Author: Scott Rupp

Dispelling the Myths about HIPAA Compliance

Guest post by Erik Kangas, CEO, LuxSci.

Electronic protected health information (ePHI) is patient information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance is a complex and confusing topic, and it only gets more daunting when it comes to communication between providers and patients. If you are sending protected health information over email as a healthcare organization or a healthcare organization’s business associate, HIPAA compliance applies to you. With fines for breaches that can land upwards of a million dollars, it’s a subject that is not to be taken lightly by any organization. Let’s take a moment to settle the score on the myths and facts revolving around ePHI and HIPAA-compliant emails.

Myth: All email is HIPAA-compliant

This is a dangerously false assumption. It may come as a surprise that most free email services are not HIPAA-compliant. This includes big players such as Yahoo!, Gmail, and Hotmail. No, ePHI should never be sent through these systems. If you must send ePHI to run your business, seek out an email provider that specializes in HIPAA compliance and is specifically geared towards protecting you and the patient data that flows through your organization.

Myth: My business is too small to worry about HIPAA

Practices and organizations of all sizes get hit with HIPAA violation fines – no one is exempt. HIPAA regulations apply across the board, regardless of the size of your business. Penalties for not being compliant can range from a simple slap on the wrist to a fine of $100 per email that contains ePHI sent through an unencrypted avenue. HIPAA compliance is everyone’s responsibility, and no business is too small to suffer a surprise audit that results in business-crushing fines. Protect yourself up-front by adhering to HIPAA guidelines, and you won’t find your business under the gun for non-compliance.

Myth: Any email with PHI must have encryption

If emails are sent in-office over a secure network, encryption over e-mail is not necessary. But once that email is sent out of the office over a wide area network, or through the internet, encryption is a must.

Myth: The recipient must have encrypted email

The majority of patients use a free, non-encrypted email host. According to the HIPAA Omnibus Rule, patients have the right to request that their ePHI be sent to them via an unsecured email system. Many secure email systems can send secure messages to people without secure email – and that can be okay. But it’s important to document that request from the patient and also to inform them that when using unsecured email and waiving their right to receive their ePHI privately, they inherit the risk of a potential security breach. Documentation protects you from future accusations of negligence.

Managing Your Business Associate Agreements: Ongoing Reviews an Important Part of Compliance

Last fall, the provisions governing Business Associate Agreements under the HITECH law went into effect. Many covered entities used templates and models offered by professional societies and the Department of Health and Human Services, but it’s becoming increasingly clear that the “model” agreements were simply a stopgap measure, and that organizations that use BAAs need to conduct ongoing reviews of the documents and customize the language to meet the individual needs of their company.

The need for ongoing reviews to business associate agreements stems from an increased focus on compliance, and audits from the Office of Civil Rights (OCR) in DHHS. In the past, HIPAA compliance audits were limited to specifically covered entities, such as doctors’ offices and hospitals. Using HIPAA-compliant providers like healthcare fax companies to transmit protected data on their encrypted servers has been the best way for health care professionals to avoid audit issues.

However, the provisions of HITECH allow for audits of subcontractors as well, ensuring that they too are complying with the privacy and security policies of the act. Essentially, then, a business associate agreement serves as an agreement by the subcontractor that it will adhere to the rules and standards of HIPAA — and they understand the consequences of noncompliance.

Some argue that the notion of business associate agreements is outdated, given that HITECH holds all subcontractors who have access to HIPAA-protected data to the same privacy and security standards as the covered entity itself, even without the written agreement. The law still states, though, that covered entities must negotiate and maintain compliant BAAs with the companies that have access to their data — even those that may not directly have access to the data.

The simple fact that the OCR is conducting audits of business associate agreements and the companies covered by the agreements highlights the importance of maintaining up-to-date and comprehensive agreements — meaning that the “boilerplate” agreement that you signed to meet the basic compliance standards may not be enough at this point.

Considerations for Review

Since it’s been a year since the new provisions went into effect, it’s very likely that your BAAs are reasonably up-to-date, and in compliance with the laws. That being said, if you used a template, or you only made minor changes to existing agreements, it’s best to review the agreements you have on file to ensure they comply with current law.

