When I say the U.S., I do not just mean the U.S. Government. I also mean U.S. and multinational corporations that are loyal only to their bottom line, private U.S. military contractors (otherwise known as mercenaries), the U.S. economy, U.S. buying/consuming habits, and the knowledge, involvement, and activism of the U.S. citizenry.

Daniel Suarez, the author of these books, is a systems consultant and programmer. He knows about the software and devices that run our lives. He has consulted extensively on data security to Fortune 1000 companies. The technology described in his books is all current and real . . . and very frightening. His stories successfully make the point that our identities are so tied into the computer systems that run modern life, that our civilization could not survive without them. As we move toward digitizing our medical and mental health records, we simultaneoulsy decrease errors and increase our vulnerability. Long-term loss of electrical systems in a dozen major cities globally could destroy our entire way of life, including our food distribution system. Even a short-term loss of electricity can throw us into major disarray. But not necessarily . . .

A key element of Freedom^TM, is that sustainable communities that are not totally reliant on centralization of resources can survive even major disruption. Sustainability is defined on Wikipedia as “the capacity to endure.” It is the ability to survive based on a balanced and reasonable use of resources that does not deplete those resources.

Currently, the concept of sustainability is enjoying popularity in some government circles. The EPA, HUD, and DOT have developed a program for developing sustainable communities.  These programs focus on housing and business development in urban and rural areas and how to do it in a way that contributes to the well-being of everyone involved, including wildlife and the earth.

Not-for-profit organizations and think tanks focused on a sustainable future have been appearing over the last decade. Philosophical and spiritually grounded individuals have long taught of the need for changes in how we think and live that will result in our well-being. Even some businesses profess sustainability as part of their business mission.

But without action from concerned, educated, and involved individuals, none of these movements will gain the traction they need to affect how we live.

I have long believed that an informed community is also an activist community. When I take the time to educate myself about the events and issues of the day, I am also motivated to examine those events in light of my own beliefs and values. When the values I hold dear are threatened, I take action. At least, that is what I used to believe. I know a few people who do that, but not very many. I do not share the political values of the Tea Party. I do share their belief that it is the responsibility of citizens to express their opinions and to become involved in the political process . . . after educating themselves about the issues.

I know, I know…you don’t have time to breathe. You already work in healthcare, most of you in the mental health community. You take care of other people as part of how you make your living, you certainly cannot consider taking the time to learn more about what is happening in our country and worldwide so you can become even busier. Getting involved in your community or becoming activist about issues that concern you is just out of the question.

And yet . . . unless more of us take the time to become such activists, we may not have day-to-day activities to be concerned about.

I hope you will read these books when you can. They are very good reads . . . extremely entertaining and very informative. Just view them as a treat to yourself.

Then decide what you need to do.

This is an area that has interested and concerned me for quite a while. As developers of software for behavioral health providers, SOS has for years been monitoring developments in the arena of Health Information Exchange (HIE). This is the method by which Electronic Medical Record (EMR) software will exchange information among providers and healthcare organizations. The HIE is both the process of exchanging information and any repository of that information for easy access by those with rights to the data.

This is the bugaboo that has always bothered me as well as my colleagues in the behavioral health software trade association to which we belong (Software and Technology Vendors Association). SATVA members are committed to assuring that our products share information only as the law allows and as consumers wish.

Work is currently in progress to assure that a universal method of acquiring patient permission for release of their information is part of any HIE. Such a method would undoubtedly allow a patient to specify providers to whom their treatment and diagnosis information can be released and any providers to whom it cannot be released. But what happens when a patient changes their mind?

Here’s a hypothetical example that jumps into the future by a few years, when all or most healthcare providers have EMRs and are connected into their regional HIEs.

John D. is admitted to the Emergency Room of a local hospital after a panic attack that he interprets as a heart attack. Among the papers that he signs is a release for the ER to access any information in the regional HIE about his health conditions. Since he is not thinking very clearly as he is sure he is dying from a heart attack, he signs everything put in front of him. After he is medicated, stabilized and sent home, he wonders about what he signed and which of his health information will now be available to whom. Does he really want his optometrist to know that he was treated with an anti-anxiety medication and prescribed an antidepressant (which he decided not to take)? Is it necessary for his urologist to have this information? What does he do to protect just that ER visit information and keep it from being sent on to other providers?

And what do our mental health and substance abuse patients do to secure their sensitive information?

