Wednesday, June 7, 2023

HIM Perspective on Patient Engagement

Submitted By: 2022-2023 Consumer Engagement Committee

What is Patient Engagement?

Patient engagement means the patient is informed about their healthcare conditions and is more involved in decisions related to their own health. Patients can be more involved by using the tools available to them, such as patient portals provided by their healthcare providers. “Patient engagement is a strategy that encourages patients to stay actively engaged in managing their own health and make informed decisions about the same.” (Prasad, 2023).

Patient engagement improves patient outcomes and lowers costs of care. With the patient being more involved in their care and in contact with their providers through patient portals, these measures can reduce emergency room visits and enhance the patient’s overall health outcome. Patients should have some input into the health decisions so that their providers are able to include the patient’s desires for their expected outcomes into the decisions that they make for their patients. When a patient is more involved in the decision making of their care, the patient will be more apt to follow the recommendations by the provider. This is a big reason why patient engagement is important, because a better patient health outcome is the ultimate goal.

“Patient portals have demonstrated benefit by improving adherence to medications and providing patient-provider communication.” “Many healthcare providers design and implement patient portals to increase patient engagement because these tools give patients convenient, 24-hour access to personal health information from anywhere with an Internet connection.” (Meyer, 2021)

Health Information (HI) Professionals can assist in patient engagement.

“But the change in the way patients consume their health information means today’s HIM professional plays an important role in giving healthcare consumers the tools needed to make all interactions and communications with their providers meaningful and efficient. The HIM professional is an important part of a team of care professionals at an organization that promotes a culture of valuable service to the patient.” (AHIMA, 2016)

HI Professionals have an important role in patient engagement by making sure that patients have the tools needed to ensure their interactions with providers are significant and effective. HI Professionals can ensure that patients are able to access their health information when needed through patient portals, printed copy, and record sharing. HI Professionals can provide patients instructions on how to access their medical records. After patients view these records, if they feel there is any inaccuracy in their record, HI Professionals will help the patient seek an amendment for the inaccuracy in the record. In addition, the HI Professional can be a patient advocate who works in partnership with clinical staff, ensuring accuracy of the information through documentation and proper coding/billing.

An HI Professional is a vital part of the patient care team. They provide the patient with easy access to their records, help with the use of patient portals, and serve as advocates between the patient and care providers, resulting in a better health outcome for patients.

References                             

AHIMA. (2016, March 10). HIM Professionals Play Vital Role In New Age Of Consumer Engagement. Retrieved from Health IT Outcomes: https://www.healthitoutcomes.com/doc/him-professionals-play-vital-role-in-new-age-of-consumer-engagement-0001

Hahn, C. (2022, November 14). What is Patient Engagement and Why is it Important? 2022 Guide. Retrieved from EasyPractice: https://easypractice.net/patient-engagement-2022/

Meyer, H. (2021, December 8). Patient Portals: A Valuable Tool For Improving Patient Engagement. Retrieved from providertech: https://www.providertech.com/patient-portals-tool-for-improving-patient-engagement/

Prasad, A. (2023, April 9). Patient Engagement. Retrieved from RevenueXL Accelerating Healthcare Revenues: https://www.revenuexl.com/resources/patient-engagement

Thursday, January 5, 2023

How Medical Audits Benefit our Patients and Providers

Submitted by: Grace Doumanian, RHIT, CCS, and Angela Hulvey, RHIT, CCA
FHIMA Consumer Engagement Committee

What is medical auditing? AAPC defines a medical audit as “a systematic assessment of performance within a healthcare organization” (AAPC, 2022). Most audits look at payer reimbursement and a facility's payment for giving medical service. These audits keep coding and billing errors in check. Audits are important for the consumer as they find inaccuracy issues caused by a lack of medical documentation or the creation of erroneous billing. Medical audits prevent fraud caused by habitual overcoding and overbilling, which can help keep insurance costs low.

Medical coders specializing in auditing must validate the diagnostic-related group (DRG). A nurse with a background in coding can perform clinical validation. The two work together to confirm that appropriate assigned diagnostic and procedure codes accurately reflect the care and treatment provided as well as the condition of the patient. DRG assignment impacts facility reimbursement and the case mix index (CMI), where the average relative DRG weight of an inpatient discharge reflects the complexity and severity of the illness of the facility's patients.

DRG audits can be done internally by an employee of the hospital, or the insurance company will flag target DRGs sent to an outside company. This outside company is contracted with the insurance company to ensure the appropriate DRG is assigned and properly paid. If the insurance company determines there was an overpayment to the facility, the facility must reimburse the payer.

Target DRG claims involve complications or comorbidities (CC) and major complications or comorbidities (MCC) that impact reimbursement. The presence of two or more diseases (comorbidities) and complications can greatly impact a DRG and the reimbursement, with a possible flag for an audit. It is important to validate these specific conditions and confirm the current treatment. Secondary diagnosis codes must meet the Uniform Hospital Discharge Data Set (UHDDS) definition of a secondary diagnosis, which is "those conditions that coexist at the time of admission or develop subsequently, and that affects the patient care for this current episode of care" (ACDIS, 2022). During a patient's stay, conditions require treatment and monitoring.

