We have been approached by a few companies to consider allowing them full access to their requested patients' EMR records. We are on Epic so this would be via Link. We have not allowed this in the past but our Privacy officer is asking for feedback from others on how they are managing these. Are you allowing full access to patient records for these audits or are you limiting the information they receive through normal ROI practices? Appreciate any feedback anyone is willing to share.
LeAnne, we have been approached as well and denied them full access. However, we will review this in the coming days with Information Blocking in mind.
We just went through this with an insurance company as well. They were "incentivizing" us to participate of course. That made our CEO determined to accomplish their request. I was vehemently opposed to it at first, but we were able to find a compromise. We have Meditech so we don't have a link/portal etc. for non-patients. We will allow two users from their company to have access to our system, and we require them to sign a computer security agreement just like everyone else who is allowed access to our system. They must provide a list of all patients and all accounts/visits that they are reviewing; they will not be given full access to the patient records. They will only get access to the accounts for which they were the payer. The HIM Team will build a worklist that contains each requested visit. We have set up the access so that they are completely limited to the accounts that are on their worklist. I think it's a super slippery slope to allow the payers access to the full medical record. It's getting harder and harder to ensure patient privacy. If patients only knew where their results, visit history, etc. went and who all had access, they would be shocked.
I hate to say that this is a slippery slope; from what I've seen and heard we can expect more and more of these requests for access, not just from auditors. Payers will want access to all billing items and records too; that'll come. We are afraid that they may try to call information blocking on our providers if these other parties are not allowed access (in a fast manner, 10 days). So I'd think over the next couple of years as Cures Act implements and exchanges become more customary we'll find privacy is going to be impossible to maintain outside our entities. The information blocking rules already expand PHI into EHI and relate having EHI to entities outside of HIPAA. Our records PHI will move outside HIPAA's controls; that is going to happen regularly. The government, rightly or wrongly, is moving towards much more openness with the patient information, patients and then others being able to automatically get information, at least what's in the USCDI data set for the next 2 years. My best advice is to begin planning. These Engage discussions are very good and we need to keep informing each other how these requests and the policies being put in place to manage them are progressing. Also prepare to rebut claims of our providers having HIPAA breaches when the info really came from an outside entity; we'll see instances of our providers or BAs getting the blame for these.
We had one insurance company request access; however, our contract with our release of information company had a clause in there. At this time, we are not allowing access.
Well, best laid plans... I was just contacted by the company to begin working out the logistics of getting them access. When I requested that they provide the visit dates for the patients they need to review, they are telling me that it would be labor intensive for them to provide that information and they don't often know which dates of service they need to review; they need all of 2020 and some of 2019 in the case of pregnancies. Am I correct that if they are doing a HEDIS review for themselves, they are not entitled to any records that may have been paid for by workman's comp or another payer? Sometimes we have local businesses contract specific testing for their employees (like COVID for example) and they pay for it. The claim does not go to an insurance company; we work out a payment arrangement with the company. Also, if they are the insurer, why don't their records reflect the covered services to determine whether or not a patient had a specific service to meet their measures?
Thanks for any insight anyone can provide.
Thank you very much! I don't know why I couldn't find this. I have spent quite a bit of time, but must have overlooked this somehow.
Katie Wood, RHIA
Assistant Director of Information Systems/Privacy Officer
War Memorial Hospital
500 Osborn Blvd
Sault Ste. Marie, MI 47983
p: 906-635-4663 email@example.com