By Courtney Tesvich, vice president of regulatory, Nextech.
Data interoperability is once again poised to take a giant leap forward and there are many factors propelling this evolution. For example, the Office of the National Coordinator’s (ONC) March 2020 introduction of the interoperability rule as part of the 21st Century Cures Act is set to advance interoperability regulations. COVID-19’s spotlight on the need for data transparency and seamless information exchange to enable efficient care delivery across diverse settings is revealing a critical use case.
The rapid onboarding and use of telehealth to virtually deliver safe and secure healthcare underscores the importance of modernizing interoperable solutions. Given all these factors, the time is right for healthcare organizations to evolve their thinking around data sharing.
While larger, multi-setting health systems may have teams of people dedicated to advancing their organization’s interoperability strategy, smaller entities (including specialty physician practices) are often left to figure out the right path forward on their own. This can be overwhelming, and it may be tempting for smaller organizations to delay work on this issue. However, it will only postpone the inevitable.
Over the next two years, the capabilities and requirements to exchange electronic health information will change drastically. The ONC is allowing two years to implement the new interoperability requirements and technology will likely change in that time. So, starting the effort now can make it easier to adapt as solutions evolve. The bottom line? To meet this deadline, practices need to develop their strategies, update compliance efforts, understand upcoming changes and begin to update processes to ensure they are fully prepared for the near future.
But how can an organization get started? Here are a few steps to consider.
Educate yourself on the intent and nuances of the ONC rule. The primary goal of the interoperability rule is to give patients greater access to their health information and allow them to share the data more easily with all providers. As electronic health record (EHR) vendors continue to develop their products to meet the updated requirements, more information than ever before will be available electronically both for patient use and for exchange. Factors that providers should be aware of include:
Future availability of free text notes in the patient portal as well as nearly all lab, radiology and pathology results. As EHR vendors develop and certify to the US Core Data for Interoperability requirements, patients will see additional data beyond the previously available CCDA information in their portal, including visit notes.
Patients will be able to seamlessly select independent apps to aggregate their own health records.
Ensure your practice understands how to handle requests for information in a timely manner. This includes requests by patients for their data as well as data requests by insurance companies, employers and consumer-facing apps. Develop a policy and train staff before the new Information Blocking deadline of April 5, 2021. Ensure you continue to follow HIPAA guidelines as well.
Practices will also need to regularly update clinician information in federal databases.
These suggestions merely scratch the surface of what the new rule requires. Providers should delve deeper and make sure they are moving towards compliance and not inadvertently standing in the way of information exchange.
Since the invention of the stethoscope, technology and innovation have been transforming how the healthcare industry delivers improved standards of care for individuals in every field of medicine. A more recent example of this is the widespread adoption of telehealth capabilities to bring care directly to patients no matter where they are.
This adoption trend has accelerated in response to COVID-19, when the use of telehealth technology skyrocketed with 48% of physicians meeting patients online in April. Since then, telehealth appointments have begun to level off and decline, but over the past year and the foreseeable future, telehealth and the delivery of care through screens and mobile devices will likely play a key role in the future of healthcare.
However, the increased use of telehealth creates additional risks stemming from increased data generation and data sharing, such as video recordings, email exchanges between physicians and patients, and broader sharing of protected health information (PHI) between patients, providers and third-party organizations. This level of sharing increases the likelihood that data may become stored in an unsecured location. For healthcare providers and all other organizations that handle PHI, the challenge now is to get a better grasp on compliance, protect patient data and mitigate the risk of malicious actors or reputation-damaging fines. Here’s how to do it:
Understanding the Rising Risk to Patient Data
The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 and has since served to give patients power over their health records and hold healthcare organizations and their partners accountable for safeguarding the PHI data of patients.
HIPAA generally applies to PHI in all forms, but the Security Rule applies specifically to electronic PHI (ePHI). As telehealth becomes a new normal and the administrative workforce continues to work remotely, ePHI’s presence will proliferate, making compliance an even more extensive task. While telehealth offers many tangible benefits to patients and providers, it is also a double-edged sword that requires heightened attention not just now but at all times. Here are a few things to keep in mind:
The patient was prepped and ready on the operating table when the surgeon realized he only had a report of a CT scan and would need the actual images that were taken by another health system to successfully perform the procedure. Normally, this would either delay the surgery or tempt the doctors to try the procedure without all the relevant information.
