Health IT Data Security – An Overview of Privacy, Compliance, and Technology Options


Published on

Radical advancements in health IT development and implementation have pushed the issue of health data security to the forefront of the collective healthcare provider mindset as they attempt to strike a balance between patient access to electronic health record protected health information (PHI) and data protection. The fact that so many health IT vendors now have access to and possess protected health information necessitated shift changes in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 which was enacted to establish ground rules for the privacy protection of individually identifiable health information.

We invited Mac McMillan, Chair of the HIMSS Privacy and Security Task Force to discuss what these new changes are, define their parameters, the mission of the HIMSS PRivacy & Security Task Force, his definition of what “privacy” actually is, comments on new technology that are viable options for healthcare providers to implement as a way to protect access to sensitive patient data, and his thoughts on the increased adoption of PHI management applications such as Microsoft HealthVault.

Listen in to this podcast for more information on the latest health IT industry developments and regulations that govern PHI and for insight from Mac on why healthcare providers and third party vendors should pay close attention to compliance with recent HIPAA changes.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Health IT Data Security – An Overview of Privacy, Compliance, and Technology Options

  1. 1. M2SYS Healthcare Solutions Free Online Learning Podcasts Podcast length – 35:02 Topic: Healthcare IT Data Security – HIPAA compliance, HIMSS Privacy & Security Task Force Objectives, What is “Privacy”, Technology Options to Protect Patient Data, Adoption Trends for Personal Health Information (PHI) Applications Mac McMillan, Chair, HIMSS Privacy & Security Policy Task Force
  2. 2. Topics Covered in Podcast: HIMSS Privacy and Security Task Force Mission and Objectives Defined HIPAA Rule Changes and How it Effects Provider – Business Associate Relationship The Difference Between “Access” and “Possession” of PHI Information & How it Impacts HIPAA Compliance What Does “Privacy” Mean? How Does “Fear” Factor into Policies Surrounding Privacy?
  3. 3. Topics Covered in Podcast (continued): Viable Technologies to Protect Patient Data Do Biometrics for Patient ID Violate a Patient’s Privacy? PHI Application Patient Adoption Trends
  4. 4. • Made up of all volunteer staff • Primary purpose: Review policy issues affecting privacy and security in healthcare that arise from new legislation, regulation, or rules • Task Force also supports the official HIMSS review process for their responses to new legislation and new rules • Helps to ensure consistency for HIMSS responses that stay in line with goals • Mac’s experience in knowing how government works in terms of regulations, rules, directives, and standards has helped him understand role and direction as Chair of the HIMSS Privacy and Security Task Force HIMSS Privacy and Security Task Force Mission and Objectives
  5. 5. HIPAA Rule Changes and How it Effects Provider – Business Associate Relationship • September 23rd: HIPAA compliance deadline for providers & business associates on how Personal Health Information (PHI) is maintained and protected & changes to data breach notifications and enforcement • Changes: • Breach notification – changes to the reporting rules • Business Associate status – how does the rule apply to business associates and sub-contractors? • Privacy Provisions – helps protect patient privacy through more effective data management • Enforcement – new guidelines on what penalties are and how they should be enforced • Relationship between business associate and covered entities has not fundamentally changed – what changed is the responsibilities of both parties
  6. 6. HIPAA Rule Changes and How it Effects Provider – Business Associate Relationship (continued) • Business associates are now held more accountable for privacy and PHI data protection on work they are doing on behalf of the covered entity • Covered entities – greater emphasis on vendor management in terms of due diligence before vendor contracting, making sure you convey privacy and security expectations, making sure you monitor vendor relationships closely, ensuring you have measures in place for breach notifications & how to deal with data after contract terminations • New changes promote more accountability and transparency in the industry Nearly one-third of the 980 problems that HHS' Office of Civil Rights uncovered during privacy and data-security audits of 115 healthcare providers and insurers happened because the organizations were not aware of all of the requirements facing them, according to root-cause analyses performed by HHS contractor KPMG. Did you know? Source: Modern Healthcare, April 2013