This process concerns me because of my experience that once a piece of information has been entered into some large electronic database, getting it out may be near to impossible. Several years ago, I attended a conference in New Jersey. I rented a car, drove to the city in which the conference was held, returned the car and paid my bill in a timely fashion, and returned home.

The next time I needed to rent a car was three months after Katrina flooded New Orleans when my mother and I returned to check on her home and attend the funeral of one of my uncles. For some reason, the car was reserved in my mother’s name…the airline tickets were purchased with her card…even though I had placed my name on everything. The rental agency manager noticed something wrong when we picked up the car; there was a block on my account even though there was no balance. She overrode the block, gave me the keys to the car, and we were on our way. I did not give it another thought.

In several return visits to New Orleans, I again rented cars from the same company and always wound up with a car, not even knowing there continued to be a block on my account. Each time the agent or manager overrode the hold and gave me the keys. In November 2010, we arrived in New Orleans on a Sunday. The agent and assistant manager decided they did not have the authority to override the block on my account and there was no one they could contact to clear it. They refused to rent a car to me and offered no solution. They gave me a phone number I could call on Monday, but did not even offer my 90 year old mother and me transportation to another agency. I cursed and swore I would never rent from their unprofessional agency again and called my brother to come pick us up. Fortunately, he was thinking clearly enough to suggest that we go across the highway to a different company and rent a car there.

I did call the company the next day and eventually got the written apology and clearance of my account that I requested. It took six years for this correction of an error to happen.

What processes will we insist be put in place to assure that patients can change their minds about release of information or correct errors or enter corrected information into their records? What kind of advocacy will be required? What do mental health and substance abuse providers need to do to assure that the privacy of their patients’ sensitive information will be handled as they choose?

Please share your thoughts about HIE and EMRs and where we are going with this process.

The difference in attendance speaks to multiple issues. First, Dr. Porter is an excellent presenter who talked broadly about EMRs. His years as a researcher and university professor combined with recent years in private practice give him great credibility. Secondly, the EMR landscape has changed hugely in the past decade with government requirements to migrate patient records to an EMR a distinct possibility.

The psychologists who are my age peers who used an EMR  loved computers and liked doing all their work there. Most of our age-mates would never have considered keeping records that could not be locked up in a file cabinet behind their locked office door. The younger psychologists who are now replacing us in the private practice community are not only willing to consider keeping their records electronically. . . they are willing to keep them online using a Software as a Service (SaaS) type product. The move from needing to hold the patient record in my hot little hands to allowing it to float out there in the cloud is a sea change.

While Dr. Porter presented a great deal of information in the two hours he spoke, there were several items I thought you might find interesting.

1. The American Psychological Association published Record Keeping Guidelines in the December 2007 issue of the American Psychologist. If you are a psychologist and you keep records, you should read them. If you keep behavioral health records but are not a psychologist, you might take a look at them. Such Guidelines frequently become part of the standard of care in a professional community.
2. The APA Guidelines recommend disclosure to the patient of your record keeping procedures, including the limitations of confidentiality of the records. Those limitations of confidentiality lead to a likely need to maintain a separate  record of care for each person you treat, including for each individual member of a family or couple. (Guideline 4)
3. Ofer Zur, Ph.D., a licensed psychologist in California, offers extensive information about and continuing education on record keeping and many other aspects of behavioral health practice. [Retrieved 4/19/2011 from http://www.zurinstitute.com/recordkeepingguidelines.html.]
4. Dr. Zur points out that a treatment plan usually includes problems or symptoms, a diagnosis, goals of treatment, interventions to be used to achieve the goals, and the rationale for use of those interventions.

I would add a quick note about the possibility of a requirement to keep records of psychological care in an EMR. At present, the only behavioral health providers who are Eligible Providers (EP) for ARRA funding to purchase an EMR are psychiatrists and nurse practitioners. Psychologists, social workers, mental health counselors and addiction professionals do not qualify, nor do psychiatric hospitals. While this may change, there is currenly no way for most mental health providers to obtain stimulus funds. At the same time, there is no requirement for them to move to an EMR, nor will they be penalized for not doing so (psychiatrists and nurse practitioners may be subjected to Medicare withholds). Fortunately, most of the products aimed at the private mental health practitioner are relatively inexpensive and can easily be obtained without resorting to government funding or a second mortgage on your house.

While an electronic medical record can be a powerful way to significantly increase the quality of the records maintained by you and your organization, you must know what you are required to maintain in the record. . . by the governmental jurisdictions and the professional guidelines to which you are subject.

