This document summarizes privacy, security, and professionalism considerations for digital communications among health care professionals and between professionals and patients. It discusses how HIPAA and state laws apply to electronic communications. Encryption is recommended but not required under HIPAA. Professionals must take care to send information to the right recipient and patient. Communications should maintain professional standards regardless of format. Guidance from medical societies can help set policies for using digital tools. The document also briefly discusses FDA regulation of mobile medical apps and acceptance of data from patients.
2. Health Privacy Project at CDT
Our theory: Privacy = enabler to flows of data that have
the potential to improve individual, public and
population health
Aim is to build public trust in these data flows, through
balanced & workable protections, as they are essential
to patient engagement, health reform and building a
“learning health care system.”
3. Privacy and Security Considerations for Digital
Communications Among Health Care
Professionals
HIPAA and NY State law likely apply
Privacy protections apply to communications on paper or in
digital form
If you could send it on paper, you can send it digitally
(NY law requires consent for even routine disclosures)
HIPAA Security Rule – which sets forth detailed security
specifications – only applies to ePHI (electronic protected
health information).
HIPAA also applies to “business associates” (contractors)
4. Privacy and Security Considerations for Digital
Communications Among Professionals
Communications must be secure under federal and state
law
Encryption is an “addressable implementation
specification” under HIPAA
Not required, but the expectation is that transmissions
will be encrypted (other security methods can be used,
but the rationale must be documented)
Encryption using NIST standards provides federal
breach safe harbor
5. Privacy and Security Considerations for Digital
Communications Among Professionals
For mobile technologies, application of HIPAA Security
Rule is frequently a challenge
HHS Office for Civil Rights released guidance in
December 2012:
http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
6. Privacy and Security Considerations for Digital
Communications Among Professionals
Must use reasonable efforts to send to the correct
professional
Right digital address?
If sent to the right organization, the expectation is that the organization will
properly route it to the correct recipient
Must send data on right patient
Sending data on wrong patient, or to wrong address, may
trigger breach notification obligations and potential
privacy law violation
7. Professional to Patient Digital
Communications
Generally: Providers are required to comply with privacy
and security laws when transmitting ePHI.
Three frequent questions that arise:
Is it possible to send a message to a patient that isn’t considered
ePHI?
Does the transmission have to comply with the HIPAA Security Rule?
Am I responsible for what the patient subsequently does with the
data in the communication?
Answer to last question: No. Whatever obligation the
provider has ends with the hand-off.
8. Professional to Patient Digital
Communications
Answer to last question: No. Whatever obligation the
professional has ends with the hand-off.
No federal or state privacy laws cover health information
shared by patients (for ex., on social networking sites,
storing in apps, etc.)
The Federal Trade Commission can hold companies
accountable for failing to comply with privacy commitments,
or failing to adopt even baseline security protections
Better protections for patient-generated health information
are an active area of policy discussion
9. ePHI
Protected health information does not have to include
actual clinical information in order to still be considered
PHI.
If the patient is or could be identified either in the
communication or by someone who receives the
communication – and the communication relates to health
status or the provision of health care (or payment for care),
it will be PHI.
10. ePHI
For example, if the patient is identifiable – and the recipient
knows that the communication came from a health care
professional – it is PHI, even if the
communication itself is fairly innocuous (such as an appt
reminder or a reminder to take an unspecified medication).
11. Security Rule and Transmissions to
Patients
Ordinarily, HIPAA Security Rule applies to all transmissions
of ePHI.
BUT the recent omnibus rule suggests a patient can choose to
receive communications in a form/format that works for
them, even if it is not secure.
http://projecthealthdesign.typepad.com/project_health_design/2013/02/new-hipaa-rules-clarify-patients-right-to-access-their-health-data.html
12. Security Rule and Transmissions to
Patients
Patient’s right to receive data – Omnibus rule (see quoted
text on next slide)
Rule says patients can choose to receive information via
unsecured e-mail
Provider must give a light warning (this is unsecured –
are you sure?)
Arguably also relevant to other communications
Obligations to send to right patient (right data, right
address) still apply
13. Security Rule and Transmissions to
Patients
Text from Omnibus Rule (78 Fed. Reg. 5634 (1/26/13))
“We clarify that covered entities are permitted to send individuals
unencrypted emails if they have advised the individual of the risk, and the
individual still prefers the unencrypted email. We disagree that the “duty to
warn” individuals of risks associated with unencrypted email would be
unduly burdensome…. We do not expect covered entities to educate
individuals about encryption technology and the information security.
Rather, we merely expect the covered entity to notify the individual that
there may be some level of risk that the information in the email could be
read by a third party. If individuals are notified of the risks and still prefer
unencrypted email, the individual has the right to receive protected health
information in that way, and covered entities are not responsible for
unauthorized access of protected health information while in transmission
to the individual based on the individual’s request. Further, covered entities
are not responsible for safeguarding information once delivered to the
individual.”
14. Security Rule and Transmissions to
Patients
NY law is not detailed on this point – but HIPAA trumps state
laws that are less protective of patient access rights.
Omnibus rule guidance was issued to address specific
question of patients requesting to receive copies of their
medical records by unencrypted e-mail – but rationale could
apply to proactive communications as well.
For example, seeking permission from patients about contacting
them via text message.