The patient's medical record documentation must be consistent. If documentation is inconsistent, incomplete, or inaccurate, the facility should query the attending physician to validate the condition (AHIMA, 2019). Documentation in the query should support the diagnosis/condition in question. Medical audits are beneficial as they decrease patient risk and raise a facility's reliability. Patients can trust that the facility providing their care is doing the right thing and accurately documenting their treatment. Providers benefit from medical audits as these audits reduce habitual overcoding and overbilling and ensure accuracy.

References

AAPC. (2022, May 2). Medical auditing. AAPC. Retrieved December 13, 2022, from https://www.aapc.com/medical-auditing/medical-auditing.aspx#whatDoesaHealthcareAuditorDo

AHIMA. (2019). Guidelines for Achieving a Compliant Query Practice (2019 Update). American Health Information Management Association. Retrieved December 13, 2022, from https://bok.ahima.org/doc?oid=302673#.Y5iDtsvMJUs

ACDIS. (n.d.). Q&A: Primary, principal, and secondary diagnoses. Retrieved December 13, 2022, from https://acdis.org/articles/qa-primary-principal-and-secondary-diagnoses-0

Friday, June 25, 2021

Information Blocking & Access: Bridging Compliance in Release of Information

The FHIMA Advocacy and Public Policy Committee keeps our members informed regarding information blocking and access, and bridging compliance in the release of information. Tools you can use are listed below:

1.    The ONC Cures Act Final Rule implements interoperability requirements outlined in the Cures Act. Patients need more power in their health care, and access to information is key to making that happen.

Putting the patient first in health technology enables the healthcare system to deliver:

  • Transparency into the cost and outcomes of their care
  • Competitive options in getting medical care
  • Modern smartphone apps to provide them convenient access to their records
  • An app economy that provides patients, physicians, hospitals, payers, and employers with innovation and choice

2.   Frequently asked questions regarding ONC's Cures Act Final Rule on information blocking. Link: Information Blocking FAQs

3.   Lauren Riplinger, JD, Vice President of Policy & Government Affairs for AHIMA was interviewed recently by McGuireWoods LLP regarding information blocking and trends in interoperability. Here's the link to this free video: https://youtu.be/uHNpcSXDYYY

4.   Information Blocking & Access: Bridging Compliance in Release of Information free webinar from Verisma. Presenters are:

  • Elisabeth Myers, MBA, Deputy Director, Office of Policy, HHS Office of the National Coordinator for Health IT
  • Timothy Noonan, JD, Deputy Director for Health Information Privacy at the HHS Office for Civil Rights

This free webinar is an unprecedented opportunity to learn directly from the Office for Civil Rights and the Office of the National Coordinator for Health IT, the agencies that oversee and enforce regulations concerning access and interoperability of protected health information.

Access is at the heart of new regulatory changes that impact Release of Information (ROI) policy and practices. Agency experts will discuss the regulatory goals and vision, how their respective Rules protect and promote access, and their plans for education, technical assistance, and enforcement. They will answer questions posed by participants and discuss how best to approach health information access and compliance. Don’t miss this important agency discussion of patient access to their health information.

Learning Objectives:

  • Understand how the ONC Cures Act Final Rule promotes access through technology innovation
  • Understand how the OCR proposed modifications to the HIPAA Privacy Rule advance access through policy modernization
  • Consider how covered entities should adopt and adapt for compliance in the coming year. Identify the specific impacts for release of information.

For your reference, here is a link to the recording (password: Verisma616): https://bit.ly/3gwNmqU

5.   AHIMA's "On-Demand- Practical Steps in Complying with The 21st Century Cures Act and Information Blocking." Purchase Product #: AUDA020121. Category: Webinar Recordings. Receive a high-level overview of the Cures Act Final Rule. The presentation also includes an information blocking checklist that can help with compliance. Earn 1 CEU.  

6.   View the ONC Cures Act Final Rule here

Tuesday, June 8, 2021

FHIMA's Public Comment Letter to HHS OCR Regarding Proposed Modifications to the HIPAA Privacy Rule

 

May 4, 2021

 

Robinsue Frohboese
Acting Director and Principal Deputy, Office for Civil Rights
U.S. Department of Health and Human Services (HHS)
Attention: RIN 0945-AA00
Hubert H. Humphrey Building
Room 509F
200 Independence Avenue, SW
Washington, DC 20201

Regarding: RIN 0945-AA00, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM

Submitted electronically via www.regulations.gov


Dear Acting Director Frohboese:

Thank you for the opportunity to provide comments on the Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement (NPRM).

The Florida Health Information Management Association (FHIMA) is a nonprofit component state association of the American Health Information Management Association (AHIMA), with over 4,100 health information (HI) professional members statewide.

