CCHIT Certification-Security-Patient Care

visolveemr wrote on Saturday, September 12, 2009:

Hi Team,

**Individual Access:** Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.

**Correction:** Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.

Note: We have framed the technical requirements based on our understanding. Your suggestions are most welcome.

1. Individual access can be provided by creating a new patient level ACL, which would have only the read-only rights for viewing his/her EPHI alone. The rights can also be made configurable.

2. When the new patient is added, this access facility should be disabled. Only the authorized users can enable this feature.

3. The patients can access their details only from the corresponding doctor office

4. All the patient access details can be logged

5. Interface to enter the disagreement/views from the patient
   a. Date of visit
   b. Type of the info (Encounter/Issues/History/Demographic/Immunizations/Prescriptions)
   c. What information is wrong?
   d. What is the correct one?

6. The corresponding doctor can have a look into the above report and he can provide his views in the specified text area. He can mention the status (new/closed). An option for informing the decision through email to the patient can also be provided.

Do share your views here.

Thanks

ViCare Team
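
A minimal sketch of the access model proposed in items 1, 2, 4, 5 and 6 above, added here as an example; it is not part of the original thread and is not OpenEMR code. The class, method and role names are hypothetical, the chart data is constructed, and item 3 (access only from the office) is not modelled.

```python
import copy
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Info types from item 5b of the post; the role name is a hypothetical placeholder.
INFO_TYPES = {"Encounter", "Issues", "History", "Demographic",
              "Immunizations", "Prescriptions"}
STAFF_ROLE = "authorized_user"

@dataclass
class Dispute:
    patient_id: str
    visit_date: str
    info_type: str
    what_is_wrong: str
    what_is_correct: str
    status: str = "new"            # item 6: new / closed
    provider_views: str = ""

@dataclass
class PatientPortal:
    charts: dict                                   # patient_id -> chart data
    enabled: set = field(default_factory=set)      # item 2: off by default
    audit: list = field(default_factory=list)      # item 4: every attempt is logged
    disputes: list = field(default_factory=list)   # kept apart from the chart

    def _check(self, actor, action, target, allowed):
        # Log first, then enforce, so denied attempts are recorded too.
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, actor, action, target, allowed))
        if not allowed:
            raise PermissionError(f"{action} denied for {actor}")

    def enable_access(self, staff_id, roles, patient_id):
        self._check(staff_id, "enable", patient_id, STAFF_ROLE in roles)
        self.enabled.add(patient_id)

    def view(self, patient_id, requested_id):
        own = patient_id in self.enabled and patient_id == requested_id
        self._check(patient_id, "view", requested_id, own)
        return copy.deepcopy(self.charts[requested_id])  # item 1: read-only copy

    def file_dispute(self, patient_id, visit_date, info_type, wrong, correct):
        if info_type not in INFO_TYPES:
            raise ValueError(f"unknown info type: {info_type}")
        self._check(patient_id, "dispute", patient_id, patient_id in self.enabled)
        self.disputes.append(Dispute(patient_id, visit_date, info_type, wrong, correct))
        return self.disputes[-1]

    def respond(self, staff_id, roles, dispute, views):
        self._check(staff_id, "respond", dispute.patient_id, STAFF_ROLE in roles)
        dispute.provider_views, dispute.status = views, "closed"
```

A dispute is stored as its own record and never writes to the chart, so the patient-level ACL stays read-only even while a correction request is open.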


ideaman911 wrote on Saturday, September 12, 2009:

"only from the DOCTOR office" is problematic, since a number of providers are not MDs. I would request specific language stating "only with the agreement of the authorized user/author of the data". I do NOT believe there should be (nor ever will be) a requirement for anyone not specifically authorized by the patient to see their medical records or EHR, nor of the provider to share such information without that explicit authorization, and I believe allowing patients, without training in doing so, to have access to OpenEMR is a nightmarish problem. Any user authorized to do so can show any patient anything they wish, with their own recognition of their personal liabilities from doing so. I daresay most would simply print out anything they wished to share with a patient, and leave it to that patient to pass along to others as THEY wish, but have no direct means to edit that data. An ability to document a request or dispute with anything in the record is easily noted by the user now, but I have seen nothing which suggests that the user is not the owner of the data, and responsible for its security. Only a SUMMARY of that data is required to be passed to the next provider if requested and authorized under HIPAA.

Joe Holzer    Idea Man
http://www.holzerent.com

drpwayne wrote on Saturday, September 12, 2009:

I agree with Joe that patients should not be given the ability to write to the chart. Patients already have the right to ask for corrections in the chart - that is not the same as patient entries. And at least in my state (NY), the patient can get a complete copy of the chart any time they want, not just a summary, and the provider is only allowed to charge 75 cents/page for providing the chart.
When a patient disputes an entry in our chart, we simply enter the information as provided by the patient. For example, we saw a patient in January and recorded that he had been in an auto accident in December 2008. Apparently the patient is involved in a lawsuit related to that accident, and after our medical records were requested, the patient called and said the accident occurred in April. We made an entry to the effect that "Mr X called to tell us that the accident occurred on April 7, 2008, and not in December." The patient wanted us to change the entry in the chart, but we refused to do so; we added an addendum with the patient-provided correction. It would be a disaster to allow patients to make entries, even in their own records, even in our office - where would we sit them?  How could we be certain they would not look at someone else’s information? (even the schedule of appointments is not supposed to be visible to patients). And so on.