HIPAA and E-Mail: Protecting PHI

Topics:
- How is the role of messaging evolving within the healthcare community?
- What best practices should healthcare providers take to comply with regulations and plan for the future?

Published in: Technology, Health & Medicine
Slide 1: HIPAA and E-Mail: Protecting PHI
Maurene Caplan Grey, Founder, Principal Analyst

Slide 2: HIPAA “101”
- Health Insurance Reform
- Administrative Simplification
  - Standards for electronic health information transactions
  - Mandate on providers and health plans, and timetable
  - Pre-emption of state law
  - Penalties
  - Privacy
- http://www.cms.hhs.gov/hipaa/hipaa2/default.asp (CMS: HIPAA – Administrative Simplification, updated September 2005)
- http://www.hipaadvisory.com/regs/compliancecal.htm (Status of HIPAA Regulations Compliance Calendar, updated August 2005)

Slide 3: Today’s Topics
- How is the role of messaging evolving within the healthcare community?
- What best practices should healthcare providers take to conform with regulations and plan for the future?

Slide 4: Healthcare Industry Evolution
- From: mass market treatment; focus on illness; customer is the doctor
- To: targeted treatments; focus on wellness; customer is the consumer

Slide 5: Increasing Self-Management via E-Mail
Patient = Consumer: “Is this serious? Do I need a checkup?” “I wonder if I have diabetes? What more can I find out? What are other people doing to control it?”
Physicians, Pharmacists, Peers…
Quick poll statement: “Physician resistance to communicating with patients via e-mail is decreasing.”
  Response   Respondents   Percentage
  Agree      50            67.7
  Disagree   24            32.43
Source: Health Data Management Magazine, “Quick Poll,” 9 Sept 2005

Slide 6: Using an Online Consultation System for Self-Management

Slide 7: PHI within the Healthcare Community
- Hospital MD gathers PHI from patient
- Patient’s PHI stored as record by the hospital
- PHI sent to lab
- Lab report sent to doctor
- Invoice sent to patient’s healthcare insurance
- Insurance company stores patient record

Slide 8: The New Healthcare Community
Suppliers, Providers, Payers, Employers, Government, Consumers, Physicians, Life Sciences

Slide 9: Today’s Topics
- How is the role of messaging evolving within the healthcare community?
- What best practices should healthcare providers take to conform with regulations and plan for the future?

Slide 10: Why Security and Privacy Policies Fail
- Rulings are ambiguous and untested
- Poor or no business processes
- Social engineering
- Wrong technology
- Right technology, poorly implemented
- No auditing
- Lack of user training
- Poor or no governance
- Rulings change
- Fraud
- “Lost” PHI: local hard drives, cache, memory sticks, PDAs, smart phones, server storage, application data stores…
Slide 11: Approach 1: Gateway
1) File uploads to gateway
2) E-mail sent to recipient with URL that points to file
3) Recipient clicks on URL, authenticates to the gateway and downloads file
Often used for ad hoc relationships

Slide 12: Approach 2: End-to-End, Gateway
1) File sent to gateway
2) E-mail sent to recipient with URL that points to file
3) Recipient clicks on URL, authenticates to gateway and downloads file
End-to-end encryption at both the sender and the recipient: Commercial PGP, OpenPGP, S/MIME …
Often used for ad hoc relationships, where extra security is required

Slide 13: Approach 3: Gateway-to-Gateway
Sender -> Sender’s gateway -> Recipient’s gateway -> Recipient
Often used for trusted relationships

Slide 14: Approach 4: End-to-End, Gateway-to-Gateway
Sender -> Sender’s gateway -> Recipient’s gateway -> Recipient
End-to-end encryption at both the sender and the recipient: Commercial PGP, OpenPGP, S/MIME …
Often used for trusted relationships, where extra security is required
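The gateway flow on slides 11 and 12 is easier to reason about with a running model of the three steps, so the following is an added example rather than anything from the deck or from Grey Consulting. It assumes example.org host names, a `SecureGateway` class with PBKDF2 password storage for enrolled recipients, a three-day link lifetime and single-use links; the deck prescribes none of those details. The extra layer in Approach 2 (encrypting the file itself with commercial PGP, OpenPGP or S/MIME before it reaches the gateway) is not implemented here.

```python
# Added example (not the deck's code): a minimal model of the gateway pickup approach.
# Host names, class and function names, the PBKDF2 settings and the three-day link
# lifetime are assumptions chosen for illustration.
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from email.message import EmailMessage
TOKEN_TTL_SECONDS = 3 * 24 * 3600  # assumed policy: pickup link valid for three days
RECIPIENT = "dr.jones@clinic.example.org"  # constructed sample data, not real PHI
SAMPLE_PHI = b"Patient: Jane Doe\nHbA1c: 7.9%\nNote: schedule follow-up\n"

@dataclass
class Deposit:
    recipient: str
    content: bytes
    token_hash: bytes         # only a hash of the URL token is kept on the gateway
    expires_at: float
    downloaded: bool = False  # the link is single-use

class SecureGateway:
    def __init__(self, host="gateway.example.org"):
        self.host = host
        self._deposits = {}     # deposit id -> Deposit
        self._credentials = {}  # recipient -> salt + PBKDF2 hash
        self.audit_log = []     # every deposit and pickup attempt (slide 17 calls for auditing)

    def enroll(self, recipient, password):  # recipients are known to the gateway; the link alone never suffices
        salt = secrets.token_bytes(16)
        self._credentials[recipient] = salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def _authenticate(self, recipient, password):
        record = self._credentials.get(recipient, b"")
        salt, stored = record[:16], record[16:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        return hmac.compare_digest(candidate, stored)

    def deposit(self, sender, recipient, content, now):
        """Steps 1 and 2: store the file, return the notification e-mail to be sent."""
        deposit_id, token = secrets.token_hex(8), secrets.token_urlsafe(32)
        self._deposits[deposit_id] = Deposit(recipient, content, hashlib.sha256(token.encode()).digest(),
                                             now + TOKEN_TTL_SECONDS)
        self.audit_log.append(f"deposit {deposit_id} from={sender} to={recipient}")
        msg = EmailMessage()
        msg["From"], msg["To"] = sender, recipient
        msg["Subject"] = "A secure message is waiting for you"
        # The notification names neither the file nor its contents, so nothing in
        # transit or in the mail store is PHI, only a capability to fetch it.
        msg.set_content(f"Sign in to retrieve it:\nhttps://{self.host}/pickup/{deposit_id}/{token}\n")
        return msg

    def pickup(self, deposit_id, token, recipient, password, now):
        """Step 3: the recipient follows the URL, authenticates and downloads."""
        dep = self._deposits.get(deposit_id)
        if dep is None or not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), dep.token_hash):
            self._deny(deposit_id, "unknown or invalid link")
        if recipient != dep.recipient or not self._authenticate(recipient, password):
            self._deny(deposit_id, f"authentication failed for {recipient}")
        if now > dep.expires_at:
            self._deny(deposit_id, "link expired")
        if dep.downloaded:
            self._deny(deposit_id, "link already used")
        dep.downloaded = True
        self.audit_log.append(f"pickup {deposit_id} delivered to {recipient}")
        return dep.content

    def _deny(self, deposit_id, reason):
        self.audit_log.append(f"pickup {deposit_id} denied: {reason}")
        raise PermissionError(reason)

def parse_pickup_link(body):
    """What the recipient's mail client does: pull deposit id and token out of the URL."""
    m = re.search(r"/pickup/([0-9a-f]+)/([A-Za-z0-9_-]+)", body)
    if not m:
        raise ValueError("no pickup link in message")
    return m.group(1), m.group(2)

def _denied(action):
    try:
        action()
    except PermissionError:
        return True
    return False

def demo():
    """Walk the flow once and record what the gateway allowed and refused."""
    gw, pw, sender = SecureGateway(), "correct horse battery staple", "nurse@hospital.example.org"
    gw.enroll(RECIPIENT, pw)
    body = gw.deposit(sender, RECIPIENT, SAMPLE_PHI, now=1000.0).get_content()
    dep_id, token = parse_pickup_link(body)
    r = {"email_leaks_phi": "Jane Doe" in body or "HbA1c" in body}
    r["wrong_password_denied"] = _denied(lambda: gw.pickup(dep_id, token, RECIPIENT, "guess", 1500.0))
    r["first_pickup_ok"] = gw.pickup(dep_id, token, RECIPIENT, pw, 1500.0) == SAMPLE_PHI
    r["reuse_denied"] = _denied(lambda: gw.pickup(dep_id, token, RECIPIENT, pw, 1600.0))
    late_id, late_token = parse_pickup_link(gw.deposit(sender, RECIPIENT, b"x", now=1000.0).get_content())
    r["expired_denied"] = _denied(lambda: gw.pickup(late_id, late_token, RECIPIENT, pw, 1000.0 + TOKEN_TTL_SECONDS + 1))
    r["audit_entries"] = len(gw.audit_log)
    return r
```

Calling `demo()` walks one delivery end to end: the notification e-mail carries no PHI, a correct link with a wrong password is refused, the link cannot be used twice, and a link presented after its lifetime is refused; each of those attempts, allowed or denied, lands in `audit_log`, which is the record an auditor would ask for. The design point is that the e-mail is only a capability to fetch, and the gateway never trusts that capability without authenticating the recipient it was issued to.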
Slide 15: Scenario: University with Teaching Hospital
- Administrative Policies: Information Security; Information Management; Securing E-Mail
- University’s standards: Technology options; Employee responsibilities
- Security: Risk assessment templates; HIPAA assessment plan; Sys Admin toolkits
- Governance board: Chancellor’s Office; School of Dentistry; School of Medicine; School of Nursing; School of Pharmacy; Medical Center – IT; Medical Center – Non-IT; Student Academic Affairs; Information Security Officer; Privacy Officer
- Training

Slide 16: What You Need To Do Now – People and Business
- Engage legal counsel to interpret HIPAA regulations for your scenario.
- Conduct, and reinforce, employee training.
- Appoint a privacy officer (the rule requires one).
- Educate business partners on your PHI security and privacy policies.

Slide 17: What You Need To Do Now – Technology
- Deploy secure e-mail technologies that fit the relationship model between sender and recipient. Simplicity at the user end is key for adoption.
- Develop secure e-mail frameworks that are extensible as healthcare community needs evolve.
- Budget for and carry out continuous vulnerability testing and security audits.
- HIPAA is designed to protect patient privacy. Architect security measures accordingly.

Slide 18: For further information on this topic, contact Grey Consulting: [email_address], 845.531.5050, www.grey-consulting.com
Making messaging and collaboration work