FHIMA affirms and supports the public comments submitted by AHIMA in their March 22, 2021 letter to Acting Director Robinsue Frohboese.[1]

Like AHIMA, FHIMA represents professionals who work with health information and health data across the healthcare continuum of care. FHIMA’s mission is to “empower Health Information Management professionals to impact health by advancing best practices.” We empower people to impact health which “drives our members and credentialed HI professionals to ensure that health information is accurate, complete and available to patients and clinicians. Our professionals work at the intersection of healthcare, technology and business and can be found in data integrity, information privacy and security and revenue cycle job functions worldwide.”[2]

FHIMA actively supports value-based healthcare, care coordination and case management communications among individuals and covered entities (including hospitals, physicians, and other health care providers, payors, and insurers). The proposals in this Notice of Proposed Rule Making (NPRM) seek to address these areas while continuing to protect the privacy and security of individuals’ protected health information.

FHIMA supports patients having timely access to their own protected health information (PHI), and electronic protected health information (ePHI), and data as a necessary foundation for patient engagement. PHI provides patients and consumers with “a driver’s manual and roadmap,” promoting a greater awareness and understanding into their own health and healthcare options, as they work towards achieving better health for themselves and their families. 

Our FHIMA members have asked us to share a few additional public comments and, wherever possible, provide some examples to the OCR. These public comments do not seek to replace those already offered by AHIMA, which we fully support and affirm.[3] Rather, they are being submitted to offer additional thoughts on the proposed rulemaking.

·         The comments are divided into three main sections below: 

o   Section One addresses general public comments, and this section is further divided into eight general categories.

o   Section Two addresses proposed legislation in the State of Florida in the areas of patient access, timelines, right to examine original medical records, fees, legal representative access to client’s medical records, etc.

o   Section Three is an “ask” from FHIMA to expand the HIPAA Privacy Rule to include third-party application developers and their applications.

Section One: General Public Comments by category as follows:

1.       Timelines:

o   Recognition and consideration that one size does not fit all “covered entities.” Depending on their size and financial situation, some covered entities will have no problem with this shorter timeline, while others will.

o   For example, covered entities may experience:

§  Lack of access to up-to-date technology:  

§  Perhaps assumptions may have been made that all covered entities have access to technology, and if they do, that this technology is kept up-to-date.

·         For example, Matthew A. Michela, President and CEO of Life Image, said in a statement, “The medical imaging Data Company also found most healthcare groups aren’t using digital technologies to share info with patients, with 66% still relying on paper and 32% using CDs[4].”

·         Recognition and consideration of the barriers that hybridized legacy systems pose for covered entities, which complicate searching multiple databases and systems to fulfill requests for records. An informal poll taken reflects that some of the covered entities have anywhere from eight to forty-three different databases they must search when processing and fulfilling requests for medical records.

§  Lack of Access to Broadband: All covered entities do not have access to broadband. Recognition and consideration of the barriers posed by America’s digital divide. Digital deserts affect care coordination and case management communications among individuals and covered entities, so what would appear to be noncompliance by the covered entity may be the result of this.

·         In conjunction with the Federal Communications Commission (FCC), FHIMA has been educating and working with our Florida State Legislators on legislation to increase the awareness and the need for improving broadband penetration for Florida’s healthcare providers.

·         For several years now, FHIMA has been educating and working with the Florida Hospital Association and the Florida Medical Association on Florida legislation and regulations in order to improve and address access to broadband and telemedicine in Florida.

§  Lack of Access to Trained Staff: Do all healthcare providers have access to trained staff? Do they ever experience staff turnover and shortages affecting the capacity to process and fulfill a fifteen-day turnaround time?

·         Perhaps assumptions may have been made that all covered entities have adequate, experienced, trained staff. For example, one of our Florida trauma centers, which has a hybridized, legacy system, receives and processes 12,000 to 14,000 medical record requests each and every month. Recognition should be considered regarding the volume of requests received and how this may impact the timeline and the financial burden this volume places on the covered entity.

§  Recognition and consideration of the barriers posed by America’s increasing healthcare cybersecurity intrusions, to include ransomware, and the issues these pose on the capacity to fulfill a fifteen-day turnaround time. In some cases, patient records are never recovered.

§  Recognition and consideration of the barriers posed by America’s increasing medical identity theft, which poses barriers both to the proposed fifteen-day timeline for turning around medical record requests and to the privacy and security of patient information.

·         For example, a Florida patient applied for a business loan at their local Florida bank. The loan was approved and the patient was asked to come in to complete the loan process. While scheduling this appointment, the individual said that it would be a couple of weeks before he could make it in because he was currently in the hospital. The bank’s loan processor was able to locate the hospital where the loan applicant was being hospitalized. The loan processor completed the patient-directed access request to a third party and sent it to the hospital, which in turn processed the request. The information released to the bank’s loan officer contained substance abuse medical records for the loan applicant. The loan was subsequently withdrawn by the bank. This case is currently in litigation.

