Confidentiality, Privacy and Security

Insurance Payer wants access to EMR

  • 1.  Insurance Payer wants access to EMR

    Posted 13 days ago
    I have a serious concern and I'm hoping for guidance and direction to some good documentation to back me up, one way or the other, so that I can feel confident in the decision I will present to our Admin Team. Our regional MCD HMO is petitioning my hospital administration for access to our EHR. They have tied "points" to allowing them access to the beneficiary records maintained within our hospital and clinic EHR. They have rated this item at 20% of a full set of criteria that we must meet in order to earn a full incentive.

    This HMO is sort of like a co-op. We are in the Upper Peninsula of Michigan and are part owners (8%) of this organization. My Administration is stating that we are part owners and they are working for us so we should give them the tools they need to be more efficient. We are being told that every hospital in the UP has given access except for us, and one other hospital who just changed EHR systems. I have messages out to 4 of the HIM Directors and Privacy Officers to confirm this, but have yet to hear back from them.

    Our EHR does not have the ability to limit record access based on a patient's insurance. Giving them access to these records will give them full view access of all of our patients. They sent a template contract that states the following, but because of their designation as a payer, I just feel that it's not right.

    1. Access to the Electronic Medical Record. To the extent permitted by any applicable software licenses and subject to the terms, conditions, and restrictions set forth in this Agreement, Hospital shall permit those XX employees and agents under XX's supervision and control, access to the Electronic Medical Record of Hospital Entities to assist XX with its insurance operations and payment on behalf of XX insureds. For purposes of this Agreement, the parties agree that the terms "medical treatment" and "payment" shall include claims payment, and activities related to UM/CM, appeals, complaints and grievances, program enrollment analysis, Risk Adjustment Data Validation (RADV) audits, risk coding verification, Fraud, Waste, and Abuse (FWA) reviews/investigations, quality initiatives, including CMS Five Star, Affordable Care Act, NCQA, risk adjustment efforts, HEDIS audits, and HEDIS-related chart review activities undertaken by XX or its designated representatives (the "Purpose").  XX shall provide Hospital's IT designee with a list of all XX employees or designees provided with access to the Electronic Medical Record and shall update the list annually and in the event of staff changes. XX shall ensure that system access is limited to individuals identified on the list and updates.  XX understands and agrees that system access shall be restricted to only those Hospital patients who are also XX insureds.

    Any insight and knowledge that you can share is very much appreciated.

    ------------------------------
    Kathryn Wood, RHIA
    Assist Dir of Information Systems/Privacy Officer
    War Memorial Hospital
    ------------------------------


  • 2.  RE: Insurance Payer wants access to EMR

    Posted 12 days ago
    Kathryn...what you describe may be among one of the top, long running challenges that really came to the forefront with the adoption of EHRs...access to patient records by third parties.  When I read your posting...it may as well be 10 years ago or even longer as this is the same "stuff" back then that people are dealing with right now.

    Funny how now access, in some manner, is a scoring/incentive parameter or factor.  No doubt this is one way to "motivate" folks to allow for the access.

    The upside is that EHR systems that I've dealt with to include Meditech, Cerner, Epic, and a few others...this is not that difficult to audit or monitor.

    To be brief...one solution is at a prescribed time interval (each month, for example)...query the EHR system for patients associated with XX.  This is Report1.  Then query the EHR system for patient records viewed by the employees of XX.  This is Report2.  If you see that the employees of XX listed on Report2 are looking at patient records other than those for patients associated with XX that are on Report1...then someone has some explaining to do.

    I speak from experience...you probably have people who support your EHR that can query and pull reports...and when I did this...the whole process took less than 15 minutes to do from start to finish.  When people are looking at records they should not...you can't miss it when you compare Report1 and Report2.  Depending on how the query is built, you can actually get what you needed in one report.

    Just sharing a solution that I used and worked....very effectively.

    Good luck!






    Posted: 3:47 AM AZ time

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 3.  RE: Insurance Payer wants access to EMR

    Posted 12 days ago

    Hi Frank,

    So you aren't opposed to giving a 3rd party payer access to the EHR? It seems that I read an article in the Journal of AHIMA a year or two ago that warned against this type of "scam." (The incentivizing to allow access.) I laughed at the time and thought it was absurd that this would even be entertained. However, look at the world right now. Lots of weird things are happening.

    Katie

     

    Katie Wood, RHIA

    Assistant Director of Information Systems/Privacy Officer

    War Memorial Hospital

    500 Osborn Blvd

    Sault Ste. Marie, MI  47983

    p: 906-635-4663   khwood@wmhos.org

     


    Confidentiality Notice: This is a transmission from The Chippewa County War Memorial Hospital, Inc. This message and any attached documents are confidential and may be protected by legal privilege, furthermore this communication may contain information protected by state and federal medical privacy statutes. They are intended only for the use of the addressee. If you are not the intended recipient, any disclosure, copying, or distribution of this information is strictly prohibited. If you received this transmission in error, please notify the sender and delete/destroy this copy from your system. Thank you.





  • 4.  RE: Insurance Payer wants access to EMR

    Posted 12 days ago

    I think I am more of the..."if access to a third party payer to the EHR is going to be provided...this needs to be thought out to include how such access will be monitored and audited".  Keep in mind...and this is a data driven statement...when it comes to auditing and monitoring...many organizations have little if anything in place to show how effectively their processes work...or don't work.

    I totally understand that for some organizations...this is a showstopper and they never provide such access...for others...they do provide access...and do a very effective job of allowing access which they also audit and monitor very closely.  So there is a wide range of stances on this...and my intent is not to sway anyone one way or another.  This is also why you hear some other solutions as proxy lists used in cases like this.

    Another thing we are likely seeing is that entities, such as physician offices and payers, are seeing the value of being able to access a hospital's EHR for TPO reasons.  Again...just sharing.  So when I read that in your post the payer is actually scoring such access...I have to imagine this is just another way for third parties, such as payers...to try to motivate or incentivize covered entities to come up with a solution to allow for such access.

    Is such access prohibited by HIPAA...of course not.  Is it allowable under the HIPAA regulations...of course it is.  The decision to "provide access or not to provide access" is one that needs to be looked at from many angles, in my opinion, and in combination with what other options, if any, that may also exist and are also practical and effective.

    Hope this helps.



    Posted: 5:43 AM AZ time



    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------



  • 5.  RE: Insurance Payer wants access to EMR

    Posted 12 days ago

    Hi Frank,

    It does help that you feel that this is covered by HIPAA, I would like to learn more about this if you don't mind sharing. Because we can't restrict to "minimum necessary" I was thinking that perhaps we would be in violation of this part of the law. If we can't restrict to their own patients and they shouldn't have access to any other records that the patient may choose to have covered by either self-pay, VA, workman's comp, etc., how can we ensure that we are providing access to the minimum necessary in order to protect that patient from having their privacy invaded?

     

    We have NO way to limit their access to just their beneficiary population. Our current auditing tools are challenging to use and read, and in my opinion are insufficient. I run the audits and I often struggle to find out exactly what was accessed and for how long.

     

    Your earlier idea of running two reports to compare doesn't seem feasible either. We would have 1,000s of visits for this payer in a year.  I really don't think we have the man power to fully ensure that their access is accurate.

     

    Thank you for your knowledge and insight. I really want to do the best thing for our patients in this situation. I am concerned about the organization of course, but I feel that if we do right by the patient, the organization will have done the proper thing.

     

    Katie Wood, RHIA

    Assistant Director of Information Systems/Privacy Officer

    War Memorial Hospital

    500 Osborn Blvd

    Sault Ste. Marie, MI  47983

    p: 906-635-4663   khwood@wmhos.org

     







  • 6.  RE: Insurance Payer wants access to EMR

    Posted 12 days ago
    In another role I was faced with the same dilemma.  The healthcare provider that I was employed by was part owner of the health plan requesting access.   Like Frank states, you can make the case that HIPAA conceivably allows this, but it is a very uncomfortable position and I understand your concern.  It also puts a burden on the healthcare provider to ensure that access is carried out appropriately (access audits which are burdensome and administratively costly to conduct).  Yes, we did allow and there was great pressure to do so - but the deciding factor was our joint ownership.

    ------------------------------
    Nancy Davis, MS, RHIA, CHPS
    Director of Compliance & Safety
    Door County Medical Center
    ------------------------------



  • 7.  RE: Insurance Payer wants access to EMR

    Posted 12 days ago
    The good news..I've heard EVERYTHING you mentioned and more from folks dealing with this issue.  It's all good.

    Also, I would hope that anyone going down this path would leverage the data extract and analysis tools that most EHR systems can provide.  I certainly would not suggest that anyone do the review I described using a manual process.  That would not only take too much time...but also I would question the accuracy of a manual process.

    Just to compare and contrast...I know several hospitals that provided such access to some of their payers.  These hospitals review over 250,000 lines of audit trail data every week.  The process takes the time it takes to do the following.  Again...just sharing that YES it can be done.  Also, before the access was provided, there was a lot of work done to make sure everyone knew exactly what access the third party payer was allowed to access and that such access was going to be closely monitored and audited.

    Steps:
    1. Get the monthly download of audit trail data (auto delivered by the EHR system to the designated individual)
    2. Import the data into the workbook used to analyze the access by the third party payer
    3. Refresh the data in the workbook
    4. Access the "Exceptions" tab in the workbook to identify suspicious activity

    Total time...less than 5 mins...lines reviewed...between 200,000 - 400,000 lines.

    So certainly...some people may say no for whatever reasons (and there's nothing wrong with that)...but for those who are looking for possible ways to see if this can be done...yes...it can be and has been done effectively.






    Posted: 7:16 AM AZ time

    ------------------------------
    Frank Ruelas
    Compliance Professional
    Arizona
    ------------------------------
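
The Report1/Report2 comparison and the "Exceptions" step described in posts 2 and 7, sketched as an added example that is not part of any post in this thread. The CSV layouts, column names, user IDs and sample rows are constructed assumptions, not any EHR vendor's export format, and the encounter-level check goes one step beyond the patient-level comparison described, to cover the self-pay and other-coverage visits raised in post 5.

```python
import csv
import io
from collections import Counter

# Report1 (constructed sample): every encounter and the payer billed for it.
REPORT1 = """patient_id,encounter_id,payer
P001,E100,XX
P001,E101,SELFPAY
P002,E200,XX
P003,E300,OTHER
"""
# Report2 (constructed sample): audit-trail rows, one per record view.
REPORT2 = """timestamp,user_id,patient_id,encounter_id
2024-03-01T09:12:00,xx_jdoe,P001,E100
2024-03-01T09:15:00,xx_jdoe,P001,E101
2024-03-01T09:20:00,xx_jdoe,P003,E300
2024-03-02T14:05:00,xx_asmith,P002,E200
2024-03-02T14:30:00,rn_klee,P003,E300
"""
# Hypothetical user IDs standing in for the access list the contract requires XX to supply.
PAYER_USERS = {"xx_jdoe", "xx_asmith"}

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_exceptions(report1, report2, payer, payer_users):
    """Return audit rows where a payer user viewed something the payer does not cover."""
    covered = {(r["patient_id"], r["encounter_id"])
               for r in rows(report1) if r["payer"] == payer}
    members = {patient for patient, _ in covered}
    exceptions = []
    for r in rows(report2):
        if r["user_id"] not in payer_users:
            continue  # hospital staff are audited under a separate process
        if r["patient_id"] not in members:
            reason = "not_a_member"
        elif (r["patient_id"], r["encounter_id"]) not in covered:
            reason = "member_other_coverage"  # e.g. a self-pay visit by an XX insured
        else:
            continue
        exceptions.append({**r, "reason": reason})
    return exceptions

def per_user(exceptions):
    """Count exceptions per payer user, for follow-up with the payer."""
    return dict(Counter(e["user_id"] for e in exceptions))

if __name__ == "__main__":
    for e in find_exceptions(REPORT1, REPORT2, "XX", PAYER_USERS):
        print(e["timestamp"], e["user_id"], e["patient_id"], e["encounter_id"], e["reason"])
```

The encounter-level check only works if the audit trail records which encounter was opened; where it records the patient alone, only the `not_a_member` exceptions can be detected.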