Kibbe/Markle: Exploration of Consumer Access to Networked Health Information

Dr. David Kibbe provides great insight on the meeting by the Markle Foundation and what it might mean for Health 2.0, consumer-driven health care and how health data is managed by traditional health care providers and payors. Well worth the read for anyone interested in where health information might be headed.

I look forward to reading the public policy document cited in his post, "Consumer Access Practices for Networked Health Information." Dr. Kibbe hits on a point that I continue to explore from a legal perspective. He makes the statement:

"Markle has lifted the discussion onto another level, and this time it's about health data, its ownership and rules of access, and its uses in our nation to promote health and wellness."

We are in the midst of a wave of change in the ownership rights of health information and data. Traditionally (and legally) we have viewed health data as owned/controlled by one group or another (what Dr. Kibbe refers to as the institutional custodians). For example, the physician/hospital who owns the patient's paper medical record or the insurer who owns beneficiaries' payment/claims information.

Typical state laws support such ownership notions. Most state laws provide you and me as patients the right to copy our records. Some states go as far as providing you and me a right of access. However, to my knowledge no state law takes the alternative approach of the patient owning the records and providing access rights. Most state laws, if not all, base the ownership right on the originator or creator of the medical record. Even the HIPAA privacy rule that evolved to its present state in the late 1990s and early 2000s speaks in terms of a patient's "right to copy" and "right of access to records". At no point does it speak of a patient's ownership of the records.

Our legal system has very strong views on "ownership" rights. In fact, ownership is a basic legal premise built into the fabric of everything we do. With ownership come notions of control, proprietary nature, privacy, competition and power (financially and otherwise). I subscribe to the view that this foundation has largely been the reason we have yet to see integration, standardization and openness of health data exchange. Dr. Kibbe gets at this question in his post when he discusses the spirited debate during the Markle conference surrounding the question of how to "liberate" personal health information.

Dr. Kibbe also gets into the difficult questions that I am constantly struggling with regarding privacy (how much is too much and how much is not enough) and introduces the concept of "fair information practices": a balance between a patient/consumer's right to control access to health information, the need for access by health care professionals, reasonable protections to prohibit the breach of data, the rights of governments to access/use data for particular purposes, etc.

In reacting to Dr. Kibbe's worries that physicians are not embracing the change -- I suspect this is largely due to the current reimbursement system that we have created to pay for health care. My view is that until this reimbursement model changes to create financial incentives for wellness and management of chronic disease, it will be difficult to bring about change via the physicians.

These are my initial reactions (stream of consciousness) after having read Dr. Kibbe's very insightful and thought-provoking post. I hope to have a chance to come back and think some more about his post and my reaction.


Vince Kuraitis said...

Thanks for the useful primer on ownership vs. access of health data.

What implications does this have for moving toward data liquidity?

If state laws granted me "ownership" (which you say they don't), presumably I could appoint Google, Microsoft, Dossia, whoever, as my "agent" in gathering and acquiring MY health data.

This COULD be a tremendous step toward automating a process to create data liquidity.

But since I don't legally "own" the data....?

...are there other legal constructs that might allow patients to unfreeze their currently frozen health data?

DCK said...

Dear Bob and Vince: I believe it to be the case that the current HIPAA privacy rule permits the individual access to his/her medical data "in the format in which it is stored" by the covered entity. Bob, you can check this easily, I'm sure. Thus, we already have a federal civil right to demand and obtain copies of our health information in electronic format(s). My sense is that the Health Access Service Providers, e.g. Google, Dossia, will act on this right fairly soon, creating a pathway for patients/consumers to move their data from health plans or hospitals into their MedicalAccounts, e.g. HealthVault.
Would be interested in your comments.
Kind regards, David C. Kibbe, MD MBA

Vince Kuraitis said...


As a non-practicing attorney myself, I'm pushing the boundaries of my expertise.

The wording in HIPAA that requires access "in the format in which it is stored" strikes me as equivocal. You'd have to look at the broader intent of the legislation and regulations:

* Is this intended to be for the convenience of the PROVIDER, e.g., a doctor keeping paper records doesn't have to go through inconvenience or expense of creating digital information?

* Is this intended to be for the convenience of the PATIENT, e.g., if a health plan stores data in a digital format, the patient also must be provided with a digital copy?

...and what about standards for transmission? Is there any value to the patient (or the Health Access Service Providers) in receiving electronic data that is in a proprietary format?

...and probably many other issues to work through.

Bob Coffield said...

Following is the specific HIPAA Privacy regulation language related to a person's right to access PHI held by a covered entity (provider, payor, clearinghouse).

