Patients have a right under the HIPAA Privacy Rule to request copies of their personal health information from all of their providers. However, this right of access typically hinges on the effective submission of a legal release of information (ROI) form that is then acted upon by a medical records staffer. The person responsible for fulfilling the patient’s request may not always be local to the provider’s location. They may be part of a large medical records department or outsourced to a specialized service. This can cause confusion for the patient and/or extra work for front office staff. Worse, if provider organizations are found by the HHS Office of Civil Rights to be preventing the patient from having access to their health information in a timely manner or otherwise acting as “information blockers,” they can be fined significant amounts. [Civil monetary penalties: HHS may impose civil penalties on a covered entity of $100-50,000+ per failure to comply with a Privacy Rule requirement – not to exceed $1.5 million per calendar year for multiple violations of the same Privacy Rule requirement]
We need to simplify and streamline this process to make it easier for patients and providers alike. Creating a single portal that simplifies communication between the patients and medical records staff would help. By registering to this portal, HIPAA covered entities could provide patients with the address to their medical records department’s front door – eliminating the risks of being labeled information blockers. [Generally, HHS has not imposed civil monetary penalties when the covered entity has implemented a corrective action. NATE suggests that by participating in the NATE Blue Button Directory (NBBD), organizations will have taken a preemptive step that mediates the risk of failing to respond to the consumer’s request within the permitted time.]
Further, this electronic address could be integrated into the existing workflows of the medical records department – acting as a workflow entry point. This “work queue” approach would decouple the receipt of the request from how the organization manages the ROI process today. As a result, the consumer is spared needing to understand how the organization chooses to process their request internally, and the organization has a single electronic way to receive requests, resulting in a more manageable process. For medical records staff, an authorization to share PHI with a consumer supplied Direct address can be incorporated into the release of information form bound to the consumer controlled application of the consumer’s choice.
The Enabling Technology:
At the center of this new flow of information is the NATE Blue Button for Consumers (NBB4C) Trust Bundle. Because the NBB4C aggregates consumer controlled applications, consumers could choose any one of a number of Direct-enabled applications to make their request and receive their information. A use case-specific directory of registered medical records departments would enable the creation of an organization-specific account that includes a Direct address to securely receive requests from consumers. During registration, a profile with information about the organization would be completed by the representative of the medical records department. It is this profile information that consumers would be able to search to discover where their providers’ records are managed and how best to access them. By registering with the NATE Blue Button Directory (NBBD), the healthcare organization and the entities that serve them would have a single, secure queue from which they could establish a reliable process to ensure compliance with applicable law and a secure bi-directional way to communicate with their consumers.
What’s in It for Me?
- Data Holders (Provider Organizations and Other HIPAA Covered Entities)
- Patients and their Caregivers
- Consumer Controlled Applications
- Policy Makers and Regulatory Enforcement Organizations
How Does the Prototype Work?
- Streamlines the Process. The NATE Blue Button Directory allows provider organizations and other HIPAA-covered entities and business associates the flexibility to handle the information request workflow however works best for them while presenting their customers with a single front door. It doesn’t matter whether you have Direct secure messaging baked into your system or not – now even a small practice with just a smart copier can exchange records electronically.
- Prevents Unnecessary Distractions. No longer are first-line care providers distracted by patients wanting a copy of their records. Your organizational profile in the NATE Blue Button Directory tells requesters exactly what to do in order to submit a request that works with your organization’s existing workflow. A single organizational Direct address ensures that the request goes to the right place every time, saving your staff time and effort. Plus, connection with the NATE Blue Button Trust Community means that you don’t have to decide whether you trust a given third party app – you can let the patient choose an app that works best for them.
- Leverages Patient Knowledge and Effort. By providing an easy two-way communication channel with your patient or their caregiver, you can let them do the work of keeping their records accurate and up-to-date. The NATE Blue Button Directory allows you to capture whatever customer attributes you need from the very first step and the use of Direct secure messaging provides a secure communication channel for patients to request the correction of errors or omissions in their chart.
- Creates a Regulatory Shield. Quality assurance is built into the process. Making the request and delivering the records electronically means accountability for both the patient and the organization. Having a record of when and where the request was made, and how and when you responded, provides verifiable proof against charges by government regulators of information blocking or delay.
- Eases Wayfinding. The NATE Blue Button Directory allows provider organizations to present their customers with a single electronic front door for records requests. Your provider’s organizational profile in the NATE Blue Button Directory tells you exactly what to do in order to submit a request that works with your provider’s existing workflow. A single organizational Direct address ensures that your request goes to the right place every time, saving you time and hassle.