  7. 7. The Difference Between “Access” and “Possession” of PHI Information & How it Impacts HIPAA Compliance • If you create PHI, either originally or derivatively, if you transmit or receive it, you are considered a business associate. If you have possession of the data – whether it be in your system or your environment, or you have perpetual access to the information. • Can’t claim “conduit exemption” unless you are only maintaining the data in your environment for as long as it takes the system to perform the transference process - otherwise if you take possession of the data for any other reason, (hosting, backing up, storing, etc.) you are a business associate. • Even if the covered entity sends encrypted information, if you possess it, you are still considered a business associate – business associates are responsible for the entire security rule. • New rule defines “possession” to information as stipulant for compliance – “possession” assumes “access”
  8. 8. What Does “Privacy” Mean? • Privacy is a tough thing to define in today’s world because of shifting social norms and generational changes • What one generation thinks of privacy may not be shared by others • Privacy as it relates to law and the HIPPA rule is very black and white – patient information belongs to an individual and the right to access it should only come from the individual's care team or to someone who is involved with the care of the individual – the individual gives authorization for the information to be used or disseminated for something other than medical care (e.g. – marketing purposes) • The trust between caregiver and patient is often defined by how well the provider maintains and protects patient PHI • Patient confidence can erode quickly when PHI information is not handled properly • The healthcare industry’s definition of privacy is constantly evolving & it’s different to write a rule with the shifting privacy landscape • Key is recognizing differences and perceptions and make decisions on how law defines privacy
  9. 9. How Does “Fear” Factor into Policies Surrounding Privacy? • Important to not make decisions or establish policy guidelines based on fear – it’s better to enact policy on what is known • Patients may fear the known more than the unknown – (e.g. – data breaches, medical identity theft, fraud) • Consumers understand that their information is at risk • Consumers have a much higher level of confidence in their healthcare provider’s ability to protect PHI than organizations or the government • Organizations should base their policies on what they know (what is the threat), what the risks are, and what their controls environment will enable and make smart decisions on how they craft policies to alleviate or mitigate the risk of negative occurrences • Fear is a good motivator for making organizational change
  10. 10. • Access Control & Patient Identification – Biometrics **The problem that a lot of modern technological solutions for healthcare have is many do not necessarily have apt security functionality due to a lack of industry standards or protocols Viable Technologies to Protect Patient Data Did you know? More healthcare facilities are researching the use of biometric identification for employee access control and accurate patient identification. Biometrics has great potential to increase patient safety, reduce the cost of care, and eliminate fraud and identity theft. Biometrics for Access Control Biometrics for Patient ID
  11. 11. Do Biometrics for Patient ID Violate a Patient’s Privacy? • They enhance patient privacy – biometrics for patient ID were developed with a positive purpose in mind • If they are deployed, utilized, and explained properly to patients: • Biometrics elevates a patient’s level of confidence in how the technology is used and how it protects their safety and privacy • Because biometrics uniquely identify a patient, the more likely the healthcare industry is to eliminate impermissible disclosures • The more accurate the healthcare industry is on identifying who is accessing medical records and information, the better chance they have of limiting impermissible disclosures
  12. 12. PHI Application Patient Adoption Trends • Patients have more confidence in a portal that is provided by their caregiver rather than a third party vendor • Patients will start to adopt more responsibility for their medical information – they are seeking more visibility and portable platforms • Patient engagement as part of Meaningful Use Stage 2 will help drive up adoption of PHI applications • Almost every hospital now has their own version of a patient portal – increased accessibility will also drive up adoption rates Did you know? Approximately 50% of U.S. hospitals and 40 percent of U.S. physicians in ambulatory practice possess some type of patient portal technology, mostly acquired as a module of their practice management (PM) or electronic health record (EHR) system. Source: Frost & Sullivan report, September 2013
  13. 13. Thank you to Mac for his time and knowledge for this podcast! Please follow Mac on Twitter (@mmcmillan07) and visit his Web page:
  14. 14. John Trader PR and Marketing Manager M2SYS Healthcare Solutions 1050 Crown Pointe Pkwy. Suite 850 Atlanta, GA 30338 770-821-1734 Podcast home page: podcasts/ : : : Contact Information