Luckily for everyone involved, the hospital was a participant of a health information exchange (HIE). Within a few minutes, the surgeon had access to the necessary images through our secure portal and began a successful operation.
Interoperability is critical for planned and unplanned procedures. Today, COVID-19 patients often enter a hospital short of breath in desperate need of emergency attention – yet, as many hospitals work now, that patient is expected to produce their extensive medical record of allergies, conditions, medications, and previous operations while gasping for air.
Although medicine continues to greatly advance, most care providers still dwell in the world of dinosaurs: faxing, printing, burning CD-ROMs, and relying on the patient’s ability to produce medical histories.
A recent report by the National Academy of Medicine found that workflow and inadequate technology usability were major factors contributing to America’s alarming medical staff burnout rate. Customers who use modern network technology greatly benefit from seamless access to patient files that used to lie beyond their health system’s servers, easily communicating between other healthcare providers and patients themselves. Patient care is hard enough today without technical and communication failures.
covered entity and a business associate. It is a HIPAA law created to ensure that all of the HIPAA compliance risks (administrative, physical, and technical) are identified, and a roadmap is designed to plan the fixes necessary to resolve the issues found.
The risk assessment was not part of the original Health Insurance Portability and Accountability Act of 1996. Instead, it was first introduced in the 2003 Privacy Rule and Security Rule amendments and was then further expanded upon in the Final Omnibus Rule of 2013.
HIPAA legislation defines a Covered Entity (CE) as anyone that handles PHI during day-to-day business operations. Most businesses working in the healthcare industry are considered Covered Entities.
The U.S. Department of Health and Human Services (HHS) officially defines a CE as: Healthcare Providers such as doctors, dentists, nursing homes, pharmacies, health insurance companies, HMOs, Medicare, Medicaid, and Clearinghouses.
A business associate is any third party business or organization that handles individually identifiable health data on behalf of a covered entity, and the risk assessment is often considered the starting point to achieve HIPAA compliance.
What is a risk assessment?
A risk assessment is commonly the first task undertaken when a covered entity and a business associate enter into a Business Associate Agreement (BAA). Its purpose is to identify areas within the business that process, store, and transmit protected health information (PHI) that are in the scope of HIPAA compliance.
PHI is patient data that the law is meant to safeguard, such as data that can be used to identify an individual personally. Examples may include patient names, email addresses, social security numbers, insurance certificates, and so on.
It takes a pandemic to reveal how much digital technologies are ignored in the healthcare sector. The COVID-19 pandemic is dramatically transforming the healthcare sector and how professionals gather medical intelligence. Almost every physician worldwide has been part of a telemedicine movement to encourage patients to embrace safe and virtual appointments.
Consequently, preparing for a virtual appointment requires some getting used to. As a rule of thumb, patients can struggle to explain some of their symptoms, even in face-to-face interaction. That’s where real-time medical examination can help reduce misunderstandings.
In the virtual world, gathering evidence such as taking photos or filming a video that shows your symptoms and asking the right questions can guide the doctor to the appropriate diagnosis.
However, while we focus on making telehealth more accessible to patients, we also need to prepare doctors to make the most of it.
Find reliable HIPAA-compliant hosting
Gathering and storing digital data is not a novelty for healthcare centers. Nevertheless, keeping data storage HIPAA-compliant can become a challenge with the increased number of telehealth appointments. Protecting patients’ records in a fully digital world means relying on a highly secured data hosting strategy, as per Atlantic.net.
Contrary to common belief, there is no such thing as a HIPAA hosting body that can verify the compliance claims of each provider. For healthcare centers that need to adapt to the growing telemedicine demand, the quest for a robust and reliable HIPAA hosting provider becomes tricky and expensive.
By Rahul Varshneya, founder and president, Arkenea.
Cloud computing has become the new watchword for healthcare organizations across the globe. The adoption of cloud technology has been escalating at a frenetic pace and, as recent research suggests, the global market for cloud technologies in the industry is expected to reach $35 billion by 2020.