How does your organization determine what goes in the client’s record? Who is responsible for those records? Are you using an EMR, a paper record, or some hybrid system?

Please share your thoughts on records in the Comments below.

The rate at which users want to be able to access their work applications remotely has grown geometrically. Fifteen years ago, we were asked about remote access a couple of times a year. Five years ago, that increased to a couple of times a month as many more users wanted to be able to access their software from home. Now, everyone who carries a laptop, or even a smart phone, wants to be able to do everything they need to do for their jobs from wherever they are located with whatever device they have handy.

Whew! If only they realized what an expectation that is! And, all of these expectations complicate the issue of security in ways that those of us who are not very technically savvy cannot imagine. But imagine we must…if we plan to protect PHI, that is.

First, the issue of backup. This is the primary way in which you protect the security and integrity of client information. If you do not have a usable backup from which you could restore PHI in the event of a catastrophe, you are only one step away from having allowed the destruction of your client’s PHI.

Yes, the identifying demographics together with the diagnosis you use to file claims is PHI and is protected under HIPAA. Everything you have in an EMR is PHI. Yes, you are responsible to assure that this information is intact, safe from destruction, and secure from preying eyes (and hacks). Without a usable backup (preferably encrypted) stored in a secure location ready at a moment’s notice to replace data on your computer system, you are not even doing the most basic things necessary to provide protection to your patients. You could probably be demonstrated to be guilty of ‘willful neglect,’ the level of culpability that will generate the highest of fines from HHS and OCR under their HIPAA authority.

If you are not sure of what kind of backup strategy is minimally adequate, take a look at the backup recommendations and product suggestions we make to our customers.

The issue of remote access, especially from handheld devices like smart phones and iPads, is one that concerns me considerably. HIPAA requires that we must provide for the security of PHI while it is at rest (on a computer drive or CD or smart phone) and while it is in motion (being transmitted from one location or device to another).

Access tunnels like a secure VPN or MS Terminal Services are specifically designed to assure the safety and security of the data being transmitted through those tunnels. Those of us who are not very technically sophisticated may assume that the developers of the iPad and smart phones have already taken care of equivalent security for us. Not so, folks. While there are some products that will provide that security, they are not built into those hand held devices and we are on our own to find them.

Do you realize what that means? Do you understand that using your cell phone to access your desktop computer and patient information without adding specific protection assures that your data are vulnerable? There is not built-in security in your telephone or tablet. Even having your client names and phone numbers in your telephone contact list is potentially a breach of their privacy.

No one has volunteered to create a secure environment for your data…that is your job. You must do the research and determine which products will give your PHI the greatest protection.

Not being informed about a problem of insecurity is not considered an excuse by HIPAA. You must know what security your devices use to assure the safety of PHI. Do you have password protection on your phone? Do you have a way of wiping all data from the phone if you lose it or it is stolen? Have you initiated the services that are available to accomplish those purposes?

I know, this has started to sound like a rant. I do not mean to suggest that everyone is acting irresponsibly with client PHI. I do mean to suggest that we take a much too casual attitude toward protection of that PHI…especially when it comes to technologies about which we know little but assume much.

What policies does your organization have in place about use of portable devices and the protection of PHI? Have you found products that are wonderful to accomplish that protection? Will you share their names and your experiences with the rest of us?

Please enter your comments below.

A new study published in The Journal of General Internal Medicine suggests that email contact with a trained psychiatric nurse can dramatically improve the outcome of medication treatment for depression by internal medicine practices. Reported in Healthcare IT News on March 17, the study was a follow-up to a similar study using telephone contact with patients who had newly been started on antidepressant medication. According to the report, the email messaging was even more effective than a telephone call in improving the benefit of the medication.

The study utilized 208 members of Group Health, a consumer-governed, nonprofit, integrated healthcare organization that coordinates care and coverage for 600,000 individuals in Washington state and Idaho. The Group Health Research Institute (GHRI) was the responsible research organization. GHRI  is a non-proprietary, public-domain research institution within Group Health.

The Group Health plan includes a patient portal that has access into the organization’s electronic health record. According to the abstract of the article, the Intervention consisted of:

 Three online care management contacts with a trained psychiatric nurse. Each contact included a structured assessment (severity of depression, medication adherence, side effects), algorithm-based feedback to the patient and treating physician, and as-needed facilitation of follow-up care. All communication occurred through secure, asynchronous messages within an electronic medical record.

