Privacy, Security & Professionalism in Electronic Communications (rev9 23)

Slide notes (FDA regulation of apps): FDA does not intend to regulate "mobile apps that are solely used to log, record, track, evaluate, or make decisions or suggestions related to developing or maintaining general health and wellness." Examples of health and wellness apps are provided in the guidance and include dietary tracking logs, appointment reminders, dietary suggestions based on a calorie counter, posture suggestions, exercise suggestions, etc. In contrast, a mobile medical app is one that is intended for "curing, treating, seeking treatment for, mitigating, or diagnosing a specific disease, disorder, patient state, or any specific, identifiable health condition." FDA intends to place the most stringent requirements on devices that pose the most risk; general controls only apply to those that pose minimal risk to morbidity/mortality.

1. Privacy, Security & Professionalism in Electronic Communications
   Deven McGraw, Director, Health Privacy Project
   September 25, 2013

2. Health Privacy Project at CDT
   • Our theory: privacy is an enabler of flows of data that have the potential to improve individual, public and population health
   • Aim is to build public trust in these data flows, through balanced and workable protections, as they are essential to patient engagement, health reform and building a "learning health care system."

3. Privacy and Security Considerations for Digital Communications Among Health Care Professionals
   • HIPAA and NY State law likely apply
   • Privacy protections apply to communications on paper or in digital form
   • If you could send it on paper, you can send it digitally (NY law requires consent for even routine disclosures)
   • The HIPAA Security Rule, which sets forth detailed security specifications, only applies to ePHI (electronic protected health information)
   • HIPAA also applies to "business associates" (contractors)

4. Privacy and Security Considerations for Digital Communications Among Professionals
   • Communications must be secure under federal and state law
   • Encryption is an "addressable implementation specification" under HIPAA
     • Not required, but the expectation is that transmissions will be encrypted (other security methods can be used, but the rationale must be documented)
   • Encryption using NIST standards provides a federal breach safe harbor

5. Privacy and Security Considerations for Digital Communications Among Professionals
   • For mobile technologies, application of the HIPAA Security Rule is frequently a challenge
   • HHS Office for Civil Rights released guidance in December 2012 (URL fragment as captured: professionals/your-mobile-device-and-health-information-privacy-and-security)

6. Privacy and Security Considerations for Digital Communications Among Professionals
   • Must use reasonable efforts to send to the correct professional
     • Right digital address?
     • If sent to the right organization, the expectation is that the organization will properly route it to the correct recipient
   • Must send data on the right patient
   • Sending data on the wrong patient, or to the wrong address, may trigger breach notification obligations and a potential privacy law violation

7. Professional to Patient Digital Communications
   • Generally: providers are required to comply with privacy and security laws when transmitting ePHI.
   • Three frequent questions that arise:
     • Is it possible to send a message to a patient that isn't considered ePHI?
     • Does the transmission have to comply with the HIPAA Security Rule?
     • Am I responsible for what the patient subsequently does with the data in the communication?
   • Answer to the last question: No. Whatever obligation the provider has ends with the hand-off.

8. Professional to Patient Digital Communications
   • Answer to the last question: No. Whatever obligation the professional has ends with the hand-off.
   • No federal or state privacy laws cover health information shared by patients themselves (for example, on social networking sites, stored in apps, etc.)
   • The Federal Trade Commission can hold companies accountable for failing to comply with privacy commitments, or for failing to adopt even baseline security protections
   • Better protections for patient-generated health information are an active area of policy discussion
9. ePHI
   • Protected health information does not have to include actual clinical information in order to be considered PHI.
   • If the patient is or could be identified, either in the communication or by someone who receives the communication, and the communication relates to health status or the provision of health care (or payment for care), it will be PHI.

10. ePHI
   • For example, if the patient is identifiable and the recipient knows that the communication came from a health care professional, it is PHI, even if the communication itself is fairly innocuous (such as an appointment reminder or a reminder to take an unspecified medication).

11. Security Rule and Transmissions to Patients
   • Ordinarily, the HIPAA Security Rule applies to all transmissions of ePHI.
   • BUT the recent omnibus rule suggests a patient can choose to receive communications in a form/format that works for them, even if it is not secure. (URL fragment as captured: patients-right-to-access-their-health-data.html)

12. Security Rule and Transmissions to Patients
   Patient's right to receive data: Omnibus rule (see quoted text on next slide)
   • Rule says patients can choose to receive information via unsecure e-mail if they choose to do so
   • Provider must give a light warning ("this is unsecure; are you sure?")
   • Arguably also relevant to other communications
   • Obligations to send to the right patient (right data, right address) still apply

13. Security Rule and Transmissions to Patients
   • Text from Omnibus Rule (78 Fed. Reg. 5634 (1/26/13)):
   "We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the "duty to warn" individuals of risks associated with unencrypted email would be unduly burdensome…. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request. Further, covered entities are not responsible for safeguarding information once delivered to the individual."

