Every time someone goes to a doctor’s appointment, the healthcare provider creates and stores a record for later review. On the patient side, they are easy to forget. But for healthcare providers, front desk staff, and hospital administrators, handling electronic health records can be a major part of the job.
Table of Contents
- What are electronic health records?
- How do data silos block information sharing?
- How are medical records regulated?
- What are the rules of HIPAA?
- What are covered entities and business associates?
- The reason hackers want medical records?
- Why do patients request records?
- Why do legal professionals request records?
- Reasons you should coordinate care with another provider
- Training staff to handle the release of information
- How long should medical records be kept?
- What are the benefits of using release of information software?
What are electronic health records?
Most medical records today exist digitally in either electronic medical record (EMR) or electronic health record (EHR) systems. These sound like they’re the same thing, but there’s one major distinction.
Electronic medical records are designed for use within the healthcare facility that created them. They are not meant to be shared outside their system. This makes releasing them to other patients or professionals more difficult.
Electronic health records are designed to be easily shared with other users of the same EHR system. Healthcare providers can more easily release these records to some healthcare providers, but not all.
Electronic health records have antiquated paper records. Healthcare facilities no longer need to dedicate entire rooms to keeping filing cabinets filled with paper records. Digital files can also be backed up, so they are safe in the event of a fire, flood, or other disaster. Finally, they are easier to retrieve, duplicate, and share.
Unfortunately, not all changes are positive. Mass medical record breaches were significantly harder to pull off before files became weightless. An average filing cabinet weighs about 750 pounds when filled with paper, and these would have been behind locked doors. Stealing paper records en-masse was not feasible for most.
Today, hackers can attempt to breach medical information from anywhere. A 2015 breach from Anthem Blue Cross affected 78.8 million people. Protecting these large repositories of medical data without limiting access to authorized individuals has been a challenge for healthcare and government leaders.
Back to the Table of Contents.
How do data silos block information sharing?
Healthy data is transmissible. Data silos (also known as information silos) are a problem in all sectors that keep digital records, but they present unique challenges in the healthcare industry.
Data silos are much like the silos you can see on a farm. Instead of grain, however, a data silo protects sensitive information from the outside world. Cybercrime can be a lucrative path for a tech-savvy criminal, there’s pretty much always a buyer for sensitive information.
For every barrier blocking hackers from accessing siloed information, there’s the same barrier blocking access to authorized individuals.
For example, Google Authenticator is the standard for protecting access to your accounts. It generates temporary login codes on a specific linked device every time you log in. It’s harder for hackers to get into accounts backed by Google Authenticator, but you’ve added an extra step to your own login process.
In a professional setting, the safeguards can be much more stringent than just using Google Authenticator. Some servers require a specific IP address to access, some force you to change your password regularly with strict requirements, and some separate accessible and inaccessible data based on who is signed in.
The problem arises when people who need the data cannot access it. It’s difficult to strike a good balance between accessibility and security, which has led to the creation of critical laws governing the release of protected health information.
Back to the Table of Contents.
How are medical records regulated?
Medical records contain plenty of private information, and cybercriminals are always looking for ways to access it. Early in the development of electronic health records, the United States Department of Health and Human Services (HHS) began working to ensure medical records are both safe and accessible.
In 1996, HHS wrote the Health Insurance Portability and Accountability Act (HIPAA), the first major legislation to protect medical information. HHS has written additional regulations to reduce weaknesses and adjust to the shifting healthcare environment. These are the Privacy Rule, Security Rule, Breach Notification Rule, and the Omnibus Final Rule.
Additionally, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as part of the American Recovery and Reinvestment Act (ARRA). The HITECH Act enhanced the Privacy Rule and the Security Rule. It also introduced the tiered penalty structure for HIPAA noncompliance.
The HITECH Act is also responsible for the widespread use of electronic health record systems. It set up increasing financial incentives for the meaningful use of certified electronic health record technology (CEHRT). Before HITECH, only about 10% of healthcare providers used electronic health records.
These rules and regulations outline how professionals must handle protected health information (PHI). Failure to comply can result in major financial and criminal penalties, up to $1.5 million per violation per year.
Some states also passed laws to help regulate PHI. When developing a compliance plan, covered entities should always adhere to the most strict rule applicable.
Back to the Table of Contents.
What are the rules of HIPAA?
The Privacy Rule was written in 2003 to enhance patient privacy and the right to access their PHI. It gave patients the right to request, examine, and correct their medical records. They also gained the ability to prevent the disclosure of their PHI to certain parties, such as lawyers and health plans. Additionally, this rule established the “Minimum Necessary” standard, which limits disclosed PHI to only specifically requested records and relevant information.
