HIPAA Compliance Dangers for Digital Doctors

Presentation at the HIPAA Summit West, 10/4/10, breakout session on HIPAA for HIT and EHRs

  • For the purposes of this talk, we’ll use the terms EMR and EHR interchangeably. There are nuanced differences, but we’ll ignore that for now.
    EMR use elevates health data:
    from: simple individual-patient medical recordkeeping (just like with paper)
    to: tools that can aggregate data from many different patient charts and help us conduct population management (can’t do that with paper)
  • HIPAA was initially about standardizing data interchange for electronic claims submission, claims payment and adjudication.
    But it is the Privacy and Security elements that have drawn most of our attention.
  • To quote from the HHS web site on Health Information Privacy:
    Widespread use of health IT within the health care industry will improve the quality of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care. It is imperative that the privacy and security of electronic health information be ensured as this information is maintained and transmitted electronically.
  • On July 8, 2010, HHS announced proposed regulations under HIPAA, with an open comment period that just finished on September 13th.
    In addition, the ONC and the Office for Civil Rights (OCR) – in charge of enforcing privacy and security – established a new Chief Privacy Officer (Joy Pritts, JD) to help the ONC design new policies.
    The ONC has convened a privacy and security workgroup (known as the “Tiger Team”) of the Health Information Technology Policy Committee (HITPC) with strong consumer participation to hold public deliberations and make recommendations about patient choice of how health information is exchanged.
  • Let’s look at the issues: Privacy and Security, and what that means at the individual practice level (more than the national-policy level).
    We’ll look at Security first.
  • PHI needs to be encrypted wherever it is housed.
    The encryption key should NOT be on the same machine where the encrypted data resides (that would be like leaving the keys in the car).
    There is a safe haven around the theft of devices with PHI on them:
    if it is sufficiently encrypted (there are NIST standards for this), and the keys are not on the same machine, then the PHI has been rendered unreadable and unusable
    in this case, theft does not need to be reported (it has been completely scrambled, and the keys are still safe)
    Otherwise, PHI loss needs to be reported to the individuals affected. If >500 records are involved, then the loss needs to be reported to HHS as well.
  • PHI that is exchanged needs to be encrypted too. This is true for:
    sending data across the web. Fortunately, good security tools for this have already been developed (thanks to internet banking with a 15+ year history of experience doing this)
    sending data within a local network, if the EMR is locally housed and uses workstations within a LAN
    there is an option to have in-LAN data exchange be unencrypted, if the LAN can be demonstrated to be completely walled off from the outside world – however, many LANs may have leaks to outside sources that could compromise this
    it is preferable to have EMR data traffic within a secure LAN be encrypted too.
  • I’m making a distinction here between Clinical Data Exchange and Data Sharing.
    Clinical Data Exchange involves packaging up a piece of PHI (like a CCD or CCR file) and sending it from one EMR system to another one across secure channels. Like mailing a letter.
    Data Sharing has to do with allowing additional people the right to see a single, shared data source. Chart Sharing (possible with web-based EHRs) – one patient, one chart – deals with this.
    The idea of “limited data set” has been mostly applied to sending medical information to insurance plans:
    you only send the minimum amount of info needed to pay a bill
    It also pertains to chart sharing, and determining how a patient can grant permission for what elements of the chart to be shared with which specialists. Highly granular chart-element sharing is at the forefront of technology right now, and is not yet mainstream.
  • Bottom line: how do we build trust?
    By creating a secure framework that will EARN public trust.
    Banking had to go through this 15-20 years ago
    Health IT is just starting on this journey
  • Risk: do it badly, and Private Health Information leaks out.
    Benefit: medical data is shared between elements of the health care system, so they work in a coordinated fashion (patients want this). No more “filling out the same form over and over again”
    Doctors need to:
    keep data secure when housed in-house
    keep data secure when exchanging it
    understand privacy. As physicians, we are CUSTODIANS of the patient’s health data – patients are the owners of it. When in doubt, ask permission.
    The vision for the future of healthcare is to promote a coordinated system of care, where health information can follow the patient wherever and whenever it is needed. HIPAA represents a framework for enabling this to happen.
    As the title of the joint statement on privacy and security (between the ONC and OCR) states, it’s about “building trust in health information exchange”


  • 1. HIPAA Compliance Dangers for Digital Doctors
    Robert Rowley, MD
    Practice Fusion, Chief Medical Officer
  • 2. HIPAA Landscape
    As doctors across the country switch from paper charts to electronic medical records – new questions and regulations around patient privacy are emerging.
    EMR systems are changing the way health data is managed – creating risks and opportunities.
  • 3. Portability
    HIPAA has a reputation for privacy – but the goal is really portability. Portable health data has the power to improve the safety, efficiency and quality of healthcare.
  • 4. Positive Perspective
    Let’s turn the HIPAA question around from the “don’t step on land mines” approach to a positive one – how can HIPAA create a framework of privacy and security in order to gain trust from patients and from the public?
  • 5. Rights Under HIPAA
    The new HIPAA rules expand individual rights to:
    Access their information
    Restrict disclosures of PHI to health plans
    Extend applicability of Privacy and Security Rules to business associates
    Establish new limitations on use and disclosure of PHI for marketing and fundraising purposes
    Prohibit sale of PHI without patient authorization
    (Source: ONC for Health Information Technology)
  • 6. What Does It Mean?
    This is all designed to promote patient trust in the security and privacy of PHI, necessary to build the HIT infrastructure envisioned for health delivery improvement.
    What does it mean for healthcare providers?
  • 7. Security at Rest
    Security: PHI must remain secure wherever it is encountered.
    At rest:
    Local workstations
    Data backup media
    Other devices (e.g. faxes and copy machines)
    Most PHI breaches have been from theft of computers with unencrypted PHI on them
  • 8. Security in Transit
    In transit:
    Avoid using non-secure communications for PHI exchange:
    Standard email
    Avoiding public portals
  • 9. Privacy
    PHI exchange must be for a documented reason (like clinical care), and must be via permission.
    The principle of “limited data set”
    Challenges for clinical data exchange
    Data sharing
    Survey results show that patients want their data available and portable
  • 10. Trust Around PHI
    What do “digital doctors” need to do to help build the trust relationship around PHI?
    Make sure that data security breach risks are minimized:
    Encrypt data on servers
    Destroy local copies of PHI after upload
    Make sure any data backup is encrypted
    Make sure that all “trashed” PHI is securely destroyed
  • 11. Trust Around PHI
    Avoid using insecure methods of communication when it comes to PHI
    Avoid standard emails that disclose PHI
    Avoid social networking sites around PHI
    Use secure web tools for communicating with patients
  • 12. Trust Around PHI
    Make sure that HIPAA Business Associate agreements are in place with everyone who handles your PHI downstream
    Hosting web-based EHRs
    If there is an in-house EHR, have BA agreements in place
    Shredding companies
    If there is any doubt about sharing PHI with someone else, get the patient’s specific permission.
  • 13. Conclusion
    Risk vs. benefit
    Most important things to remember for protecting data
    What HIPAA can unlock for the future of healthcare