Q&A: Upholding HIPAA Compliance and Streamlining Patient Access to Medical Data in Today’s Digital, Consumer-Driven Environment

Cristin Gardner is Director of Consumer Products & Markets for Mammosphere, by Life Image. She will present the webinar “Upholding HIPAA Compliance and Streamlining Patient Access to Medical Data in Today’s Digital, Consumer-Driven Environment” on December 3, 2019 and you can register here.  Cristin answers many commonly asked questions on our blog, focused especially on Breast Cancer Awareness and in anticipation of this webinar.

What are the requirements and implications of HIPAA in the context of patient access to personal health data?

HIPAA is an extensive regulation, with a lot to unpack. In particular, the HIPAA Privacy Rule specifically focuses on the sharing of information and establishing a national standard to protect an individual’s medical records, personal health information, and rights to access that information. According to subsection 45 CFR 164.524(c)(2)(i) within the Privacy Rule, if a patient requests a copy of their medical record (e.g. medical notes, lab results, imaging), the provider has an obligation to provide that information in the form and the format the patient requests, including electronic format.

In addition to form and format requirements, HIPAA recently expanded their guidance around sharing data electronically to include clarification surrounding the transmitting of electronic protected health information (ePHI) via third-party apps. The guideline prohibits the refusal to disclose ePHI to a third-party app designated by the patient if the ePHI is producible in the form and format requested; even if the covered entity has concerns around the security of the app. HIPAA cites the measures a provider must take to make sure a patient receives their data in a timely manner and without undue burden. For instance, HIPAA specifies that providers cannot ask patients to physically drive to their facility to sign a form if the patient requested to receive their record via U.S. mail. They also cannot require a request for access to be written and mailed in (this is an outdated institutional practice we see very frequently). Likewise, providers cannot deliver medical records on a CD if the patient specifically asks the provider to share it via a health app on their mobile phone or via a portal.

The guidance was expanded to recognize technology capabilities available to streamline access to clinical data. Patients want their medical information in a format they can actually see, use, and store – and HIPAA protects that right. In fact, if a facility maintains their records electronically (nearly 100% of facilities today do) and the data can be transported and stored electronically, then that facility is specifically obligated under the HIPAA Privacy Rule to provide the information to the patient in that format.

Why is receiving data in CD form problematic?

Many facilities have outdated policies stating that patient data must be shared via CD. These facilities believe that cutting a CD is compliant with a request for an electronic format, but most patients today no longer have a disk drive; even if they do, many don’t have the software to enable them to read the images on the CD. CDs are not secure, are easily damaged, lost, and actually unreadable 20% of the time. If the patient is transporting that media from one facility to the next, they have likely had to drive to pick it up or had it mailed. These methods require significant effort on the patient’s part; it could take a week or more for the patient to get that information, which can cause a delay in care – translating to an undue burden. Further, once a patient arrives at their appointment, there is still a chance the CD is incompatible due to proprietary facility technology or other technology barriers that make the record unreadable. In these instances, the patient has gone through the process of requesting their records; couriered their medical information, arrived at the appointment prepared, but still encountered barriers to timely care. This leads to additional, unnecessary testing or additional burden on the patient to retrieve the records again and reschedule appointments.

Nearly 80% of provider offices are still sharing patient records and diagnostic images using a CD, though nearly 100% of facilities maintain records electronically. CDs are an outdated technology that are not easily shared. They create significant barriers to timely, accurate care and put the onus on the patient to courier their medical records. When health is on the line and the clock is ticking, patients should not have to wait to retrieve their records on physical media that could be unreadable. It is a frustrating problem that healthcare is capable of alleviating with digital storage and sharing of health information.  HIPAA and OCR support and require this shift.

How are these challenges exacerbated in the case of breast screening?

In the case of breast cancer screening, the corresponding frustration and stress are multiplied. There is arguably no larger population of regularly screened people that is as dependent on imaging as breast health screening patients in the United States. A critical component of accurate screening is comparing current mammograms to prior mammograms to determine what is normal for each individual. 60 million women in the United States get regular mammograms, and as the patient moves from one provider or imaging center to another (likely over the course of 20-30 years), it is imperative that the new provider has the patient’s complete imaging history, so they can make the best clinical decisions possible.

Of those 60 million women, one in four are screened for breast cancer without their prior mammograms. This is due to a lack of awareness of the importance of prior mammograms for comparison and extreme difficulty patient and providers face in transmitting these records due to lack of interoperability in healthcare. This results in a 260% increased chance of being called back for additional testing.  95% of the time those additional tests yield a result of no cancer- called a false positive.

Why are prior exams so important in mammography screenings?

The importance of priors is not often discussed in medical appointments. Mammography is unique, not only in the fact that there are 60 million women regularly receiving imaging, but also because of its dependence on access to prior imaging. Every woman’s breast tissue is unique, and there is no textbook picture of what a “healthy” breast looks like. It is important for each woman to have a baseline mammogram and her history of mammograms that her radiologist can look at for comparison in order to accurately detect any changes over time.

For example, it is very common for a woman to have a nodule or a “spot” on an exam – if a radiologist is looking at that mammogram with no context into that woman’s breast history and unique breast tissue over time, they have no choice but to flag it as something suspicious, leading to more diagnostic imaging or a biopsy. That spot may have been there, unchanged, for the last 15 years. If the radiologist had access to prior images, the patient would have avoided being retested, going through a painful and expensive biopsy, and experiencing great stress for her and her family believing she may have cancer – when she never did.

Access to priors can be lifesaving. When women are readily able to share their breast health history with their care team, there is a 40-60% reduction in false positives. 30% of cancers are caught earlier when it’s in more easily treated stages. This alleviates stress on patients and allows providers to make a more accurate diagnosis.

One in eight women will receive a breast cancer diagnosis in her lifetime – that is one in eight women who will be seeking treatment and likely second opinions. When patients are faced with this type of health event, they need to make sure each doctor has all of the information that they need to make the best treatment decisions possible. Seeing multiple specialists requires the gathering of a significant amount of records. Having to wrangle and organize CD’s, written notes, folders full of papers and films is unacceptable in 2019; especially for cancer patients.  The industry can do better, and consumers deserve better.  There are innovative, easy-to-implement solutions to end this problem available on the market today.

Cristin Gardner is Director of Consumer Products & Markets for Mammosphere, by Life ImageAbout the Author

Cristin Gardner is Director of Consumer Products & Markets for Mammosphere, by Life Image. Cristin has more than ten years of experience leading population health services within the health plan, employer, and provider sectors.

Be sure to register for this webinar, “Upholding HIPAA Compliance and Streamlining Patient Access to Medical Data in Today’s Digital, Consumer-Driven Environment” happening on December 3, 2019. Cristin also joined host, Catherine Short on the podcast, 1st Talk Compliance, which can now be found here or subscribe to our podcasts here. Take a look at our brand-new book: HIPAA Privacy and Security, and our online compliance training courses such as Physician Distribution of Durable Medical Equipment, Compliance: Basics of Billing Coding and Auditing, and MACRA – Medicare Access & Chip Reauthorization Act of 2015.