Friday, October 09, 2009

"Body Computing" and the Right to Health Information

Fellow cardiac electrophysiologist Leslie Saxon, MD thinks patients should own their medical device information in the era of "body computing:"
But there are major obstacles standing in the way of people's rights to access their health care data. There are over 400,000 patients with implanted defibrillators that have networked capability. Up to 20 percent of people with defibrillators will be shocked from the device. While the shock is life-saving and one of the main reasons the device gets placed, patients feel something that is akin to a punch in the chest and it causes great concern and curiosity from the patient. Where does the vital information about the shock go?

It is transmitted to a secure server--managed by device manufacturers--and the information is then downloaded to a secure web site for the patient's physician. I think patients have a right to see the information, and be able to share it with family members and other physicians, but patients are given no opportunity to access it. Device manufacturers tell me that they won't allow patients to access the data because they are worried about insulting the physician who implanted the device. Physicians aren't exactly excited to give up the data because they believe it will cause more work and put them at risk for lawsuits.
So what are those "major obstacles" to allowing patients access to their health information?

Privacy and Safety

You can never be too careful with health information - especially if it's yours. Powerful governmental rules exist to make sure you cannot access your health information easily. In 1996, with the advent of electronic submission of claims to the US government, concerns over the privacy of electronically-encoded information surfaced and resulted in the development of HIPAA, enforced by the governmental Office of Civil Rights. After the Institute of Medicine's "landmark report" entitled "To Err is Human: Building a Safer Health System," (available for purchase only) which highlighted critical areas of research and activities needed to improve the safety and quality of health care delivery, Congress passed the Patient Safety and Quality Improvement Act of 2005 (PSQIA). PSQIA provides Federal privilege and confidentiality protections for patient safety information called "patient safety work product." Patient safety work product includes information collected and created during the reporting and analysis of patient safety events. These safety events then feed into the Agency for Healthcare Research and Quality (AHRQ) which has responsibility for listing patient safety organizations (PSOs), the external experts established by the Patient Safety Act to collect and analyze patient safety information. Who are Patient Safety Organizations? Well, there's one for nearly every state. The data collected from these PSOs feed into a carefully constructed Network of Patient Safety Databases (NPSD). These NPSDs will receive, analyze, and report on de-identified and aggregated patient safety event information with the goal of facilitating aggregation and analyses of patient safety event information to help reduce adverse events and improve health care quality. All of this aggregated information is then protected by the PSO Privacy Protection Center.

But safety concerns don't stop there.

The FDA (pdf) must also regulate the devices themselves to assure their safety, managed adeptly by the Center for Devices and Radiological Health. They, in turn, manage a Medical Device Recall Database so consumers can find out which devices have or have not been recalled. Doctors also must maintain a registry of all patients who receive medical devices, some of which extend information to hospital information systems as well as a database of implant information tied to clinical variables. Companies can use these data to report potential safety problems. Doctors can use these data to protect their turf in the name of safety.

Legal Concerns

Despite all of the above safety and privacy safeguards, legal liability concerns loom large in the minds of health care providers and device manufacturers, as violation of privacy laws can lead to jail time and hefty fines. With the increasing need to balance governmental budgets, we're seeing an increase in audits of health information, thanks, in part, to the Health Information Technology for Economic and Clinical Health Act (HITECH Act):
American Recovery and Reinvestment Act of 2009 (ARRA) also includes a section that expands the reach of the Health Insurance Portability and Accountability Act (HIPAA) and introduces the first federally mandated data breach notification requirement.

Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), reserves $22 billion to "advance the use of health information technology" -- in large part so the U.S. will be able to move to e-health records by President Obama's 2014 deadline.

It also expands the reach of HIPAA data privacy and security requirements to include the "business associates" of those entities (health care providers, pharmacies, and the like) that are subject to HIPAA.
This act significantly expands the reach of the HIPAA Privacy Rule and Security Rule, along with the corresponding penalties. Subsection 13410(c) requires civil penalties that are collected under the HITECH Act to be funneled back into the Department of Health and Human Services' Office of Civil Rights enforcement budget, completing the funding "Circle of Life" for the system.

So if you're wondering why you can't get your health information I think it's pretty clear...

... you should probably thank our government.



Anonymous said...

Dr. Wes,
As a patient with an implant, I confess to being confused by this. I mistakenly assumed that the results of my Pacemaker Interrogation reports would be treated as any other type of test or lab result and be released to my electronic chart. Every other test I get seems to pop up there - labs, scans, surgical reports, EP studies, appointment reminders - but not the interrogation reports. I assumed I owned it. So why can't I access it?

DrWes said...

Anony 09:11 AM-

The information you receive is considered part of the electronic medical record, and is available only on a secured network provided by the hospital system. Which information is released to you is decided a priori by hospital administrators with physician input. Not all information is available, except by written request (HIPAA release) to protect health care systems and doctors from legal liability of breaking HIPAA laws.

Also, limitations of current health information systems prevent graphical information from being forwarded (partly why your device information does not appear) and the amount of information presents bandwidth issues for hospital EMR systems also.

DrTruth said...

As a doctor, I'm more than happy to provide my patients their complete medical record as long as the necessary federal laws are addressed. However, what most patients don't understand and what Dr. Wes doesn't tell you is that doctors, surgeons, clinics, and hospitals believe they own your medical chart. This is wrong and old timer thinking.

If you don't believe then I suggest that you go to your doctor and ask to be given all of the original chart so you (the patient) have the only copy. It won't happen. I fully expect Dr. Wes and other doctors to give excuses and fancy Latin words for why this is the case but the fact remains that patients aren't allowed to own and control the medical chart. Blaming the government is a deflection at best.

DrWes said...


I'm more than happy to provide my patients their complete medical record as long as the necessary federal laws are addressed.

Like having a signature in writing. Presently, no electronic means (except fax) will suffice for you to release the medical record to your patients for their use, even though technically, that information belongs to the patient.

Note, too, that electronic records exist in silos, carefully "protected" by major medical systems. While patients can access their entire medical record at one health system (or the legal system can "discover" any portion of it), the ability to transfer information electronically from one health care system to another has, so far, been met with considerable resistance, both from technical as well as legal aspects. The bureaucracy for securing the patient's data has recently become greater (as have the risks to providers for failing to protect that data) thanks to the HITECH Act and adds to the challenges the patient will have to negotiate to acquire their complete electronic medical record.