P6: Patients' Access to Their Own Health Information
Connecting for Health's Record Locator Service (RLS) is intended as a critical line of communication within and among sub-network organizations (SNOs),47 and, as a matter of principle, patients should be able to access the RLS. At this stage, however, there are serious privacy and policy issues that must be addressed regarding such access.
Both the HIPAA Privacy Rule and the Markle Connecting for Health “Architecture for Privacy in a Networked Health Information Environment” are instructive here. As discussed above, patients have a federal right to see and copy their medical records held by a provider. However, since the RLS may not be covered under the HIPAA Privacy Rule as a provider, plan, or clearinghouse, there may be no legal obligation to provide patients access to the information in the index. But, as a matter of principle, the RLS should be designed to provide such access in a secure, authenticated manner.
The nine principles articulated in the Markle Connecting for Health “Architecture for Privacy in a Networked Health Information Environment” support this philosophy. The most pertinent principles are “openness and transparency,” “individual participation and control,” and “data integrity and quality.” The principle of openness and transparency asserts that patients should be able to establish what information exists about them in the data market and in government databases, and should be able to track how that information is used and by whom. The principle of individual participation and control clearly stipulates that patients should be able to see and amend their information: “at all stages in the information chain, they should be able to inspect and query their information…they should have clear avenues to correct information.” The data integrity and quality principle further emphasizes this point, establishing that patients “should have clear avenues to view all information that has been collected on them, and to ensure that that information is accurate, complete, and timely.”48
Based on the access provisions of the Privacy Rule and the principles articulated in the Markle Connecting for Health “Architecture for Privacy in a Networked Health Information Environment,” it becomes clear that, ideally, patients should have access to the information in the RLS. Allowing patients the opportunity to independently access information held in the RLS will empower patients to be more informed and active in their care.
However, providing access to the RLS is not a simple task. Significant privacy and security concerns come into play when considering giving patients direct access to the service. Authentication poses a significant challenge for allowing such access. Ensuring that information is not accessed by unauthorized individuals is central to establishing privacy and security, but developing a reliable and convenient method of authentication, even beyond the issue of patient access, remains a significant obstacle in the field of health information exchange. The problem with authentication is both fundamental and widespread. Indeed, one of the longest-functioning SNOs—the Indianapolis Network for Patient Care (INPC)—cites authentication as a challenge.49 Outside of the health care industry, experts in banking and government continue to struggle with devising policies and technologies that would allow individuals access to data while ensuring security. Many proposals have come forth. For instance, the Liberty Alliance Project—an open standards organization representing over 160 companies—emphasizes decentralized authentication, allowing individuals to link “elements of their identity…without centrally storing all their personal information.”50
A few current health information exchange networks have taken steps to address patient access in a secure environment. CareGroup, a Massachusetts-based hospital consortium using electronic information exchange, is often noted for its strong privacy and security practices, including those for authentication. CareGroup implements a three-tiered authentication process for providers, requiring users to prove identity with a user name, password, and a SecurID Token system.51 CareGroup’s PHR service for patients follows this model, requiring users to authenticate themselves twice by passing through both a front and interior “door.”
The RLS poses unique challenges related to patient access and authentication; yet given the imperative of allowing patients the ability to see, copy, and amend their personal health information, it is important to work towards realizing goals supported by the Markle Connecting for Health “Architecture for Privacy in a Networked Health Information Environment” principles.
The access provisions of the Privacy Rule serve as an important baseline for ensuring that patients have adequate control over their personal health information. Meanwhile the principles articulated in the Markle Connecting for Health “Architecture for Privacy in a Networked Health Information Environment” recommend taking these rights further, establishing that patients should have access to all their information, including information held outside of a covered entity. With this in mind, a discussion about how to give patients access to the information held in the RLS is appropriate.
The RLS could ultimately empower patients. Patients’ ability to access a reliable list of where their personal health information is stored could significantly enhance their ability to access and potentially amend information. It is, therefore, important to adopt policies and procedures that adhere to the notion that patients should have the same access to their own information that health care providers do.
EHRs, PHRs, and similar information systems could significantly enhance patient participation, with untold benefits to both individuals and the general public. Using the RLS and asserting their rights to access under the Privacy Rule could go a long way to ensuring that patients play an active and informed role in their own health care.