But there are major obstacles standing in the way of people's rights to access their health care data. There are over 400,000 patients with implanted defibrillators that have networked capability. Up to 20 percent of people with defibrillators will be shocked from the device. While the shock is life-saving and one of the main reasons the device gets placed, patients feel something that is akin to a punch in the chest and it causes great concern and curiosity from the patient. Where does the vital information about the shock go? So what are those "major obstacles" to allowing patients access to their health information?
It is transmitted to a secure server--managed by device manufacturers--and the information is then downloaded to a secure web site for the patient's physician. I think patients have a right to see the information, and be able to share it with family members and other physicians, but patients are given no opportunity to access it. Device manufacturers tell me that they won't allow patients to access the data because they are worried about insulting the physician who implanted the device. Physicians aren't exactly excited to give up the data because they believe it will cause more work and put them at risk for lawsuits.
Privacy and Safety
You can never be too careful with health information - especially if it's yours. Powerful governmental rules exist to make sure you cannot access your health information easily. In 1996, with the advent of electronic submission of claims to the US government, concerns over the privacy of electronically-encoded information surfaced and resulted in the development of HIPAA, enforced by the governmental Office of Civil Rights. After the Institute of Medicine's "landmark report" entitled "To Err is Human: Building a Safer Health System," (available for purchase only) which highlighted critical areas of research and activities needed to improve the safety and quality of health care delivery, Congress passed the Patient Safety and Quality Improvement Act of 2005 (PSQIA). PSQIA provides Federal privilege and confidentiality protections for patient safety information called "patient safety work product." Patient safety work product includes information collected and created during the reporting and analysis of patient safety events. These safety events then feed into the Agency for Healthcare Research and Quality (AHRQ) which has responsibility for listing patient safety organizations (PSOs), the external experts established by the Patient Safety Act to collect and analyze patient safety information. Who are Patient Safety Organizations? Well, there's one for nearly every state. The data collected from these PSOs feed into a carefully constructed Network of Patient Safety Databases (NPSD). These NPSDs will receive, analyze, and report on de-identified and aggregated patient safety event information with the goal of facilitating aggregation and analyses of patient safety event information to help reduce adverse events and improve health care quality. All of this aggregated information is then protected by the PSO Privacy Protection Center.
But safety concerns don't stop there.
The FDA (pdf) must also regulate the devices themselves to assure their safety, managed adeptly by the Center for Devices and Radiological Health. They, in turn, manage a Medical Device Recall Database so consumers can find out which devices have or have not been recalled. Doctors also must maintain a registry of all patients who receive medical devices, some of which extend information to hospital information systems as well as a database of implant information tied to clinical variables. Companies can use these data to report potential safety problems. Doctors can use these data to protect their turf in the name of safety.
Despite all of the above safety and privacy safeguards, legal liability concerns loom large in the minds of health care providers and device manufacturers, as violation of privacy laws can lead to jail time and hefty fines. With the increasing need to balance governmental budgets, we're seeing an increase in audits of health information, thanks, in part, to the Health Information Technology for Economic and Clinical Health Act (HITECH Act):
American Recovery and Reinvestment Act of 2009 (ARRA) also includes a section that expands the reach of the Health Insurance Portability and Accountability Act (HIPAA) and introduces the first federally mandated data breach notification requirement. This act significantly expands the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties. Subsection 13410(c) requires civil penalties that are collected under the HITECH Act to be funneled back into the Department of Health and Human Services' Office of Civil Rights enforcement budget, completing the funding "Circle of Life" for the system.
Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), reserves $22 billion to "advance the use of health information technology" -- in large part so the U.S. will be able to move to e-health records by President Obama's 2014 deadline.
It also expands the reach of HIPAA data privacy and security requirements to include the "business associates" of those entities (health care providers, pharmacies, and the like) that are subject to HIPAA.
So if you're wondering why you can't get your health information, I think it's pretty clear...
... you should probably thank our government.