This post is Part 3 of a series based on Nursine Jackson’s article, “What about that Device Data?”.

Why should the Plaintiff have Access to Device Data?

HIPAA states that the patient should have access to “Records That Are Used, In Whole Or Part, By Or For The Above Provider To Make Decisions About The Above Individual.”[1] Device data certainly fits within that description of information.[2] The information blocking provision of the Cures Act, (section 4006(a)) supports both the patient’s and/or his designee’s access to the patient’s electronic health information.[3] Further, the standard for audit trails, ASTM e2147, gives patients access to audit trails:

4.2 The purpose of audit data and disclosure logs is to document and maintain a permanent, trustworthy, and immutable record of all authorized and unauthorized activities of any nature whatsoever and disclosure of confidential health information … This further facilitates the purpose that patients, [emphasis added] healthcare providers, organizations, and others can obtain a verifiable, self-authenticating record documenting all activities with respect to that record.[4]

Think about the facts of your case to identify whether devices were utilized and whether their data might be useful to tell the medical story of your case.

How can the Plaintiff’s Team verify that Biomedical Devices were used?

Biomedical devices are commonly associated with the electronic medical records, as evidenced in the following example of an audit trail. This information might be found by performing simple search of the EMR audit trail in the form of an Excel spreadsheet. Using the search term “device,” useful information was found within seconds buried among many thousands of cells on the audit trail.

The excerpt, below, demonstrated when this patient’s monitoring started and ended, in addition to identifying the users and the identification numbers of the devices. In the next phase of discovery, the plaintiff’s attorney would have provided this audit trail information in a request for production, in which they would then learn the specifics about the devices that were associated to the EMR. Having acquired this information, in the next phase of request, they would have asked for the relevant devices’ audit trails using the language and information acquired in prior discovery.

EMR Discovery can help maximize your use of the audit trail, including looking for device data references to support further requests.

Stay tuned for Part 4 of this series, “Pulse Oximeter Case Study”.

[1] Health Insurance Portability and Accountability Act (HIPAA). (1996). Personal Health Records and the HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf

[2] HHS/HIPAA Home/for Professionals/FAQ: What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans? Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html

Content created Office of Civil Rights (OCR). Content last reviewed June 24, 2016.

[3] Federal Register, 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program, a Proposed Rule by the Health and Human Services Department. Retrieved from https://www.federalregister.gov/documents/2019/03/04/2019-02224/21st-century-cures-act-interoperability-information-blocking-and-the-onc-health-it-certification. A proposed rule by Health and Human Services on 03/04/2019.

[4] ASTM e2147-18. Standard Specification for Audit and Disclosure Logs for Use in Health Information. Systems. Retrieved from https://www.astm.org/Standards/E2147.htm.