GKC HIMSS Cybersecurity Event, September 24, 2019

Presented by Susan Thomas, MSHA, CHC, CIA, CRMA, CPC, CCSFP, CHIAP, PYA, P.C. KC Office Consulting Manager

Patient Right to Access

How to Communicate Securely in the Technology Age

Prepared for GKC HIMSS Cybersecurity Event Page 1

About PYA

PYA, P.C. is a national healthcare advisory services firm providing consulting, audit, and tax services including:

Regulatory compliance

Risk assessments

Information Technology advisory

Mergers and acquisitions due diligence

Business valuations

Physician Compensation fair market value (FMV) assessments

Strategic planning

Operations optimization

Tax, audit, and assurance

Today’s Objectives

Define Patient Right to Access

Review the methods for electronic patient communication

Consider associated security and privacy issues for each type of electronic communication

Review key regulatory requirements

Discuss best practices for secure patient communications

Work through some real-life examples of patient right to access issues

Special thanks to Tom Walsh for his expertise and contribution to the material in this presentation!

Patient Right to Access

Individual’s Right Under HIPAA to Access Their PHI

Guidance issued by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR)

Outlines the right of patients to request their Protected Health Information (PHI) from a HIPAA covered entity and receive it in a timely manner

The guidance was released in response to ‘obstacles’ faced by patients and was described as “an important step toward ensuring that individuals can take advantage of their HIPAA right of access”*

*Source: https://www.hiv.gov/blog/understanding-individuals-right-under-hipaa-to-access-their-health-information

Individual’s Right Under HIPAA to Access Their PHI

As technology continues to evolve, there has been a push for individuals to be able to access their medical records electronically.

According to Stage 2 Meaningful Use*, eligible providers must give patients the ability to:

View health information online

Download and transmit their health information within four business days of the information being available to the organization

*Source: https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Stage2MedicaidModified_Require.html

Individual’s Right Under HIPAA to Access Their PHI

Practical Application

The rise of digital health tools for PHI access

Mobile apps and portals improve patient engagement.

The availability of tools and platforms caters to increasing patient demand to offer greater PHI accessibility.

Technology offers more convenience and is in lockstep with the rise of the digital health movement.

Inherent risk

Patient identities compromised, stolen, or shared

Direct threat to patient safety and provider medical error liability

Provider reputational damage

Electronic Patient Communication

Electronic Communication

Electronic communication is the dominant mode of human interaction in our society (retail, banking, and now healthcare)

This new normal is possible using personal computing devices that have revolutionized how people live and interact with service providers

Patient engagement and patient experience require new thought leadership on how to positively affect patient communication

Methods for Communicating

Patient portals

Email

Text messages

Instant messaging, chat, social media, etc.

Video conferencing or videotelephony

Voicemail messages

Patient Portals

Why Patient Portals?

Patients want to interact over the internet

Patient portals are convenient for both the patient and the healthcare provider

Patient portal interactions are less expensive for both the patient and the healthcare provider

Meaningful Use objectives

Patient Portal Capabilities

Patient Registration

Scheduling appointments and procedures

Support billing (statement access, make payments)

Patient health records

Patient history gathering

Provider-Patient Messaging

Email

Essential form of communication

Almost everyone has at least one email account

Many personal email accounts are free – and over-trusted!

Data stored in an email is data-mined by the email service provider (PHI contained within an email is therefore exposed)

Free email is often the target of attacks

Malware

Phishing

Social Engineering

Unintentional acts by authorized users

Email providers are vulnerable to hackers – potentially exposing users’ data

Microsoft Just Revealed a Big Email Hack (outlook.com, April 2019)

Texting

Text messaging is often used and preferred by physicians because it is fast and convenient. And everyone always has a smartphone!

Physicians may not have an awareness of:

Regulatory requirements, including:

HIPAA – Health Information Portability and Accountability Act

FCC – Federal Communications Commission

FTC – Federal Trade Commission

MMA – Mobile Marketing Association

The ramifications and personal liabilities that could occur while using text messaging

No guarantees . . .

Texting was not designed to be reliable, and it is not priority traffic for cellphone towers.

Texts may be delayed depending on the strength of the network in the area and overall text volume being handled on the provider’s network

Texting PHI

On December 28, 2017, CMS issued a Memorandum* on text messaging:

Texting patient information among members of a healthcare team is permissible if accomplished through a secure platform.

Texting patient orders is prohibited regardless of the platform.

Computerized Provider Order Entry (CPOE) is the preferred method of order entry by a provider.

*Source: https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-18-10.pdf

Instant Messaging/Online Chat

On-demand conversations with patients

Easy way for patients to ask questions and make an appointment

Example: Website has a chat box that pops up

Near real-time communications

Example: Facebook Messenger, WhatsApp

Telehealth/Telemedicine

The Compelling Case for Telehealth

“De-Limits” healthcare services

Video, mobile apps, text-based messaging, sensors, and social platforms deliver health services in a way that is independent of time or location.

Improves patient satisfaction

Access to care, improved communication, greater control over care, decreased transmission of communicable diseases, eliminates transportation issues

Enhances efficiency

Mobile imaging; interacting with patients in their own environment; removing the incidence of “white coat syndrome”

On the downside, transmission signals could be compromised

Voicemail

Service providers offer a feature to translate a voicemail message into a text message.

The technology is innovative, but how accurate is the transcription?

It takes what was an audio communication and now makes it a stored, electronic communication (PHI to ePHI)

Cannot control who will listen to the voicemail message

Security and Privacy Issues to Consider

Security and Privacy Issues

Exposure to the outside world increases security risks

Messages may include photographs with identifiable features

Posting communications on social media or forwarding to friends/family

Lack of true authentication with any online access/electronic communication

Risk of unintended recipients seeing/hearing a message

What risk mitigation steps does your organization have in place to address these risks?

Risks with Communications

Data may be stored (unencrypted) on the sender’s and the recipient’s:

Phone, tablet, laptop, or workstation

Local cache (memory storage) of messages and/or attachments, pictures, etc.

Cell phone service provider’s servers/cloud storage

Mobile devices are frequently lost, stolen, or shared

Messages could be sent via an unsecured communications channel

Open wireless networks – public Wi-Fi

Rogue Wi-Fi networks

Man-in-the-middle attacks

Distribution of malware over unsecured Wi-Fi

Snooping and sniffing

Password and username vulnerability

Risks with Communications

Text messages are not encrypted

Message integrity

Auto-correct!!!

Sending PHI in a text message is a HIPAA violation, unless there is a proper patient consent form

There is a potential for misunderstanding information delivered via electronic messages

Tone

Word choice

Key Regulatory Requirements

HIPAA

Healthcare providers must protect private patient data while rendering patient care as efficiently as possible.

Technology can make day-to-day operations more efficient, but new technologies also bring about new concerns with HIPAA compliance

HIPAA Privacy and Security Rules:

Because PHI is being exchanged, the applicable HIPAA rules apply.

Fines and penalties for PHI data breaches:

Possible fines and corrective action plans (CAPs) from the Office for Civil Rights (OCR)

State attorneys general will take a larger role in enforcing HIPAA

Patient Consent

Patient consent

Patients can choose the form of communication that is convenient for them, provided they have been properly informed of the risks.

Help patients make informed decisions.

Ensure employees and physicians are well-versed in privacy and confidentiality

Share accurate and up-to-date information on patient privacy and confidentiality

Reinforce the organization’s commitment to privacy and confidentiality during patient interactions

Provide options for communication methods

Involve caregivers and family members as necessary and appropriate

Risks

Data can be mined or intercepted (unless encrypted).

Providers cannot control where data could possibly flow once it is released.

42 CFR Part 2

Confidentiality of PHI created by Substance Abuse Disorder (SUD) Treatment Programs

Determine when and how some medical records are subject to Part 2.

Segregate records to prevent the entire medical record from becoming subject to Part 2.

Other provisions include:

Medical emergencies

Research

Central registries

Undercover agents and informants

Important considerations include information available on the patient portal, appointment reminders, consent for disclosure, and redisclosure issues

Best Practices

Best Practices

Create or update an existing policy to address communications with patients.

Educate your workforce on the policy.

Send periodic reminders.

Teach them how to educate the patients, too.

Create patient policies pertaining to how the health center/clinic/practice communicates.

Notice of Privacy Practices

Allow patients to:

1. Opt-out of HIEs and fundraising activities

2. Request an alternate means for confidential communications

*Source: HIPAA Privacy Rule: §164.522(b)(1)

Best Practices

Honor patient rights and offer options:

Most importantly – have a consent form

Allow a patient to opt-in/out of communications

Require:

Account lockout after a predetermined number of unsuccessful logon attempts

Strong passwords or multifactor authentication

Encrypt PHI (data at rest/data in transit):

Or implement compensating controls to prevent unauthorized access unless there is a signed consent

Best Practices

Apply a “Defense in Depth” strategy for security.

Prevention (proactive)

Access controls; education and training

Detection (reactive)

Audit logs; monitoring

Assurance (proactive)

Assessment of the communication process(es)

Recovery (reactive)

Incident response / data breach notification plan
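The two Best Practices slides above name a prevention control (account lockout after a predetermined number of unsuccessful logon attempts, behind strong credentials) and a detection control (audit logs and monitoring) for a patient portal. The following is an added example, not code from the presentation or from PYA, showing how the two fit together: the portal is hypothetical, and the lockout threshold and duration are constructed values the slides do not specify.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed policy values for a hypothetical portal; the slides name the controls, not numbers.
MAX_FAILED_LOGONS = 5
LOCKOUT_SECONDS = 15 * 60


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_logons: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the portal never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(username: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


class Portal:
    def __init__(self):
        self.accounts = {}
        self.audit_log = []  # (timestamp, event, username): the detection record

    def _audit(self, event, username, now):
        self.audit_log.append((now, event, username))

    def login(self, username, password, now):
        # Prevention control: returns "ok", "denied" or "locked"; `now` is epoch seconds.
        acct = self.accounts.get(username)
        if acct is None:  # same outward result as a bad password
            self._audit("LOGON_FAILURE_UNKNOWN_USER", username, now)
            return "denied"
        if now < acct.locked_until:
            self._audit("LOGON_REJECTED_LOCKED", username, now)
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_logons = 0
            self._audit("LOGON_SUCCESS", username, now)
            return "ok"
        acct.failed_logons += 1
        self._audit("LOGON_FAILURE", username, now)
        if acct.failed_logons >= MAX_FAILED_LOGONS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_logons = 0
            self._audit("ACCOUNT_LOCKED", username, now)
            return "locked"
        return "denied"


def accounts_locked_between(audit_log, since, until):
    # Detection control: distinct accounts locked in a window; a spike across many
    # accounts points to a credential-stuffing run rather than one patient mistyping.
    return len({u for t, e, u in audit_log
                if e == "ACCOUNT_LOCKED" and since <= t <= until})
```

The monitoring query is the piece most portals omit: the lockout alone stops the guessing, but only the audit log tells the security team that it happened and how widely.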

Real Life Scenarios

Examples of Patient Access Issues

Reportable HIPAA breach situations

Violation of the right of access

Machine learning on EMR data

Penalties for Part 2 non-compliance

Questions?

PYA, P.C.

800.270.9629 | www.pyapc.com

Susan Thomas, MSHA, CHC, CIA, CRMA, CPC, CCSFP, CHIAP

[email protected]

Thank you!