HIT Policy Committee Okays Best Practices for Proxy Access to Patient PHI

In an April 8 meeting, the Health IT Policy Committee approved best practices recommended by its Privacy and Security Tiger Team to assure that proxies acting on behalf of adult patients have proper access to protected health information.



Family, friends and personal representatives can legally have access to patients’ PHI through view/download/transmit (VDT) permissions, according to the Tiger Team's chairman Deven McGraw. The team recommended that the Office of the National Coordinator for Health IT develop and disseminate some best practices for assuring access to adult patient VDT "extended to friends and family authorized by the patient, and, where appropriate, legal personal representatives." 

McGraw said there are some issues that must be resolved before VDT access can be granted to these proxies, namely confirming whether they are authorized to access PHI through VDT. "The process for granting credentials to authorized friends, family and personal representatives should be sufficiently easy to discourage shared access yet still be sufficient to satisfy the need to assure authorization and identification/authentication," states the team's briefing slides.

In the "easiest case," a patient makes a request for VDT access for a family member or friend, which can be done in person or remotely. In this scenario, providers should document the request, preferably electronically. In addition, the team recommended using out-of-band notification to notify or confirm, which is particularly important when a patient request for proxy access is made remotely or through software acting on the patient’s behalf.

In the "harder case" a family member or friend makes the request themselves, which must be confirmed with the patient, such as through out-of-band confirmation. If the patient is incapacitated, the provider will need to consider whether providing access to relevant treatment information through VDT is an appropriate vehicle, according to the recommendations.

The Tiger Team also recommended that ONC disseminate the best practices to providers so they can establish (and turn off) proxy access to VDT accounts consistent with laws and patient needs. It emphasized the need to develop the process and capability to cut off VDT access by friends, family and personal representatives when a patient's preferences or a personal representative's legal status changes.

For VDT accounts that offer “all or nothing” access for proxies, McGraw said it is "particularly important to educate patients on the scope of data that will be accessible by anyone granted proxy access." By law, patients can expressly authorize the sharing of their PHI with others. The HIPAA Privacy Rule permits the sharing of PHI with family members or other persons who are involved in a patient’s healthcare or payment for care, provided that the disclosed information is directly relevant to their involvement with an individual’s care or payment.
