For the purposes of this talk, we’ll use the terms EMR and EHR interchangeably. There are nuanced differences, but we’ll ignore that for now.EMR use elevates health data:from: simple individual-patient medical recordkeeping (just like with paper)to: tools that can aggregate data from many different patient charts and help us conduct population management (can’t do that with paper)
HIPAA was initially about standardizing data interchange for electronic claims submission, claims payment and adjudication.But it is the Privacy and Security elements that have drawn most of our attention.
To quote from the HHS web site on Health Information Privacy:Widespread use of health IT within the health care industry will improve the quality of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care. It is imperative that the privacy and security of electronic health information be ensured as this information is maintained and transmitted electronically.
On July 8, 2010, HHS announced proposed regulations under HIPAA, with an open comment period that just finished on September 13th.In addition, the ONC and the Office for Civil Rights (OCR) – in charge of enforcing privacy and security – established a new Chief Privacy Officer (Joy Pritts, JD) to help the ONC design new policies.The ONC has convened a privacy and security workgroup (known as the “Tiger Team”) of the Health Information Technology Policy Committee (HITPC) with strong consumer participation to hold public deliberations and make recommendations about patient choice of how health information is exchanged.
Let’s look at the issues: Privacy and Security, and what that means at the individual practice level (more than the national-policy level)We’ll look at Security first
PHI needs to be encrypted wherever it is housed.The encryption key should NOT be on the same machine where the encrypted data resides (that would be like leaving the keys in the car).There is a safe haven around the theft of devices with PHI on it:if it is sufficiently encrypted (there are NIST standards for this), and the keys are not on the same machine, then the PHI has been rendered unreadable and unusablein this case, theft does not need to be reported (it has been completely scrambled, and the keys are still safe)Otherwise, PHI loss needs to be reported to the individuals affected. If >500 records are involved, then the loss needs to be reported to HHS as well.
PHI that is exchanged needs to be encrypted too. This is true for sending data across the web. Fortunately, good security tools for this have already been developed (thanks to internet banking with a 15+ year history of experience doing this)sending data within a local network, if the EMR is locally housed and uses workstations within a LANthere is an option to have in-LAN data exchange be unencrypted, if the LAN can be demonstrated to be completely walled off from the outside world – however, many LANs may have leaks to outside sources that could compromise thisit is preferable to have EMR data traffic within a secure LAN be encrypted too.
I’m making a distinction here between Clinical Data Exchange and Data Sharing.Clinical Data Exchange involves packaging up a piece of PHI (like a CCD or CCR file) and sending it from one EMR system to another one across secure channels. Like mailing a letter.Data Sharing has to do with allowing additional people the right to see a single, shared data source. Chart Sharing (possible with web-based EHRs) – one patient, one chart – deals with this.The idea of “limited data set” has been mostly applied to sending medical information to insurance plansyou only send the minimum amount of info needed to pay a billIt also pertains to chart sharing, and determining how a patient can grant permission for what elements of the chart to be shared with which specialists. Highly granular chart-element sharing is at the forefront of technology right now, and is not yet mainstream.
Bottom line: how do we build trust?By creating a secure framework that will EARN public trust.Banking had to go through this 15-20 years agoHealth IT is just starting on this journey
Risk: do it badly, and Private Health Information leaks out.Benefit: medical data is shared between elements of the health care system, so they work in a coordinated fashion (patients want this). No more “filling out the same form over and over again”Doctors need to:keep data secure when housed in-housekeep data secure when exchanging itunderstand privacy. As physicians, we are CUSTODIANS of the patient’s health data – patients are the owners of it. When in doubt, ask permission.The vision for the future of healthcare is to promote a coordinated system of care, where health information can follow the patient wherever and whenever it is needed. HIPAA represents a framework for enabling this to happen.As the title of the joint statement on privacy and security (between the ONC and OCR) states, it’s about “building trust in health information exchange”
HIPAA Compliance Dangers for Digital Doctors
HIPAA Compliance Dangers for Digital Doctors<br />Robert Rowley, MD<br />Practice Fusion, Chief Medical Officer<br />
HIPAA Landscape<br />As doctors across the country switch from paper charts to electronic medical records – new questions and regulations around patient privacy are emerging. <br />EMR systems are changing the way health data is managed – creating risks and opportunities. <br />
Portability<br />HIPAA has a reputation for privacy – but the goal is really portability. Portable health data has the power to improve the safety, efficiency and quality of healthcare.<br />
Positive Perspective<br />Let’s turn the HIPAA question around from the “don’t step on land mines” approach to a positive one – how can HIPAA create a framework of privacy and security in order to gain trust from patients and from the public?<br />
Rights Under HIPAA<br />The new HIPAA rules expand individual rights to:<br />Access their information<br />Restrict disclosures of PHI to health plans<br />Extend applicability of Privacy and Security Rules to business associates<br />Establish new limitations on use and disclosure of PHI for marketing and fundraising purposes<br />Prohibit sale of PHI without patient authorization<br />(Source: ONC for Health Information Technology)<br />
What Does It Mean?<br />This is all designed to promote patient trust in the security and privacy on PHI, necessary to build the HIT infrastructure envisioned for health delivery improvement. <br />What does it mean for healthcare providers?<br />
Security at Rest<br />Security: PHI must remain secure wherever it is encountered.<br />At rest:<br />Servers<br />Local workstations<br />Data backup media<br />Other devices (i.e. faxes and copy machines)<br />Most PHI breaches have been from theft of computers with unencrypted PHI on them<br />
Security in Transit<br />In transit:<br />Web-based<br />Local<br />Avoid using non-secure communications for PHI exchange:<br />Standard email<br />Avoiding public portals<br />
Privacy<br />PHI exchange must be for a documented reason (like clinical care), and must be via permission.<br />The principle of “limited data set” <br />Challenges for clinical data exchange <br />Data sharing<br />Survey results show that patients want their data available and portable<br />
Trust Around PHI<br />What do “digital doctors” need to do to help build the trust relationship around PHI?<br />Make sure that data security breach risks are minimized:<br />Encrypt data on servers<br />Destroy local copies of PHI after upload<br />Make sure any data backup is encrypted<br />Make sure that all “trashed” PHI is securely destroyed<br />
Trust Around PHI<br />Avoid using insecure methods of communication when it comes to PHI<br />Avoid standard emails that disclose PHI<br />Avoid social networking sites around PHI<br />Use secure web tools for communicating with patients <br />
Trust Around PHI<br />Make sure that HIPAA Business Associate agreements are in place with everyone who handles your PHI downstream<br />Hosting web-based EHRs <br />If there is an in-house EHR, have BA agreements in place<br />Shredding companies<br />If there is any doubt about sharing PHI with someone else, get the patient’s specific permission. <br />
Conclusion<br />Conclusion: <br />Risk vs. benefit<br />Most important things to remember for protecting data<br />What HIPAA can unlock for the future of healthcare<br />Q&A<br />