Who’s Seen My Medical Record? Better Be Able To Answer

Posted on June 19, 2011 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Right now, HHS is considering a new rule which would demand that hospitals, medical practices and health plans provide anyone who asks with a list of who has accessed their electronic medical records.

The proposed rule, which will go into effect January 2013 if approved, shouldn’t be a big deal in theory. After all, since 2005 healthcare companies directly involved in patient care have had to keep their own log of who accesses patient records electronically.  But apparently, the industry is arguing that providing a report on who saw your EMR file would be a massive hassle. (Even the rule’s author told USA Today that “the burden could be significant.”)

OK, I’m beginning to get a bit of a headache. Correct me if I’m wrong, but isn’t such monitoring — a detailed record of who looked at what record — a completely standard security measure for any organization with its act together?

I’m also wondering why the heck the article suggests that it would be difficult to get such access logs across departments. Again, I’m not an IT executive and I don’t play one on TV, but how much would EMR security be worth if you could only track access department by department?

I’ll admit that the more paper that remains in the process, the trickier things get. If a consumer wanted a complete list of who’d accessed their files, and the healthcare organization still conducted some major processes on paper, things could get pretty time-consuming. (Though even in that case, healthcare organizations better be aware of who’s peeked at what patient’s data.)

Still, I detect a smokescreen here. While there are probably entities — notably smaller practices with lower-end EMRs in place — that would be burdened by this requirement, many more would probably find it no trouble to handle if they tried. In fact, if a provider has spent big bucks on an EMR that can’t dig up access records easily, they should get their multi-million-dollar investment back.

I understand health plans’ and hospitals’ reluctance to turn over such information, which could drag them into lawsuits, divorces (“Did my wife really have the right to see my records?”) and medical ID theft prosecutions, to name just a few possibilities.  Once targeted, the entity would have to prove, sometimes laboriously, why a given person actually did have good reason to access a certain patient record, and sometimes they’d look bad even if they were in the right.

But if that’s the real issue, and I strongly suspect it is, I’d prefer to see health plans and providers come out and admit that they don’t want to get dragged into fights they may not win. Saying they can’t afford to comply with what should be a simple request just makes them look dishonest. And that can only lead to further headaches down the road.