The underlying reason behind the recent hype in this technology is simple though. If healthcare institutions were plainly service providers before, today, they’re true technology organizations that now depend on their IT departments for administrative, clinical, and financial purposes. And that’s not all. As new payment models are added to the equation and patient expectations change, technology has become vital to drive efficiency and improve patient care.
In this article, we’ll be looking at a few things that have been made possible in healthcare due to the rapid adoption of cloud technology.
1) Reduced Costs of Data Storage
On-premises healthcare data centers not only demand an investment in hardware ahead of time, but they also come with ongoing costs of maintaining physical spaces, servers, and cooling solutions among many other things.
“Cloud solutions are very beneficial from the standpoint that as you migrate data, you don’t need to maintain your own datasets which can be costly and expensive,” explains Forward Health Group CTO Jeff Thomas. “Maintaining datasets on-site can also be expensive in that it takes up real estate which can sometimes be used for something else.”
By managing the structure, harmonious functioning and maintenance of cloud storage services, cloud computing vendors can significantly aid organizations in lowering their data storage costs and enable them to concentrate their efforts on caring for their patients.
Healthcare organizations can also leverage custom cloud EMR or EHR software to fit the needs of their specific practice. That way, they get exactly what they’re looking for without them having to dig a hole in their pockets.
The scale of the coronavirus pandemic is impacting every facet of daily life. As COVID-19 continues its global spread, authorities are restricting large gatherings of people and enforcing stay at home protocols. This crisis is forcing us to adapt to a “new normal,” and technology is taking center stage to help us through the transition.
In fact, as the popularity and usefulness of video delivery over the internet grows, reports reveal that live streaming has already attracted 47% more users than this time last year. Through the influx of telehealth, remote learning, remote video conferencing and canceled events, live streaming has become a versatile — and essential — tool that is changing the way we stay in contact with others, particularly in the age of social distancing.
Live streaming is gaining in popularity across many different industries. Until the advent of live streaming technologies, 911 operators only had one source of information to assess an emergency situation: the caller. Now, thanks to advances in live streaming technologies, 911 operators are empowered with unprecedented access to emergency situations via live video.
Carbyne, a technology company that delivers actionable data from connected mobile devices to emergency communications centers, uses live streaming to enhance critical response capabilities. Through the combination of real-time video and location data, Carbyne provides emergency personnel with a more accurate assessment of the scene before they arrive, reducing emergency response times by more than 60%.
While Carbyne’s technology has proven beneficial across the globe for several years, the COVID-19 pandemic has brought additional benefits to the technology. Carbyne is effectively able to remotely evaluate potential COVID-19 cases and forward potentially infected individuals to medical professionals via telehealth services while maintaining HIPAA compliance.
Additionally, the Carbyne platform has been used in some cities to help track COVID-19 cases, delivering a heat map that details coronavirus-related calls so the municipality can better allocate resources and prevent the disease from spreading. As one hotspot hit hard by the virus, New Orleans uses Carbyne’s COVID-19 service to manage emergency calls and help individuals who have contracted the virus contact telehealth professionals instead of flooding emergency rooms. Carbyne has been fielding 70% of the city’s emergency calls, a majority of which were related to COVID-19 symptoms.
By Heather Annolino, senior director healthcare practice, Ventiv.
As hospitals work vigorously to address the health care needs of their patient populations during the COVID-19 pandemic, they are unintentionally leaving themselves and their patients exposed to cybersecurity risks.
Measures implemented to protect workers and patients, including expanded use of telehealth and telemedicine, remote work and bringing new equipment such as ventilators online can leave data exposed, and institutions vulnerable to hackers and scammers. These cyberattacks can affect supply chains and the ability to leverage healthcare data from the COVID-19 pandemic for use in the future for other crises.
In March 2020, the Office for Civil Rights announced it would not enforce penalties for HIPAA noncompliance against providers leveraging telehealth platforms that may not comply with privacy regulations. This measure rapidly expanded the use of telehealth and telemedicine over the past several weeks, allowing providers to utilize videoconferencing platforms, including WebEx, Zoom and Skype.