2.       Strengthening the Access Right to Inspect and Obtain Copies of PHI

·         “OCR proposes to require covered entities to allow individuals to take notes, videos, and photographs using personal resources after arranging a mutually convenient time and place for the individual to inspect their PHI including points of care where PHI in a designated record set is readily available for inspection by the patient.” FHIMA “…supports the right of individuals to inspect their PHI, however, we have concerns regarding how this provision might be operationalized in a manner that minimizes provider burden and maintains patient privacy. For example, this proposed requirement will require additional training and education of all staff to ensure that a patient is only recording their own PHI. For requests made during the point of care, we are concerned that such a requirement could lead to workflow disruptions, taking providers away from their operational purpose because responding to access requests are not always in the clinical workflow. We are also concerned about the potential for liability to a covered entity when certain elements of PHI have not been incorporated into the record yet (e.g.—lab values, imaging, etc.) and an individual takes a photo and/or video of their PHI which in turn, is relied upon for care by another provider. Additionally, we seek clarity on whether covered healthcare providers would be allowed under this provision to object if an individual’s recording and/or photograph includes the provider.”[5]

·         To add to this, FHIMA is concerned about some of the physical building structure requirements in operationalizing this provision in the healthcare office setting. Is there enough of a private and secure area for the staff and patient to allow for this function to be conducted outside the daily workflow within the healthcare provider’s office? Once again, one size does not fit all.

·         FHIMA asks OCR to use care when adopting and finalizing the NPRM provisions. Recent proposed “access to examine original medical records” to their “clients” medical records have taught us valuable lessons and highlighted relevant pressures in which provisions of the NPRM may inadvertently provide support to some of the more inappropriate provisions that have been advanced in the Florida legislature by these for-profit third parties (i.e., to access and to examine original medical records of their “clients” by the “client’s legal representative” within a specified timeline). See section two.

3.       Privacy and Security Barriers and Burdens on Patients and Covered Entities: AHIMA offers education, training and certification in the privacy and security of health information and data: “Certified in Healthcare Privacy and Security (CHPS®).” Individuals who earn this AHIMA designation will achieve recognition of their expertise in designing, implementing, and administering privacy and security protection programs in all types of healthcare organizations. Holders demonstrate advanced knowledge of the privacy and security dimensions of HIM to include best management practices. 

o   Recognition and consideration of the barriers and issues posed by the shortened fifteen-day turnaround time to properly vet third-party security and access controls to fulfill third-party access to electronic healthcare records portals and databases (i.e., EHRs/systems/databases/portals). Currently, Business Associates (BA) have to go through a rigorous vetting, screening, legal and security background process before they are given access to a provider’s EHR and portal.

4.       Fees:

o   OCR to consider and recognize the financial paradigm shift that the proposed fee structure would pose on covered entities who will now have to pay a business associate to perform the release of information function, or the covered entity will have to bring the release of information function back in house.

§  The financial impact of the proposed fee structure would cause a paradigm shift. For example, one of our Florida Level I trauma centers, which currently outsources their release of information function to a HIPAA compliant third-party business associate, would now have to pay their business associate to perform the release of information function, or they would have to bring the release of information function back in-house at an estimated annual cost of $2,500,000.

§  This health provider has a legacy, hybrid system with multiple databases which process approximately 12,000 to 14,000 requests for health information each and every month.

§  “AHIOS worked with Hemming Morse to study the financial impact of the NPRM.  Using data from 14 AHIOS member companies, which processed nearly 15 million records requests in 2020, Hemming Morse estimates that finalization of the NPRM would create a shift in costs, which could exceed $1 billion annually or more than $10 billion over the next 10 years, from commercial third-party requesters to hospitals, physician groups, and other outpatient service providers.  Hemming concludes that, by applying the federal Patient Rate to TPDs for PHI in EHRs, Commercial Third-Party Requesters will jump from patient authorizations to TPDs, thus shielding themselves from paying state-regulated fees.   Further, history shows that when Commercial Third-Party Requesters must pay for their requests, they limit the size of their requests.  Conversely, when those requesters can get those records for free or close to free, the size of the requests increases greatly.”[6] 

o   The HIPAA compliant processing of requests for PHI and ePHI and examination of original medical records is not without associated costs. Fulfilling requests for third-party, for-profit businesses, not involved in care coordination, case management or patient care puts added financial and economic pressures on healthcare providers (i.e., life insurance companies, banks, personal injury attorneys, all attorneys, other businesses, etc.). Requests to be used for legal purposes require a “certified copy” of their “clients” medical records for court.

o   Additionally, FHIMA requests that the associated costs be reimbursable to the covered entity when they must use thumb drives, CDs, and other storage methods to process and fulfill requests for medical records in the form and manner it has been requested.

5.       Associated Costs of Proposed Rule: Statement of estimated regulatory costs (SERC)

o   The “release of health information” process and function has associated costs which have fiscal and economic impacts on the healthcare provider community. Passing the proposed language would cause a paradigm shift, which has a direct financial impact on the healthcare provider industry. This proposed “fee” language in this area has been the cause of much discussion, debate and proposed state legislation and rulemaking efforts here in Florida. Please see section two below.

o   FHIMA requests recognition and consideration by the Centers for Medicare and Medicaid Services (CMS) and OCR of the barriers and issues posed by the proposed policies which would create a measurable financial paradigm shift and cost burden on covered entities, including small healthcare providers, certified electronic health records technology (CEHRT) businesses, covered business associates and subcontractors.

