Proposal protects medical records

Patients would be allowed to view who accessed their records and why.

Kathryn Elliott

While working a clinical rotation at a childrenâÄôs hospital, University of Minnesota nursing school graduate Mary Reinhardt often wanted to check back on patientsâÄô progress after they left her care.

But she understood that even well-meaning records access can be a breach of privacy.

This stringency in medical records privacy is mirrored in a federal proposal that would allow patients to view who has accessed their medical records, whether digital or paper copies and whether for legitimate or clandestine purposes. The proposal came last week from the U.S. Department of Health and Human Services.

âÄúYou get involved in someoneâÄôs life and care,âÄù Reinhardt said. âÄúIf it was a paper record, you could look and no one would ever know. With electronic records, thereâÄôs no room for that.âÄù

The proposed legislation is available for comment on the Federal Register  until August and would not take effect until 2013. It rides a tailwind of medical record mishandling in Minnesota.

Last month, Allina Hospitals and Clinics  fired 32 health care workers for looking up medical information about a patient who overdosed and set off a high-profile criminal case. In April, Fairview Southdale Hospital  in Edina, Minn., lost a box with 1,200 patientsâÄô health information.

The proposal falls under the Health Insurance Portability and Accountability Act of 1996, which created national standards for the security and privacy of electronic health data. Hospitals are currently required to let patients know if their file has been inappropriately accessed, but do not have to give them a printout of who has viewed the records.

The proposal would also give patients a list of any outside agencies that accessed their medical record, like law enforcement officers, judges or public health investigators.

John Jensen, assistant director of the UniversityâÄôs Privacy and Security Project, said the additional information would be empowering to patients. JensenâÄôs office handles privacy concerns for Boynton Health Service, which rarely gets complaints from students, he said.

âÄúBy being more transparent, weâÄôre providing tools to our patients to take charge of their health care and not to be a passive participant,âÄù Jensen said. âÄúWe are benefited by an informed population.âÄù

Boynton Health Service  has measures in place to ensure patient privacy and so far has avoided a major records scandal like those at Allina and Fairview.

Boynton records the date and time of staff membersâÄô trainings on how to handle medical records because federal auditors crosscheck to make sure employees have gotten the training before they are ever given access to the records, he said.

Auditors want to know, âÄúDid you give them the keys to the city before you did the background check?âÄù Jensen said.

The U.S. Department of Health and Human Services is required by law to provide a list of institutions that have had breaches of unsecured protected health information affecting 500 or more individuals.

Mayo Clinic, Mankato Clinic and several other Minnesota entities have been responsible for breaches  that put more than 30,000 medical records at risk for unauthorized access in 2010 and 2011.

Fairview Health Services said in an April statement that employees were âÄúunable to confirmâÄù if a box containing health information from 1,200 patients arrived to its destination during a February move. Fairview offered a yearâÄôs subscription to an identity protection service to the patients affected.

Lois Dahl, FairviewâÄôs information privacy director, said most patients have no idea of the number of people that have valid reasons to access medical records. Front desk staff that help at check-in, medical records staff that code a patientâÄôs claim, pharmacists, billing staff, doctors and nurses may have viewed any one patientâÄôs electronic records.

While seeing a full list of who had accessed oneâÄôs record might be assuring to someone familiar with health care facilities, Dahl said she thinks âÄúit would raise a lot of questionsâÄù to someone who is less familiar,âÄù and answering those questions âÄúcould be very time consuming,âÄù depending on how many people exercise their right to the disclosure.