- Enables Communication. Having the information you need to request your records online means you probably don’t have to go all the way to your hospital or provider’s office to sign and make your request in person or go back again to pick up awkward paper copies. The use of Direct secure messaging opens a protected two-way communication channel between you and your provider’s office so you can receive your records, review them and let your provider know electronically about any errors or omissions, all from the comfort of your own home or office.
- Maximizes Choice. Because the NATE Blue Button Directory is connected to the NATE Blue Button for Consumers (NBB4C) Trust Bundle, you have a choice in where you choose to manage your records. NATE-approved consumer controlled apps provide a wide variety of products and services, so you can use the one that best suits your needs, not the needs of your provider.
- Eases Wayfinding. The NATE Blue Button Directory allows provider organizations to make available a single organizational Direct address for records requests. Using this address ensures that your customers’ requests go to the right place every time, saving you from having to keep track of a wide variety of changing organizational workflows and contacts.
- Enables One to Many. The NATE Blue Button Directory is connected to the NATE Blue Button for Consumers (NBB4C) Trust Bundle. Because this trust bundle and its requirements are broadly available for review and use by provider organizations, participation in one trust community connects you with multiple data sources that already trust you because NATE trusts you.
- Leverages Existing Standards. The NATE Blue Button Directory leverages both existing (Direct secure messaging) and next generation (FHIR APIs) transport standards so there’s no question about how to make a connection. These standards are already baked into all Meaningful Use-approved products, which minimizes your development time and costs.
- Extends from Technophiles to Technophobes. Exchanging requests with provider organizations is easy once you have the right Direct address. Additionally, the NATE Blue Button Directory is associated with a Direct based portal for organizations that do not have an EMR implemented, or the EMR that they have does not support integration of incoming Direct messages with the providers’ medical records workflow.
- Eases Public Confusion. The NATE Blue Button Directory allows provider organizations and other HIPAA covered entities and business associates the flexibility to handle their information request workflow however works best for them while presenting their customers with a single easy-to-find front door. A provider’s organizational profile in the NATE Blue Button Directory tells consumers exactly what to do in order to submit a request that works with their organization’s existing workflow. A single organizational Direct address ensures that their request goes to the right place every time, saving time and hassle for consumers and providers alike.
- Creates an Auditable Trail. Making records requests and delivering them electronically means accountability for both the patient and their provider. Having an auditable electronic record of when, where and by whom the request was made, and how and when the organization responded, provides verifiable documentation when investigating complaints of information blocking or delay.
- Maximizes Choice and Encourages Innovation. Because the NATE Blue Button Directory is connected to the NATE Blue Button for Consumers (NBB4C) Trust Bundle, consumers have a choice in what third party app they want to use to manage their records. The NATE Blue Button Trust Community includes multiple consumer controlled applications that have elected to adopt a common set of publicly available policies and practices that enable consumer mediated health information exchange while upholding personal privacy preferences. This shared foundation allows NATE-approved apps to innovate and compete equally, providing a wide variety of products and services to meet the needs of a wide variety of consumers.
The Federal Health Architecture (FHA) Interoperability Showcase vignette showcased how federal agencies, such as the Department of Defense, United States Postal Service and Veterans Affairs, and external partners like the National Association for Trusted Exchange, enable veterans and service members to efficiently access their own health information.
Consumers are requesting their medical records and providers want to share them but there is often a workflow disconnect between the two. NATE and its demonstration participants showed visitors to the Interoperability Showcase how a simple enabling infrastructure can alleviate this problem. The NATE Blue Button Directory (NBBD) allows patients to discover how best to submit their request for health information and establishes a secure end-point for the HIPAA-covered entity’s staff responsible for managing these requests. NATE demonstrated the registration of the organization by the appropriate staff (e.g. medical records department) in a FHIR-based directory, and showed how the provisioning of a Direct address enables bi-directional exchange with the consumer-controlled apps recognized by NATE’s NBB4C trust community.
Thank you to NATE’s demonstration partners:
HIMSS17 conference attendees’ responses to the NATE Blue Button Directory prototype demonstrations were amazing. Based on the encouragement and recognition of the value proposition to both providers and consumers alike, NATE will continue to work on establishing this enabling infrastructure. Stay tuned for more information and video demonstrations coming soon.