Implementing Patient access to Electronic Health Records under HIPAA: Lessons learned

From Clinfowiki

Review: Implementing Patient Access to Electronic Health Records under HIPAA: Lessons Learned

Wang T, Pizziferri L, Volk LA, Mikels DA, Grant KG, Wald JS, Bates DW. Implementing Patient Access to Electronic Health Records Under HIPAA: Lessons Learned. Perspect Health Inf Manag. 2004 Dec 15;1:11

Let's first look at the paper's content.

The authors open with a brief background on the importance of patient access to medical records, presenting it as one of the proposed approaches to closing the quality chasm in healthcare. They then state the constraints imposed by the Health Insurance Portability and Accountability Act (HIPAA) and point out that nationally significant calls for giving patients more control over their health records motivated the researchers to work hard at overcoming those constraints. They selected Patient Gateway, the web-based portal of Partners HealthCare System, as an example of a successful implementation of patient access to the EHR and strove to identify the key attributes of handling patient information security well. Going deeper into the system, they described what portion of the data is available to the patient and listed the functions the system offers patients, such as:

• Electronic Messaging

• Appointments and referrals

• Health Library

The system server is isolated and runs behind a firewall, which provides the first line of defense against unwanted intrusion. Health information management (HIM) staff played an important role in assessing the security policies and procedures for communication and information retrieval.

Policies and technical procedures are divided into more than one level according to the different actors involved; they fall into three main categories:

1. Authenticating & authorizing patient use. The patient uses a username and password to gain access to his or her medical record. To enroll in the system, the patient must supply identifying information (demographics, physician, and so on), which the system compares against the data held in the EHR.

2. Authenticating & authorizing staff use. Patient Gateway informs the patient about who may view his or her messages. All Partners employees must provide a username and password to gain access to information on the system, and in addition a separate authorization process is required to gain access to Patient Gateway.

3. Messaging. The Gateway provided technical security procedures that make system messaging more secure than e-mail, and it supported only encrypted browsing.


The authors then go through the categories above to show how the design of the system complied with HIPAA requirements and in places went further than they demand.

1. Authenticating & authorizing patient use. The research staff were able to address patients' concerns in most cases; they also changed the password recovery policy, adopting a secret challenge question, to make the system more usable.

2. Authenticating & authorizing staff use. Patients had some concern about other physicians seeing their messages, but once they became aware that those physicians participated in responding to the messages, they were satisfied.

3. Messaging. Messaging allows inquiries about the contents of the medical record, and there is currently no mechanism to electronically limit inappropriate use of the messaging service.
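The three policy categories summarized above (the design in the first list and the password-recovery change in the second) can be turned into a small working model, which makes the separation between the patient, staff and messaging rules concrete. The Python below is an example added for this review; it is not Patient Gateway's code, and every record, account name and rule in it is constructed. It follows what the paper describes: enrollment is accepted only when the supplied demographics match the EHR record, a patient can read only the record tied to the enrolled medical record number, staff need both the general Partners login and a separate Patient Gateway grant, password recovery goes through a secret question, and the portal can tell a patient who may view his or her messages. Scoping a staff member's access to the patients of the primary care physicians (PCPs) he or she covers is an assumption of this example, not something the paper specifies.

```python
"""Toy model of the paper's three policy categories: patient use, staff use,
messaging. Added for this review; not Patient Gateway's code. Every record,
name and rule here is a constructed illustration."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import os

# Constructed stand-in for the EHR demographics that enrollment is checked against.
EHR_DEMOGRAPHICS = {
    "MRN-1001": {"last_name": "Doe", "dob": "1970-01-01", "pcp": "Dr. Smith"},
    "MRN-1002": {"last_name": "Roe", "dob": "1985-05-05", "pcp": "Dr. Jones"},
}

def _hash_secret(secret: str, salt: Optional[bytes] = None):
    """Salted PBKDF2 so neither passwords nor challenge answers are stored in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    mrn: Optional[str] = None                  # set only for patient accounts
    grants: set = field(default_factory=set)   # staff: {"partners_login", "patient_gateway"}
    covers: set = field(default_factory=set)   # staff: PCPs whose patients they may view (assumption)
    challenge: Optional[tuple] = None          # (question, salt, answer_hash) for recovery

class Portal:
    def __init__(self):
        self.accounts = {}

    # 1. Authenticating & authorizing patient use
    def enroll_patient(self, username, password, mrn, last_name, dob, pcp) -> bool:
        """Enrollment succeeds only when the supplied demographics match the EHR."""
        rec = EHR_DEMOGRAPHICS.get(mrn)
        if rec is None or (rec["last_name"], rec["dob"], rec["pcp"]) != (last_name, dob, pcp):
            return False
        salt, pw_hash = _hash_secret(password)
        self.accounts[username] = Account(username, salt, pw_hash, mrn=mrn)
        return True

    def authenticate(self, username, password) -> Optional[Account]:
        acct = self.accounts.get(username)
        if acct is None:
            return None
        _, candidate = _hash_secret(password, acct.salt)
        return acct if hmac.compare_digest(candidate, acct.pw_hash) else None

    def set_challenge(self, username, question, answer) -> None:
        salt, ans_hash = _hash_secret(answer.strip().lower())
        self.accounts[username].challenge = (question, salt, ans_hash)

    def recover_password(self, username, answer, new_password) -> bool:
        """Password recovery through the account's secret question."""
        acct = self.accounts.get(username)
        if acct is None or acct.challenge is None:
            return False
        _, salt, ans_hash = acct.challenge
        _, candidate = _hash_secret(answer.strip().lower(), salt)
        if not hmac.compare_digest(candidate, ans_hash):
            return False
        acct.salt, acct.pw_hash = _hash_secret(new_password)
        return True

    # 2. Authenticating & authorizing staff use
    def add_staff(self, username, password, grants, covers) -> None:
        salt, pw_hash = _hash_secret(password)
        self.accounts[username] = Account(username, salt, pw_hash,
                                          grants=set(grants), covers=set(covers))

    def view_record(self, username, password, mrn) -> Optional[dict]:
        """Patients see only their own record. Staff need the general Partners login
        plus the separate Patient Gateway grant, and only for PCPs they cover."""
        acct = self.authenticate(username, password)
        rec = EHR_DEMOGRAPHICS.get(mrn)
        if acct is None or rec is None:
            return None
        if acct.mrn is not None:
            return rec if acct.mrn == mrn else None
        staff_ok = {"partners_login", "patient_gateway"} <= acct.grants
        return rec if staff_ok and rec["pcp"] in acct.covers else None

    # 3. Messaging
    def message_viewers(self, mrn) -> list:
        """Who may read a patient's messages: the list the portal shows the patient."""
        rec = EHR_DEMOGRAPHICS.get(mrn)
        if rec is None:
            return []
        return sorted(a.username for a in self.accounts.values()
                      if a.mrn is None
                      and {"partners_login", "patient_gateway"} <= a.grants
                      and rec["pcp"] in a.covers)
```

Encrypted browsing is left out because it belongs to the transport layer (TLS on the web server), not to the authorization policy modeled here. The challenge answer is hashed the same way as the password because a recovery secret is a second credential to the account. Note what the model does not do: message_viewers controls who may read messages, not what a patient may ask in them, which matches the paper's observation that there was no electronic mechanism to limit inappropriate use of messaging.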


The call in the Institute of Medicine (IOM) quality chasm report for using IT to increase patient involvement in the healthcare process, together with the mandate that patients be able to access their medical records, was Partners' main motivation for launching Patient Gateway with a comprehensive understanding and implementation of the HIPAA rules. The researchers not only did excellent work but also have an ambitious plan for the future:

1. Authenticating & authorizing patient use. The system will extend authorization to other caregivers, such as family members and friends.

2. Authenticating & authorizing staff use. Patients will be accurately informed about which other physicians have access to their records, and more patient awareness and education should be considered.

3. Messaging. The concern now is standardizing the messaging system and developing policies that maintain a higher level of security than traditional e-mail systems.

Finally, the authors presented the researchers' vision of how information should be shown to patients in a format and context they can understand. The researchers are also concerned that adding more security constraints will hinder patients' access to the system and make them reluctant to use it.


I agree that constraints such as those mandated by HIPAA to maintain patient privacy limit designers' freedom of creativity, but at the same time such constraints are essential: without them, the harm to patients from the technology would surpass its benefits. So a collaborative effort must be made to share experience about success stories, enabling designers to see others' creative approaches to striking the required compromise. That is exactly what the authors aimed for and achieved in this paper, where they brilliantly managed to extract lessons not only from the implementation of Patient Gateway and the thinking behind its security policies and procedures, but also from the researchers' vision for the future. The authors mentioned the role of HIM, and as I firmly believe in the role of particular people in the success of system implementations, I wish they had placed more emphasis on HIM's role in making the system more secure and more compliant with HIPAA requirements.

Reviewed by Mohamed Abd-Elmoneam, Clinical Information Systems, BMI-512, Winter 2008