HIPAA Compliance Dangers for Digital Doctors

Presentation at the HIPAA Summit West, 10/4/10, breakout session on HIPAA for HIT and EHRs

Published in: Health & Medicine

  • For the purposes of this talk, we’ll use the terms EMR and EHR interchangeably. There are nuanced differences, but we’ll ignore that for now.
    EMR use elevates health data:
    from: simple individual-patient medical recordkeeping (just like with paper)
    to: tools that can aggregate data from many different patient charts and help us conduct population management (can’t do that with paper)
  • HIPAA was initially about standardizing data interchange for electronic claims submission, claims payment and adjudication. But it is the Privacy and Security elements that have drawn most of our attention.
  • To quote from the HHS web site on Health Information Privacy:
    “Widespread use of health IT within the health care industry will improve the quality of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care. It is imperative that the privacy and security of electronic health information be ensured as this information is maintained and transmitted electronically.”
  • On July 8, 2010, HHS announced proposed regulations under HIPAA, with an open comment period that just finished on September 13th.
    In addition, the ONC and the Office for Civil Rights (OCR) – in charge of enforcing privacy and security – established a new Chief Privacy Officer (Joy Pritts, JD) to help the ONC design new policies.
    The ONC has convened a privacy and security workgroup (known as the “Tiger Team”) of the Health Information Technology Policy Committee (HITPC) with strong consumer participation to hold public deliberations and make recommendations about patient choice of how health information is exchanged.
  • Let’s look at the issues: Privacy and Security, and what that means at the individual practice level (more than the national-policy level). We’ll look at Security first.
  • PHI needs to be encrypted wherever it is housed. The encryption key should NOT be on the same machine where the encrypted data resides (that would be like leaving the keys in the car).
    There is a safe haven around the theft of devices with PHI on them:
    if it is sufficiently encrypted (there are NIST standards for this), and the keys are not on the same machine, then the PHI has been rendered unreadable and unusable
    in this case, theft does not need to be reported (it has been completely scrambled, and the keys are still safe)
    Otherwise, PHI loss needs to be reported to the individuals affected. If >500 records are involved, then the loss needs to be reported to HHS as well.
  • PHI that is exchanged needs to be encrypted too. This is true for:
    sending data across the web. Fortunately, good security tools for this have already been developed (thanks to internet banking, with a 15+ year history of experience doing this)
    sending data within a local network, if the EMR is locally housed and uses workstations within a LAN
    there is an option to have in-LAN data exchange be unencrypted, if the LAN can be demonstrated to be completely walled off from the outside world – however, many LANs may have leaks to outside sources that could compromise this
    it is preferable to have EMR data traffic within a secure LAN be encrypted too.
  • I’m making a distinction here between Clinical Data Exchange and Data Sharing.
    Clinical Data Exchange involves packaging up a piece of PHI (like a CCD or CCR file) and sending it from one EMR system to another one across secure channels. Like mailing a letter.
    Data Sharing has to do with allowing additional people the right to see a single, shared data source. Chart Sharing (possible with web-based EHRs) – one patient, one chart – deals with this.
    The idea of “limited data set” has been mostly applied to sending medical information to insurance plans: you only send the minimum amount of info needed to pay a bill.
    It also pertains to chart sharing, and determining how a patient can grant permission for what elements of the chart to be shared with which specialists. Highly granular chart-element sharing is at the forefront of technology right now, and is not yet mainstream.
  • Bottom line: how do we build trust? By creating a secure framework that will EARN public trust.
    Banking had to go through this 15-20 years ago
    Health IT is just starting on this journey
  • Risk: do it badly, and Private Health Information leaks out.
    Benefit: medical data is shared between elements of the health care system, so they work in a coordinated fashion (patients want this). No more “filling out the same form over and over again”
    Doctors need to:
    keep data secure when housed in-house
    keep data secure when exchanging it
    understand privacy. As physicians, we are CUSTODIANS of the patient’s health data – patients are the owners of it. When in doubt, ask permission.
    The vision for the future of healthcare is to promote a coordinated system of care, where health information can follow the patient wherever and whenever it is needed. HIPAA represents a framework for enabling this to happen.
    As the title of the joint statement on privacy and security (between the ONC and OCR) states, it’s about “building trust in health information exchange”
  • Transcript

    • 1. HIPAA Compliance Dangers for Digital Doctors
      Robert Rowley, MD
      Practice Fusion, Chief Medical Officer
    • 2. HIPAA Landscape
      As doctors across the country switch from paper charts to electronic medical records – new questions and regulations around patient privacy are emerging.
      EMR systems are changing the way health data is managed – creating risks and opportunities.
    • 3. Portability
      HIPAA has a reputation for privacy – but the goal is really portability. Portable health data has the power to improve the safety, efficiency and quality of healthcare.
    • 4. Positive Perspective
      Let’s turn the HIPAA question around from the “don’t step on land mines” approach to a positive one – how can HIPAA create a framework of privacy and security in order to gain trust from patients and from the public?
    • 5. Rights Under HIPAA
      The new HIPAA rules expand individual rights to:
      Access their information
      Restrict disclosures of PHI to health plans
      Extend applicability of Privacy and Security Rules to business associates
      Establish new limitations on use and disclosure of PHI for marketing and fundraising purposes
      Prohibit sale of PHI without patient authorization
      (Source: ONC for Health Information Technology)
    • 6. What Does It Mean?
      This is all designed to promote patient trust in the security and privacy of PHI, necessary to build the HIT infrastructure envisioned for health delivery improvement.
      What does it mean for healthcare providers?
    • 7. Security at Rest
      Security: PHI must remain secure wherever it is encountered.
      At rest:
      Local workstations
      Data backup media
      Other devices (e.g. faxes and copy machines)
      Most PHI breaches have been from theft of computers with unencrypted PHI on them
    • 8. Security in Transit
      In transit:
      Avoid using non-secure communications for PHI exchange:
      Standard email
      Public portals
    • 9. Privacy
      PHI exchange must be for a documented reason (like clinical care), and must be via permission.
      The principle of “limited data set”
      Challenges for clinical data exchange
      Data sharing
      Survey results show that patients want their data available and portable
    • 10. Trust Around PHI
      What do “digital doctors” need to do to help build the trust relationship around PHI?
      Make sure that data security breach risks are minimized:
      Encrypt data on servers
      Destroy local copies of PHI after upload
      Make sure any data backup is encrypted
      Make sure that all “trashed” PHI is securely destroyed
    • 11. Trust Around PHI
      Avoid using insecure methods of communication when it comes to PHI
      Avoid standard emails that disclose PHI
      Avoid social networking sites around PHI
      Use secure web tools for communicating with patients
    • 12. Trust Around PHI
      Make sure that HIPAA Business Associate agreements are in place with everyone who handles your PHI downstream
      Hosting web-based EHRs
      If there is an in-house EHR, have BA agreements in place
      Shredding companies
      If there is any doubt about sharing PHI with someone else, get the patient’s specific permission.
    • 13. Conclusion
      Risk vs. benefit
      Most important things to remember for protecting data
      What HIPAA can unlock for the future of healthcare