LinkedIn users respond to AAP health security queries

By Patrick Ouellette

Last week, HealthITSecurity.com reported that the American Academy of Pediatrics (AAP) believes adolescent patients' protected health information (PHI) is at greater risk because EHR systems are not built to handle patient consent for minors. Regardless of whether AAP's recommendations are eventually acted upon, the relationship between health data security and adolescent patient consent remains hotly debated. Two LinkedIn users chimed in on their experiences with the matter this week, and though their backgrounds differ, both offer interesting points of view:

Frank Ruelas of HIPAA College and former Compliance Officer at Maryvale Hospital:

Not to mention that many covered entities are unaware, generally speaking, of the minor consent laws related to the types of treatment which minors can consent to without their parents' knowledge. This is a very, very volatile area, and so often people who allow a parent to access a minor's record later find themselves in very hot water. Too often they use the reasoning of, "Well, if my 13-year-old son was being treated for alcohol abuse, I would want to know about it…"

Though certainly this sounds logical, and many parents would also likely agree that it should be allowed (especially if they are asked to put themselves in the shoes of the requester)… but the fact remains that there are laws, and in many states, if the minor can consent, then the courts hold that the minor also has the capacity to authorize access to this information.

Folks needing more info need to turn to their own state statutes related to consent…it may be an eye opening experience. To that end, it’s also the staff and their understanding when a minor’s information can be released that is most critical in my view. As with many rules, it seems many folks are quick to enforce them and they do so rather effectively….UNTIL that rule or regulation hits close to home then it often seems that automatically, the rules no longer apply.


A long-time example of a situation that happens…a manager checking the EHR of a coworker because she has the “right to know” just how ill the employee is so she can staff the department effectively. It happens…and very likely more than people realize because as I’ve mentioned before, I would bet that many organizations do not have any type of monitoring or auditing that would alert anyone if an employee was looking at another employee’s record that may represent a questionable access. Sure this is done from time to time as part of retrospective audits…but rarely on an ongoing basis.
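One way to put the kind of monitoring Frank Ruelas describes on an ongoing footing is to run a rule over the EHR access log that flags lookups of a staff member's own chart by another user when no encounter or billing relationship is recorded, and to call out same-department lookups separately, since that is the "manager checking on a coworker" pattern. The Python below is an added example for this article, not code from HIPAA College, Maryvale Hospital or any EHR product; the pipe-delimited log format, the employee roster and the user directory are all constructed here for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample access-log lines (hypothetical format:
# timestamp|user|patient_mrn|action|context). Not real patient data.
SAMPLE_LOG = """\
2013-09-10T08:02:11|nurse.jones|MRN1001|VIEW|encounter:E55
2013-09-10T08:05:40|mgr.smith|MRN2042|VIEW|none
2013-09-10T09:15:03|dr.patel|MRN2042|VIEW|encounter:E61
2013-09-10T11:40:22|mgr.smith|MRN2042|VIEW|none
2013-09-10T12:01:19|clerk.lee|MRN3077|VIEW|billing:B9
2013-09-10T13:30:05|hr.adams|MRN3077|VIEW|none
2013-09-11T07:58:45|mgr.smith|MRN2042|PRINT|none
2013-09-11T08:10:00|nurse.kim|MRN2042|VIEW|none
"""

# Constructed HR roster: patients who are also staff, keyed by MRN -> (username, department).
EMPLOYEE_PATIENTS: Dict[str, Tuple[str, str]] = {
    "MRN2042": ("nurse.kim", "ICU"),
    "MRN3077": ("tech.ortiz", "Radiology"),
}

# Constructed directory of EHR users -> department.
USER_DEPARTMENT: Dict[str, str] = {
    "nurse.jones": "ICU", "mgr.smith": "ICU", "dr.patel": "Medicine",
    "clerk.lee": "Billing", "hr.adams": "HumanResources",
    "nurse.kim": "ICU", "tech.ortiz": "Radiology",
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user: str
    mrn: str
    action: str
    context: str  # "none" when no encounter/billing relationship was recorded


@dataclass(frozen=True)
class Finding:
    user: str
    mrn: str
    employee_user: str
    reason: str
    count: int


def parse_access_log(text: str) -> List[AccessEvent]:
    """Parse the hypothetical pipe-delimited log, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("|")
        if len(parts) != 5:
            continue  # malformed; a real pipeline would quarantine the line, not drop it
        events.append(AccessEvent(*parts))
    return events


def audit_employee_record_access(
    events: Iterable[AccessEvent],
    employee_patients: Dict[str, Tuple[str, str]],
    user_department: Dict[str, str],
) -> List[Finding]:
    """Flag accesses to a staff member's chart by another user when no encounter
    or billing context is recorded; note when accessor and employee share a department."""
    counts: Counter = Counter()
    reasons: Dict[Tuple[str, str], str] = {}
    for ev in events:
        if ev.mrn not in employee_patients:
            continue  # only employee-as-patient charts are in scope for this rule
        employee_user, employee_dept = employee_patients[ev.mrn]
        if ev.user == employee_user:
            continue  # self-lookup is a separate audit rule
        if ev.context != "none":
            continue  # documented treatment or billing relationship
        key = (ev.user, ev.mrn)
        counts[key] += 1
        if user_department.get(ev.user) == employee_dept:
            reasons[key] = "no documented relationship; same department as the employee"
        else:
            reasons[key] = "no documented relationship"
    findings = [
        Finding(user, mrn, employee_patients[mrn][0], reasons[(user, mrn)], n)
        for (user, mrn), n in counts.items()
    ]
    findings.sort(key=lambda f: (-f.count, f.user))  # most repeated first
    return findings


def run_sample_audit() -> List[Finding]:
    return audit_employee_record_access(
        parse_access_log(SAMPLE_LOG), EMPLOYEE_PATIENTS, USER_DEPARTMENT
    )


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.user} -> {f.mrn} ({f.employee_user}) x{f.count}: {f.reason}")
```

Because `audit_employee_record_access` takes any iterable of events, the same rule can be run retrospectively over an exported log or continuously over a tailed feed; the "context" field is what distinguishes a legitimate clinician lookup from a curious coworker, so the rule is only as good as the EHR's recording of encounter and billing linkage.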

Dennis Melamed, President at Melamedia, LLC, a healthcare research company:

I can’t help but note that the Family Educational Rights and Privacy Act (FERPA) plays a role in this as well. And I’m always a little surprised about this omission. A substantial amount of healthcare is provided under the auspices of educational institutions. And I’ve yet to see any real discussion about this.

My work in this area continues to find little appetite for addressing this interaction. I also remain astonished at how few people seem to get the basic point that EHRs — as we discuss them today — are only aimed at treatment as defined largely by HIPAA. When you add coordination of care to the mix under the ACO program, we are inexorably heading to a situation in which health data is being collected for EHRs that are ruled by different laws. That should mean that EHR systems will have to track the origin of that information and the rules that governed the creation of that data. We’ve seen some of that with the work on metadata. But we haven’t seen much beyond that.

Minors’ rights to privacy/consent are yet another good example of the complexity. And I won’t bother going into the age of consent issues that arise when a teenager goes to Planned Parenthood. I’d also remind everyone that going to the doctor is not simply going to the doctor. We have rules that govern the data based on why you went to the doctor. A good example of that is workers’ comp records and occupational safety and health records.


Segmenting patient data and maintaining separate privacy and security rules that satisfy both state law and HIPAA can get tricky. As both commenters note above, this is going to remain a pressing issue for healthcare providers because, despite gaining more features over time, some EHR systems are still not built with consent-management capabilities.
