Caring for adolescents is already complex given all of the changes that children experience as they grow up. The complexity arises not just with the delivery of care though. Clinicians and organizations also face a number of challenges concerning access to patient records. The issue becomes tangled because pediatric patients are not legal adults, which in many instances means a parent or legal guardian has legal authority or control over the individual and full rights of access on their own to the records of the adolescent patient.
The confusion or consternation has been pushed to the forefront because of the recent information blocking regulation. The premise of the information blocking regulation is that individuals should be able to access their information and barriers need to be removed. The new requirements build upon the rights in HIPAA and will eventually (at least as of the time this blog is being written) result in enforcement where non-compliance arises (this is the reminder that the enforcement regulation remains pending at the time of writing).
What does all of the push for access mean for the adolescent patient’s privacy though? A May 2022 commentary piece in Pediatrics published by the American Academy of Pediatrics directly discusses this point. As laid out in the commentary, the lay of the land requires a meshing of federal and state laws and regulations that interweave when it comes to privacy of adolescents.
Spelling Out the Confusion
The confusion is a combination of the language of the new information blocking regulation and the nature of the discourse about the new regulation. First, the new regulation, as suggested by the name, is designed to remove barriers to information. That includes enabling transmission to applications identified by the patient (or their legal representative) and opening new connections that make it easier to get to the data. Taking a bit of a simplistic approach, the messaging mostly talks about the full ability to access without getting into the nuances.
As suggested, the messaging that the information blocking regulation is about unfettered access creates difficulties when it comes to determining when information can be withheld. When looking at an adult patient and their healthcare organization, that angle does not necessarily create a problem. The growing consensus is that blocking should not happen because an individual should be entitled to see all of the information about themself. However, the full and complete access outcome is not quite so good when looking at adolescents, especially as that adolescent gets closer and closer to being a legal adult and may not want all of their healthcare information shared with a parent or guardian.
What Happens at that Point?
Once the issue comes to a head or optimistically before, what should happen is a nuanced assessment of the information blocking regulation along with other laws and regulations governing privacy of records. The information blocking regulation does not operate in isolation. Instead, it is yet another framework that needs to be layered together with the other laws. Taking those steps certainly adds a lot of time to the implementation and compliance process, but it also is a very beneficial one. If only one regulation is considered, then one of the ones not considered could be violated.
Without getting into the myriad of other privacy laws (mostly on the state level), the first step is to look at the exceptions already built into the information blocking regulations. The exceptions address issues such as complying with other privacy and security laws or patient harm. Parsing through the fact or situation based specifics on the exceptions is vital. Reliance on an exception cannot necessarily occur on a blanket basis, which means no default policy using the exception.
The inability to use an exception as a blanket approach though is different from working to comply with the multiple intersecting laws beyond the information blocking regulation. Again, that takes a lot of time that work through the details, but it must occur.
Talking about all of these interactions in the abstract only goes so far. What could one of the privacy questions look like? Some states allow adolescents of a certain age to obtain testing for certain conditions or medications with direct consent, which means the parent or guardian does not need to sign off on the treatment or service. Oftentimes the ability for an adolescent to provide consent arises in the case of testing for sexually transmitted diseases or birth control in some areas. As would probably be expected, the adolescent likely does not want their parent or guardian to see that information. Even though the consent can be given by the adolescent, the parent or guardian could subsequently request the medical records and then see the information. At times, a state law could specifically state that such information is private only to the adolescent, but there is also a high likelihood of the state statute being silent. In that instance, a balancing would be required along with a parsing of the information blocking exceptions.
How to Practically Respond?
How an organization practically responds will rest upon how many resources or supports can be brought to bear on the issue. If due consideration to the issue is not given, then it is highly likely that information will be released without evaluating the potential repercussions.
A more thoughtful approach would dive into potential segmentation of records in the electronic health records system, flagging of certain portions of the record as subject to enhanced privacy, updating of forms, and more. As with the whole discussion, the practical steps will require building in multiple levels of checks to balance against the inadvertent over disclosure of information.
The whole issue is one that will remain in flux for a period of time while everyone within the industry figures out what can be done and how to do it. Ultimately, there are no easy answers or solutions. Attention to detail is a must as well as seeking assistance as needed. Don’t be afraid to ask questions and seek more information.
This article was originally published on The Pulse blog and is republished here with permission.