Know Your Health Record Data Rights
Dive into our comprehensive guide to understanding your health record data rights. Learn how to safeguard your personal medical information in today's digital world.
What data do I own as a business?
You own your patient data. Any information you collect on the patient, including medical history, contact information, and patient interactions with the practice, is all data owned by the practice.
Regardless of where the data is stored – in an EHR or patient experience platform like NexHealth – that is your data as a healthcare provider. You have the right to continuously access this data under HIPAA and, depending on your EHR, also under the Information Blocking Rule.
Patients also have ownership over their data, and a patient can ask a provider for access to information. That is one of the reasons the provider must have access to the data, regardless of where it is stored.
If you switch EHRs, the EHR needs to give you 100% of the data so you can continue to provide treatment to your patients.
What data does the EHR own?
The EHR does not own your patient data. Since they are your business associate, they are supposed to support you in providing healthcare services to your patients.
How you choose to access and use the data in the EHR is up to your discretion, as protected by HIPAA. The EHR is not allowed to block your access to data.
What am I allowed to do with my patient data?
A practice can share it with any third parties they choose under HIPAA. This is a common use case to make it easier to collect patient information via online scheduling, forms, or direct messaging.
You can use an external software vendor to sync data with your EHR.
How is sensitive data protected when using software?
If your software partner has access to protected health information (PHI), their software must comply with HIPAA. This applies to your EHR vendor and any other software tools you use to handle patient information.
EHRs cannot second-guess your choice of software vendors or block external software from collecting patient information. It is up to the practice to determine the tools they use to collect patient data based on their own diligence.
NexHealth conducts a Security Risk Assessment annually under HIPAA using a third party to protect and secure your patient information.
EHRs sometimes claim you must integrate with their APIs to be HIPAA compliant. Is that true?
No. HIPAA requires EHRs to share information with providers and their software partners when requested. In 2016, the US Government passed the Cures Act, which included the Information Blocking Rule, further protecting interoperability with health record systems. The regulators who authored the Information Blocking Rule have explicitly stated that the rule does not allow EHRs to require that patient data only be shared through their API.
Some EHRs are inappropriately sharing misleading information regarding HIPAA compliance to consolidate practices on their systems or on their partners’ systems.
So I can use software that is not an official partner with my EHR?
Yes. NexHealth built the Synchronizer to work autonomously from health record systems. Most health record systems' APIs need more functionality to support common workflows that practices expect, such as online booking, patient forms, and two-way messaging. The absence of a robust API for auto-updating patient data to the health record system is why NexHealth built the Synchronizer.
The Synchronizer works with over a dozen EHRs to sync patient information between systems.
Is there an advantage of using software that is not a partner with my EHR?
Practices using NexHealth have found using external software improves reliability. It is one of the reasons that dozens of DSOs use NexHealth's Synchronizer.
The advantage of using the NexHealth Synchronizer is that you can read and write data directly to your health record system without having to rely on the API of that health record system, which often means:
- A faster sync connection → often in seconds
- Ability to share more data like patient demographic information, insurance information, and medical history
- Ability to sync at each step of the patient experience, from the initial online scheduling, to messaging, to forms, to reviews, to recare
- Lower costs by not paying extra fees to use the EHR API
But is using software that is not an official EHR partner less secure for my business?
You should confirm all software partners are HIPAA-compliant and will take the necessary care to protect all sensitive information. In many cases, newer software providers not part of the EHR have less legacy technology and use a more modern approach to meeting security requirements.
Regardless of any software partner you select, it would be best to verify they meet the security requirements of your business.
Can EHRs block other software from accessing your data?
HIPAA requires EHRs to share information with users and their software partners when requested. EHRs make it difficult for outside vendors to access their systems, unless they can monetize those vendors by requiring an official partnership.
This is why NexHealth spent 5 years building the Synchronizer, so we could create a more reliable sync with EHRs by not using the limited functionality required from an EHR in a monetized partnership.
What happens if an EHR says I violate my terms of service?
EHRs have the right to discontinue a relationship with any customer that violates their terms of service. Fortunately, EHRs can't restrict data access as part of a terms of service agreement in violation of HIPAA and the Information Blocking Rule. These regulations exist so that you can more easily and effectively provide care and patients can more easily and effectively receive care. NexHealth makes it easier and more effective for you to coordinate the provision of care.
If an EHR threatens a customer to stop them from accessing their own data, it's likely the EHR itself is violating the Information Blocking Rule and at risk of penalties.
If I leave the EHR, can I take my data with me?
Yes. The practice owns all data, and it is transferable to new EHR systems. Most practices are reluctant to move data from one EHR to another, but partners now exist to make the transference of data more seamless for practices and ensure practices keep access to all patient information.
For advice and recommendations on how to move to a new EHR, please email EHRMove@nexhealth.com