For healthcare to work for everyone, providers and other organizations face the responsibility of providing patient privacy rights education and safeguarding patient data.
When a patient goes to the doctor for the first time, he or she is asked to sign a HIPAA Release Form authorizing the provider to use and potentially disclose protected health information (PHI) to inform decision-making.
This is often the only exposure the patient has to information about his or her HIPAA privacy rights — and it is often insufficient to fully educate individuals about how their data will be collected, stored, used, and shared.
A thorough understanding of privacy rights is important for patients to be better informed about their own healthcare.
Patients have a right to ask for information and to access their medical records under HIPAA, said Erin MacKay, associate director for health IT programs at the National Partnership for Women and Families.
“Individuals should understand that they’re not asking for anything unreasonable. They’re not asking for a favor. They are simply asking for what they are entitled to under the law,” MacKay told HealthITSecurity.com.
If patients misunderstand their privacy rights, there can be a number of adverse consequences. Patients may be discouraged by their providers from accessing their health record, or they may let improper exposure of their data slip by unnoticed. Patients may be overly cautious about accessing their medical records online or sharing this data with others, which could negatively affect their healthcare.
Certainly, the complexity of the HIPAA rules can be an obstacle for some and fear of a data breach can deter others. It is incumbent upon healthcare providers to provide clear, easy-to-read information to patients on their privacy rights.
Providers Come Up Short on Privacy Knowledge
Providers must address the fact that many of their own healthcare employees misinterpret HIPAA, as well, and may inadvertently violate the spirit — or letter — of the law. There is a tendency to just say “no” when patients ask for access to their medical records or to share medical records with others, but that isn’t always the right answer.
Kim Murphy-Abdouch, clinical assistant professor at Texas State University’s Health Information Management Department, said that healthcare provider misunderstanding about HIPAA — what it allows and does not allow — can create problems for patient access and could be detrimental to patient care. It creates inefficiencies in the form of duplicate procedures because of the unwillingness of providers to share information with other providers.
“If a patient is going from one provider to another, without appropriate health information exchange, the second provider might not have adequate information on what the first provider is doing to provide good care to the patient,” Murphy-Abdouch said.
That is why provider literacy about HIPAA rules is so important to healthcare outcomes. Yet, a recent survey by MediaPro of 1,000 US healthcare workers found a disturbing lack of understanding about data privacy and and security rules. In fact, more than three-quarters of healthcare employees were unprepared to address common privacy and security threat scenarios.
“Beyond training geared toward HIPAA compliance, healthcare employees need a comprehensive approach to awareness education that includes security and privacy awareness,” MediaPro researchers observed.
Christiana Care Health System CISO Anahi Santiago cautioned that a lack of privacy awareness by healthcare providers can be detrimental to patients.
“A lot of times clinicians will err on the side of being very conservative. If they don’t really understand the rules, they might be concerned about sharing information because they think that it’s not allowed. That could inhibit patient care,” Santiago told HealthITSecurity.com.
Mark Savage, director of health policy, Center for Digital Health Innovation, the University of California, San Francisco, agreed. “We have all heard the stories about providers who respond to a patient’s request for their health data by saying that HIPAA does not allow them to disclose or share the patient’s health data.”
“On the contrary, the HIPAA privacy rule explicitly establishes the patient’s right of access and right to transmit her health information to others. Education for providers and patients is needed and beneficial,” he said.
Patients Worry about Privacy, Data Security
Unfortunately, patients are reluctant to access and share their records because of doubts about the ability of healthcare providers to protect their medical data and privacy.
A 2017 survey of 12,090 adult consumers by Black Book found that a majority of respondents with experience using health IT were skeptical of the benefits of patient portals, mobile apps, and electronic health records mainly because of recently reported data hacking and a perceived lack of privacy protection by providers.
In addition, 87 percent of respondents expressed an unwillingness to divulge all their personal health information to achieve better care.
Another study by ONC in 2018 found that 25 percent of individuals offered access to their online medical records did not access that information because of privacy and security concerns.
“It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” said National Coordinator for Health Information Technology Don Rucker.
Concern about privacy also discourages patients from agreeing to share their medical information beyond their primary care physician and hospital.
The University of Buffalo (UoB) carried out a study in 2017 looking at patient attitudes toward sharing their health records. The study examined more than 1,600 individual responses using data from the Health Information National Trends Survey conducted by the National Cancer Institute.
