Radical advancements in health IT development and implementation have pushed the issue of health data security to the forefront of the collective healthcare provider mindset, as providers attempt to strike a balance between patient access to electronic health record protected health information (PHI) and data protection. The fact that so many health IT vendors now have access to and possess protected health information necessitated changes to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which was enacted to establish ground rules for the privacy protection of individually identifiable health information.
We invited Mac McMillan, Chair of the HIMSS Privacy and Security Task Force, to discuss what these new changes are and define their parameters, the mission of the HIMSS Privacy & Security Task Force, his definition of what “privacy” actually is, his comments on new technologies that are viable options for healthcare providers to implement as a way to protect access to sensitive patient data, and his thoughts on the increased adoption of PHI management applications such as Microsoft HealthVault.
Listen in to this podcast for more information on the latest health IT industry developments and regulations that govern PHI, and for insight from Mac on why healthcare providers and third-party vendors should pay close attention to compliance with recent HIPAA changes.
Health IT Data Security – An Overview of Privacy, Compliance, and Technology Options
1. M2SYS Healthcare Solutions Free Online Learning Podcasts
Podcast length – 35:02
Topic: Healthcare IT Data Security – HIPAA compliance, HIMSS Privacy & Security Task Force Objectives, What is “Privacy”, Technology Options to Protect Patient Data, Adoption Trends for Personal Health Information (PHI) Applications
Mac McMillan, Chair, HIMSS Privacy & Security Policy Task Force
2. Topics Covered in Podcast:
HIMSS Privacy and Security Task Force Mission and Objectives Defined
HIPAA Rule Changes and How They Affect the Provider – Business Associate Relationship
The Difference Between “Access” and “Possession” of PHI Information & How it Impacts HIPAA Compliance
What Does “Privacy” Mean?
How Does “Fear” Factor into Policies Surrounding Privacy?
3. Topics Covered in Podcast (continued):
Viable Technologies to Protect Patient Data
Do Biometrics for Patient ID Violate a Patient’s Privacy?
PHI Application Patient Adoption Trends
4. HIMSS Privacy and Security Task Force Mission and Objectives
• Made up of all volunteer staff
• Primary purpose: review policy issues affecting privacy and security in healthcare that arise from new legislation, regulation, or rules
• The Task Force also supports the official HIMSS review process for its responses to new legislation and new rules
• Helps to ensure consistency for HIMSS responses so that they stay in line with HIMSS goals
• Mac’s experience in knowing how government works in terms of regulations, rules, directives, and standards has helped him understand his role and direction as Chair of the HIMSS Privacy and Security Task Force
5. HIPAA Rule Changes and How They Affect the Provider – Business Associate Relationship
• September 23rd: HIPAA compliance deadline for providers & business associates on how Personal Health Information (PHI) is maintained and protected, plus changes to data breach notifications and enforcement
• Changes:
  • Breach notification – changes to the reporting rules
  • Business Associate status – how does the rule apply to business associates and sub-contractors?
  • Privacy provisions – help protect patient privacy through more effective data management
  • Enforcement – new guidelines on what the penalties are and how they should be enforced
• The relationship between business associates and covered entities has not fundamentally changed – what changed is the responsibilities of both parties
6. HIPAA Rule Changes and How They Affect the Provider – Business Associate Relationship (continued)
• Business associates are now held more accountable for privacy and PHI data protection on work they are doing on behalf of the covered entity
• Covered entities – greater emphasis on vendor management in terms of due diligence before vendor contracting, making sure you convey privacy and security expectations, making sure you monitor vendor relationships closely, ensuring you have measures in place for breach notifications, and how to deal with data after contract termination
• The new changes promote more accountability and transparency in the industry
Did you know?
Nearly one-third of the 980 problems that HHS' Office of Civil Rights uncovered during privacy and data-security audits of 115 healthcare providers and insurers happened because the organizations were not aware of all of the requirements facing them, according to root-cause analyses performed by HHS contractor KPMG.
Source: Modern Healthcare, April 2013
7. The Difference Between “Access” and “Possession” of PHI Information & How it Impacts HIPAA Compliance
• If you create PHI, either originally or derivatively, or if you transmit or receive it, you are considered a business associate. The same applies if you have possession of the data, whether in your system or your environment, or if you have perpetual access to the information.