Many experts agree that BAAs should be reviewed at least once a year or more often if they expire, or if there are significant changes to the business relationship.

When reviewing your business associate agreements, there are a few key points to pay close attention to:

Peyton Manning Slated as Closing Speaker at HIMSS16 in Las Vegas

Big news from HIMSS today about HIMSS16, especially for sports fans. What may make the following news even bigger is if Peyton Manning is in the midst of a retirement reflection period following this current football season. What news it would be if he decided to make an announcement about the future of his career from the HIMSS podium — HIMSSanity!

Here’s the full announcement:

Denver Broncos quarterback Peyton Manning, the NFL’s only five-time Most Valuable Player and a 14-time Pro Bowl selection, will be the closing keynote speaker at HIMSS16. He takes to the podium at 1 p.m. PDT, on Friday, Mar. 4, 2016. The HIMSS Conference & Exhibition ranked as the largest medical conference in North America during the first half of 2015 (Trade Show Executive, September 2015).

Peyton Manning has earned his place among the greatest quarterbacks in league history as the active leader in nearly every statistical passing category.

In each of his three seasons with Denver, Manning has led the Broncos to an AFC West Division title and a first-round playoff bye. During that time, he ranks first in the NFL in regular-season wins, passing touchdowns and completion percentage.

Named 2013 Sportsman of the Year by Sports Illustrated, Manning’s season ended with a trip to Super Bowl XLVIII, making him only the third quarterback in NFL history to lead multiple teams to a Super Bowl.

For his actions off the field, Manning was honored as the recipient of the Byron “Whizzer” White Humanitarian Award and the NFL’s Walter Payton Man of the Year in 2005 as well as the Bart Starr Award in 2015.

Manning serves as a member of the American Red Cross National Celebrity Cabinet and The Pat Summitt Foundation Advisory Board. He and his wife, Ashley, established the PeyBack Foundation in 1999 to promote the future success of disadvantaged youth by assisting programs that provide leadership and growth opportunities for children at risk.

HHS Issues Final Meaningful Use Rule

The Centers for Medicare & Medicaid Services (CMS) and Office of the National Coordinator for Health Information Technology (ONC) today released final rules that simplify requirements and add new flexibilities for providers to make electronic health information available when and where it matters most and for health care providers and consumers to be able to readily, safely, and securely exchange that information. The final rule for 2015 Edition Health IT Certification Criteria (2015 Edition) and final rule with comment period for the Medicare and Medicaid Electronic Health Records (EHRs) Incentive Programs will help continue to move the health care industry away from a paper-based system, where a doctor’s handwriting needed to be interpreted and patient files could be misplaced.

“We have a shared goal of electronic health records helping physicians, clinicians, and hospitals to deliver better care, smarter spending, and healthier people.  We eliminated unnecessary requirements, simplified and increased flexibility for those that remain, and focused on interoperability, information exchange, and patient engagement. By 2018, these rules move us beyond the staged approach of ‘meaningful use’ and focus on broader delivery system reform,” said Dr. Patrick Conway, M.D., M.Sc., CMS deputy administrator for innovation and quality and chief medical officer. “Most importantly we are seeking additional public comments and plan for active engagement of stakeholders so we take time to get broad input on how to improve these programs over time.”

HHS heard from physicians and other providers about the challenges they face making this technology work well for their individual practices and for their patients. In recognition of these concerns, the regulations announced today make significant changes in current requirements. They will ease the reporting burden for providers, support interoperability, and improve patient outcomes.  Providers can choose the measures of progress that are most meaningful to their practice and have more time to implement changes to program requirements. Providers are encouraged to apply for hardship exceptions if they need to switch or have other technology difficulties with their EHR vendor. Additionally, the new rules give developers more time to create user-friendly technologies that give individuals easier access to their information so they can be engaged and empowered in their care.

As part of today’s regulations, CMS announced a 60-day public comment period to gather additional feedback about the EHR Incentive Programs going forward, in particular with the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA), which established the Merit-based Incentive Payment System and consolidates certain aspects of a number of quality measurement and federal incentive programs into one more efficient framework. We will use this feedback to inform future policy developments for the EHR Incentive Programs, as well as consider it during rulemaking to implement MACRA, which we expect to release in the spring of 2016.

