repeat prescriptions online and transmits them straight to the pharmacy of my choice.
You might have thought that hospital doctors would be doing their rounds with a tablet in hand. Not so at the one my wife was in - they still use paper.
This. It is such a struggle to get many hospitals and physician offices to understand that HIPAA does NOT require me to get my patient’s consent in order for me to get their records on my patient.
That’s just a framework for information sharing using Epic, but it doesn’t necessarily mean that two hospitals/doctors/whatever running Epic automatically share all their information. It just means that if they do, it’s much, much easier to do so.
They just signed Mayo Clinic.
Yeah, I wish we would have been able to get EPIC to consider our system. So many of our affiliated systems and consultants use it. But we were too small for them, having only 23,000 active current patients strung out through 40+ different sites. They wouldn’t give us the time of day.
Exactly so. I’ve found that it’s pretty easy to get records released to a doctor outside the hospital-based doctors. My pain management team is not associated with the hospital; however, I just sign a form to have records released from my orthopedic surgeon. It was no problem at all, they had the records the next day.
YMMV with the requesting and requestee physician offices, though.
There was a PostSecret a while ago from someone who worked in a hospital. It said that when he was bored, he would look up records of friends and local celebrities. That’s the downside of trusting that users only view information they are supposed to be viewing. How would they police that kind of inappropriate use? Are there any validation processes that look at logs or whatnot to find suspicious activity?
Oh, it’s not hard to do usually, and AFAIK, they can’t deny you that information, seeing as how it’s technically YOUR data, not theirs.
It’s just something you have to personally shepherd and make happen, not something automated and centrally stored.
As for policing the internal users; that’s hard to do unless you have access logs on certain tables or records, which tend to be something that uses a lot of space and a lot of time. I’d bet a lot of IT and legal departments specifically choose not to do those, under the theory that unless they’re legally required to do something like that, they’re less liable in a case where they just didn’t collect some non-required data, versus collecting it and showing conclusively that someone did violate the law.
Put another way, they can say “We collected all the data required by law, and it doesn’t give us any way to tell if person X did action Y at all” as opposed to “Yes, we have those logs and Person X did action Y on date Z.” Which one is more likely to get the hospital/doctor/whatever nailed to the wall for a judgement?
There are logs kept of who has accessed the files of everyone. Normally nobody pays attention to them, but in the case of celebrities and other notable people, sometimes they look back and see who looked into their files. If they find anybody snooping who shouldn’t have, there can be consequences.
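The retrospective review described in the last few posts (audit trail of who opened which chart, nobody reads it until a celebrity or a complaint comes along, and the question earlier in the thread of whether anything automated looks for snooping) can be made routine rather than ad hoc. The script below is an added example written for this thread, not code from any poster, from Epic, Athena or any other EMR vendor. The log format, the field names, the "legitimate relationship" table, the watchlist and the employee-to-patient mapping are all constructed for illustration; a real system would feed these from the EMR's own audit log and from encounters, orders or care-team assignments. It flags four of the patterns mentioned above: a chart opened with no documented relationship to the patient, a watchlisted (high-profile) patient opened without one, a staff member opening their own chart, and one user paging through many unexplained charts in a short window.

```python
"""Retrospective review of EMR chart-access audit logs.

Added example for this discussion; not from any poster or EMR vendor.
All data, field names and thresholds below are constructed assumptions.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit log: one row per chart open (assumed format).
SAMPLE_LOG = """\
timestamp,user_id,role,patient_id,action
2015-03-02T08:10:00,u100,physician,p001,view_chart
2015-03-02T08:12:00,u100,physician,p002,view_chart
2015-03-02T09:00:00,u200,nurse,p001,view_chart
2015-03-02T12:30:00,u300,registration,p900,view_chart
2015-03-02T12:31:00,u300,registration,p901,view_chart
2015-03-02T12:32:00,u300,registration,p902,view_chart
2015-03-02T12:33:00,u300,registration,p903,view_chart
2015-03-02T12:34:00,u300,registration,p904,view_chart
2015-03-02T12:35:00,u300,registration,p905,view_chart
2015-03-02T14:00:00,u100,physician,p777,view_chart
2015-03-02T15:00:00,u200,nurse,p888,view_chart
"""

# Constructed "legitimate relationship" table: (user, patient) pairs that an
# encounter, order or care-team assignment would justify.
RELATIONSHIPS = {("u100", "p001"), ("u100", "p002"), ("u200", "p001")}

# Constructed watchlist of high-profile patients (the "celebrity" case).
WATCHLIST = {"p777"}

# Constructed map from an employee's user_id to that employee's own patient_id.
EMPLOYEE_PATIENT = {"u200": "p888"}


def parse_log(text):
    """Parse the CSV audit log into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def audit_accesses(rows, relationships, watchlist, employee_patient,
                   burst_window=timedelta(minutes=10), burst_threshold=5):
    """Return a list of (user_id, patient_id, reason) findings.

    Reasons: self_access, watchlist_no_relationship, no_relationship,
    browsing_burst (patient_id is '*' for the burst finding).
    """
    findings = []
    unexplained = defaultdict(list)  # user -> timestamps of unexplained views
    for row in rows:
        user, patient = row["user_id"], row["patient_id"]
        # Staff opening their own chart is flagged even if a relationship exists.
        if employee_patient.get(user) == patient:
            findings.append((user, patient, "self_access"))
            continue
        if (user, patient) in relationships:
            continue  # documented treatment relationship: nothing to report
        if patient in watchlist:
            findings.append((user, patient, "watchlist_no_relationship"))
        else:
            findings.append((user, patient, "no_relationship"))
        unexplained[user].append(row["timestamp"])

    # Browsing: at least burst_threshold unexplained views inside burst_window.
    for user, stamps in unexplained.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= burst_window:
                j += 1
            if j - i + 1 >= burst_threshold:
                findings.append((user, "*", "browsing_burst"))
                break
    return findings


if __name__ == "__main__":
    for finding in audit_accesses(parse_log(SAMPLE_LOG), RELATIONSHIPS,
                                  WATCHLIST, EMPLOYEE_PATIENT):
        print(finding)
```

Two design points worth noting. The relationship check is deliberately a set lookup rather than a rule like "same department", because the thread's own examples (a podiatrist reading last month's liver panel, an outside pain clinic) show that legitimate access crosses departments; what makes it legitimate is a documented encounter or order, which is exactly what the table stands in for. And the burst rule counts only unexplained views, so a clinician working a full clinic list does not trip it, while the bored employee scrolling through friends and local celebrities does.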
On a related note, a few years ago my father had surgery at Cedars-Sinai hospital in Los Angeles, so he was there for a few days. That is a hospital known for treating celebrities all the time. It had posters all over the place, including in the elevators, indicating that anyone caught compromising any patient’s privacy would be dealt with severely.
In addition to being a physician in a large hospital system (using EPIC of course) I am a patient. Early on in my treatment, I signed a HIPAA form releasing my records to myself. I don’t know if it would actually protect me from getting in trouble if I were to ever be caught looking at results in my own chart, but fuck 'em.