Hi All,
The following link is to a FindLaw reference regarding what HIPAA means to Patients:
Enjoy!
-Thomas Clark
BTW: Refer to the bit of Marketing
Thomas Clark wrote:
Hi All,
The following link is to a FindLaw reference regarding what HIPAA means
to Patients:
http://articles.corporate.findlaw.com/articles/file/00081/002452/title/Subject/topic/Health%20Law_HIPAA/filename/healthlaw_1_335
<soap box>
This article contains an egregious error.
Under the section headed "Patient Rights Obligations" the author states that
"HHS had initially proposed allowing routine disclosures without advance
patient consent for treatment, payment and administrative operations, but
the final rule requires informed patient consent for even these routine
disclosures."
This is not true. The final Privacy Rule *PERMITS* covered entities
(providers, payers, clearinghouses) to obtain consent for use and
disclosure of protected information in treatment, payment, and operations
(there is some restriction in psychotherapy notes). It does NOT require
consent for these uses. At best the author did not read the Preamble where
this modification was clearly articulated to provide an option for those
providers who were fearful of missteps and preferred to err on the side of
caution. Unfortunately I find it hard to give the author the benefit of the
doubt and have written to the editors of FindLaw.com complaining about this
article. HIPAA, like Y2K, has been the focus of far too many bottom feeding
lawyers creating self-serving FUD among the US healthcare community.
The US healthcare system has a bad enough rep without "help" like this.
</soap box>
Best regards,
Bill
Hi Bill,
Thanks for the post. I did intend to use HIPAA as an example of a legislative act that is poorly written without the assistance of a uniform model code. It was enacted to keep the payers happy and not the Patients.
Poor results occur when things are not grounded on solid fundamentals. There is a Uniform Commercial Code that has evolved over many years and has been modified and improved over these years. It has been adopted in whole by many states and modified by others. The 51+ jurisdictions are sufficiently different to cause one to look for an attorney to resolve specific problems.
Patients do not have the same rights as Patients in the UK or other EU countries within the US. The HIPAA Privacy Rule should have 'required' consent initially and finally. It doesn't! It is a problem that has to be fixed or a work-around developed and enacted as a modification or a new law.
BTW: Findlaw is used as a reference, however bad, for the current state of the interpreted law within the US.
Your response is right on and should illustrate the need for a Uniform Model Code for EHRs especially since this scenario will be repeated in many countries across the globe.
If the US can have national and international model codes for Commerce it should have the same for Healthcare and EHRs. In essence the governments need a guiding light lest they visit another one like HIPAA
Tom,
Are your remarks here concerned only about *privacy* laws with respect to EHR... i.e., patient and provider rights with respect to access and disclosure? I can't think of any other general aspect of law that would apply to EHR... at least not one that would benefit from the "uniform model code" that you describe.
In the US, the conflict and overlap between state laws and HIPAA is actually part of the motivation for writing the HIPAA Privacy Rule. It is expected the state laws will eventually become aligned with and "modeled" after HIPAA in the privacy area, although there is no mechanism to ensure that. Incidentally, there are also areas of state-federal conflict like "prompt pay" laws, with respect to the HIPAA Transaction Rule... with no help in sight.
Personally, I don't think legislatures should be making ANY rules that are specifically about electronic records and information sharing... at least, not until we have some sort of information authority or technical review board to pass these proposals by. Well-meaning politicians have written the Transaction Rule with the intent of helping patients and providers. But the ill-conceived rule ends up increasing everyone's cost and helping no one.
-Chris
Hi Thomas,
Thomas Clark wrote:
/snip/
It was enacted to keep the payers happy and not the Patients.
I've studied both the HIPAA regs and the Preambles and come away with a
completely different impression. It's probably OT for the list but I'd be
interested in going offline to get your perspective on this. I've included
my email address below.
/snip/
BTW: Findlaw is used as a reference, however bad, for the current state
of the interpreted law within the US.
I know. That's why I felt compelled to write the editors about the article.
Your response is right on and should illustrate the need for a Uniform
Model Code for EHRs especially since this scenario will be repeated in
many countries across the globe.
If the US can have national and international model codes for Commerce
it should have the same for Healthcare and EHRs. In essence the
governments need a guiding light lest they visit another one like HIPAA
on the populace!
With respect to the US, I don't disagree about the need for uniform
treatment and definitions. HIPAA is, IMO, a good start on that. Not
perfect by any means, but at least it raises the debate to the national
level. HHS has charged HL7 and HIMSS with taking the next step; identifying
those things (functions and data) that are essential vs. desirable
components of an EHR system. I think, though, that we should expect these
things to evolve over time. The debate has just started.
With respect to the international scene, I respectfully disagree about the
desirability of a uniform set of rules. The norms and mores of a medical
community must be in synch with those of the larger culture within which
that community exists. I value diversity as a generator of alternative,
competing solutions.
