Skip to content

NY Clarifies Minor Patient Data Access, Maintains Security

Qualified providers can now have secure patient data access through a clinical information exchange for minor patients.

January 18, 2017 – Health data security is often a top concern with patient data access, especially as the push for interoperability continues and covered entities continue to utilize electronic devices.

Ambiguity can make this process more difficult, and both patients and providers need to understand how data can be accessed, under what circumstances, and be reassured that it will not fall into the wrong hands.

New York recently changed a patient data access policy, with providers now able to securely access data through Western New York’s clinical information exchange (HEALTHeLINK) for patients who are ages 10 to 17.

The minor’s parent or guardian must sign an affirmative HEALTHeLINK consent form on behalf of the minor patient. The changed policy now allows access to patient data through a qualified entity such as HEALTHeLINK.

HEALTHeLINK Executive Director Dan Porreca explained to that there are eight regional health information organizations (RHIOs) in New York, and that HEALTHeLINK is part of the Statewide Health Information Network of New York (SHIN-NY).

The information exchange is part of a larger collaborative process, Porreca said, that factor in state and federal law, as well as other policies. HEALTHeLINK works as the public-private partnership with the state of New York that facilitates the coordination of those policies and standards in the state that it adheres to, he added.

“It was this minor consent policy revision for minors between the age of 10 and 17 was driven by a clarification,” Porreca stated. “There was some ambiguity in New York state law relative to minor consented services, and the policies as a result of that ambiguity tended to be on the conservative side.”

The Department of Health submitted a regulation in April 2016, Porreca explained. The regulation clarified how to correctly interpret the state law. That interpretation allowed for RHIOs or qualified entities to rese their policy to allow a parent to consent for doctors to get access to minors between the ages of 10 and 17 data for treatment purposes.

Porreca noted that the exchange has been able to capture consent for parents for minors who are under the age of 10. Essentially, a doctor who is treating that patient can gain access via HEALTHeLINK for any of that data that it has on the patient.

Nearly every hospital in the community is connected to HEALTHeLINK, he said. Various types of clinical data, such as lab results, radiology information, and discharge summaries can all be sent.

There are also practice EMRs, independent labs, and independent radiology. A lot of data from across the community is available in HEALTHeLINK, but the patient holds the key to unlocking the data. New York is an opt-in state, meaning that the parent holds the key for the minor patient, Porreca explained.

Parents and guardians should not be concerned with data security through the exchange. This in fact can give parents and guardians comfort in knowing that if their child needs services, specialists can get access to the necessary information to better treat the minor patient.

“In both the short and the long-term, there is the potential for better, more efficient care for the minor, because their information is more readily accessible when it’s needed at the point of care,” Porreca said.

Data privacy and security is a top priority and is taken very seriously at HEALTHeLINK, he added.

“Our business model is predicated on trust,” Porreca stated. “Trust of the providers, trust of the patients, and the trust of our community that we’re taking good care of the information that we’ve been entrusted with. We’re doing everything in our power to make sure that the information is secure.”

Along with utilizing two-factor authentication, Porreca said that the latest data encryption methods are also a method that HEALTHeLINK stays on top of.

“That’s one of the guiding principles that we adhere to here,” he maintained. “We have to stay on top of it. We have to understand what the latest, what the best practices are for securing the data, and ensuring privacy, and continue to work hard at it. Ultimately, there are bad guys out there that have bad intentions. We need to do what we can to avoid those potential negative consequences.”

As recently discussed on, patients need to understand how their data is stored, accessed, and exchanged. Otherwise, this could lead to increased dissatisfaction.

The 2016 Connected Care and Patient Experience report found that 94 percent of survey respondents want their data stored electronically in a single location. Furthermore, 99 percent said that someone should have complete access to their medical records.

The majority – 93 percent – added that provider access to medical history data would save time as a result. A similar amount of respondents said electronic access to centralized health information was a means of avoiding medical errors.

However, those surveyed explained that the time spent on paperwork and verbally sharing their medical history during each doctor’s visit was a piece of dissatisfaction. Eighty percent maintained that filling out paperwork should not be repeated beyond their initial visit.

Click here to view the full article.