This study was motivated by poor improvement outcomes reported nationally for depressed individuals treated by their primary care providers with antidepressant medication. The goal of the entire research project is to determine if use of an organized plan of treatment including evidence-based follow-up services would result in greater effectiveness of medical therapy.

A significant movement is developing within the U.S. to improve outcomes of our healthcare system by providing services in non-traditional ways. The Connected Healthmovement seeks to improve healthcare services and outcomes by use of technology to remotely monitor and provide services. Partners Healthcare Center for Connected Health has been a pioneer in this effort. Their web site states the goal in this fashion:

Changing Healthcare Delivery

We are engaging patients, providers and the connected health community to deliver quality care outside of traditional medical settings. Telehealth, remote care and disease management initiatives reflect the opportunities for technology-enabled care programs.

What potentials do you see for the use of electronic methodologies like secure email communication with clients within your organization? Are you already engaged in such endeavors? What do you see as the obstacles to such care? What are the potential benefits to your clients? How do we get from here to there?

Please share your experiences, concerns and other comments below.

As I look at the huge changes that are happening, I find myself  thinking about how individuals handle change.

To oversimplify, it seems to me that there are people who seek out change and all things new…the thrill-seekers of the world. Then there are those who fight change of anything at all costs…the ultraconservatives of the world. And, of course, there are those in the center who struggle to embrace changes that seem constructive while trying to hold onto what they value in the old . . . a delicate balancing act. How do you deal with change?

I am one of those middle-of-the-road people who likes things to stay mostly the same, as long as people are not hurt by that sameness. I like to do the same things day-to-day in very similar ways. I like to experience lots of things, most in moderation (except for reading), but is difficult for me to do new things just for the sake of doing something new…except for traveling to new places. I do not dive into new technology or new software programs if the old are doing the job for me.

I know, I know . . . those of you who know me as a radical feminist and politically liberal woman will be amazed by those statements. After all, I actively endorse public and personal ‘policies’ that support dramatic social change so more people have the right and ability to seek their happiness and success and to be safe and secure as they do so. Nevertheless, those who work with me know of my strong tendency to say ‘no’ first, and only later to consider the new way of accomplishing something. I am comforted by the familiar and will face the anxiety caused by the new only if I deem the potential benefit to be worth the discomfort.

I share this perspective on myself to encourage you to assess your own responses to change.

Are you the first in your group of colleagues and friends to try out a new assessment technique or therapeutic modality, new computer or software? Do you go to all the workshops because they are fun and stimulating rather than just to meet the requirement for continuing education credits? Have you already started using an EMR or clinical record software product?

Or do you fall on the side of ‘If it ain’t broke, don’t fix it’? Do you prefer the comfort of seeing clients in the same way you have always done so without feeling the need to explore new methods? Are you determined that you will not move to an EMR? Electronic prescribing? Patient portals? Will you just retire before it is required that all behavioral health professionals participate in the electronic record revolution?

How does your personal approach to change affect your opinions about and participation in your organization’s direction? Are you leading the charge for change or being dragged along by those who are racing ahead? Are you just sitting back and taking a wait-and-see posture rather than jumping into the fray?

Please share your experiences with change and how your personal approach is affecting your view of the move to Electronic Medical Records. Just enter your comments below.

The rush to EMRs that can share information with one another (interoperability) has as its goal diminished costs and increased quality of health care. The need to keep that information secure and private is usually dealt with almost as a side issue. I have often heard statements like these: “Why, of course the data will be protected. Why are you so worried about keeping data private? Sharing it with other providers is much more important than privacy. Some compromises will need to be made . . . ”

The American Medical Association, in their discussion of patient confidentiality, briefly indicate their concerns about EMRs.

Electronic health information systems allow increased access and tranmission [sic] to health data.  Physicians in integrated delivery systems or networks now have access to the confidential information of all the patients within their system or network. Confidential information also is disseminated through clinical repositories and shared databases. Sharing this information allows patients to be treated more efficiently and safely. The challenge for physicians is to utilize this technology, while honoring and respecting patient confidentiality.

Sharing confidential information among treating professionals is only one aspect of this issue. Now we must consider to the issue of sharing the electronic data with the patient.  

According to John Fully on nextgov, patients want access to the information stored in the electronic records about them maintained by their physicians. 93% of patients have rarely or never asked their physicians for electronic copies of their data, but 70% say it is very important to them that doctors and hospitals provide those electronic records. 60% of patients and over half of physicians say sharing information from EMRs with patients will be a crucial measure of how successful health care reform and provision of stimulus dollars has been.