Best regards,
Bill
bill.walton@jstats.com
Hi Chris,
Privacy is a major 'topic'. Others include 'security' onsite, in transmission, retention, archiving, copies, modifications and signatures.
Some jurisdictions have well-developed laws (and model code as well) covering electronic records in eCommerce (includes the US and Clinton's eSign bill). It is easy to see the parallel between the EHRs and the ERs in eCommerce, e.g., an ER is an ER is an ER regardless.
Spring 2003 HIPAA summary:
http://www.dicksteinshapiro.com/seeninprint/publications/pdf/HLBSpring03.pdf
Reviewing the 'Security Rule' is interesting. Swiss Cheese! 'de-identified' information as an exclusion should be a joke. Compare with the model code for eCommerce.
Use of words like 'may' in legislation translates into a 'wish' that the tooth fairy is coming tonight.
Electronic eCommerce has moved ahead in many areas with contracting being a significant area:
Electronic eCommerce already covers a major part of the globe. EHR systems need to get the 'regional' environment working before the national and global. But coming up with something unique to OpenEHR will likely doom the project.
SUGGESTION:
What is good for electronic eCommerce can be modified to suit EHRs.
Having said that I am back to the model codes. HIPAA just doesn't hack it. What does? A model code is needed for the world.
ONE REASON:
HIPAA places emphasis on the responsibility of Providers for security. That doesn't compute in a single-Provider office. Why? The Patient-single-Provider environment has more security leaks than one can easily describe. Add a Payer and it becomes impossible. Put it in front of a court and you are asking for major complications.
COMMENT:
No more HIPAA-type legislative acts. Do the global model code somebody; do it once.
If a set of global Healthcare applications are to be built to service EHRs it cannot be dependent upon daily legislative changes and court rulings (at all levels). This will not work without the ability to excise one or more areas, e.g., regions, to avoid complications, e.g., jurisdictional-oriented changes.
Globally Patients, Providers and Payers may buy into this in a big way. It is their governments, judicial systems and administration of justice organizations that are complications here. They need to buy into a model code for global EHRs.
COMMENT:
Retrieve some laws still on the books in various states in the US. They constitute a legal joke.
Some codes give mules the right-of-way requiring motor vehicles to stop at the side of the road. Others require a chain to be drawn across the road at sundown and on weekends. Others prohibit many things that are taken for granted by the current populace.
Why haven't they been removed? Because things change constantly and one never knows when it might be a good idea to run mules down main street.
A model code-based legislative act needs to supersede and eliminate all conflicting laws. Change must be necessary and properly integrated.
-Thomas Clark
Christopher Feahr wrote:
Tom,
Are your remarks here concerned only about *privacy* laws with respect to EHR... i.e., patient and provider rights with respect to access and disclosure? I can't think of any other general aspect of law that would apply to EHR... at least not one that would benefit from the "uniform model code" that you describe.
There are more, mainly to do with the medico-legal area. The original GEHR project developed a lot of them; I don't have them to hand right now, but the basic requirement of an EHR which one could imagine being required by law is:
* the full informational state of the EHR at any past moment in time must be reconstructable such that it is clear what information was available to the clinician when he/she made the decision in question or took a certain course of action.
In short, the EHR should act as the digital proof for all claims or doubts about what happened to patients and what clinicians did - and it works both ways - clinicians can protect themselves by using the EHR to prove that their decisions were reasonable given the evidence available at the time; patients (or their families) can also ask for the EHR to be "exhumed" to find out if this really was the case, if malpractice is suspected.
Now...since all this kind of investigation would lead to courts, the quality of proof would presumably have to be of interest to the legislature...
In the US, the conflict and overlap between state laws and HIPAA is actually part of the motivation for writing the HIPAA Privacy Rule. It is expected the state laws will eventually become aligned with and "modeled" after HIPAA in the privacy area, although there is no mechanism to ensure that. Incidentally, there are also areas of state-federal conflict like "prompt pay" laws, with respect to the HIPAA Transaction Rule... with no help in sight.
Personally, I don't think legislatures should be making ANY rules that are specifically about electronic records and information sharing... at least, not until we have some sort of information authority or technical review board to pass these proposals by. Well-meaning politicians have written the Transaction Rule with the intent of helping patients and providers. But the ill-conceived rule ends up increasing everyone's cost and helping no one.
yes, I agree with this comment - it is easy to imagine farcical laws being enacted - they need to be formulated with the informed advice of relevant IT & clinical information management professionals...
- thomas beale
Thomas,
I think I'm beginning to see the core of provider push-back regarding the type of EHR-based "accountability" system you are describing. Arguably, their existing paper records are serving this exact function now. In fact, it is generally accepted that, with regard to record entries that would have supported or justified a doctor's actions, "if it ain't written down, it didn't happen". And, of course, it is also frequently pointed out by plaintiffs, that "not being written down does not mean that it *didn't* happen".