The Security Rule was written in 2005 to create secure baseline standards to help safeguard PHI. This includes physical, technical, and administrative components, each targeting different areas of potential weakness. This rule is flexible, based on the size, type, and capabilities of the facility in question.
The Breach Notification Rule was written in 2009 to force covered entities and their business associates to take responsibility after a breach. It requires them to notify patients if their medical records have been compromised. The size of the breach determines what actions they must take afterward. If more than 500 individuals lose private information in a breach, the more intensive rule applies.
The Omnibus Final Act was written in 2013 to implement the rules of the HITECH Act and update the Privacy Rule and Security Rule. This further enhanced patient rights, the protection of PHI, and closed gaps that hindered these goals.
Back to the Table of Contents.
What are covered entities and business associates?
To avoid listing out every type of relevant individual in every section of HIPAA and the HITECH Act, HHS created unique terms meant to encompass a wide array of such professionals. They refer to most professionals bound to these standards as either covered entities or business associates.
A covered entity is the primary demographic HHS targeted with HIPAA. Generally speaking, this should be any healthcare or administrative professional who is expected to be handling protected health information. The three main categories are healthcare providers, health plans, and healthcare clearinghouses.
Covered entities cannot do everything alone, however. There are several non-medical aspects of running a healthcare facility that each require professionals with different backgrounds. To protect PHI while in the hands of such individuals, HHS labeled them as business associates.
A business associate is a professional hired by a covered entity for a job that may expose them to PHI. Common examples include lawyers, IT professionals, 3rd-party administrators, independent medical transcriptionists, and more. In order to legally work for covered entities, all business associates must sign the Business Associate Agreement (BAA). This is a unique contract that explains expectations and binds the business associate to maintain HIPAA compliance.
Back to the Table of Contents.
The reason hackers want medical records
Not many people are skilled and malicious enough to breach medical record systems. Electronic health record systems are designed to be inaccessible to unauthorized users, but some people manage to find a back door.
But what do hackers have to gain from breaking into these systems? The same thing most criminals are after, money.
Medical records are treasure troves of private information. From contact information to private details, they can contain everything a cybercriminal needs to assume their identity.
In large breaches, the hacker is rarely the one stealing identities afterward, however. There are websites on the dark web where criminals can purchase private information.
Whether it’s medical records or credit cards, the hacker selling the information is guaranteed profit. Oftentimes, hackers sell stolen information in batches. As such, it can take months after a patient receives breach notification before a criminal tries to use their information.
It’s imperative that covered entities and their business associates stay diligent and adhere strictly to HIPAA regulations. It’s also important that patients are mindful when handling their own medical records because breaches can happen anytime.
Back to the Table of Contents.
Why do patients request records?
The key reason for the average patient to request medical records is to build their personal health record. This is a complete collection of an individual’s medical history. This important tool can help save both patient’s and healthcare providers hours that would otherwise be spent doing administrative work.
The average medical records request can take requestors up to two hours, factoring in the follow-up calls that help ensure a quick turnaround. If the patient stores medical records after the first request, they share them directly with legal and/or health professionals. This saves time for the patient, the custodian receiving the request, and the professional who needs the records.
Additionally, records can be shared more quickly from a personal health record compared to a traditional request. When a healthcare provider receives a medical records request, HIPAA allows them 30 days to fulfill it. A patient with a personal health record, however, can pull and share files in minutes.
This comes in especially handy in an emergency situation. By presenting first responders with relevant medical files, they can work without making assumptions or guesses. This means that keeping a personal health record can also prevent medical errors, which can cause disability or death. By simplifying the methods patients can use to request their medical information, healthcare providers can improve the overall patient experience.
Back to the Table of Contents.
Why do legal professionals request records?
When a lawyer, judge, or other legal professional needs medical records, it is generally for medical malpractice, worker’s compensation, or another type of legal case. Their process for requesting medical records can be more complicated than the average patient.
The ideal method of retrieving patient PHI for a legal case is simply submitting a request for the records with a signed authorization form from the patient. ChartRequest makes this simple by allowing legal professional users to send a digital form for patients to electronically authorize. The patient can refuse to sign this form if they don’t want their medical records disclosed.
The next option is submitting a subpoena directly to the healthcare provider. A subpoena will include the specific records requested, the date that the records are due, and the type of subpoena. The primary types used in healthcare are “records only” and ”appearance and records.” While the healthcare provider or patient can object to subpoena requests, they must have a valid reason for the records to not be released.
Before releasing records, healthcare providers should verify that everything is valid on the subpoena form. Pay close attention to the signature and the date, and be sure not to release the records early. This gives the patient sufficient time to object.