§  “AHIOS worked with Hemming Morse to study the financial impact of the NPRM.  Using data from 14 AHIOS member companies, which processed nearly 15 million records requests in 2020, Hemming Morse estimates that finalization of the NPRM would create a shift in costs, which could exceed $1 billion annually or more than $10 billion over the next 10 years, from commercial third-party requesters to hospitals, physician groups, and other outpatient service providers.  Hemming concludes that, by applying the federal Patient Rate to TPDs for PHI in EHRs, Commercial Third-Party Requesters will jump from patient authorizations to TPDs, thus shielding themselves from paying state-regulated fees.   Further, history shows that when Commercial Third-Party Requesters must pay for their requests, they limit the size of their requests.  Conversely, when those requesters can get those records for free or close to free, the size of the requests increases greatly.”[7]

o   FHIMA requests the OCR perform a fiscal analysis and economic impact statement on the direct economic impact on the healthcare provider community prior to implementing the proposed HIPAA Rule fee provisions (i.e., a Statement of Estimated Regulatory Costs (SERC)).

§  Depending on the outcome of the Statement of Estimated Regulatory Costs (SERC), the Centers for Medicare and Medicaid Services (CMS) could initially provide incentives to meet the new HIPAA Privacy Rule program requirements.

§  For example, historically, the Centers for Medicare and Medicaid Services (CMS) EHR Incentive Program—also known as Meaningful Use or MU—initially provided incentives to accelerate the adoption of electronic health records (EHRs) to meet program requirements.[8]

6.       Patient Education:

o   Organizations like FHIMA, AHIMA, and others in the privacy and security space have been providing consumers with patient education and information they need to make informed decisions regarding their health information.

o   FHIMA members request that the OCR assess its current efforts to educate the public about how to ensure that their private health information stays private.

o   We need the help of federal agencies, ONC, OCR, Federal Trade Commission (FTC), U.S. Department of Health and Human Services Office of Inspector General, and the FCC to provide search engines and algorithms to help consumers identify these domestic and international APIs and applications, what privacy rights they may be giving up, and how to measure the security of these sites.

o   We recommend that the HIPAA Privacy Rule be expanded to include the plethora of domestic and global APIs, applications and companies that inundate and directly market to patients in order to collect their health information. They have little to no knowledge regarding health information privacy and security industry best practices. It can be difficult for an average consumer to wade through the fine print and technical terms these APIs, applications, and companies send to them or post online. See section three.

o   We recommend that the policy makers create red flag rules and patient right of action under HIPAA to seek remedies for damages if the patient is harmed.

7.       Covered Entity Education (Actor):

o   Organizations like FHIMA have been collaborating with the Florida Hospital Association, the Florida Medical Association, Florida’s Legislators, the Florida Justice Association, and others in the privacy and security space to provide their employers/organizations with the education and information they need to make informed decisions regarding their health information.

o   FHIMA members request that the OCR assess, collaborate, and join in the effort to educate the public in order to ensure that their private health information stays private and secure.

8.       Alignment and Harmonization with Other Federal Rules:

o   In general, FHIMA professionals are concerned about certain aspects of this proposed rule and how these aspects align cohesively with other Federal rules and provisions like OCR’s Cures Act Final Rule. We request that recognition and consideration be addressed to harmonize these rules on how to best translate these policy concepts into tools in order to better assist the covered entities.

o   The lack of harmonization of regulatory language and definitions between federal statutes:

§  For example: Harmonization of who is defined as the patient (individual)? Who is defined as the patient’s personal representative? Who is defined as the patient’s legal representative? Definition of a designated record set?

§  For example: Harmonization of the timeliness of production of ePHI and PHI.

§  For example: What are the unintended consequences of the designated record set being a key component of the definition of electronic health information (EHI)? What was originally intended as a means to clarify the scope of an individual’s right to access, amend, restrict and acquire an accounting of disclosures, has become, under the ONC Cures Act Final Rule, what an actor must be able to access, exchange and use for purposes of information blocking.[9]

§  In some cases, the proposed changes could not be complied with due to a lack of documentation within the proposed shortened fifteen-day timeline. 

 

Section Two: Florida specific proposed “patient access” legislation as follows:

FHIMA asks OCR to use care when adopting and finalizing the NPRM provisions. Recent proposed “access to examine original medical records” by for-profit third parties have taught us valuable lessons and highlighted relevant pressures in which provisions of the NPRM may inadvertently provide support to some of the more inappropriate provisions that have been advanced in the Florida legislature by these for-profit third parties (i.e., to access and to examine original medical records of their “clients” by the “client’s legal representative” within a specified timeline).

 

In 2020, the Florida State Legislature convened on January 14, 2020, and adjourned on March 13, 2020. FHIMA members helped to educate our state legislators during this Florida legislative session on: HB 1147 and SB 1882 (2020) - Patient Access to Records. Last Event: 03/14/20 S Died in Rules on Saturday, March 14, 2020 12:00 AM (See Appendix 2: Florida HB 1147 (2020).)

