The survival of highly regulated industries such as healthcare depends on secure information exchange.
Healthcare organizations, or “covered entities,” as they’re known, exchange large volumes of sensitive data daily: billing and medical records, prescriptions and refill requests, lab requisitions, clinical field trial results, patient clinical data, plus insurance claims, denials, appeals, and invoices.
Traditional analog fax, relic that it is, still transmits over the public switched telephone network. The signal is carried in the clear, but intercepting it requires physical or carrier-level access to the line, and for this reason fax is widely regarded as a more secure form of communication than email. In fact, a report on the health industry’s use of fax machines showed that 75 percent of medical communication in the United States takes place via fax. Recent high-profile cyber-attacks exposing the personal details of millions of customers and patients reinforce the view that email remains a highly vulnerable means of business communication.
However, fax remains a viable means of exchanging protected health information (PHI) for other reasons too. A recent IDC study noted that 25% of large businesses surveyed prefer fax over email because they believe it reduces their risk of violating data privacy regulations. An additional 28% prefer fax because it makes document tracking easier and provides confirmation of the success or failure of each transmission.
Then there’s the regulatory factor. The federal regulators who enforce healthcare data-privacy rules have said that paper-to-paper fax and voice telephone calls are not transmissions of electronic PHI and so fall outside the HIPAA Security Rule (the Privacy Rule still applies to the information itself). This has led to the widespread perception that fax is more compliant than other types of electronic communication for the transmission of PHI.
So fax persists. But the world has changed, and so have old notions about fax reliability. In fact, the issue has taken on greater importance with the Centers for Medicare & Medicaid Services Administrator Seema Verma challenging software developers to make physicians’ offices fax-free by 2020.
The Trouble with Legacy Fax
If you still use a fax machine, multifunction printer, or rely upon on-premises fax servers to transmit your faxes, then you support legacy fax.
This is a huge problem! Why? Because legacy fax can fail in ways that threaten an organization’s data security: a misdialed number or a printout left sitting on a shared machine delivers PHI to whoever happens to see it. And if covered entities in today’s data-driven world can’t keep patients’ PHI free from unauthorized exposure, they had better, well, cover their entities, because HIPAA violations are expensive and can torpedo a reputation, even a livelihood.
Guest post by Martin Edwards, MS, CHC, CHPC, compliance officer, Dell Healthcare.
Patient portals offer an unprecedented opportunity to engage consumers, provide a customized care experience and potentially change behavior. Yet they also introduce new security concerns for both patients and providers.
A question we often hear from healthcare providers regarding security is: How much protection against negligence does meeting the HIPAA requirements really provide? That question is particularly germane to patient portals, which create an additional entry point and more risk to the security of protected health information (PHI). The laws and regulations in these cases can be confusing.
Fortunately for providers, a “safe harbor” is available where the provider can show that the PHI involved was properly encrypted. Under the HIPAA breach notification rule, PHI encrypted in accordance with HHS guidance, which points to National Institute of Standards and Technology (NIST) standards, is no longer considered “unsecured,” so an improper disclosure of it is not treated as a “breach.” The breach notification rule therefore doesn’t apply, and, by extension, the provider can avoid potential fines from the Office for Civil Rights (OCR). The safe harbor holds only as long as the decryption key has not also been compromised, so keys must be stored separately from the encrypted device or data rather than alongside it. Since most breaches of PHI reported to the U.S. Department of Health and Human Services (HHS) to date have involved the theft or loss of unencrypted mobile devices, encrypting the data is a primary defense against data loss and against the consequences of improper disclosure.
While patient portals add risk, they also confer many benefits to healthcare organizations, including enhanced patient-provider communication and empowerment of patients. Some studies have found that portals can also enable better outcomes for patients. These benefits are behind the HIPAA privacy rule’s “right of access,” which allows individuals to examine and obtain a copy of their PHI. Meaningful use requirements also require eligible professionals to exchange secure emails with at least 5 percent of their unique patients. Since portals are an ideal way to meet this requirement, organizations seeking to comply with Stage 2 criteria have an incentive to adopt them.
With the implementation of the Affordable Care Act pushing hospitals and health systems to provide services more efficiently, a significant number of hospitals, health systems and providers are sharing patient information through health information exchanges (“HIEs”) and accountable care organizations (“ACOs”). The advent of both HIEs and ACOs creates additional channels through which protected health information is shared by hospitals, doctors and other providers.
HIEs allow patient information, including lab tests, imaging tests, prescriptions and treatments, to be shared by the participants in the HIE, and their electronic infrastructure is intended to make that exchange secure. Generally, the rights and responsibilities of those entitled to share the information are governed by participation agreements. Many providers believe that sharing data will improve healthcare and promote not only quality of care but efficient care as well. Similarly, the development of ACOs by otherwise independent providers results in more patient information being shared electronically. The advent of both HIEs and ACOs provides another medium for possible breaches of the privacy rule.
The privacy rule requires that covered entities verify the identity and authority of persons requesting Protected Health Information (“PHI”) if the individual requesting it is not known to the entity. The Rule, however, does not specify in great detail the verification that must be made, and thus there is flexibility that can be applied with regard to HIEs and ACOs.
Generally, in an HIE, the participants agree, by contract or otherwise, to provide to the HIE a list of authorized persons so the HIE can authenticate users of the network and confirm that each one is in fact authorized to access it. Documentation required for uses and disclosures may be provided in electronic form, and documentation requiring signatures may be provided as scanned images. It is important from an HIE perspective for the various participants to agree on a common set of privacy safeguards that are appropriate to the risk associated with exchanging PHI to and through the HIE. Similarly, an ACO should establish a common set of privacy safeguards that are appropriate to the privacy risks associated with multiple providers using PHI. These common standards should include a breach notification policy or procedure. To fully understand what must be done, one must have a basic understanding of what is considered a breach.
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by “covered entities.” These entities generally include healthcare clearinghouses, employer-sponsored health plans, health insurers, and healthcare providers.
PHI is any information held by a covered entity concerning the health status, provision of healthcare, or payment for healthcare that can be linked to an individual.
Covered entities must disclose PHI to the individual within 30 days of a request. They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies.