Editor’s Note: In October, the Office of the National Coordinator (ONC) for Health IT extended the compliance dates the information blocking final rule. Read more about the extension here.

By Grace Cordovano, PhD, BCPA, and Shahid N. Shah, M.Sc.
Perhaps the most revolutionary implication of the information blocking provisions of the 21st Century Cures Act Final Rule (Cures Act) is that it shifts control of health information from providers and payers to consumers.
Traditional methods for patients to request medical records still exist; HIPAA mandates the consumer’s right to access their medical records, receive copies of them, and request amendments to them.
However, state and institutional policies vary in request processes, fulfillment costs, and the time between when a request is made and honored (up to 30 days per HIPAA, with a one-time 30-day extension).
The Cures Act removes much of the complexity of medical record requests and gives patients unprecedented power to select a third-party app to securely access, store, and share their own health information.
When patients and their providers have seamless and timely access to medical records, it can lead to empowerment, engagement, improved patient safety, and better outcomes.
HIM professionals have the power to significantly—and directly—impact the lives of patients and providers. The Cures Act offers a pivotal opportunity for HIM professionals to become agents of change for patients, shifting the profession from playing a role primarily focused on medical records to a champion for seamless, strategic health information access.
Welcome to the Patient-Access Digital App Economy
“There’s an app for that” is something we never heard before the iPhone was introduced in 2007. Today, we hear it all the time because innovators build small, purpose-built apps that solve specific problems.
Because not all patients have the same problems, healthcare apps exist for different solutions—from smoking cessation to vital signs monitoring. We do not replace our phones every time we want to do something new; we just add an app, and our phones get new functionality—that’s the “app store” innovation model.
Nurses, pharmacists, physicians, and other clinicians routinely spend time in multiple apps in different systems of record for billing, treatment plans, medication orders, and other functions. Every app developer believes you should just buy another app when you need more functionality. However, app stacking can easily lead to bifurcation and poor interoperability.
The Cures Act requires healthcare providers, healthcare delivery organizations (HDO), and payers to provide consumers with electronic access to their medical information by leveraging application programming interfaces (APIs) that connect back-office systems of record with consumer-friendly third-party apps.
APIs can streamline communication between applications and institutions, helping patients aggregate and control their data using their smart phones and devices. Since APIs are now required by law, HIM professionals looking to enhance their value to their organizations can take on a bigger role in helping patients connect third-party apps to their institutional systems.
Patient Access Challenges
Misinformation about HIPAA, inefficient workflows, lack of adequate staff training, poor communication, and complexities pertaining to state and federal laws often lead to unnecessary barriers in patient access and information blocking.
The American Medical Association published the Patient Records Electronic Access Playbook for actionable guidance to practices and organizations in addressing HIPAA misconceptions, providing guidance on navigating complex state and federal laws, resources on operationalizing patient access workflows, as well as resources guiding patient access in substance use disorder care. The HIM profession should “own” many parts of that playbook—because so much of the playbook is about information management and modern digital patients are really personal health information managers themselves.
The Playbook also provides support on legitimate denial of records requests, as per HIPAA. Denial of medical records requests are frequently poorly communicated, if at all, to patients.
Granting seamless access as well as promptly and clearly communicating the reasons for a request denial is important. ONC has also identified eight exceptions that do not constitute information blocking. Educating patients and their institutions about what’s not information blocking will become an important new role for HIM professionals.
Being a Patient Takes Work
The robustness of the digital app economy and digital transformation of patient access is dependent on the healthcare ecosystem recognizing the intricate work that patients and their care partners perform routinely to ensure patients get the care they need.
Patients and providers routinely need seamless access to medical records throughout the care journey:

Preparing a comprehensive, longitudinal timeline for care coordination purposes
Asking questions about upcoming appointments or preparing to participate in shared decision-making
Scheduling a second or third opinion with a multispecialty team
Preparing for discharge from the hospital
Confirming a diagnosis or treatment plan
Appealing insurance denials
Advancing directives and discussing end of life care
Preventing unnecessary delays in any care or treatment-related decision-making
Mitigating medication errors, in and out of the hospital
Unnecessarily repeating bloodwork, imaging, and other treatments or care
Preventing billing errors and fraudulent claims
Scheduling new patient appointments with specialists
Researching potential clinical trials for treatment planning
Contributing data to scientific research
Transitioning from one health insurance plan to another
Sharing medical data with school nurses as children move from one school to another

Many care providers, some HIM professionals, and much of the healthcare ecosystem, in general, do not fully understand all the real-world ways that patients and care partners use medical records. But, if tomorrow’s HIM professionals use Patient Impact Stories to learn where they should take a more active role in their institutions’ digital front door, patients will prefer those institutions to others that do not take patient stories into account.
Constant Companion
It is no longer sound advice to advise patients to not request their medical records before being discharged from the hospital. Hospitals and HDOs should encourage and support patients in requesting their medical records as part of the discharge process. Internal patient access workflows must be updated accordingly.
If patients wait to request their records after a hospital stay, most follow-up appointments, that are typically scheduled between seven to 10 days from the hospital discharge, do not have the information needed for a productive conversation between the doctor and patient. Primary care physicians and specialists are often frustrated that “no one told them that their patient was in the hospital,” often unnecessarily creating a frustrating situation where patients and care partners may be unable to relay all the details of the hospitalization, such as results of lab work, imaging, procedures, medication adjustments, or new diagnoses, and the caregiver is unable to practice at the top of their license.
Patients who are discharged with a life-altering diagnosis, such as cancer, may be unable to make a new patient follow up appointment with a specialist as many providers require a copy of the incoming patient’s medical records, including images on CDs, pathology reports, and even pathology slides, prior to scheduling an appointment.
Gathering images on CD takes time and often requires a separate request process for the radiology department. If a patient had imaging done and is having a follow-up appointment, it should be standard practice to be sure the images follow the patient out the door immediately after the visit as most providers find the images on CD accompanying the radiology report more valuable than the report alone.
In any of these situations, it is much easier to ask for help in how to get copies of pertinent records while at the hospital or HDO than to try to find the right contact number on the HDO website or by way of navigating their phone directory once you have been discharged.
Medical records must follow patients to all follow-up appointments with key members of their care team, which is why the Cures Act created the mandate. Nurse navigators, social workers, patient advocates, and discharge planners may all help patients and their care partners determine what records may be needed.
HIM staff may need to be restructured and expanded to have professionals move from behind computers and to the bedside, leveraging their expertise to strategically guide patients and their loved ones with planning actionable flow of medical information to ensure seamless, well-coordinated care that supports a value-based health economic model.
HIM professionals need to be armed with solutions and technology that empower them to become agents of change for patients. This involves being patient-centric with respect to the importance of seamless access to medical records across the continuum of the patient experience instead of being solely focused on being medical records-centric. Imagine a world where HIM staff collaborate with clinical care teams, discharge planners, and patients and care partners to empower them on the road to success by ensuring that medical records follow the patient where they go for their care. Many Patient Impact Stories would be quite different in such a world.
By leveraging digital tools and technologies such as HDO digital front doors, HIM can transform patient access by the bedside, carefully educating patients and care partners about rights under HIPAA, mapping care pathways to ensure pertinent records are routed accordingly for upcoming follow-ups and outpatient care, and verifying any pertinent information needed for proper HIPAA authorizations, including fulfilling part 2 rule requirements for handling substance use disorder care. HIM professionals can also help make sure appropriate HIPAA authorizations are proactively obtained at the bedside using smart devices to streamline the process.
During the average inpatient hospital stay, there is a revolving door of people who visit the patient at the bedside. This steady stream of visitors includes doctors, attendings, residents, fellows, interns, nurses, nurse practitioners, nursing students, TV and phone service staff, physical therapists, social workers, case managers, housekeeping staff, chaplains, food and beverage staff, transport staff, and discharge planners.
These individuals play essential roles in a patient’s care during their time in the hospital. There is one very important hospital staff member that is sorely missing: someone from the medical records or health information department. It is critical to recognize the importance of access to medical records to every patients’ success and health journey.
Proactively obtaining appropriate HIPAA authorizations can prove to be critical in nature, especially in the event of an unexpected death where most individuals may not have a will, an executor of their estate, or a designated personal representative.
Everyone should discuss what to do with their medical records when they die and have appropriate authorizations in place as well as credible patient education materials available to guide informed decision making.
HIM professionals, HDOs, and care providers must be informed of the proper practices and workflows guiding access to a deceased individual’s medical records so as to not be a source of information blocking during what may be an already difficult time filled with grief.
Revamped Law, Revamped Incentives, Real Penalties
Patients’ access to their health information is a fundamental right. With the implementation of the Cures Act and information blocking rules, there are now stricter enforcement of civil penalties for not providing patients with their records in a HIPAA-compliant manner.
