GKC HIMSS Cybersecurity Event, September 24, 2019
Presented by Susan Thomas, MSHA, CHC, CIA, CRMA, CPC, CCSFP, CHIAP, PYA, P.C. KC Office Consulting Manager
Patient Right to Access
How to Communicate Securely in the Technology Age
Prepared for GKC HIMSS Cybersecurity Event Page 1
About PYA
PYA, P.C. is a national healthcare advisory services firm providing consulting, audit, and tax services including:
Regulatory compliance
Risk assessments
Information Technology advisory
Mergers and acquisitions due diligence
Business valuations
Physician Compensation fair market value (FMV) assessments
Strategic planning
Operations optimization
Tax, audit, and assurance
Today’s Objectives
Define Patient Right to Access
Review the methods for electronic patient communication
Consider associated security and privacy issues for each type of electronic communication
Review key regulatory requirements
Discuss best practices for secure patient communications
Work through some real-life examples of patient right to access issues
Special thanks to Tom Walsh for his expertise and contribution to the material in this presentation!
Patient Right to Access
Guidance issued by the Department of Health and Human Services (HHS) Office of Civil Rights (OCR)
Outlines the right of patients to request their Protected Health Information (PHI) from a HIPAA covered entity and receive it in a timely manner
The guidance was released in response to ‘obstacles’ faced by patients; HHS called it “an important step toward ensuring that individuals can take advantage of their HIPAA right of access”*
*Source: https://www.hiv.gov/blog/understanding-individuals-right-under-hipaa-to-access-their-health-information
Individual’s Right Under HIPAA to Access Their PHI
According to Stage 2 Meaningful Use*, eligible providers must give patients the ability to:
View health information online
Download and transmit their health information within four business days of the information being available to the organization
Individual’s Right Under HIPAA to Access Their PHI
*Source: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Stage2MedicaidModified_Require.html
As technology continues to evolve, there has been a push for individuals to be able to access their medical records electronically.
Individual’s Right Under HIPAA to Access Their PHI
Practical Application
The rise of digital health tools for PHI access
Mobile apps and portals improve patient engagement.
The availability of tools and platforms caters to increasing patient demand to offer greater PHI accessibility.
Technology offers more convenience and is in lockstep with the rise of the digital health movement.
Inherent risk
Patient identities compromised, stolen, or shared
Direct threat to patient safety and provider medical error liability
Provider reputational damage
Electronic Patient Communication
Electronic Communication
Electronic communication is the dominant mode of human interaction in our society (retail, banking, and now healthcare)
This new normal is possible using personal computing devices that have revolutionized how people live and interact with service providers
Patient engagement and patient experience requires new thought leadership on how to positively affect patient communication
Methods for Communicating
Patient portals
Email
Text messages
Instant messaging, chat, social media, etc.
Video conferencing or videotelephony
Voicemail messages
Patient Portals
Why Patient Portals?
Patients want to interact over the internet
Patient portals are convenient for both the patient and the healthcare provider
Patient portal interactions are less expensive for both the patient and the healthcare provider
Meaningful Use objectives
Patient Portal Capabilities
Patient Registration
Scheduling appointments and procedures
Support billing (statement access, make payments)
Patient health records
Patient history gathering
Provider-Patient Messaging
Email
Essential form of communication
Almost everyone has at least one email account
Many personal email accounts are free – and over-trusted!
Data stored in an email is being data mined by the email service provider (PHI contained within an email is vulnerable)
Free email is often the target of attacks
Malware
Phishing
Social Engineering
Unintentional acts by authorized users
Email providers are vulnerable to hackers -- potentially exposing users’ data
Microsoft Just Revealed a Big Email Hack (outlook.com, April 2019)
Texting
Text messaging is often used and preferred by physicians because it is fast and convenient. And everyone always has a smart phone!
Physicians may not have an awareness of:
Regulatory requirements, including:
HIPAA – Health Information Portability and Accountability Act
FCC – Federal Communications Commission
FTC – Federal Trade Commission
MMA – Mobile Marketing Association
The ramifications and personal liabilities that could occur while using text messaging
No guarantees . . .
Texting was not designed to be reliable or a priority communication for cellphone towers.
Texts may be delayed depending on the strength of the network in the area and overall text volume being handled on the provider’s network
Texting PHI
On December 28, 2017, CMS issued a Memorandum* on text messaging:
Texting patient information among members of a healthcare team is permissible if accomplished through a secure platform.
Texting patient orders is prohibited regardless of the platform.
Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.
*Source: https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-18-10.pdf
Instant Messaging/Online Chat
On-demand conversations with patients
Easy way for patients to ask questions and make an appointment
Example: Website has a chat box that pops up
Near real-time communications
Example: Facebook Messenger, Whatsapp
Telehealth/Telemedicine
The Compelling Case for Telehealth
“De-Limits” healthcare services
Video, mobile apps, text-based messaging, sensors, and social platforms deliver health services in a way that is independent of time or location.
Improves patient satisfaction
Access to care, improved communication, greater control over care, decreased transmission of communicable diseases, eliminates transportation issues
Enhances efficiency
Mobile imaging, interact with patients in their environment, remove the incidence of the “whitecoat syndrome”
On the downside, transmission signals could be compromised
Voicemail
Service providers offer a feature to translate a voicemail message into a text message.
The technology is innovative, but what is the accuracy of the transcription?
It takes what was an audio communication and now makes it a stored, electronic communication (PHI to ePHI)
Cannot control who will listen to the voicemail message
Security and Privacy Issues to Consider
Security and Privacy Issues
Exposure to the outside world increases security risks
Messages may include photographs with identifiable features
Posting communications on social media or forwarding to friends/family
Lack of true authentication with any online access/electronic communication
Risk of unintended recipients seeing/hearing a message
What risk mitigation steps does your organization have in place to address these risks?
Risks with Communications
Data may be stored (unencrypted) on the sender’s and the recipient’s:
Phone, tablet, laptop, or workstation
Local cache (memory storage) of messages and/or attachments, pictures, etc.
Cell phone service provider’s servers/cloud storage
Mobile devices are frequently lost or stolen or shared
Messages could be sent via an unsecured communications channel
Open wireless network – Public WiFi
Rogue Wi-Fi networks
Man-in-the-middle attacks
Distribution of malware over unsecured Wi-Fi
Snooping and sniffing
Password and username vulnerability
Risks with Communications
Text messages are not encrypted
Message integrity
Auto-correct!!!
Sending PHI in a text message is a HIPAA violation, unless there is a proper patient consent form
There is a potential for misunderstanding information delivered via electronic messages
Tone
Word choice
Key Regulatory Requirements
HIPAA
Healthcare providers must protect private patient data while rendering patient care as efficiently as possible.
Technology can make day-to-day operations more efficient, but new technologies also bring about new concerns with HIPAA compliance
HIPAA Privacy and Security Rules:
Because PHI is being exchanged, the applicable HIPAA rules apply.
Fines and penalties for PHI data breaches:
Possible fines and corrective action plans (CAPs) from the Office for Civil Rights (OCR)
State attorneys general will take a larger role in enforcing HIPAA
Patient Consent
Patient consent
Patients can choose form of communications in a way which is convenient for them, provided they have been properly informed of the risks.
Help patients make informed decisions.
Ensure employees and physicians are well-versed in privacy and confidentiality
Share accurate and up-to-date information on patient privacy and confidentiality
Reinforce the organization’s commitment to privacy and confidentiality during patient interactions
Provide options for communication methods
Involve caregivers and family members as necessary and appropriate
Risks
Data can be mined or intercepted (unless encrypted).
Providers cannot control where data could possibly flow once it is released.
42 CFR Part 2
Confidentiality of PHI created by Substance Abuse Disorder (SUD) Treatment Programs
Determine when and how some medical records are subject to Part 2.
Segregate records to avoid the entire medical record from becoming subject to Part 2.
Other provisions include:
Medical emergencies
Research
Central registries
Undercover agents and informants
Important considerations include information available on the patient portal, appointment reminders, consent for disclosure, and redisclosure issues
Best Practices
Best Practices
Create or update an existing policy to address communications with patients.
Educate your workforce on the policy.
Send periodic reminders.
Teach them how to educate the patients, too.
Create patient policies pertaining to how the health center/clinic/practice communicates.
Notice of Privacy Practices
Allow patients to:
1. Opt-out of HIEs and fundraising activities
2. Request an alternate means for confidential communications
*Source: HIPAA Privacy Rule: §164.522(b)(1)
Best Practices
Honor patient rights and offer options:
Most importantly – have a consent form
Allow a patient to opt-in/out of communications
Require:
Account lockout after a predetermined number of unsuccessful logon attempts
Strong passwords or multifactor authentication
Encrypt PHI (data at rest/data in transit):
Or implement compensating controls to prevent unauthorized access unless there is a signed consent
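The lockout and multifactor requirements above, worked through as an added example (not code from the presentation or from PYA): a small portal login guard that locks an account after a configurable number of failed attempts within a window, stores passwords as salted PBKDF2 hashes, and verifies a second factor with a from-scratch RFC 4226/6238 HOTP/TOTP implementation. The user store, the salt and the `patient42` account are constructed for the example; the TOTP secret is the published RFC 4226 test-vector key, not a real credential. The current time is passed in as an argument so that lockout expiry can be exercised deterministically.

```python
import hashlib
import hmac
import struct

# Constructed demo values: the salt is made up for this example and the TOTP
# secret is the RFC 4226 test-vector key, so neither is a real credential.
SALT = b"constructed-demo-salt"
TOTP_SECRET = b"12345678901234567890"


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    # Salted PBKDF2 so a leaked user table does not yield plaintext passwords;
    # iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Hypothetical portal user store: password hash plus per-user TOTP secret.
USERS = {
    "patient42": {"pw": hash_password("correct horse battery staple"), "totp": TOTP_SECRET},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, int(now // step))


def totp_matches(secret: bytes, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
    # Accept the current step plus one step either side to tolerate clock drift;
    # constant-time comparison so a partially correct code is not distinguishable.
    if not (code.isascii() and code.isdigit()):
        return False
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code) for d in range(-skew, skew + 1))


class LoginGuard:
    """Account lockout: after max_failures failures inside `window` seconds the
    account is locked for `lockout` seconds, whatever is submitted meanwhile."""

    def __init__(self, max_failures: int = 5, window: int = 900, lockout: int = 900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = {}      # user -> timestamps of recent failed attempts
        self._locked_until = {}  # user -> time at which the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0.0)

    def _note_failure(self, user: str, now: float) -> None:
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            recent = []
        self._failures[user] = recent

    def attempt(self, user: str, password: str, code: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. A wrong second factor counts as a failure too."""
        if self.is_locked(user, now):
            return "locked"
        record = USERS.get(user)
        candidate = hash_password(password)  # computed even for unknown users
        pw_ok = record is not None and hmac.compare_digest(record["pw"], candidate)
        mfa_ok = record is not None and totp_matches(record["totp"], code, now)
        if pw_ok and mfa_ok:
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return "ok"
        self._note_failure(user, now)
        return "locked" if self.is_locked(user, now) else "denied"
```

The guard answers "locked" before it touches the password at all, so a locked account cannot be probed, and a correct password with a wrong code is treated exactly like a wrong password, which keeps the second factor from becoming a separate oracle.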
Best Practices
Apply a “Defense in Depth” strategy for security.
Prevention (proactive)
Access controls; education and training
Detection (reactive)
Audit logs; monitoring
Assurance (proactive)
Assessment of the communication process(es)
Recovery (reactive)
Incident response / data breach notification plan
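The Detection layer above (audit logs; monitoring), as an added example that is not part of the presentation: a monitor that parses a constructed set of patient-portal audit log lines and raises three kinds of alert a privacy or security team would want to see: a burst of failed logins against one account, a patient account attempting to view another patient's record, and a staff account viewing an unusual number of distinct patients in a short time. The log format, the `role`/`action`/`result` fields, the thresholds and all sample lines are assumptions made for this example, not any real product's schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log from a hypothetical patient portal. Format is an
# assumption: ISO timestamp followed by space-separated key=value fields.
SAMPLE_LOG = "\n".join(
    [
        "2019-09-24T10:00:01Z user=P1001 role=patient action=login result=ok ip=203.0.113.10",
        "2019-09-24T10:00:05Z user=P1001 role=patient action=view_record patient=P1001 result=ok ip=203.0.113.10",
        "2019-09-24T10:00:09Z user=P1001 role=patient action=view_record patient=P1002 result=denied ip=203.0.113.10",
    ]
    # six failed logins against one account inside 50 seconds
    + [f"2019-09-24T10:01:{s:02d}Z user=P2045 role=patient action=login result=fail ip=198.51.100.7"
       for s in range(0, 60, 10)]
    # one staff account opening twelve different charts in twelve minutes
    + [f"2019-09-24T10:{10 + i:02d}:00Z user=nurse7 role=staff action=view_record patient=P{3000 + i} result=ok ip=10.0.0.5"
       for i in range(12)]
)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """One log line -> dict of fields with 'ts' as a datetime, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(field.split("=", 1) for field in m.group("kv").split() if "=" in field)
    ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text: str):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per account that accumulates `threshold` login failures within `window`."""
    alerts, fails = [], defaultdict(list)
    for ev in events:
        if ev.get("action") == "login" and ev.get("result") == "fail":
            fails[ev["user"]].append(ev["ts"])
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("failed_login_burst", user, f"{threshold}+ failures within {window}"))
                break
    return alerts


def cross_patient_access(events):
    """A patient account touching any record other than its own; a successful
    access is an authorization failure, a denied one is still worth reviewing."""
    alerts = []
    for ev in events:
        if ev.get("role") == "patient" and ev.get("action") == "view_record" and ev.get("patient") != ev["user"]:
            severity = "critical" if ev.get("result") == "ok" else "warning"
            alerts.append(("cross_patient_access", ev["user"], f"{severity}: {ev['patient']} result={ev['result']}"))
    return alerts


def staff_bulk_access(events, threshold=10, window=timedelta(hours=1)):
    """Staff account viewing more than `threshold` distinct patients inside `window`."""
    alerts, views = [], defaultdict(list)
    for ev in events:
        if ev.get("role") == "staff" and ev.get("action") == "view_record" and ev.get("result") == "ok":
            views[ev["user"]].append((ev["ts"], ev["patient"]))
    for user, items in views.items():
        items.sort()
        for t0, _ in items:
            distinct = {p for t, p in items if t0 <= t <= t0 + window}
            if len(distinct) > threshold:
                alerts.append(("staff_bulk_access", user, f"{len(distinct)} distinct patients within {window}"))
                break
    return alerts


def run_detections(text: str):
    events = parse_log(text)
    return failed_login_bursts(events) + cross_patient_access(events) + staff_bulk_access(events)


if __name__ == "__main__":
    for rule, user, detail in run_detections(SAMPLE_LOG):
        print(f"{rule:22} {user:10} {detail}")
```

Each rule alerts once per account rather than once per line, so a brute-force run against one portal account produces a single ticket; the bulk-access rule is the one that a right-of-access programme most often lacks, since it covers authorized users reading charts they have no treatment relationship with.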
Real Life Scenarios
Examples of Patient Access Issues
Reportable HIPAA breach situations
Violation of the right of access
Machine learning on EMR data
Penalties for Part 2 non-compliance
Questions?
PYA, P.C.
800.270.9629 | www.pyapc.com
Susan Thomas, MSHA, CHC, CIA, CRMA, CPC, CCSFP, CHIAP
Thank you!