You are a general otolaryngologist in a large suburban community, a partner in a three-otolaryngologist practice. Over the past 10 years, your practice has transitioned from paper records to an electronic health record (EHR) system, which now includes the scanned paper records from the past.
April 2016

Transition to EHR was difficult in the busy practice, but now you and the other otolaryngologists and your staff are utilizing it efficiently. At first, however, you employed a scribe to assist you in data management, which was such a help that you continue to use a scribe even though the transition to EHR is complete. While you interact with the patient and perform the physical examination, the scribe enters the data elicited—including present illness, past medical history, and physical examination findings. From time to time, you indicate certain information that needs to be input in a particular manner, including diagnosis, treatment plan, and medications to be prescribed. It has been your practice to review the data immediately after the patient leaves the examination room for accuracy and completeness, making your own revisions as indicated, and electronically signing the encounter. The scribe utilizes your password to sign into the system each day.
As with any busy otolaryngology practice, there is a delicate balance between attention to the patient and attention to the data being recorded in real time, but you feel the use of the scribe has allowed you to pay more attention to the patient, which you know is important for a healthy patient-physician relationship. You believe you achieve that balance pretty regularly, but with complex patient histories and examination findings, you may communicate with the scribe more than you care to in order to assure the capture of important data. On particularly busy days, you may not have time to completely review all of the information input by the scribe, but you focus primarily on the critical elements.
Recently, one of your patients, whom you have treated for years for complicated chronic ear disease, tinnitus, and vertigo, stopped by the office to request his records. These were his demands:
- Provide all records within 72 hours, including scanned records from pre-EHR visits in the format of a USB drive;
- Provide a list of all individuals, organizations, government entities, and health information exchanges that had access to his protected health information (PHI);
- Provide a record of any breaches of EHR security in your office during his time as your patient;
- Remove his personal health information from your EHR system to ensure the safety of his PHI;
- Provide a typed translation of your handwritten notes from the old paper records if he deems your handwriting to be illegible, and provide the original paper documents if available; and
- Provide information on the background investigation and certification of the scribe who entered his PHI into his EHR.
You have begun to hear of similar requests to other physicians in your community from patients who are exceptionally worried about the security of their PHI, but this is the most extensive request so far in your practice. While you are aware of the risks of security breaches in EHR systems and appreciate concerns about information technology hacking, you believe this patient’s requests are excessive. How should you handle this situation?
Discussion
While this scenario represents a constellation of private health information concerns, it serves to highlight issues that are being discussed currently in the United States. Since the passage of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and, more recently, the 2009 national digital medical records mandate and the CMS 2014 mandate, the healthcare enterprise has transitioned nearly completely to electronic management of health data. This transition from traditional paper documentation in both hospitals/clinics and physician offices has been difficult, expensive, and often burdensome.
The early stages of EHR implementation, which require expert assistance, come with a steep learning curve and frequent problems. While these technical issues, along with noteworthy legal implications, have received significant attention, the ethical issues associated with electronic records are now being appreciated as equally important.
We are seeing increased activity in national and international hacking of data, and although this is primarily a financial issue, hackers also pose a real and present danger to hospital and physician databanks, perhaps aiming to exploit private health insurance or to hold hostage the PHI caretakers for ransom. Some patients are fearful that their PHI may potentially become compromised, with no capability on their part to ensure its safety. This understandably might lead to some patients expressing significant concerns about their PHI and requesting that their information be removed from an electronic system they perceive as insecure. The expansion of health information exchanges (HIEs) may also cause patients to worry about the risk that their personal data may be inappropriately exposed. Looking at it from the patient’s perspective, these concerns may be little different than our own concerns about breaches to our financial information and other important personal data sources. Indeed, hospitals, clinics, and physician practices cannot guarantee the unassailable integrity of their EHR systems.
Patient Rights
Regarding the patient’s request for medical records, the HIPAA Privacy Rule gives the patient the right of access to copies of their medical records but not the originals, which remain in the possession of the institution or provider. The patient can request the documents in a favored format, but if the physician feels the format—such as a USB drive—constitutes a risk to the security of the information, other formats may be provided. This applies to both electronic and paper medical records. The physician must provide the records to the patient within 30 days of the written request, unless the patient is notified of a request for a 30-day extension for extenuating circumstances.