Under HIPAA’s Right to Access Initiative, which defends an individual’s right to cost-effective, secure, timely access to their health information, the Office of Civil Rights (OCR) has settled nine cases to date where HDOs have been fined and held accountable to resolution agreements that will require meeting specific criteria and routine monitoring by way of corrective action plans.
From these settlements alone, it is clear that OCR is taking patients’ right of access seriously and as a priority. All covered entities and HDOs should be proactive and future-facing, reviewing all patient access workflows to not only prevent costly fines and damages to reputation, but also to be authentically patient-centered in putting the patient in control of their health information as data access champions.
Besides civil monetary penalties and corrective action plans, additional incentives should be considered for implementation to further support patient right of access. HIPAA compliance and being a patient access champion needs to be measured.
Hospital Consumer Assessment of Healthcare Providers and Systems (HCAHPS) and Press Ganey surveys should include dedicated reporting on patient access as a meaningful assessment of comprehensive care.
US News and World Health Report hospital rankings should include patient access as a structural measure and an essential process in its methodology that is necessary for delivering safe, comprehensive patient care especially, in chronic, medically complex patient care situations.
Hospitals, HDOs, and physician practices that are patient access champions and data liberators should be formally recognized and celebrated for their efforts. Patients and consumers have a right to know which actors and entities support the right of patient access as well as which entities and actors are information blockers.
Balancing Consumer Education and Control
All covered entities and HDOs should be proactive in understanding the digital app economy and ready to answer consumers’ questions about use of APIs and apps for accessing, sharing, and managing their medical records.
Apps should be evaluated for their privacy standards, terms of use, as well and their trustworthiness in order to be suggested to patients and consumers who are interested in potentially using apps to manage their health information.
However, even if an app is not paternalistically “vetted” by an institution or advocacy group, patients have the right to connect those apps to their data held by any institution. Patients can only truly have control when they are not told what “proper” or “improper” use is. Education is important but true control is even more important.
The CARIN Alliance, a non-partisan, multi-sector alliance committed to providing digital health information to patients and consumers has created a Trust Framework and Code of Conduct to raise the bar of ethics guiding consumer-directed information exchange by entities handling protected health information (PHI), especially by non-HIPAA covered entities.
My Health Application serves as reference for patients and consumers of vendors and entities who have voluntarily agreed to abide by the CARIN Alliance’s Trust Framework and Code of Conduct.
The AMA Privacy Principles emphasize that third parties with access to PHI should be responsible stewards of such sacred information, extending the nature of the physicians promise to maintain patient confidentiality to the digital world. The AMA has also provided numerous recommendations to safe guard patient medical information privacy as well as made recommendations to improving federal health IT policy.
Provider organizations must honor patients’ requests to release medical records to the app of their choosing, regardless of the app’s privacy policy, terms of use, and general trustworthiness.
The healthcare ecosystem and innovators are responsible for meeting gaps in patient education and transparency about the digitization of patient access and the digital app economy, committing to Do No Harm.
File-Sharing Services as Personal Health Records
Many commercial file-sharing sites are HIPAA-compliant, but patient-access provisions allow consumers to keep their records wherever they would like, whether or not the system they choose is HIPAA-compliant.
While third-party apps are a great place to send patient data, an even easier place to start is with a file-sharing service, such as Microsoft OneDrive.
Microsoft OneDrive allows users to save their files and images and access them anywhere. A OneDrive Basic account with 5GB of storage is free while 100 GB storage is $1.99/month. Files can be accessed across all devices and offline. OneDrive and similar tools can help patients, their care partners, and families collaborate, sharing records, files, images, and folders of health information via an email or text link.
The Cures Act has the potential to fundamentally re-shape the healthcare industry, making it more accountable on cost transparency and patient outcomes; fueling competition across the marketplace; and providing a framework for driving innovation for all stakeholders, most notably, patients.
However, the success of the Cures Act will rest on more than compliance with technical requirements. Patient education and advocacy regarding their rights and responsibilities will be critical, as well installing the proper reporting mechanisms when their rights are not honored.
Further Reading
The Compliance Clock is Ticking on ONC’s 21st Century Cures Act Regulations
Federal Regulators Put Patients in the Driver’s Seat
Patient Stories
The authors have curated a collection of stories from patients and their difficulties in securing their medical records. You can access the slideshow here.
Grace Cordovano (enlighteningresults@gmail.com) is founder of Enlightening Results, a patient advocacy practice, and co-founder of Unblock Health, which empowers patients and their care providers to eliminate information blocking practices.
Shahid N. Shah (shahid.shah@netspective.com) is co-founder of Unblock Health, is an internationally recognized and influential healthcare IT thought leader, entrepreneur and technology strategy advisor to several federal agencies.

Show CommentsClose Comments

Leave a comment