Sharing of Secure Patient Information Requires Strong Breach and Notification Policies

Roy Bossen

Guest post by Roy Bossen, partner, Hinshaw and Culbertson.

With the implementation of the Affordable Care Act pushing hospitals and health systems to provide services more efficiently, a significant number of hospitals, health systems and providers are sharing secure patient information through health information exchanges (“HIEs”) and accountable care organizations (“ACOs”). The advent of both HIEs and ACOs creates additional opportunities for protected health information to be shared by hospitals, doctors and other providers.

HIEs allow patient information, including lab tests, imaging tests, prescriptions and treatments, to be shared by the participants in the HIE. The development of these electronic HIEs allows for the secure exchange of health information among the entities participating in the HIE. Generally, the rights and responsibilities of those entitled to share the information are governed by participation agreements. Many providers believe that sharing data will improve healthcare and promote not only quality of care but efficient care as well. Similarly, the development of ACOs by otherwise independent providers results in more patient information being shared electronically. The advent of both HIEs and ACOs provides another medium for possible breaches of the privacy rule.

The privacy rule requires that covered entities verify the identity and authority of persons requesting Protected Health Information (“PHI”) if the individual requesting it is not known to the entity. The Rule, however, does not specify in great detail the verification that must be made and, thus, there is flexibility in how it can be applied with regard to HIEs and ACOs.

Generally, in an HIE, the participants agree, by contract or otherwise, to provide to the HIE a list of authorized persons so the HIE can appropriately authenticate users of the network. Documentation required for uses and disclosures may be provided in electronic form, and documentation requiring signatures may be provided as scanned images. It is important from an HIE perspective for the various participants to agree on a common set of privacy safeguards that are appropriate to the risk associated with exchanging PHI to and through the HIE. Similarly, with ACOs, the ACO should establish a common set of privacy safeguards that are appropriate to the privacy risks associated with multiple providers using PHI. These common standards should include a breach notification policy or procedure. To fully understand what must be done, one must have a basic understanding of what is considered a breach.

Lessons Learned Deploying a BYOD Solution

Jason Thomas

Guest post by Jason Thomas, CIO and IT director of Green Clinic Health System, and Dell Software solutions user.

Across the healthcare landscape, organizations are expected to be in complete compliance with all security and privacy policies on all devices – even personal devices brought in by doctors, nurses, clinicians and administrators.

Being compliant involves many things, including training staff, revising business agreements, modifying policies, staying up-to-date on the newest technologies and updating notices of privacy practices as new regulations go into effect – such as the HIPAA Omnibus Final Rule.

While most of the industry’s current compliance strategies are focused on maintaining privacy and protecting patient data, the more recent addition of bring-your-own-device (BYOD) brings a whole new level of complexity into the compliance equation.

David Willis, vice president and distinguished analyst at Gartner, recently stated, “BYOD strategies are the most radical change to the economics and the culture of client computing in business in decades.” He added that the benefits of BYOD include creating new mobile workforce opportunities, increasing employee satisfaction and reducing or avoiding costs.