 

Similar proposed legislative language was filed during the 2017 and 2019 Florida legislative sessions respectively. In all three years, 2017, 2019 and 2020, this legislation has failed to pass and become law in Florida. The 2019 and 2020 bill versions passed the full House but failed to pass in the Senate.

 

Florida’s proposed language in the 2020 version of the patient access bill would have caused added confusion with Florida State, HIPAA, HITECH and other federal laws and regulations. It would have created a paradigm shift of additional administrative and technology costs and burdens on Florida’s medical provider community, their patients and Florida’s healthcare system overall.

 

Florida House Bill 1147 and Florida Senate Bill 1882 sought to amend and create new Florida statutes regarding the definition of a “legal representative” access to medical records. The proposed bill would have created new Florida statutory language giving “ALL legal representatives” and all requesters access to, and the right to obtain via the patient portal, the current records of patients who have not been discharged. Unfortunately, the amendments and new statutes in HB 1147 and SB 1882 would put greater administrative and financial burdens and expenses on an already taxed medical provider community. If passed, it would have violated patient privacy and the covered entities’ security rule provisions. The broad nature and overreach of the bill’s proposed language reflect the true nature and intent of the proposed legislation providing statutory cover to for-profit, third-party “legal representatives” who request “client” records for their own financial gain and at the expense of the medical provider community.

 

So, the point here is that Florida and other state legislatures are trying to advance legislation that defines “legal representative” in the broadest possible way and provides virtually unlimited and free access to their “client’s” protected health record via the patient portal. 

 

It is, therefore, important that OCR’s proposed revisions to HIPAA be granular and make it very clear that access remains the patient’s prerogative and sound third-party directed authorization practices are not compromised. OCR should not promulgate changes that will open the flood gates on access end runs, such as those being repeatedly attempted in Florida. 

 

Other portions of the proposed bill language that were most in need of review and discussion were:

 

1)  HB 1147 and SB 1882 (2020) - Patient Access to Records and Timelines: The title of this proposed bill is a misnomer and should be amended to reflect the true nature and intent of the proposed legislation to read: “Legal Representatives access to their client’s medical records within 14 days” at non-HIPAA rates and access through web-based patient portals. Please refer to the new Section 5. Section 408.833, Florida Statutes, is created to read: “408.833 Client access to medical records.” (Lines 192 – 221)

 

Attorneys have “clients.” Healthcare providers do not have “clients.” They have patients and residents.

 

Attorney groups and other third-party business groups are seeking to redefine and reclassify themselves as the “patient personal representative” so that they can obtain “free certified copies” of their client’s medical records and have these same rights of access and examine their “clients” original medical records within a specified timeline for court and other legal purposes.

 

For example: The proposed bill would have created new Florida statutory language giving “ALL legal representatives” and all requesters the right to access and examine the current records of patients who have not been discharged within specified timelines:

·         Facility: access to examine “clients” original medical records or microforms within 10 working days; provide copies of the requested records within 14 working days

·         Nursing Home Residents: access to examine original requested records within 24 hours and provide copies of the requested records within 2 working days

·         Healthcare Practitioner: access to examine “clients” original medical records, or microforms within 10 working days; provide copies of the requested records within 14 working days

 

2)  HB 1147 and SB 1882 (2020) - The proposed bill would have eliminated current Florida statutory language giving access to a person’s curator, personal representative, parent of a minor, or to the next of kin of a decedent the right to obtain patient records in violation of HIPAA.

 

3) HB 1147 and SB 1882 (2020) - The proposed bill would have created new Florida statutory language giving “any and all legal representatives” the same fee structure and right of access to their “clients” web-based patient portal, or submission through a patient’s electronic protected health record within 14 working days after receiving a written request. Additionally, within 10 working days after receiving such a request from an individual or an individual’s “legal representative,” a service provider shall provide access to examine the original records in its possession, or microforms or other suitable reproductions of the records. For copies of records of care and treatment of a resident, the timeline was reduced to 24 hours for access and 2 working days for providing copies of the requested records, respectively.

 

This proposed language would have violated patient privacy and security since it would have allowed any and all “legal representatives” requests to have the same right of access to their client’s patient portal, as well as to examine the original records in its possession. Currently, information in patient portals is not partitioned off by date of encounter into a “designated record set” for legal purposes. Patient portals were never technologically designed for the courts, legal issues, and/or “legal representatives” to ask for and receive access to certified copies of their client’s medical records. Rather, patient portals include internal communications between patients and their healthcare providers, appointment scheduling, healthcare records for continued care, outside records and reports, ancillary services reports, insurance, billing, payment information, and demographic information available to patients via the patient portal.

 

4) HB 1147 and SB 1882 (2020) - The proposed bill would have created new Florida statutory language as seen in Section 5: 408.833, Florida Statutes, is newly created to read: 408.833 Client access to medical records. Number (1), (Lines 192 – 202). This newly proposed “legal representative” definition is in direct conflict with HIPAA. (See below.) This proposed language gives the right to access and examine original medical records to “all legal representatives” in violation of HIPAA Personal Representatives, 45 CFR 164.502(g).