If a subpoena fails, they will likely try to have a judge sign a court order demanding the records. These have higher authority, and they can bypass most patient and provider objections.
Back to the Table of Contents.
Reasons you should coordinate care with another provider
Care coordination is one of the most cost-effective ways to improve patient outcomes and reduce medical errors. It is also one of the easiest ways to get the most value possible out of data.
Directly communicating with another healthcare professional allows you to:
- Ask any questions that arise while looking at medical records.
- Explain your concerns before their appointment.
- Share updates and results to reduce unnecessary tests and treatments.
- Ask for advice or second opinions; two minds are better than one.
Care coordination requires strong referral management skills to achieve the best results. It’s important for healthcare providers to create a list of trusted specialists that they can pull out when patients need additional care. It’s worth reaching out to any healthcare providers on this list to connect before sending them any referrals.
With ChartRequest, healthcare providers can more easily handle referral management and care coordination. Doctor A can easily use the platform to refer patients to other healthcare providers, exchange protected health information, and chat without picking up a phone.
The ease of communication and information sharing we provide healthcare providers helps mitigate the administrative costs of coordinating care. By minimizing the inconvenience and time required to handle these exchanges, we grant them additional time to discuss important issues.
Reducing costs and enhancing communication are key steps toward transitioning to a value-based healthcare system. Ideally, this reduces unnecessary treatments, repeat tests, and medical errors to improve the overall quality of care.
Back to the Table of Contents.
Training staff to handle the release of information
The Roman principle ‘ignorantia juris non excusat’ means ‘ignorance of the law excuses not.’ This is a common legal phrase, and it applies to HIPAA as well. When new staff members first begin to understand the stakes when handling medical records, they can feel understandably daunted.
Fortunately, HHS developed HIPAA to encompass healthcare facilities of all shapes and sizes. The law is strict, yet flexible. As such, it’s difficult to create a perfect one-size-fits-all guide to training staff for your specific healthcare facility.
HIPAA training isn’t just required for new staff. In order to remain compliant, all healthcare staff must have an annual HIPAA training session. Because of the complicated and ever-evolving nature of HIPAA, this would be wise regardless of the requirement.
To help healthcare providers and administrators ensure their staff is ready to begin handling protected health information, HHS assembled a list of HIPAA training resources.
The Covid-19 pandemic has changed how people work, and the healthcare industry has felt the shift as well. Healthcare staff can perform some tasks remotely. This requires the individual to adhere to the physical and technical requirements in their own home
Back to the Table of Contents.
How long should medical records be kept?
HIPAA requires that healthcare providers keep most medical records for a minimum of 6 years. Some types of records, such as any pertaining to cancer treatment, must be kept much longer. In this example, the minimum is 30 years or 8 years after death.
HIPAA regulations are a baseline, and some states have passed laws that extend this minimum timeframe. As mentioned above, you should always adhere to the more strict rule between HIPAA and state regulations. If the law for your state only says you need to keep records for 4 years, you must still meet the HIPAA minimum of 6.
Furthermore, some healthcare providers set minimum standards that surpass both state and HIPAA rules. Electronic health records don’t take nearly as much physical space as paper records – a single hard drive today can hold up to 20 terabytes of information.
HIPAA-compliant cloud services enhance the storability of electronic health records by allowing covered entities to back up and archive medical records. The need to make space for the storage of medical records is no longer as essential.
If you do need to delete expired electronic health records, it’s important to do so properly. The computer doesn’t truly remove data from the hard drive when somebody deletes a file. Instead, it marks the memory blocks as open space and removes the path to find the blocks. You must take special care while handling medical record retention and destruction.
Back to the Table of Contents.
What are the benefits of using release of information software?
There are many reasons why healthcare providers choose to use software to help manage the release of protected health information. For those seeking the top ROI solution on the market, look no further than ChartRequest.
Our workflow is customized based on the user type, so your patient, legal, and healthcare requestors will each enjoy a unique version of the ChartRequest platform. Each one is streamlined to reduce confusion, error, and the time required to submit requests.
The ease of exchange ChartRequest provides breaks down information barriers and reduces the input required by healthcare staff. Users can also connect directly via the provider chat built-in to every request.
Additionally, incoming phone calls for status updates will be further reduced by the transparency we provide. Rather than calling, requestors can either sign into the ChartRequest dashboard or enter their request ID.
In addition to saving healthcare providers time and money, ChartRequest helps protect them from HIPAA violations and audits. Our double QA process, ”minimum necessary” approach, and automatic audit logging reduce medical errors and help ensure HIPAA compliance.
ChartRequest was developed by experts seeking to help improve healthcare. Join the large and growing network of healthcare provider