I think doctors generally regard their medical records as their "friends"... their best defense, should their decisions be challenged. The only other defense would be to get a bunch of people to testify that the doctor is a "good guy", has a long history of being careful and thorough, etc. But doctors are also keenly aware that the HR is also the principal basis for the plaintiff's case... hence, their preference for keeping the things locked safely in their offices.
With today's often undecipherable paper records, it is difficult and expensive for a plaintiff to build a solid case, and it's even more difficult to comb through a thick, longitudinal record and discover patterns of negligence, incompetence, depraved indifference, etc.... but what if that were trivially easy to do. What if a standard EHR could be fed into Smoking Gun Pro, and out pops a perfectly articulated complaint. Just staple on the blue paper cover and hand it to the judge! What if the attorney who wrote the Smoking Gun Pro software erects billboards, inviting patients to email copies of their EHR to him for a free scanning to see if there is anything juicy and "actionable" contained in them? Heck, he could put a copy of Smoking Gun Pro on the web and invite patients to scan their own EHRs.
As we get closer to real implementation of the EHR concept, we may have to conceive of a completely different trust-model between healthcare providers and the communities they serve. In general, I think the EHR system will have to be held up as such a reliable and provable basis for trust that we can simply agree to REMOVE malpractice litigation from the table, as a way of establishing a basis for distrust. It may come down to doctors choosing a voluntary, public, but fully automatic "competence" and/or "trust" rating, derived from the EHR... perhaps, with a standard mentoring or mandatory educational protocol kicking in, should a provider's rating drop below some agreed-upon level.
Either way, this will be a *very* emotional discussion with providers... and possibly with patients.
Regards,
-Chris
Chris -
Your comments are interesting, and largely accurate in my experience. Two
things come to mind that could help address some of the issues you describe.
First, we could encourage or require patient representation at all levels of
design, implementation, purchase, training, etc. for EHR system. They seem
to be routinely left out of the conversations in these forums, and I suspect
their presence would shift the tone of the discussions considerably.
Second, we could look to the airline industry model for litigation
management. Black boxes would never have gotten off the ground without some
grace being offered in return for having actual facts captured about how an
aircraft was operated.
Of course, you could also shoot the doctor 99% of the time when a patient
died, (about the ratio that pilots experience relative to their passengers),
but that, in the end, might leave us with very few doctors since medicine
doesn't seem to be nearly as certain as flying...
Best Regards,
Ken Thompson
Manager, WebCIS Development/System Architecture
Information Services Division
University of North Carolina Health Care System
200 North Greensboro Street
Carr Mill Mall, 2nd Floor
Carrboro, NC 27510
(919) 966-9195 Voice
(919) 966-2110 Fax
<mailto:gthompso@unch.unc.edu>
The opinion(s) of the sender of this document do not necessarily represent
the opinion(s) of UNC Health Care or its management
Interesting comments but I suspect the antagonists would outnumber the
protagonists by a considerable ratio.
I fear that in this whole debate the issue of the EHR is still in the hands
of the legislators (irrespective of their country of origin) and it will
require a brave piece of legislation to break this 'glass ceiling'. Are
there any legislators out there that have the courage of their convictions
to push this through.
There is considerable and continuing debate here in Australia about the EHR
and the principles surrounding it and there has been an enormous amount of
work done in the design, specification etc however the one thing that is
still lacking and that is an agreed identifier - that is what will make or
break the process and that can only be achieved through the legislative
process. I strongly suspect (if results of surveys are anything to go on)
that the majority of the population see little threat in the EHR however it
is, as always, the vocal minority that has centre stage.
Denis Nosworthy
Director of Information Services
Hi All,
Some quick comments on Patient involvement in EHR design, development,
deployment and usage.
1) At first glance it appears necessary and may lead some to mandate participation.
2) A personal observation is that Patient objectives and goals are sufficiently diverse from those of the Providers that a merging would be difficult if not impossible
3) Patients are generally oriented toward successful outcomes; the means and procedures to arrive at a successful outcome are less important, and in some cases to be suppressed.
4) Patients are members of families and groups that have a keen interest in Healthcare and tend to respond to Providers as group participants and/or individual Patients, making it difficult to determine whether the Patient or the group is responding to a topic.
5) How Patients deal with Providers is normal in my opinion since they have a history and a pre-disposition; much like Providers.
Some involvement with Patients during design, development and especially
deployment is necessary
as is great PR. In the great balancing act that continually occurs in
society there is only one set of
tablets that appears to have stood the test of time and they were hand
carried down the mountain.
Whatever gets deployed must be acceptable. The Patients have to buy into
this at some point.
Regards!
-Thomas Clark