 

5) HB 1147 and SB 1882 (2020) - Fees:

 

The process of retrieving, copying, and producing a medical record takes trained professionals who understand the intricacies of federal and state privacy laws to protect patient privacy.  Not to mention, these professionals also must be trained in various electronic health record platforms as interoperability is still merely a goal.  Also, many providers have legacy systems which need to be checked when producing a record which requires the HIM professional to have experience with multiple software systems.

 

The term “Microforms” has been stricken-out of current F.S. 395.3025 for the sole purpose of reducing copy costs to $2.00 for non-paper records, which in turn could then be interpreted to include ePHI. See Line 91 - 96, Section 2. 395.3025 Patient and personnel records; copy costs copies; examination: Number (1): “The licensed facility shall further allow any such person to examine the original records in its possession, or microforms or other suitable reproductions of the records, upon such reasonable terms as shall be imposed to assure that the records will not be damaged, destroyed, or altered.”

 

Yet, the term “Microforms” was added back into the newly proposed language under Section 5: 408.833, Florida Statutes, used to create: 408.833 Client access to medical records: Number (3), Lines 215 - 219. This newly created language authorizes the client or a “client’s legal representative” to: “(3) Within 10 working days after receiving a request from a client or a client's legal representative, a provider shall provide access to examine the original records in its possession, or microforms or other suitable reproductions of the records.”

 

If passed, the bill’s proposed language would make changes to copy fees as outlined under FS 395.3025 Patient and personnel records; copies; examination. Lines 69 – 96. It would do away with the existing copy cost for microforms and create a legal ambiguity for all non-paper copies subject to a charge not to exceed $2. This would create a legal black hole in which legal battles will ensue, along with the financial burden on all facilities and healthcare providers currently governed under FS 395.3025.

 

Section Three: FHIMA requests expansion of the HIPAA Privacy Rule:

 

Lastly, FHIMA members encourage the OCR to bring our message to Congress to expand the HIPAA Privacy Rule to include third-party applications and their application developers in order to provide regulatory oversight and guidance regarding the increasing commercialization and monetization of patient’s personal and electronic protected health information. These third-party applications are being marketed to U.S. consumers both domestically as well as internationally.

 

Currently, federal policy is squarely focused on expanding access, removing barriers and relaxing guardrails. The Office of the National Coordinator for Health IT (ONC) is encouraging the use of applications and portals for patient access. Over the past year, there has been a 300% increase in the rate at which patients and patient-directed third parties are requesting and retrieving personal and protected health information and electronic protected health information using applications and portals.

 

FHIMA requests that applications being marketed to consumers meet HIPAA privacy and security rule regulatory standards, that these applications be HIPAA approved and certified, and that this certification be readily visible to any consumer downloading any application which seeks to curate their PHI and ePHI.

Guillermo Vargas, MISM, CEO, WeCcode says, “As an experienced cyber security expert in the applications development industry, it is critical to require developers to follow HIPAA privacy and security rules when building application programs that handle ePHI. Such federal rules are essential for the privacy and security of ePHI. My experience covers securing the code for covid19resultsfl.com at the beginning of the pandemic, and by designing a blockchain architecture for protecting ePHI at rest and in transit. With that said, the need for HIPAA to regulate application developers dealing with ePHI is critical, since there is nothing stopping the applications and their developers from direct marketing and selling curated and harvested ePHI domestically and internationally. It is impossible to protect the privacy of ePHI at the rapidly increasing rate these applications are being created and directly marketed to the consumer who seek to monetize their ePHI.”[10]

 

§  One Example: “Sen. Bob Menendez, D-New Jersey and Democratic New Jersey Reps. Bonnie Watson Coleman and Mikie Sherrill sent a letter to the FTC, blasting certain menstruation-tracking mobile health applications for failing to obtain user consent before sharing sensitive information of women with outside parties.”

 

“The letter follows a recent lawsuit against Easy Healthcare, which owns the Premom fertility applications. The filing alleges that the platform routinely shares personal and geolocation information with three marketing, data collections, and analytics firms with ties to China.”

 

“The lawsuit further claimed those Chinese firms were also allowed access to sensitive user data, such as personal health interests, health, religion, politics, and a host of other sensitive data.”

 

“Though alarming, multiple reports have found the majority of health and mental health applications routinely share user data without consent or even transparency about the practice. This can be attributed to many of these applications falling outside of HIPAA regulations.”

 

“Thus, many of these consumer applications hold massive privacy gaps and concerns. What’s worse, some of the most popular mHealth applications are vulnerable to API attacks due to the use of hard-coded API keys and a number of security oversights.”[11]

 

§  Our members are increasingly aware that patient information is being collected by a variety of companies and third-party entities into their private databases through the use of APIs and/or applications. These companies and third-party entities offer patients “free services” or other such inducements such as “a free electronic medical record and database services” and “free research services” on the front end. Recognition should be given to the impact of the decisions EHR software developers make in order to save on development costs at the expense of the patient, and also to how they harvest and sell patient data on the back end under the upfront guise of providing a patient with their own “free” and “personal” electronic health record. Once the information is acquired by the applications, sometimes patients aren’t even provided access to their own PHI, and the “free electronic medical record and database services” and/or “free research services” which they were promised are not fulfilled.