14. Security Rule and Transmissions to Patients
   • NY law is not detailed on this point, but HIPAA trumps state laws that are less protective of patient access rights.
   • Omnibus rule guidance was issued to address the specific question of patients requesting to receive copies of their medical records by unencrypted e-mail, but the rationale could apply to proactive communications as well.
     • For example, seeking permission from patients to contact them via text message.
15. Professionalism
   • Professional and ethical obligations apply to all communications, regardless of format
   • If you wouldn't or shouldn't send it on paper, don't send it digitally
   • Electronic communication is "Public, Permanent, and Powerful." (Spector et al., eProfessionalism: Challenges in the Age of Information, J. of Peds., vol. 156, no. 3 (2010))
   • E-communications should always be done professionally.

16. Professionalism
   • Single most consistent piece of advice: adopt policies governing use of digital communication tools
   • Specialty societies are developing such policies; one example is the 2013 Policy Statement from the American College of Physicians and the Federation of State Medical Boards
     • Developed for physicians but can be adapted for other professionals.

17. Online Medical Professionalism (from ACP Guidance)
   • Communications with patients using e-mail, text, and instant messaging
     • Establish guidelines for the types of issues appropriate for digital communication
     • Reserve digital communication only for patients who maintain face-to-face follow-up
   • Use of social media sites to gather information about patients
     • Consider the intent of the search and the application of findings
     • Consider implications (trust) for ongoing care

18. Online Medical Professionalism (from ACP Guidance)
   • Use of online educational resources and related information with patients
     • Vet information to ensure accuracy of content
     • Refer patients only to reputable sites and sources
   • Physician-produced blogs, microblogs, and physician posting of comments by others
     • "Pause before posting"
     • Consider the content and the message it sends about a physician as an individual and about the profession.

19. Online Medical Professionalism (from ACP Guidance)
   • Physician posting of personal information on public social media sites
     • Maintain separate personas, personal and professional, for online social behavior
     • Scrutinize material available for public consumption
   • Physician use of digital venues (e.g., text and web) for communicating with colleagues about patient care
     • Implement health IT solutions for secure messaging and information sharing
     • Follow institutional practice and policy for remote and mobile access to protected health information

20. Other Potential Resources for Using Social Media and Other Tools to Engage Patients
   • Engage! Transforming Healthcare Through Digital Patient Engagement, HIMSS (URL fragment as captured: digital-patient-engagement44809)
   • Federation of State Medical Boards, Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice
   • 8 Steps to Launch a Successful Social Media Strategy (A Guide for Health Care) (URL fragment as captured: media-polic/)
   • Mt. Sinai Medical Center Social Media Guideline (URL fragment as captured: us/services-and-resources/faculty-resources/handbooks-and-policies/faculty-handbook/institutional-policies/social-media-guidelines)

21. Accepting Digital Data from Patients
   • Unique issues may arise in communicating back and forth with patients, particularly with respect to accepting digital data from patients
     • Provenance and data integrity
     • Professional liability risk for the data stream? RWJ Project HealthDesign experience
     • Importance of managing expectations
     • Data does not necessarily have to flow into the EHR to be useful
22. FDA Regulation of Apps, EHRs
   • FDA takes the position that EHRs and other medical software applications are medical devices, subject to FDA regulatory authority
   • Issued and sought public comment on initial draft guidance for "mobile medical apps" (July 2011)
   • Seeking to regulate apps that more clearly perform the role of a medical device; does not include apps designed to be used for general health and wellness (like a fitness tracking app)
   • The distinction is not always that clear

23. FDA Regulation of Apps Controversial
   • Guidance generated some controversy.
   • Congress (in FDASIA) called for a federal advisory committee to examine the issue and make recommendations
   • Health IT Policy Committee recently recommended a risk-based framework for regulating medical software (URL fragment as captured: endationsDraft030913_v2.pdf)

24. Final Guidance Issued 9/23
   • (URL fragment as captured: uidance/GuidanceDocuments/UCM263366.pdf)
   • Focuses on how the app is intended to be used; platform agnostic
   • More clarity on where FDA will focus oversight. Medical apps that:
     • Are extensions of one or more medical devices (such as those that display device data);
     • Transform a mobile platform into a regulated device; or
     • Perform "patient-specific" analysis or provide "patient-specific" diagnosis or treatment recommendations
     will be subject to device regulation.

25. Final Guidance Issued 9/23
   • Guidance also lists types of apps for which FDA intends to exercise "enforcement discretion" (no enforcement at this time):
     • Apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in a daily environment.
     • Apps that provide patients with simple tools to organize and track their health information.
     • Mobile apps that provide easy access to information on a patient's health conditions or treatments.
     • Apps specifically marketed to help patients document, show or communicate to providers potential medical conditions.
     • Apps that perform simple calculations routinely used in clinical practice.
     • Apps that enable individuals to interact with PHR or EHR systems.
   • More examples are provided in the guidance.

26. Questions?
   Deven McGraw, 202-637-9800 x115