In a quick scan of the preamble and comments/responses to the proposed rule I didn't see any detail discussing the right of a person to obtain the records in electronic format (format in which it is stored). It really only speaks in terms of right to inspect/copy and does not provide guidance on electronic records.

The implementation specs for providing access under 164.524(c) go a bit further and state:

"the covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual."

The implementation specs also outline the fees that a covered entity may impose on an individual who requests a copy of PHI.

I hope this helps to continue the discussion.

164.524(a) Standard: access to protected health information.

1. Right of access. Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for:
   1. Psychotherapy notes;
   2. Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and
   3. Protected health information maintained by a covered entity that is:
      1. Subject to the Clinical Laboratory Improvements Amendments of 1988, 42 U.S.C. 263a, to the extent the provision of access to the individual would be prohibited by law; or
      2. Exempt from the Clinical Laboratory Improvements Amendments of 1988, pursuant to 42 CFR 493.3(a)(2).

164.524(c) Implementation specifications: provision of access. If the covered entity provides an individual with access, in whole or in part, to protected health information, the covered entity must comply with the following requirements.

1. Providing the access requested. The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the protected health information about them in designated record sets. If the same protected health information that is the subject of a request for access is maintained in more than one designated record set or at more than one location, the covered entity need only produce the protected health information once in response to a request for access.
2. Form of access requested.
   1. The covered entity must provide the individual with access to the protected health information in the form or format requested by the individual, if it is readily producible in such form or format; or, if not, in a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.
   2. The covered entity may provide the individual with a summary of the protected health information requested, in lieu of providing access to the protected health information or may provide an explanation of the protected health information to which access has been provided, if:
      1. The individual agrees in advance to such a summary or explanation; and
      2. The individual agrees in advance to the fees imposed, if any, by the covered entity for such summary or explanation.
3. Time and manner of access. The covered entity must provide the access as requested by the individual in a timely manner as required by paragraph (b)(2) of this section, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at the individual’s request. The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.
4. Fees. If the individual requests a copy of the protected health information or agrees to a summary or explanation of such information, the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
   1. Copying, including the cost of supplies for and labor of copying, the protected health information requested by the individual;
   2. Postage, when the individual has requested the copy, or the summary or explanation, be mailed; and
   3. Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(ii) of this section.

Vince Kuraitis said...

Bob, thanks for posting the HIPAA language.

So, if I were an organization with the mindset of NOT wanting to create PHI data liquidity, here are some of the roadblocks I'd put up:

#1) 164.524(c)(2)(1)

"The data is not READILY reproducible. Sorry."

"You can have our electronic data that is readily reproducible in our proprietary, non-standardized format. Good luck."

#2) 164.524(c)(2)(3)

"We have to give you the data in a TIMELY manner. Our claim data system produces information that is 6 months old."

"We have to give you the data in a TIMELY manner. We'll get around to this a year from next Wednesday. That's quicker than you can get a plumber in Russia."

#3) 164.524(c)(2)(4)

"We're allowed to impose 'a reasonable, cost-based fee'. We interpret that as meaning average costs per transaction, not marginal costs per transaction. We have about $432 million invested in our IT system, so your share to access your lab result is about $235.65. How many transactions would you like to order?"

...etc, etc.

apb said...

Misc comments...

* Charges for copying. Many states regulate the price that can be charged for copying records. California law, e.g., sets a maximum charge of 25c/page.

I routinely request all my medical records. What I have found:

* Some entities refuse to release records, with bogus claims, including, e.g.:

- "Radiology records are not medical records"
- "Radiologists are not physicians"
- "Records cannot be released until a physician approves them"

* No entity has ever released the complete records requested on the first attempt. Usually THREE attempts are required to get complete records. Extreme skepticism is necessary to realize that records are incomplete.

* Digital imaging records are frequently provided in proprietary, non-industry standard, formats.

* Digital records are not preserved, and become available only in hardcopy.

* Degraded (compressed) digital records are provided instead of raw data.

* Some entities refuse inspection of records for bogus reasons. E.g., "doctor said 'NO'" (no lawsuits or mental health records involved)

* All entities refuse CONVENIENT inspection of records, and typically require long advance notice to allow "cleansing" of records.

* Many entities simply ignore the request; others do not respond within a reasonable time (e.g., longer than 2 months).

* Entities that maintain mixed digital and paper records usually fail to provide copies of paper records, and usually fail to provide complete copies of digital records.

* The government has never prosecuted any entity for failing to release records.

In other words, while HIPAA improved the previously horrendous situation with release of records, the current situation is still pretty bad. Of course, close inspection of the content of my records shows that the quality of medical care is not that much better than the quality of recordkeeping and release. The entire healthcare industry is grossly mismanaged and requires much greater scrutiny than it has received in the past.