Under new administration guidelines, the physician is not allowed to require the patient to state a reason for the request, nor can the physician deny a request for medical records by a patient who has failed to pay his medical bills. The physician’s office may charge the patient a nominal or reasonable fee to cover the cost of the copying, but may not charge for staff time required to locate the records. A physician may not be required to provide a typed translation of handwritten notes, although egregious handwriting may prevent the patient from full access to his medical information. In such a situation, it would be appropriate for the physician to spend time with the patient reviewing these handwritten notes, giving adequate explanation to ensure the patient’s understanding of his health status as noted in the record.
For a variety of reasons, many patient medical records—whether they are electronic or handwritten—will contain incomplete information, omissions of fact, or outright mistakes. This can especially be a risk when a physician takes home 30-plus charts at night to make written or electronic entries. Who can remember the exact details on each patient? It is quite ethical for the physician to be receptive to a patient’s review of his medical records, whether periodic or in toto, to allow for amendments of the records or addenda to reports. (This author has been cared for by an orthopedic surgeon who dictated the entire patient encounter at the end of the consultation and then asked the author to make any needed corrections to his statements.) Time constraints in the office may be a major deterrent to the accurate documentation of the medical history and clinical examination, although the rigidity of some EHR programming may also be complicit.
The Physician’s Role
While it is understandable that some patients might have concerns about other healthcare entities’ access to their PHI, including office staff, the amount of information requested in this scenario about the scope of access appears to fall outside of a “reasonable accommodation.” However, this case does point out the importance of the physician’s keen oversight of those staff members who participate in the recording of a patient’s PHI, especially the background, capabilities, and trustworthiness of a scribe. The veracity of the information input by a scribe is not only important to the patient’s clinical care, but also to the legal integrity of the documents. The patient is entitled to know how much responsibility is given to a scribe as well as the level and extent of the physician’s oversight of the information the scribe inputs into the EHR. Failure to identify inaccurate information in the medical record can be harmful to the patient and may jeopardize the physician. Therefore, the patient poses a valid concern. The physician need not discuss personal or private information about the scribe, or any staff, in order to reassure the patient of her/his integrity. A general description of the education and training of the scribe, however, would be worthwhile to explain to the patient.
The patient has an ethical and legal right to learn of any breaches to his secure PHI in a timely manner, and with guidance on any potential risk. The American Medical Association Council on Ethical and Judicial Affairs has outlined the appropriate procedures of disclosure to the patient if such a breach has occurred [1]. Just as with breaches of financial information, the patient, and potentially his family, could be at great risk if sensitive PHI were obtained and misused. If no breaches have occurred, the patient can be reassured and given an explanation of the security barriers in place to prevent breaching of the EHR or other sources of PHI. If the patient cannot be dissuaded from requesting the withdrawal of PHI from the EHR, then some accommodation or compromise must be pursued through further discussion.
Listen to Your Patient
With respect to this particular scenario, the physician would be well advised to invite the patient in for an informal discussion of his requests and to take the time to listen to the patient’s concerns before addressing them. Just why, after all the years of care by his physician, did the patient feel the need to make these requests? Perhaps something occurred recently in his life to bring about this anxiety or paranoia, and consultation from the appropriate healthcare provider might be appropriate. The patient can be reassured that the physician takes the protection of his PHI very seriously and appreciates his concern. Such a discussion will likely lead to a better understanding by the patient of the processes in place in the physician’s office to protect and defend his PHI, as well as the physician’s willingness to work with the patient toward a “reasonable accommodation.”
While it might be possible to alleviate the patient’s concerns and respond satisfactorily to his requests through a professional discussion, this may not be effective, and the physician will then need to follow the federal rules and regulations that govern protected health information. It is usually best to utilize the confidential patient-physician relationship to solve conflicts, and often an acceptable ethical solution can be found. Our responsibility is to find a way to preserve patient autonomy while still maintaining our professional integrity and following applicable legal guidelines.
Dr. Holt is professor emeritus in the department of otolaryngology-head and neck surgery at the University of Texas Health Science Center in San Antonio.
Reference
1. American Medical Association. Code of Medical Ethics. Current Opinions of the Council on Ethical and Judicial Affairs. Opinion 5.10. A physician’s role following a breach of electronic health information. Accessed March 29, 2016.