§  Additionally, some of these third-party companies have made business arrangements with other business associates to provide marketing links to their sites. One third-party company has a privacy policy that says, “Links to Other Sites…We are not responsible for the security or privacy practices of these sites, the products or services offered by these sites, or the content appearing at these sites, and does not endorse any of the products or services marketed at these other sites.” What considerations and regulations are in place to inform, educate and protect patients from these emerging trends?

§  This is often done without educating, and fully informing the patient, that their curated/harvested health information is being “sold” on the back end once it has been acquired in their database. What considerations and regulations are in place to inform, educate and protect patients from these emerging trends?

§  Once acquired, these companies harvest and use the patient data and information in order to monetize it on the back end for a variety of purposes.

§  Third-party businesses are collecting patient health information for business purposes through use of a “patient directed access request” (i.e., life insurance, mortgages, health insurance, bank loans, personal injury, employment, legal purposes, other business, etc.).

o   In addition, some of the aforementioned companies have it in their policies that if they decide to sell their API and/or Applications and/or company, the curated/harvested patient information transfers to the new owner/buyer.

o   In addition, patients are being asked to agree to indemnify these companies, officers, employees, directors, and agents in case of any and all losses, damages, liability and expenses. What protections do patients have in this case?

o   Is there a “patient right of action under HIPAA” to seek remedies for damages if the patient is harmed? If not, this needs to be remedied to provide a patient right of action under HIPAA to seek remedies for damages if the patient is harmed by this.

o   Recognition and consideration should be made which would provide more granular patient consent regarding third-party access in certain defined situations. Specific definitions should be created documenting patient directed third-party access.

In closing, we recognize that both the advancement of time, and the development of new technologies, will keep us moving forward in these areas. This is inevitable. As we do so, we must keep the patients’ right to timely access, and examination of their medical records, as well as the privacy and security of their PHI, in the forefront of all regulatory decision making.

Once again, we thank you for the opportunity to comment on this proposed rule. Like AHIMA, FHIMA looks forward to having the opportunity to work with OCR to ensure the finalization of this rule and subsequent implementation. Should you need any additional information, please contact: Dee Kring, CAE, CMP, Executive Director, FHIMA Central Office | 325 John Knox Road, Ste. L103, Tallahassee, FL 32303 | Office: (850) 205-5644 | Email: executivedirector@fhima.org

Thank you.

 

Respectfully submitted,

Jennifer Schunke, MS, RHIA

FHIMA President/Director

 

Lesly Carreras, RHIA, CCS

FHIMA President-Elect/Director

 

Lee Starling, JM, RHIA

FHIMA Past President/Director

 

Dee Kring, CAE, CMP

FHIMA Executive Director

 

Glenneta “Nitta” Thompson, MBA RHIA

FHIMA Chief Delegate/Director

 

Linda Renn, RHIT, CHPS, CCS, CPC, CPC-H, CHTS - TR

FHIMA Advocacy and Public Policy Chair

AHIMA Advocacy and Public Policy Committee Member

 

      

Attachment:

Florida HB 1147 (2020). Patient Access to Records



[1] AHIMA’s Re: RIN 0945-AA00, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM public comment letter to Acting Director Robinsue Frohboese. March 22, 2021. Pages 1-16.

[2] AHIMA’s Re: RIN 0945-AA00, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM public comment letter to Acting Director Robinsue Frohboese. March 22, 2021. Pages 1-16.

[3] AHIMA’s Re: RIN 0945-AA00, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM public comment letter to Acting Director Robinsue Frohboese. March 22, 2021. Pages 1-16.

[4] “Most healthcare organizations unprepared for federal info-blocking rules, new imaging survey finds,” Matt O’Connor, April 7, 2021, HealthImaging insights in imaging and informatics.

[5] AHIMA’s Re: RIN 0945-AA00, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM public comment letter to Acting Director Robinsue Frohboese. March 22, 2021. Pages 4-5.

[6] “Hemming Morse study on the financial impact of the Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement,” AHIOS Zachary Perry, President, AHIOS. May 3, 2021.

[7] “Hemming Morse study on the financial impact of the Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement,” AHIOS Zachary Perry, President, AHIOS. May 3, 2021.

[8] “Meaningful Use: Electronic Health Record (EHR) incentive programs,” AMA Medicare and Medicaid online news. 2021.

[9] AHIMA’s Re: RIN 0945-AA00, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement NPRM public comment letter to Acting Director Robinsue Frohboese. March 22, 2021. Page 2.

[10] “Require Application Developers to follow HIPAA Privacy and Security Rules,” Guillermo Vargas, MISM, CEO, WeCcode. weccode.com, May 3, 2021.

[11] “Congress Urges FTC Crackdown on Health Applications Via Breach Notice Rule,” Health IT Security, by Jessica Davis. March 8, 2021.