Proposal protects medical records


While working a clinical rotation at a children’s hospital, University of Minnesota nursing school graduate Mary Reinhardt often wanted to check back on patients’ progress after they left her care.

But she understood that even well-meaning records access can be a breach of privacy.

This stringency in medical records privacy is mirrored in a federal proposal that would allow patients to view who has accessed their medical records, whether digital or paper copies and whether for legitimate or clandestine purposes. The proposal came last week from the U.S. Department of Health and Human Services.

“You get involved in someone’s life and care,” Reinhardt said. “If it was a paper record, you could look and no one would ever know. With electronic records, there’s no room for that.”

The proposed legislation is available for comment on the Federal Register until August and would not take effect until 2013. It rides a tailwind of medical record mishandling in Minnesota.

Last month, Allina Hospitals and Clinics fired 32 health care workers for looking up medical information about a patient who overdosed and set off a high-profile criminal case. In April, Fairview Southdale Hospital in Edina, Minn., lost a box with 1,200 patients’ health information.

The proposal falls under the Health Insurance Portability and Accountability Act of 1996, which created national standards for the security and privacy of electronic health data. Hospitals are currently required to let patients know if their file has been inappropriately accessed, but do not have to give them a printout of who has viewed the records.

The proposal would also give patients a list of any outside agencies that accessed their medical record, like law enforcement officers, judges or public health investigators.

John Jensen, assistant director of the University’s Privacy and Security Project, said the additional information would be empowering to patients. Jensen’s office handles privacy concerns for Boynton Health Service, which rarely gets complaints from students, he said.

“By being more transparent, we’re providing tools to our patients to take charge of their health care and not to be a passive participant,” Jensen said. “We are benefited by an informed population.”

Boynton Health Service has measures in place to ensure patient privacy and so far has avoided a major records scandal like those at Allina and Fairview.

Boynton records the date and time of staff members’ trainings on how to handle medical records because federal auditors cross-check to make sure employees have gotten the training before they are ever given access to the records, Jensen said.

Auditors want to know, “Did you give them the keys to the city before you did the background check?” Jensen said.

The U.S. Department of Health and Human Services is required by law to provide a list of institutions that have had breaches of unsecured protected health information affecting 500 or more individuals.

Mayo Clinic, Mankato Clinic and several other Minnesota entities have been responsible for breaches that put more than 30,000 medical records at risk for unauthorized access in 2010 and 2011.

Fairview Health Services said in an April statement that employees were “unable to confirm” if a box containing health information from 1,200 patients arrived at its destination during a February move. Fairview offered a year’s subscription to an identity protection service to the patients affected.

Lois Dahl, Fairview’s information privacy director, said most patients have no idea of the number of people that have valid reasons to access medical records. Front desk staff that help at check-in, medical records staff that code a patient’s claim, pharmacists, billing staff, doctors and nurses may have viewed any one patient’s electronic records.

While seeing a full list of who had accessed one’s record might be assuring to someone familiar with health care facilities, Dahl said she thinks “it would raise a lot of questions” to someone who is less familiar, and answering those questions “could be very time consuming,” depending on how many people exercise their right to the disclosure.