CHIME Responds to Modified Meaningful Use Rules

Following the release today of the finalized modified rules for the current stage of meaningful use, CHIME released the following statement, summarizing the position of many in healthcare. Overall, the organization supports the modifications, including the adopted 90-day reporting period:

We are pleased that the Centers for Medicare & Medicaid Services today finalized modifications to the current stages of the Meaningful Use program and agreed to extend the comment period on Stage 3. CHIME and its 1,700-plus members agree with CMS that it is time to focus the meaningful use program on adoption of information technology systems that improve both the quality and safety of patient care.

The 752-page rule grants flexibility for providers who are doing their best to not only meet the intent of the federal program, but also ensure the adoption of health information technology that improves patient care.

Importantly, the rule adopts a 90-day reporting period for the current stages of the program, down from 365 days. CHIME has long called for a 90-day reporting period and applauds CMS for adopting this new standard. While several members are positioned to take advantage of this shorter period, others will be challenged to meet it since there are fewer than 90 days remaining in the year. We urge CMS to implement a hardship exemption for those unable to meet this timeframe.

CHIME also applauds the agency for modifying requirements surrounding patient access to electronic records. The rule stipulates that for 2015 and 2016, one patient discharged from a hospital view, download or transmit their electronic record.

With regard to Stage 3, the extra comment period will enable providers, CMS and other stakeholders to ensure that the next stage of Meaningful Use advances interoperability and takes into account new payment models being advanced by Medicare.

Also today, the Office of the National Coordinator for Health Information Technology finalized a rule on certification of electronic health records. CHIME supports key provisions in the rule that should lead to greater transparency regarding vendor products; improved testing and surveillance of health IT, and an improved focus on user-centered design.

We are reviewing the regulations and will have more detailed comments in the coming days.

Health IT Startup: TapCloud

TapCloud creates a real-time stream of data that enables care teams to quickly grasp whether a patient is getting better or worse, assess the effectiveness of treatments and medications and identify the onset of emerging complications. TapCloud is currently being used in settings from single practitioner to national hospital systems.

 

Elevator pitch

TapCloud allows patients and providers to communicate in ways never before possible to improve the doctor/patient relationship, focus clinicians on patients that need the most attention and ensure that the patients that require services receive them in a timely manner to maximize health benefits to the patient (including quality of life, not just physical issues) and minimize the expenditure of health resources.

Product/service description

TapCloud is a solution for gathering key patient information in between clinical visits. There are two parts to the TapCloud solution: a patient-facing instructional and information collecting APP and a web-based clinician dashboard. Typical use is for patients to follow/consume their provider-based care plan/educational info and enter their well-being, pain levels, symptoms, side effects, medication compliance and vitals into the APP (unique design allows patients to complete this in less than 1 minute per day). This information is then presented in a comprehensive dashboard that allows clinicians to rapidly interpret key insights into a patient’s overall well-being. Based on this patient reported information, clinical protocols will dictate if any specific patient needs to be seen, have a home health visit or meds adjusted, etc.

Origin story

Our CEO, Tom Riley, is a former health insurance executive who spent the past 25 years living at the intersection of healthcare and technology. A few years ago, after his mom was diagnosed with ovarian cancer, his experience with the healthcare system became much more personal as he became a primary caregiver for her. During that time he attended office visits with his mom on a regular basis, and discovered that there is an inherent gap in communications between the way doctors organize/accept information from patients, and the way patients organize and deliver information to their doctors and other clinical staff.

Over and over again, he found himself serving as a translator between his mom and her doctors. He would help his mom by creating easy to understand checklists of things she was supposed to be doing each day, activity, medications, etc. And he would help the doctors by keeping track of his mom’s symptoms and watching for developing complications and then making sure that the information was shared during her appointments. It frequently made a significant impact on the diagnosis of issues, and the assessment of treatment effectiveness. It also helped his mom regain a measure of “quality of life” by making sure that even non-critical complications like chronic constipation were identified and addressed.

