So you aren't opposed to giving a 3rd party payer access to the EHR? It seems that I read an article in the Journal of AHIMA a year or two ago that warned against this type of "scam." (The incentivizing to allow access.) I laughed at the time and thought it was absurd that this would even be entertained. However, look at the world right now. Lots of weird things are happening.
Katie Wood, RHIA
Assistant Director of Information Systems/Privacy Officer
War Memorial Hospital
500 Osborn Blvd
Sault Ste. Marie, MI 47983
p: 906-635-4663 firstname.lastname@example.org
I think I am more of the..."if access to a third party payer to the EHR is going to be provided...this needs to be thought out to include how such access will be monitored and audited". Keep in mind...and this is a data driven statement...when it comes to auditing and monitoring...many organizations have little if anything in place to show how effectively their processes work...or don't work.I totally understand that for some organizations...this is a showstopper and they never provide such access...for others...they do provide access...and do a very effective job of allowing access which they also audit and monitor very closely. So there is a wide range of stances on this...and my intent is not to sway anyone one way or another. This is also why you hear some other solutions as proxy lists used in cases like this.Another thing we are likely seeing is that entities, such as physician offices and payers, are seeing the value of being able to access a hospital's EHR for TPO reasons. Again...just sharing. So when I read that in your post the payer is actually scoring such access...I have to imagine this is just another way for third parties, such as payers...to try to motivate or incentivize covered entities to come up with a solution to allow for such access.Is such access prohibited by HIPAA...of course not. It it allowable under the HIPAA regulations...of course it is. The decision to "provide access or not to provide access" is one that needs to be looked at from many angles, in my opinion, and in combination with what other options, if any, that may also exist and are also practical and effective.Hope this helps.Posted: 5:43 AM AZ time
It does help that you feel that this is covered by HIPAA, I would like to learn more about this if you don't mind sharing. Because we can't restrict to "minimum necessary" I was thinking that perhaps we would be in violation of this part of the law. If we can't restrict to their own patients and they shouldn't have access to any other records that the patient may choose to have covered by either self-pay, VA, workman's comp, etc., how can we ensure that we are providing access to the minimum necessary in order to protect that patient from having their privacy invaded?
We have NO way to limit their access to just their beneficiary population. Our current auditing tools are challenging to use and read, and in my opinion are insufficient. I run the audits and I often struggle to find out exactly what was accessed and for how long.
Your earlier idea of running two reports to compare doesn't seem feasible either. We would have 1,000s of visits for this payer in a year. I really don't think we have the man power to fully ensure that their access is accurate.
Thank you for your knowledge and insight. I really want to do the best thing for our patients in this situation. I am concerned about the organization of course, but I feel that if we do right by the patient, the organization will have done the proper thing.