One potential method for sharing those electronic records is the Personal Health Record (PHR). After all, having an electronic copy of the physician’s record but having no way to store or to access it will not be a very beneficial state. As a result, provider organizations, payers, and even Medicare have begun to connect EMRs, claim histories, and PHRs as an effective way of tracking your health.

Even so, patients are hesitant.

. . . while the products use some of the same technology that banks use to secure financial data, some patients remain wary of putting health information online. Only about 4% of the online population uses Internet-based PHRs, according to Elizabeth W. Boehm, a principal analyst at Forrester Research Inc. in Cambridge, Mass. Many people don’t see the need, Ms. Boehm says, while others are nervous about putting confidential health information online.

That figure is telling. It is not that only 4% of patients use a PHR . . . only 4% of the online pupulation uses one . . . only 4% of the people who use the Internet all the time utilize an online PHR.

I have registered for the PHR used by my insurer. The Privacy policy says all the right things. I have entered some information into it, but I am still hesitant to put everything there. The conventional wisdom is that these programs are secure. I’ll give you an example of why I am slow to completely adopt.

About 18 months ago, I noticed that one of my mother’s physician claims was rejected by her Medicare supplemental plan. When I looked at the EOB more carefully, I noticed that it had been filed on my insurance plan rather than on my mother’s Medicare supplement plan. Since we both have the same insurer, I telephoned, explained what had obviously happened and was assured that it would be corrected. When I checked my PHR today prior to writing this blog, I found that claim still sitting in my record.

I have never been a patient of the physician who filed the claim, so I know he did not file the claim with my insurance information. I am thirty years younger than my mother and my first name does not come close to hers. But the same last name and address resulted in this confusion that has not yet been corrected. I cannot help but wonder what other two bits of information might result in the confusion of something important in my file and that of some stranger. Since this payer automatically adds claim information to the PHR, their system now sees me as the patient of a cardiologist . . . something I have not yet become. I wonder what other data confusions I have in store.

What is your take on PHRs? How do you see them affecting the behavioral health community? Please enter your comments below.

If you are unfamiliar with the events, this CBS News report will give you a four-minute overview. To make it short . . . Roommate 1 and his friend decide to publicly out his gay Roommate 2. Roommate 1 sets up webcam in their shared dormitory room, records and then, with the help of friend, publishes online Roommate 2 making out with his male date. Roommate 2 is so humiliated that he announces his suicide on Facebook and jumps to his death from the George Washington bridge. Tyler Clementi’s suicide was the fourth widely reported death by suicide of an LGBT teenager in the past few months.

Roommate 1 and his friend have been charged with invasion of privacy. It is yet to be decided whether they will also be charged with a hate crime.

Both Kathleen Parker and Meg Riley conclude that all of us must assess our own behavior and determine how we can behave differently to preclude such events in the future. Parker’s solution would be accomplished by the community of ‘decent’ folks refusing to tolerate invasions of privacy. . . our own or that of anyone else. Riley’s focus is on bullying of lesbian and gay kids and argues that we must ‘stand on the side of love’ refusing to allow people to be victimized because they are different from most of us in any way.

Reading these articles and viewing the news report on these sad events inevitably makes me think about our current rush to electronic medical records (EMRs) in the world of behavioral health care and chemical dependency treatment. How will be assure the protection of the privacy of the vulnerable populations we treat? Will we put them even more at risk by how we handle the records of their treatment?

I am reminded of a conversation with a customer several years ago. They were in the process of implementing their second try at an EMR. They were working on issues of security and access to data, and were attempting to make decisions about how to handle employees who read the treatment records of clients they have no business viewing. One of their experiences was with a staff person reading the record of a neighbor; another was a family member viewing a cousin’s record.

Of course, these breaches of privacy could almost as easily occur in a paper record world. Pulling a file off a shelf or out of a file drawer is not much harder than calling the record up on the computer. The paper record probably takes a bit more effort and sneaking around than just logging into the EMR that sits on the organization’s network and taking a quick look at what is entered there. Cases in California two years ago emphasized this; medical and nursing staff who had a right to view hospital records did not seem to hesitate at viewing the records of celebrities in their hospital for treatment, whether involved in their care or not. 2009 laws in California increased reporting requirements if inappropriate access of records is discovered. Last year’s HITECH requirements also focus this issue.