After his mom passed away, he decided to devote his time to taking what he had learned first-hand and developing a solution to improve patient-doctor communications in acute-care settings like post-surgical recovery and chemotherapy and since has morphed into a chronic disease management solution as well. TapCloud runs on smart-phones and tablets and includes personalized services for the patient, helping them organize and customize generic discharge/care plan instructions into a personalized daily plan for them to follow. At the same time, the technology uses a sophisticated, but incredibly easy to use, interface to probe for indications of developing complications and/or medication side-effects. It allows clinicians to effectively monitor patient progress remotely and focus their attention on the right patients. It also ensures that doctors are aware of all of the issues affecting a patient, not just the life-threatening ones that have their patients end up in the ED or admitted to the hospital without them even realizing their patients were experiencing any issues.

Medicare Advantage Value-Based Insurance Design Model: Increasing Beneficiary Engagement

Guest post by Ken Perez, vice president of healthcare policy, Omnicell.

“I get by with a little help from my friends.”– The Beatles

In simple terms, healthcare delivery reform under the Patient Protection and Affordable Care Act (ACA) is catalyzed by the Centers for Medicare and Medicaid Services (CMS) through establishment of performance standards or goals and application of behavioral economics—financial carrots and sticks—to encourage improved quality and reduced cost. The financial incentives—both positive and negative—are usually offered to healthcare provider organizations, such as accountable care organizations, which are on the hook to meet numerous quality measures and hold costs below targeted benchmarks, or commercial health insurers running Medicare Advantage plans, which pass along some of the onus to maintain quality performance onto providers.

However, these applications of behavioral economics do not directly target or impact the central player in the healthcare system—the individual member or patient. Engagement by the patient in their care is critical and explains why billions of dollars are spent each year on patient outreach and communications, as well as development and promotion of consumer-friendly apps and wearable devices. When patients are engaged, the healthcare system can more effectively and efficiently prevent, diagnose and treat health conditions.

On Sept. 1, 2015, CMS’s Center for Medicare and Medicaid Innovation (Innovation Center) announced the Medicare Advantage (MA) Value-Based Insurance Design (VBID) Model, an initiative that will test whether allowing health plans administering MA plans to offer targeted additional benefits or reduced cost sharing to enrollees who have certain chronic conditions will result in better quality and more cost-effective care.

The model’s goals are to enhance enrollee health, decrease the use of avoidable high-cost care, and reduce costs for MA plans, beneficiaries, and ultimately, the Medicare program. The model focuses on MA enrollees with the following chronic conditions: diabetes, congestive heart failure, chronic obstructive pulmonary disease (COPD), past stroke, hypertension, coronary artery disease, and mood disorders.

The MA VBID Model will take effect Jan. 1, 2017, and run for five years in seven states which were deemed representative of the overall national MA market: Arizona, Indiana, Iowa, Massachusetts, Oregon, Pennsylvania, and Tennessee.

Hello, ICD-10: A Moment of Silence

It’s here. The day has arrived. The biggest thing to happen to the administration of healthcare in decades is upon us: Today is ICD-10 conversion day.

It’s been a long and winding road. But we’re here. The trip has certainly not been easy and there have been multiple detours. But, the destination has arrived. “Momma, are we there yet?”

Yes.

Take a breath. Stretch your legs and try to find some joy in the tumultuous trip. You’ve earned it. It’s been a long ride.

But the trip is not over yet. Like all road trips, there’s the way back. And that, too, is a long road ahead. There’s still much to see and do, and much to prepare. Much to look forward to on the road ahead.

For a minute, though, on perhaps the most important day, why not take a moment to reflect on the journey and congratulate yourself on a job done well, which you’ve done with integrity and professionalism, in which you have been filled with excitement and glib, where you’ve experienced pain, pressure and perhaps even a little joy as you pushed yourself to the max.

Many of us never thought this day would come. Some of you hoped it never would.

Now, thankfully, we can move on to a new goal, a new destination.

The time has finally come.

It’s been a long road to “here.”

A moment of silence is deserved, if not required.