The Battle Between Privacy & Access

In light of this year’s regulatory information overhauls that include the HIPAA NPRM, 21st Century Cures Act, Information Blocking and more, our recent webinar explored the battle between privacy and access as well as the juxtapositions and challenges brought to both the healthcare IT industry and clinical providers alike.

Trying to navigate the complicated web of both state and federal regulations can often lead to conflicting priorities. For HealthMark, the concept of being both a facilitator of information exchange, trying to get medical records into the hands of the right decision makers at the right time, as well as being a trusted steward of that information, certainly hits close to home.

HealthMark is no stranger to this notion of balancing patient access and privacy at the same time.

We put a lot of time, resources, and effort into making sure that we’re equipped with the expertise and the ongoing knowledge to provide best in class solutions to our clients, especially as it relates to some of these challenging, inefficient areas of the healthcare ecosystem. Our recent panel webinar was evidence of this.

“The Battle Between Privacy & Access” Webinar Featured Panelists:

  • Bart Howe, CEO HealthMark Group
  • Zack Perry, who currently serves as the President of AHIOS and SVP of Strategy for HealthMark, focusing on industry updates, regulatory shifts, and growth efforts for the enterprise and our clients.
  • Joe Licata, our COO & General Counsel, whose efforts are directly rooted in HealthMark operations and in our clients’ success.
  • Iliana Peters, an Attorney with Polsinelli who brings extensive insider expertise surrounding healthcare information privacy. She was formerly the Acting Deputy Director for HIPAA at the Department of Health and Human Services, Office for Civil Rights and Senior Advisor for HIPAA Compliance and Enforcement.

Topics Covered:


07:02 – If privacy protections and ease of access are on opposing ends of the spectrum, where do each of you think the pendulum sits today?

10:10 – What is the impact of technology, particularly on the volume of PHI and the impact of that across the industry, from a record quality perspective?

11:54 – Should the primary objective be access to information with privacy layered on top? Or, should privacy come first, with access facilitated based on that base expectation?

16:12 – There seems to be a lot of confusion, or at least misunderstanding at times when it comes to the protections and obligations of HIPAA. Can you summarize where the HIPAA protections end?

22:00 – How should we think about the obligations around fulfilling verbal requests, especially when verbal requests are not always “clear and conspicuous”?

29:00 – What is a patient-directed request and why is this such a lightning rod topic as it relates to privacy versus access?

33:36 – One of the confusing parts of this NPRM is around some of the requestor recipient obligations. Can you really summarize how we should interpret some of those obligations from the NPRM?

42:57 – As more ransomware, digital fraud, and cyber security issues occur, how do we think about that in the face of more ubiquitous access to health information?

47:50 – Is there any current practice with agencies using two-factor authentication apps to confirm patient identity for remote records release?

50:35 – How is minimum necessary defined in today’s EMR world?

53:01 – Are electronic signatures accepted for release authorization for Medical Records?


Zack Perry: “Right now we’re seeing the pendulum swing back towards access. It is definitely the intent of everybody in the ecosystem, whether it’s the regulators or the providers or outsource vendors like HealthMark to make sure that patients have as much access to the information as possible. So, I think right now we’re trying to dial in the access part. What’s interesting to me about the battle between privacy and access is really what lies in between – a nuance called intent – to figure out the intent of what information is being requested, and why it’s being requested. I think right now we’re sure to go towards access. And pretty soon there’ll be a moving back towards privacy.”

Joe Licata: “The push to digitization has really created a little bit of a monster that we haven’t quite reckoned with, which is this sort of a misfile proliferation issue. With a drag and drop file system in most EMRs, you can put something in the wrong place, which unfortunately for the patient from a quality-of-care standpoint means you lost it, right? If you don’t know where it is and it’s not in the file where it’s supposed to be, then it’s not there and one of the other ways to find that is a really good QA on if the file where it is is moving, you can catch it there, but that’s sort of your best hope. You can’t trace and track all those kinds of movements in a way that is easy. The balance right now is as we try to move faster and do things quicker and move in a more automated way is it… generally creates an issue where quality goes down and the actual information, what you’re looking for becomes even harder to find or harder to transmit in a way that it’s just only once.”

Iliana Peters: “Access is absolutely a priority under the HIPAA privacy rule. The access right is a cornerstone of the individual rights that are contained in the privacy rule. But there are guardrails around that. We can request that the individual or their personal representative put that request in writing. Even determining what a ‘personal representative’ is can be somewhat complicated because there’s a state law interaction in terms of who has the right to make health care decisions for a minor; i.e., if there’s guardianship or custody questions or if it’s a deceased person and you’re looking for the executor of the estate. All of these are complicated issues that then defer to state law under HIPAA for purposes of determining who is standing in the shoes of the individual when they’re requesting their information. In any circumstance where we have or use the use or disclosure of information, even if it’s one that’s required under HIPAA. …

We’re all familiar with important and sensitive situations where people are in cancer treatment, and they want to go see a specialist and it truly is a matter of life and death and they need access quickly. We have the military family moving across the country and they need to get their kids in school. These are really important anecdotes that we deal with very often.

At the same time, if we can’t tell if it’s coming from the patient with whom we have a relationship, then many times we need to rely on that verification process to make sure those privacy protections are in place.”

Iliana Peters: “From my perspective, data security is just the other side of privacy. We’re trying to ensure that from a confidentiality, integrity, and availability perspective, which are key words of data security, that whatever processes we use are being talked about more. … related to information blocking and interoperability requirements, particularly with regard to electronic health records systems.”