• You can’t claim the “conduit exemption” unless you are only maintaining the data in your environment for as long as it takes the system to perform the transfer; otherwise, if you take possession of the data for any other reason (hosting, backing up, storing, etc.), you are a business associate.
• Even if the covered entity sends encrypted information, if you possess it, you are still considered a business associate – business associates are responsible for the entire Security Rule.
• The new rule defines “possession” of information as a stipulation for compliance – “possession” assumes “access”
8. What Does “Privacy” Mean?
• Privacy is a tough thing to define in today’s world because of shifting social norms and generational changes
• What one generation thinks of privacy may not be shared by others
• Privacy as it relates to law and the HIPAA rule is very black and white – patient information belongs to the individual, and the right to access it should only extend to the individual's care team or to someone who is involved with the care of the individual; the individual gives authorization for the information to be used or disseminated for anything other than medical care (e.g., marketing purposes)
• The trust between caregiver and patient is often defined by how well the provider maintains and protects patient PHI
• Patient confidence can erode quickly when PHI is not handled properly
• The healthcare industry’s definition of privacy is constantly evolving, and it’s difficult to write a rule against a shifting privacy landscape
• The key is recognizing differences in perception and making decisions based on how the law defines privacy
9. How Does “Fear” Factor into Policies Surrounding Privacy?
• It is important not to make decisions or establish policy guidelines based on fear – it’s better to enact policy based on what is known
• Patients may fear the known more than the unknown (e.g., data breaches, medical identity theft, fraud)
  • Consumers understand that their information is at risk
  • Consumers have a much higher level of confidence in their healthcare provider’s ability to protect PHI than in organizations or the government
• Organizations should base their policies on what they know (what the threat is), what the risks are, and what their controls environment will enable, and make smart decisions on how they craft policies to alleviate or mitigate the risk of negative occurrences
• Fear is a good motivator for making organizational change
10. Viable Technologies to Protect Patient Data
• Access Control & Patient Identification – Biometrics
**The problem that a lot of modern technological solutions for healthcare have is that many do not necessarily have apt security functionality due to a lack of industry standards or protocols
Did you know?
More healthcare facilities are researching the use of biometric identification for employee access control and accurate patient identification. Biometrics has great potential to increase patient safety, reduce the cost of care, and eliminate fraud and identity theft.
[Images: Biometrics for Access Control; Biometrics for Patient ID]
11. Do Biometrics for Patient ID Violate a Patient’s Privacy?
• They enhance patient privacy – biometrics for patient ID were developed with a positive purpose in mind
• If they are deployed, utilized, and explained properly to patients:
  • Biometrics elevates a patient’s level of confidence in how the technology is used and how it protects their safety and privacy
  • Because biometrics uniquely identify a patient, the healthcare industry is more likely to eliminate impermissible disclosures
• The more accurate the healthcare industry is in identifying who is accessing medical records and information, the better chance it has of limiting impermissible disclosures
12. PHI Application Patient Adoption Trends
• Patients have more confidence in a portal that is provided by their caregiver rather than by a third-party vendor
• Patients will start to take on more responsibility for their medical information – they are seeking more visibility and portable platforms
• Patient engagement as part of Meaningful Use Stage 2 will help drive up adoption of PHI applications
• Almost every hospital now has its own version of a patient portal – increased accessibility will also drive up adoption rates
Did you know?
Approximately 50% of U.S. hospitals and 40 percent of U.S. physicians in ambulatory practice possess some type of patient portal technology, mostly acquired as a module of their practice management (PM) or electronic health record (EHR) system.
Source: Frost & Sullivan report, September 2013
13. Thank you to Mac for his time and knowledge for this podcast!
Please follow Mac on Twitter (@mmcmillan07) and visit his Web page: www.cynergistek.com
14. Contact Information
John Trader
PR and Marketing Manager
M2SYS Healthcare Solutions
1050 Crown Pointe Pkwy., Suite 850
Atlanta, GA 30338
jtrader@m2sys.com
770-821-1734
www.m2sys.com
Podcast home page: http://www.m2sys.com/healthcare/healthcare-biometrics-podcasts/
Twitter: twitter.com/rightpatient
Facebook: facebook.com/rightpatient
LinkedIn: linkedin.com/company/m2sys-technology