The study found that privacy concerns represented the single biggest factor discouraging patients from sharing their healthcare information beyond their primary care physician. Patients were concerned about who would have access to their PHI, how it would be used in health information exchanges, the intentions of the PHI users, and the risk of a data breach in which their information might be compromised.
“We found that privacy is the most important factor related to patients sharing their information,” said G. Lawrence Sanders, professor of management science and systems in the UoB School of Management and co-author of the report.
“The reason they’re leery about sharing the information is because they’re worried about the threat of that information being breached, taken, or stolen,” Sanders told HealthITSecurity.com.
Added Joana Gaia, a co-author of the report and clinical assistant professor of management, science, and systems at the UoB School of Management, “The more educated healthcare providers, and especially physicians, are on privacy and security of personal health information and how it’s shared, the better they can inform the patient on how that information is going to be used and address any concerns that the patient might have.”
Solutions for Healthcare Providers
Education needs to be the keystone of any healthcare provider program.
The UoB study recommends a two-track approach to education. “On the one hand, patient education is crucial to generate a perceived technological safe environment for sharing PHI electronically, and on another front, we suggest that physician education is as important as patient education,” said the authors.
In terms of educating patients, the healthcare provider can offer patients clear, easy-to-read information about their privacy rights.
Murphy-Abdouch recommended using the model notices of privacy practices (NPPs) developed by HHS for healthcare providers to post in their offices or provide directly to patients. That way, patients know what they have the right to ask for and receive from the provider.
Some of the NPP options offered by HHS include a booklet, a layered notice that presents a summary of the information on the first page followed by the full content on the following pages, a notice with the design elements found in the booklet but formatted for full page presentation, and a text only version.
HHS states that a covered entity must make its notice available to any person who asks for it and must prominently post and make available its notice on any website it maintains that provides information about its services or benefits.
“Providers should have a notice of privacy practices that includes a description of how your information will be used, that the information will be maintained confidentially, and that you have the right to see and obtain a copy of your records. You also have a right to ask that the records be changed if you think they are incorrect, and you have the right to have your information sent to other individuals,” Murphy-Abdouch said.
Gaia concurred that patients should be informed about their rights in a clear way, such as a brochure or web page.
“What seems to be happening right now is that organizations will give patients disclaimers and a bunch of information of how their personal health information is dealt with … Nobody really reads them because those are documents that are pages long,” observed Gaia.
Instead, healthcare providers should provide patients with clear information and then be willing to answer any questions that the patient may have, she noted.
“If the patient is more informed from the get-go and the doctor says, ‘Hey, I’m going to ask for an MRI, and I’m going to share this with a specialist,’ the patient already knows how that’s going to happen and how their information is protected,” Gaia explained.
Santiago favored clinicians having face-to-face conversations with patients about their privacy rights.
“A good privacy and information security program is not just handing somebody a piece of paper and asking them to sign it, but providing them with education that they can take home and read, providing them online access to education that they can pull up at any given time, and providing them a link to their patient portal,” she said.
For the healthcare providers, staff training on HIPAA rights is advisable.
“A brief formal training for staff would be helpful, perhaps a ten-slide Powerpoint presentation that could be made available to physician practices to share with their staff,” recommended Murphy-Abdouch recommended.
This presentation could be developed by a medical society or industry association or based on training materials from the OCR website, she added.
MacKay favored including stakeholders beyond the patient and the primary care physician in the education process.
“We need to be thinking more broadly about how to build a more robust education campaign that involves more stakeholders,” said MacKay.
“Patients want access as well as privacy. They want convenience and security. They want control over their data to make decisions, but they also want to be able to have conversations with their providers and be making decisions in partnership with their care team,” she said.
Savage noted that elements of a strong patient education program should include those captured in ONC’s Model Privacy Notice (MPN). He participated on the ONC Consumer Task Force that worked on the MPN in 2016.
The MPN is a voluntary, openly available resource designed to help health technology developers provide notice to consumers about what happens to their digital health data when the consumer uses the developer’s product.
While the MPN was developed primarily for consumer apps that collect health data, it can be used across the healthcare industry to inform patients and providers about privacy rights, Savage explained.
In sum, both patients and providers need to be better educated about privacy rights and data security. Providers should provide training for staff about HIPAA rules and clearly written information, in the form of brochures and web pages, to educate patients about their privacy rights.
When providers and patients worked together, privacy rights can be protected while health information can be shared in a responsible, secure way to better serve the patient and the healthcare organization.