What Do These New Terms Mean?
Electronic Exchange of Health Information
Consent, Authorization, And Patient Rights
Security and Risks of EHRs and Electronic Health Information Exchange
WHAT DO THESE NEW TERMS MEAN?
1. What is an electronic health record (EHR)?
An EHR is an electronic system or systems that your health care provider uses to store your medical information. The information stored could be anything that was written on paper medical records such as doctors’ or nurses’ notes, laboratory test results, any hospitalizations, or prescription information.
The EHRs of large health care providers, like hospitals and large clinics, are often made up of more than one electronic system. One system may create and store all health care images (like X-rays or MRIs), another system may create and store all laboratory test results, while yet another system creates and stores all doctors’ and nurses’ notes.
2. What or who is a health care provider (“provider”)?
The provider is an individual (e.g., a doctor or other medical professional), a health care facility (e.g., a hospital, clinic, or primary care center), or a health plan organization that provides patients with medical services and/or health care services.
3. What is a Personal Health Record (PHR)?
A PHR is a collection of health-related information that is documented and kept by the individual it applies to (that is, by the patient). Information in a PHR may include information about provider visits, allergies, family history, medications, records of hospitalizations, immunizations, or information about conditions and diseases. The PHR may include information entered by the patient as well as information from the EHR. It can be paper-based or electronic. The main difference between a PHR and an EHR is that a PHR is for use by the patient and is kept and controlled by the patient, whereas the EHR is designed for use by the health care provider’s staff, is stored in the provider’s data system, and is kept and controlled by the provider. Also, the provider and the information held in the EHR are subject to federal and state laws. Your provider may offer you a PHR that is available through his/her organization. This can help you and your provider keep track of your health information.
4. What is a Health Information Organization (HIO)?
A HIO is a third-party company that enables your health care provider to transfer or exchange your health information with other health care providers or health-related entities that need your information in order to treat you. HIOs are used when the health care provider does not have the technical capability to exchange information securely on its own; HIOs have special software that allows them to transfer your information securely.
ELECTRONIC EXCHANGE OF HEALTH INFORMATION
5. What is the electronic exchange of health information?
The electronic exchange of health information allows your health care information to be shared between health care providers. This exchange is done through the EHR system as explained in the section “What Do These New Terms Mean?” Your health information may be exchanged between doctors, laboratories, hospitals, pharmacies, and other providers you have visited. Health information from your health plan may also be exchanged and used for your care.
6. Why is the electronic exchange of health information important and how does it help me as a patient?
There are many benefits to the electronic exchange of health information by using EHRs:
Information is Available in an Emergency: If you are in an accident and are unable to speak to health care providers, they can quickly find the information about your health history, medications you are taking, and other health issues to make informed decisions to treat you faster.
Information is Protected in Disasters: If you are in an area affected by a disaster, like Hurricane Katrina or a catastrophic earthquake, your health information can be stored safely in electronic form in an EHR system and can be quickly accessed by providers caring for you. Also, information can be backed up (saved) on a regular basis, which prevents loss of your critical health information during a disaster.
Easier Access and Retrieval of Health Information: Your health information sits in multiple locations, including provider offices, hospitals, pharmacies, and labs. When needed, information from each of these locations may be accessed by authorized health care staff at any one of your provider offices or in an emergency room.
Improved Care/Reduced Medical Errors: Access to information about care you receive elsewhere gives your health care providers a better, more complete picture of your health. That means your health care providers can make sure the treatment they provide doesn’t interact badly with other treatment you may be receiving. For example, if you can’t remember what medications you are taking, electronic exchange of health information lets your health care providers see what medications another doctor prescribed you, so that they know the right medications or treatment to give you instead of doing something that might be harmful.
Increased Safety/Reduced Duplication: Because health care providers can see what tests you have had and the results, they don’t always have to repeat the tests. Especially with X-rays and certain lab tests, this means you are at less risk from radiation and other side effects. It also means you pay less for your health care in copayments and deductibles when tests are not repeated.
Improved Tracking for Protection: When your health information is shared electronically, information about access to your record is stored electronically. This can include the identity of those who accessed your record, the date of access, the types of information accessed, and the reason your record was accessed. This makes it easier to enforce laws and regulations governing access when using electronic records than it is with paper records.
7. Is storing and accessing health information electronically through EHRs better than paper-based exchange?
In some ways the electronic storing and accessing of health information through EHRs is better than paper-based. In terms of storing, paper records are bulky and take up a lot of space, whereas EHRs can be stored and maintained cost-effectively since they do not take up costly space and do not require a lot of labor to maintain. Also, it is sometimes difficult to find a hard copy of a record that has been filed away. Since your health information is stored in a standard way in EHRs, the information is where the provider expects it to be, and the provider can see and read the health information rather quickly. Electronic health records are also easier to read than hard-to-read handwritten notes. When it comes to accessing your health information, electronic access is faster because your provider can retrieve the information instantly, while in a paper-based environment the provider has to wait for the hard copies of your records to arrive, which can sometimes take a while.
8. What are the laws that protect the exchange of my health information?
There are federal and state laws to protect the privacy and security of your health information. All entities that have access to or exchange your health care information, including your health care provider and HIOs, must follow these laws.
Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a broad federal law that was originally developed to regulate group health insurance plans and certain individual health insurance policies. It also includes regulations for the access, use, and disclosure (including electronic exchange) of patient health information by a health plan, health care clearinghouse (i.e., a HIO), or health care provider. HIPAA rules require these entities to protect the privacy and security of individuals’ health information and payment for health care information. The Privacy Rule regulates the use and disclosure of health information held by the entities (i.e., health care provider, health plan, or health care clearinghouse). The rule requires the entities to take reasonable steps to ensure the confidentiality of individual health information and to control how it is communicated or exchanged with others. It requires the entities to notify individuals of how their information will be used. To read more about HIPAA rules, refer to 45 Code of Federal Regulations Parts 160, 162, and 164.
Confidentiality of Medical Information Act (CMIA): The CMIA regulates the access, use, and disclosure of individuals’ medical information. The regulations in this act state that no health care provider, health care service plan, or contractor shall disclose a patient’s medical information without first obtaining the patient’s authorization. However, these health care entities are required to disclose medical information without obtaining authorization in certain situations, such as a court order, an administrative adjudication, or a coroner’s investigation, to name a few. To read more about CMIA regulations, refer to California Civil Code Sections 56 – 56.16.
9. How is my health information secured when it is being transferred or exchanged?
How your health information is secured depends on what type of organization your health care provider belongs to and how the information is exchanged. Large health care providers use their own database and software program for health information exchange and are able to exchange information directly with other health care providers or entities. Other health care providers must use a HIO to exchange information. In both cases, whether your health care provider exchanges information directly or uses a HIO, all parties exchanging information must have certain privacy and security policies and procedures in place to safeguard your health care information while it is being exchanged. These policies and procedures dictate who is authorized to access your health information. Information is encrypted so that it is unreadable to anyone other than an authorized user. There are federal and state laws to ensure the privacy and security of electronic exchange of health information. Please refer to Question and Answer 8 for information on those laws.
10. Who has access to my health information or can exchange or receive my health information?
Authorized Health Care Providers: Authorized health care providers who are licensed health care providers (e.g., doctors, nurses, and pharmacists) with a direct patient relationship will be the primary users of your health information. But their employees and others (such as public health staff) may also have access to your health information, depending on the various permitted purposes for exchange of health information.
HIOs: While a HIO’s main job is to exchange health information among health care providers and other participants, the HIO may need to use your health information in a number of ways in order to keep the HIO running smoothly. For example, the HIO may need to use actual patient information to troubleshoot when problems occur with the electronic system. In addition, the HIO may need to provide actual patient information if required by legal requirements such as subpoenas. The HIO may also need to review actual patient information to perform quality improvement tests.
Employer: If your employer is a sponsor of an employee health plan, then it can receive information about you. There are special provisions in HIPAA to protect your information when this is the case. Your provider, health plan and other health care providers must obtain your authorization before they send your employer health information about you for most purposes.
Insurance or Health Plan Organization: Your health information is received by your health plan in order to process claims for the services you received. That information is used for payment and health care operations of the health plan. California insurance or health care plans currently do not process claims through electronic exchange of health information, but may do so in the future. The main function of electronic exchange of health information at this point is to exchange clinical data for treatment of patients. Health plan organizations would not be authorized users of a HIO or as electronic health information exchange partners as they are not providers of health care.
11. Do all of my doctors have access to all of my records?
Some of your doctors may not be participating in the electronic exchange of health information and therefore would not have access to the records available at your various providers. Also, if some of your health information is still in paper form and has not been entered electronically into an EHR, then this information may not be available through the electronic exchange of health information. Please refer to Question and Answer 9 for further information.
12. What information will be shared through the electronic exchange of health information?
The health information being exchanged will differ depending on what participating organization is requesting or receiving your information. Some examples of the types of information that may be exchanged and available to your provider are your eligibility information, medication history, lab history, and/or immunization history, as well as your identifying information such as your social security number, date of birth, home address, telephone numbers, medical record number, and insurance billing information.
13. Is some of my most sensitive health information provided extra protection?
Certain kinds of health information, for example, mental health status, substance abuse, HIV test results, and genetic testing, are subject to additional legal protections. These additional protections may include a requirement that your written consent be obtained for each release of protected information or other special protections. All providers of health care are required to follow all existing privacy and security laws that protect your health information no matter what form it is in or what manner it is exchanged. Special protections for sensitive health information must also be followed. This means that the entity electronically exchanging your health information must be able to handle the proper authorizations and legal requirements for exchanging your health information.
14. Can my doctor(s) use his/her personal smart phone to access my health information that is available through electronic exchange of health information? If so, is it secure?
Your doctor may have access to your health information via his/her personal smart phone. By law (under the HIPAA Security Rule) before your doctor can access your information on his/her mobile device, he/she must have appropriate security safeguards in place.
15. Can my doctor see all of my prescriptions that I am currently taking?
Currently, not all doctors can see your prescription history, because not all providers, hospitals, pharmacies, etc. have established EHRs, so they are not yet able to exchange your health information electronically. Your complete prescription history will be available only if every provider who has prescribed you medications is participating in electronic exchange of health information.
CONSENT, AUTHORIZATION, AND PATIENT RIGHTS
16. Do I have access to my medical information that is held or kept by either my health care provider or a HIO?
You are entitled to get copies of your own health information, by law. If you want copies of your health information, ask your health care provider with whom you have a direct care relationship how you would be able to access or to get copies of your information. You may be able to either access and print your health care information online or request hardcopies of your information to be provided to you.
Since most HIOs do not have a direct relationship with each individual patient, it is unlikely that you will be able to obtain your medical information directly from a HIO. Some HIOs’ role is only to transmit the medical information between entities and not to store it; therefore, they would not be able to access it for individuals’ requests.
17. How do I give permission or consent to let others such as my doctors to see my medical information through a HIO?
Generally, providers who use HIOs to exchange your health information do ask patients for their consent in order to allow the patients’ information to be exchanged through the HIO. The two most common types of consent are: “Opt In” and “Opt Out”. If you are asked to give Opt-In consent, you will be asked to sign a written (paper or electronic) form giving your permission for your information to be exchanged through the HIO. If you are given Opt-Out consent, you should be provided with information about the HIO and given a period of time to exercise your opportunity to refuse to let your information be exchanged. In order to opt out, you must usually either send in a form by mail or else click on a certain box on a website to make clear that you do not want your information to be exchanged through the HIO. Some providers in California might have a no-consent policy. A No Consent model is appropriate when the HIO does not have access to any health information.
18. How long does my permission/consent last with a health care provider or HIO?
This will depend on the policies of your health care provider. It also depends on the procedures the participating organizations of a HIO follow. It may last until you revoke your consent, or you may be asked to sign a new consent periodically (such as annually). However, once your health information has been viewed or exchanged through a HIO, it cannot be retracted, which means the information already viewed or exchanged cannot be taken back or deleted out of the system. Providers who have relied on this information to make decisions about your health must be able to retain a record. If you revoke your consent, then your health information will no longer be viewable or exchangeable through the HIO.
19. What happens in an emergency if I am not able to consent?
In an emergency situation where you are not able to communicate with the treating health care provider (even if the treating health care facility is not your own health care provider), that provider would be able to receive your health information directly from your health care provider and treat you without your consent.
If your health information is exchanged through a HIO, access to your health information would depend on whether you provided prior consent for the HIO to exchange your information. If, prior to the emergency, you refused consent through your health care provider to have the HIO exchange your information, then none of your information will ever be available, even in a life-threatening emergency. Some health care providers and HIOs have systems under which emergency providers can obtain access to your information under a “break-the-glass” scenario. Under the “break-the-glass” scenario, an emergency physician is able to exercise his/her professional judgment and obtain your information, even if you did not give consent, if it will help the physician to treat you.
20. What is the difference between an authorization and consent?
An authorization is a very specific term that is used in HIPAA to describe permission for uses and disclosures of your health information that fall outside of treatment, payment, and health care operations. The authorization provision in HIPAA requires your provider or health plan to obtain your permission before they use your health information for anything you might not be aware of and that was not listed on the Notice of Privacy Practices, such as marketing.
Consent for your information to be accessed or exchanged through a HIO is specific to the electronic exchange of your health information. By giving your consent, you are not consenting to uses and disclosures of your information. It is simply a means to acknowledge that you were informed about the use of a HIO to obtain your health information.
21. I did not receive a consent form to sign for the electronic exchange of my health information, but noticed the Notice of Privacy Practices now states that my data may be exchanged through a HIO. Will I receive a consent form too?
You should receive a Notice of Privacy Practices (NPP) upon a first visit to a physician or admission to a hospital. As specified by HIPAA, these notices describe how your protected health information is to be collected, used, and disclosed. Some providers will only use the NPP to notify you of their ability to electronically exchange your health information. Others may use a consent form, and others yet may use a combination. If you are unclear about what your NPP states, you may ask your provider how your data is being used and shared electronically.
22. Will I know if my health information was misused?
Under HIPAA requirements, you have the right to receive a list of instances where your health information was disclosed and for what purposes; this is a request for an “Accounting of Disclosures,” as stated and required in HIPAA. If your information was misused or inappropriately disclosed, it should also be logged at your provider’s organization. If there was a breach of your electronic health information, you would be notified by the entity that breached your information. Refer to Questions and Answers 27, 28, and 29 for more information regarding breach of health information.
If you believe that a person, agency or organization covered under HIPAA violated your (or someone else's) health information privacy rights, you may file a complaint with that person, agency, or organization or with the federal Office for Civil Rights. The Notice of Privacy Practices that you received from the provider will have information about who to contact. Individuals found in violation of HIPAA can be civilly and criminally prosecuted. For more information, see: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html
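As an added illustration (not part of this FAQ, and not any real HIO’s software), the following Python sketch ties together the consent models of Question 17, revocation in Question 18, the “break-the-glass” override of Question 19, and the audit trail that backs an Accounting of Disclosures in Question 22. All class and role names are assumptions, as is the rule that only a user in the `emergency_physician` role may invoke the override.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class ConsentModel(Enum):
    """The two common consent models described in Question 17 (assumed names)."""
    OPT_IN = "opt_in"    # exchange only after the patient signs a consent form
    OPT_OUT = "opt_out"  # exchange unless the patient refuses within the notice period


@dataclass
class ConsentRecord:
    model: ConsentModel
    opted_in: bool = False   # signed form received (opt-in model)
    opted_out: bool = False  # refusal received (opt-out model)
    revoked: bool = False    # consent withdrawn later (Question 18)

    def permits_exchange(self) -> bool:
        """Does current consent allow routine exchange of this patient's records?"""
        if self.revoked:
            return False
        if self.model is ConsentModel.OPT_IN:
            return self.opted_in
        return not self.opted_out


@dataclass(frozen=True)
class AuditEntry:
    """One audit-trail record: who, when, what type of information, why, outcome."""
    patient_id: str
    actor: str
    role: str
    info_type: str
    reason: str
    granted: bool
    break_the_glass: bool
    when: datetime


@dataclass
class Hio:
    """Hypothetical HIO access gate; break_the_glass_enabled models whether the
    HIO offers the Question 19 emergency override at all."""
    break_the_glass_enabled: bool
    consents: dict = field(default_factory=dict)   # patient_id -> ConsentRecord
    audit_log: list = field(default_factory=list)  # append-only; never pruned on revocation

    def request_access(self, patient_id: str, actor: str, role: str,
                       info_type: str, reason: str, emergency: bool = False) -> bool:
        """Decide a request and log it. Denied requests are logged too, so a
        privacy officer can see attempts, not just disclosures."""
        consent = self.consents.get(patient_id)
        consented = consent is not None and consent.permits_exchange()
        # Override only when consent is absent/refused, the caller declares an
        # emergency, the HIO supports it, and the role is an emergency physician.
        override = (not consented and emergency and self.break_the_glass_enabled
                    and role == "emergency_physician")
        granted = consented or override
        self.audit_log.append(AuditEntry(patient_id, actor, role, info_type, reason,
                                         granted, override, datetime.now(timezone.utc)))
        return granted

    def accounting_of_disclosures(self, patient_id: str) -> list:
        """What the patient may request under HIPAA (Question 22): granted accesses only."""
        return [e for e in self.audit_log if e.patient_id == patient_id and e.granted]

    def break_the_glass_events(self) -> list:
        """Overrides that should be reviewed after the fact."""
        return [e for e in self.audit_log if e.break_the_glass]


if __name__ == "__main__":
    # Constructed sample data: three patients under different consent states.
    hio = Hio(break_the_glass_enabled=True)
    hio.consents["p1"] = ConsentRecord(ConsentModel.OPT_IN, opted_in=True)
    hio.consents["p2"] = ConsentRecord(ConsentModel.OPT_OUT, opted_out=True)
    print(hio.request_access("p1", "dr_a", "physician", "medication_history", "treatment"))
    print(hio.request_access("p2", "dr_a", "physician", "lab_history", "treatment"))
    print(hio.request_access("p2", "dr_er", "emergency_physician", "medication_history",
                             "unresponsive trauma patient", emergency=True))
    for entry in hio.break_the_glass_events():
        print("review:", entry.actor, entry.patient_id, entry.reason, entry.when.isoformat())
```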
23. Can I request changes to my health record or other information included in the HIO?
If you notice that your health care provider has outdated or incorrect information in your health record, you may request an amendment (a change) to your record from the provider who created the record, as one of your rights under HIPAA. Deletions of records are not generally permitted, as providers who have made decisions about your health based on those records must maintain them.
SECURITY AND RISKS OF EHRs AND ELECTRONIC HEALTH INFORMATION EXCHANGE
24. How secure are EHRs?
Just like paper records, EHRs must comply with the federal and state laws that ensure your medical information is kept private and secure from others who do not have authority to access it. HIPAA is a federal law that protects individuals’ health information to ensure its privacy and security. The Notice of Privacy Practices (NPP) that you may have received from your doctor, your health care plan, or your hospital will tell you how your provider can use and disclose your health information.
Unlike paper records, EHRs can be encrypted (using technology to scramble the information) to make them unreadable to anyone other than an authorized user. Security settings in the EHR system can be set so that only authorized individuals can view the records. However, not all EHRs are encrypted and not all health care providers have the technical ability to encrypt EHRs at high security levels.
EHRs can offer the added security of an electronic tracking system that provides an accounting history of when records have been accessed and who accessed them. It is impossible to track who has accessed specific paper records so in that manner EHRs can be more secure than paper.
25. Is electronic exchange safer than paper based exchange of health information?
There are risks to the exchange of health information in any format, whether it be paper, electronic, or even oral. Paper records cannot be tracked in the way electronic records can, and they may be open to unintended disclosures, for example, faxing information to an incorrect fax number, leaving a transmission in a fax machine for others to see, or filing records in cabinets that are accessible to authorized and unauthorized people alike. Paper records can be permanently destroyed through human accidents or catastrophes like fire or hurricanes.
EHRs are required to have specific security controls that allow only authorized users to have access to your health information. EHRs can be backed-up (saved) regularly so that during an emergency your records will be available to the health care provider who is treating you.
26. What are the risks to electronic exchange of health information?
Electronic exchange of health information increases the amount of data available to the providers who care for you. The increase in the amount of data opens the opportunity for an unauthorized person to possibly get access (through hacking or social engineering) to the information in the system about you and your health. Security safeguards are required by law, but they are not failsafe. In addition, your health information is at risk if people with access to information choose to act in violation of law and ethical standards. This can happen with both paper and electronic health records.
HIOs may or may not have access to your data. If the HIO is allowed access then there are more people (HIO staff) with access to your data. Any time more people are granted access to your data there is an increase in risk of inappropriate use and disclosure.
Just like a paper health record, if the health care provider does not enter the correct information, that information remains in the health record until it is corrected. However, electronic information can provide checks and balances that paper health records cannot, such as an audit trail that automatically records who accessed your information and when. You also have the right to access and review your health information and request amendments or changes if you see something that is incorrect.
Although electronic information should be encrypted, hackers could try to break security codes just like they do in other electronic systems. As a result, those hackers may use your information for unlawful activities such as credit card fraud or to obtain medical services using your health plan information. Identity theft occurs with both paper files and electronic files, but a breach of electronic files may affect more records than a breach of paper files.
27. What is a “breach”?
A breach is an incident in which health information has potentially been viewed, stolen or disclosed by an individual unauthorized to do so. The most commonly recognized data breach is an attacker hacking into a corporate network to steal sensitive data. However, not all data breaches are so dramatic. If a hospital employee deliberately views a patient's health information on a computer screen over the shoulder of another employee without appropriate reason or need to do so, that also constitutes a data breach. Inadvertent viewing of the wrong record is not necessarily a breach. For example, if a provider opens the wrong record for John Smith when there are multiple records with the same patient name, this is not a breach.
28. What can I do to protect myself if my health information has been breached?
Contact the California Office of Privacy Protection; their contact information can be found at http://www.privacyprotection.ca.gov/identity_theft.htm. This office can walk you through the steps you can take to protect yourself. Typically, steps include filing a police report, credit monitoring, fraud alerts, and/or credit freezing to protect you from identity theft. Please see the Office of Privacy Protection website for details.
29. What responsibility does the entity that breached my information have?
Both federal and California law require certain entities to inform you if your information has been breached. Under California’s Health and Safety Code, when certain entities (i.e., a clinic, health facility, home health agency, or hospice) become aware of any unlawful or unauthorized access to, or use or disclosure of, a patient’s health information, they must report the breach to the Department of Public Health (DPH).