Patient engagement is emerging as a key focus area in US healthcare, and patients are increasingly able and willing to report additional health data to their providers. Traditionally, healthcare providers have received unsolicited patient health information volunteered by the patient or by other providers responsible for the patient's care. In its simplest form, unsolicited information is data received by a healthcare provider who has taken no active steps to ask for or collect that information. In some instances, this information is provided in the absence of an existing patient-physician relationship. For example, consider a patient who has recently moved to a new location. Though the individual may have already picked a primary care physician for insurance purposes, if they are seen in an emergency room before establishing contact with that physician, they may still wish to send the information from their visit to the primary provider.
Today, unsolicited patient health information may come from many sources, such as health information exchanges (HIEs), personal health records (PHRs), or patient-generated health information from mobile devices. This unsolicited data can arrive in a variety of formats from paper to electronic media. As a result, healthcare providers are receiving more unsolicited information than ever before, the influx of which necessitates new methods to handle and process the data in an effective manner.
The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).
An individual does not have a right to access PHI that is not part of a designated record set because the information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, a hospital’s peer review files or practitioner or provider performance evaluations, or a health plan’s quality control records that are used to improve customer service or formulary development records, may be generated from and include an individual’s PHI but might not be in the covered entity’s designated record set and therefore might not be subject to access by the individual.
Join our upcoming webinar on “Managing Incoming Patient Information: What It May Be, Where It May Come From and How to Use It Properly”.