Thursday, April 09, 2015

Who is Reading Your Medical File? The more things change...

So, 9 years ago, Bob wrote an eerily prescient post on the future of health records:

"In a time zone 17 hours ahead, a radiologist in Australia, working for a company called NightHawk Radiology Services, had been sitting before the same images ... In an effort to hold down costs, hospitals and other medical practices are outsourcing certain functions half way around the globe."

Turns out, one of those functions is patient record-keeping.

About a month ago, we wrote a long term care insurance policy for a very nice couple. Sam and Sally are relatively young, and in good physical shape, but pretty much every case requires an APS (medical records). Generally, the carrier sends a request (and a check) to the doc, who then instructs his clerical folks to get the records together and faxed/emailed over to the carrier. This can take a couple of weeks, but it's not usually a major roadblock.

Until now.

Seems that Sally's doc uses an off-site electronic records keeping outfit, which relieves the doc of certain administrative costs and burdens. But according to the way the contract is written, the vendor may specify that it will only fulfill these kinds of requests once a month. Here's the first problem: let's say that Sally's doc's vendor’s contract specifies that requests are fulfilled on the 15th of each month. So Doc Smith sends the request on the 13th, no problem.

But if he sends it on the 16th, we've now just lost one month. And this is significant, because the underwriter can't finish...underwriting…without the records, and so that app just went to the bottom of the pile.

Not a pleasant thought.

Here’s the next problem (they keep getting "better"): Sally had no idea that her doc was using such a service. When she called to find out why the doc hadn't sent her records, she was told that the doc had, in fact, requested them over two weeks ago. Unfortunately, no one told the carrier, which has been waiting patiently, and the vendor hasn't returned phone calls asking about status.

And to add further insult to injury, Sally also had no idea that her records were being stored not just off-site, but on a vendor's cloud server.

Why is this a problem?

Well, let's skip down a bit in Bob's 2006 post:

"Most are aware of the privacy laws that come as part of HIPAA but few stop to think about how much of that law is lost once your medical information leaves the shores of the United States."

That is, HIPAA stops at the border. So here’s a question: exactly where is the vendor's cloud server physically located? Denver? Or New Delhi? Makes a difference: if the former, HIPAA applies, if the latter...

So here's a question: does the doctor have the obligation to notify his patients that he is, in fact, using such a service? Does he have a further obligation to determine whether or not his patient’s PHI (Private Health Information) is, in fact, protected by HIPAA?

In Part 2, we discuss these issues with Dr Rob Lamberts.

[Hat Tip: FoIB Randy G]
blog comments powered by Disqus