15. Professionalism
Professional and ethical obligations apply to all
communications, regardless of format
If you wouldn’t or shouldn’t send it on paper, don’t send
it digitally
Electronic communication is “Public, Permanent, and
Powerful.” (Spector et al., eProfessionalism: Challenges in the Age of
Information, J. of Peds., vol 156, No. 3 (2010))
E-communications should always be done professionally.
16. Professionalism
Single, most consistent piece of advice: Adopt policies
governing use of digital communication tools
Specialty societies are developing such policies – one example is
the 2013 Policy Statement from the American College of
Physicians and the Federation of State Medical Boards
http://annals.org/article.aspx?articleid=1675927
Developed for physicians but can be adapted for other
professionals.
17. Online Medical Professionalism (from ACP
Guidance)
Communications with patients using e-mail, text, and
instant messaging
Establish guidelines for types of issues appropriate for digital
communication
Reserve digital communication only for patients who maintain face-
to-face follow-up
Use of social media sites to gather information about
patients
Consider intent of search and application of findings
Consider implications (trust) for ongoing care
18. Online Medical Professionalism (from ACP
Guidance)
Use of online educational resources and related information
with patients
Vet information to ensure accuracy of content
Refer patients only to reputable sites and sources
Physician-produced blogs, microblogs, and physician
posting of comments by others
“Pause before posting”
Consider the content and the message it sends about a physician as
an individual and the profession.
19. Online Medical Professionalism (from ACP
Guidance)
Physician posting of physician personal information on
public social media sites
Maintain separate personas, personal and professional, for online
social behavior
Scrutinize material available for public consumption
Physician use of digital venues (e.g., text and web) for
communicating with colleagues about patient care
Implement health IT solutions for secure messaging and information
sharing
Follow institutional practice and policy for remote and mobile
access of protected health information
20. Other Potential Resources for Using Social
Media, Other Tools to Engage Patients
Engage! Transforming Healthcare Through Digital Patient Engagement, HIMSS,
http://ebooks.himss.org/product/engage-transforming-healthcare-through-digital-patient-engagement44809
Federation of State Medical Boards, Model Policy Guidelines for the Appropriate
Use of Social Media and Social Networking in Medical Practice,
http://www.fsmb.org/pdf/pub-social-media-guidelines.pdf
8 Steps to Launch a Successful Social Media Strategy (A Guide for Health Care),
http://www.hivestrategies.com/2011/02/rules-fo-a-hipaa-compliant-social-media-polic/
Mt. Sinai Medical Center Social Media Guideline,
http://icahn.mssm.edu/about-us/services-and-resources/faculty-resources/handbooks-and-policies/faculty-handbook/institutional-policies/social-media-guidelines
21. Accepting Digital Data from Patients
Unique issues may arise in communicating back and forth
with patients, particularly with respect to accepting digital
data from patients
Provenance and data integrity
Professional liability risk for data stream? RWJ Project
HealthDesign experience
Importance of managing expectations
Data does not necessarily have to flow into EHR to
be useful
22. FDA Regulation of Apps, EHRs
FDA takes the position that EHRs and other
medical software applications are medical
devices, subject to FDA regulatory authority
Issued & sought public comment on initial draft
guidance for “mobile medical apps” (July 2011)
Seeking to regulate apps that more clearly perform the role of a
medical device; does not include apps designed to be used for
general health & wellness (like a fitness tracking app)
Distinction not always that clear
23. FDA Regulation of Apps Controversial
Guidance generated some controversy.
Congress (in FDASIA) called for federal advisory committee
to examine issue, make recommendations
Health IT Policy Committee recently recommended a risk-
based framework for regulating medical software
(http://www.healthit.gov/FACAS/sites/faca/files/FDASIARecommendationsDraft030913_v2.pdf)
24. Final Guidance Issued 9/23
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf
Focuses on how app is intended to be used; platform agnostic
More clarity on where FDA will focus oversight. Medical apps that:
Are extensions of one or more medical devices (such as those that
display device data);
Transform a mobile platform into a regulated device; or
Perform “patient-specific” analysis or provide “patient-specific”
diagnosis or treatment recommendations
Will be subject to device regulation.
25. Final Guidance Issued 9/23
Guidance also lists types of apps for which FDA intends to
exercise “enforcement discretion” (no enforcement at this
time):
Apps that provide or facilitate supplemental clinical care, by coaching or
prompting, to help patients manage their health in a daily environment.
Apps that provide patients with simple tools to organize and track their health
information.
Mobile apps that provide easy access to information on a patient’s health
conditions or treatments
Apps specifically marketed to help patients document, show or communicate to
providers potential medical conditions.
Apps that perform simple calculations routinely used in clinical practice.
Apps that enable individuals to interact with PHR or EHR systems.
More examples provided in guidance.
FDA does not intend to regulate “mobile apps that are solely used to log, record, track, evaluate, or make decisions or suggestions related to developing or maintaining general health and wellness.”
Examples of health and wellness apps are provided in the guidance, and include dietary tracking logs, appointment reminders, dietary suggestions based on a calorie counter, posture suggestions, exercise suggestions, etc.
In contrast, a mobile medical app is one that is intended for “curing, treating, seeking treatment for, mitigating, or diagnosing a specific disease, disorder, patient state, or any specific, identifiable health condition.”
FDA intends to place the most stringent requirements on devices that pose the most risk; general controls only for those that pose minimum risk to morbidity/mortality