It seems to me that the more important issue is how we address the matters of human curiosity and discomfort with others . . . whether celebrities or LGBT clients. How do we create a culture of respect for other people and their right to keep their own information private? Where do we draw the line in our own lives? Do we gossip and tease and reveal secrets shared with us? Or do we empathize and protect and defend those in our lives who are different?

Please share your comments below.

HHS is finally gearing up to begin this study and the Substance Abuse Mental Health Services Administration (SAMHSA) has been tasked with organizing and conducting the study.

September 7, 2010

 

 The Substance Abuse Mental Health Services Administration (SAMHSA) is conducting a Confidentiality and Privacy Issues Related to Psychological Testing Data study, in close cooperation with the Office for Civil Rights (OCR) pursuant to section 13424 of the Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5). This study is addressing whether the HIPAA Privacy Rule’s special protections relating to the use and disclosure of psychotherapy notes should also be applied to “test data that is related to direct responses, scores, items, forms, protocols, manuals or other materials that are part of a mental health evaluation.”

 

As part of this study, SAMHSA is hosting public meetings to bring together professionals in the areas of mental health and privacy protection to discuss current practices and the policy implications surrounding this very important issue. The next regional public meeting will be held at the U.S. Department of Health and Human Services Region 5 office in Chicago, Illinois, on October 7, 2010. The details of this meeting, as well as the project staff contact information, are contained in the embedded brochure…. 

 

Some of the issues that will be addressed are included on page two of the brochure.

What  activities  and  information  are  considered  the  “test  data”  that  is  part  of  a  mental health evaluation?  What are the relevant distinctions among test materials, raw data, and reports  or  assessments  with  respect  to  the  level  of  protection  currently  afforded  and/or otherwise necessary?

Are  there  circumstances  under  which  test  data  should  be  disclosed  to  third  parties?  Should  the  individual’s  authorization  be  required  prior  to  such  a  disclosure?  To  whom should test data be released?

How  would  affording  mental  health  test  data  a  higher  level  of  protection  affect  the workflow  in  medical,  behavioral  health,  or  psychological  practices?  Are  there  any additional  implications  with  respect  to  clinical  integration  efforts  and  the  increasing
availability of mental health services in general health care settings?

Another regional meeting is planned for Los Angeles in November or December. SAMHSA does not indicate whether others will be held. This is certainly an important opportunity to have your voice heard if you are a practitioner whose primary work is psychological testing, if you are a consumer of services who might want or not want raw test data to be shared among treating professionals without your specific authorization, or if you are a potential recipient of such data.

Is the protection of psychotherapy notes and psychological test data an issue for your practice or organization? What guidelines do you currently follow in determining how such data are released? How would new rules affect you?

Please share your comments below.

HITECH provides for stronger controls. It requires that the provider be able to inform the patient (upon the patient’s request for the information) about all the times that PHI has been released by the organization (disclosures), to whom it was released, and the purpose of the release. This includes release of information for operations and billing. If you send claims to an insurance carrier via a clearinghouse, you would need to be able to document every time a claim was sent and that it went to both the clearinghouse and the insurance company. If you send it to the payer directly on their web site, you would still need to be able to document every time you did that.

HHS has been gathering comments from provider organizations about the burden this will place upon them. How the rules are ultimately written remains to be seen.

At the same time, the HealthIT Policy Committee has been working on a framework for privacy and security of PHI as we move toward EMRs and the electronic exchange of identifiable personal information. An attempt is being made to come up with methods and understandings that will allow a national standard and method of exchanging PHI in spite of different laws and requirements in each of the 50 states. A Privacy and Security white paper series explores these issues.

Part of the current concern is the point in an exchange at which a specific consent should be required from a patient for release of their information. It is believed that patients feel fairly secure when provider #1 releases information to provider #2 whether the provider is a lab or another physician. Trying to determine the point at which comfort in an exchange is lost and the requirement of consent is triggered is part of the challenge. For example, if provider #1 has consent to send information to provider #2 but the only method of doing so is through a third party (like a clearinghouse or directory), does additional consent need to be obtained for that transaction? What kind of situation must exist to trigger a patient’s right to “opt out” of the electronic transaction.

These are important issues that pertain to information electronically exchanged for billing and operations as well as for treatment. Avoiding the use of an EMR will not shield you from addressing these issues if you send claims electronically. . . even at a payer’s web site. 

What do you think about protecting the PHI of the consumer of services?  What are you doing to assure that you meet the requirements of the law? Please share your thoughts and comments below.