The use of telemedicine improves patient access and assists with alleviating the additional burden on healthcare systems by limiting in-person care during the COVID-19 pandemic. If any incidents do occur, they should be entered into the facility’s health care risk management/patient safety software system. This technology is designed to help healthcare organizations see all of their data in one place, making it easier to learn from the incidents through analysis. While doing that now might be difficult, it is essential to capture this data to improve preparation for the next disaster and prevent patient harm.
Although telemedicine presents a lower risk from a risk management perspective, it is still important to provide consistent processes and protections to mitigate potential threats. During these uncertain times, telemedicine is the best option for providers to continue treating select segments of their patient population, as well as triage potential COVID-19 cases. Whether health care organizations are looking to expand (or even begin) the use of telemedicine capabilities, it is crucial to outline best practices for consent, credentialing, and security and privacy to assist with mitigating potential risks.
Here are a few strategies facilities should consider:
Security and Privacy
Under normal circumstances, healthcare facilities have difficulty bringing key equipment online securely. As facilities are currently working tirelessly to address COVID-19 patients’ needs in addition to continuing to provide care to non-COVID-19 patients, there is a potential increase of security risks as additional medical equipment and medical IoT devices integrate into the network.
By investing in and deploying cybersecurity procedures and protections, including backup and downtime procedures, healthcare facilities can reduce the risk of potential phishing and ransomware attempts. These measures should include ensuring all practitioners are using communication apps recommended by the U.S. Department of Health & Human Services Office for Civil Rights and secure telephone connections as well.
By Carl Kunkleman, senior vice president and co-founder, ClearDATA.
Working in the world of healthcare security and compliance, I find one of the biggest dangers organizations face is having a false sense of security that their PHI is adequately protected. I’ve done hundreds of security risk assessments, and I have yet to find one single organization that did not have a security gap they were unaware they had in one or more of their administrative, technical or physical safeguards.
Add to this the complicated current state of healthcare battling COVID-19, and we are likely to see administrative systems that have gaps in on-boarding or off-boarding employees, technical infrastructures that didn’t have time or resources for patch management, and physical scenarios in makeshift triage units with compromised physical safeguards that simply cannot be addressed in the current haste to stop the spread of the virus.
Sadly, this sense of chaos creates the ideal conditions for the hackers of the world looking to infiltrate via phishing, malware, ransomware and more. Once this spread is arrested and we all get a moment to catch our breath and assess business practices, a good move would be to conduct a security risk assessment, known as an SRA. Your internal teams and resources are stressed, overworked and possibly burned out, and an SRA can identify security gaps that will inevitably arise and present an actionable plan to remediate. This will help reduce risks while protecting your organization’s finances and reputation while we all find out what “getting back to normal” will mean.
Right now, we are all doing everything we can. And the Department of Health and Human Services recognized that with their decision last week to waive penalties for providers that are serving patients through everyday communications technologies during the COVID-19 public health emergency. A security risk assessment this summer will help you put the compliance health of your organization back in order. In addition to the HIPAA requirement that you have an SRA on file annually, it helps unite your team in a strategic path forward by articulating what your highest and lowest risks are, before a hacker uncovers them.
Because an SRA covers administrative, technical and security safeguards, your entire organization will benefit from the process. I continue to find organizations who think their PHI is protected because they have password-protected their computers and mobile devices. Our penetration testing has revealed that passwords are relatively easy to defeat. We continue to find gaps in encryption, patch management and even with PHI inventories. If you don’t know where all of your PHI resides, how can you protect it?
Virtual visits help providers increase productivity by adding revenue and reducing travel to different clinical settings. However, despite these obvious advantages, 2019 saw an abysmally low utilization rate of less than 10%. Things have monumentally changed. As a local physician characterized telehealth today, convenience is the new quality. Love it or hate it, telehealth is here to stay.
The Primary Care Collaborative conducts a weekly survey of physicians, nurse practitioners, and physician assistants working in primary care on how their practices are responding to the COVID-19 outbreak. Over 80% of respondents indicate their patients accept telehealth visits and nearly half of the respondents plan to continue using telehealth after the COVID-19 crisis is controlled.
Prior to the pandemic, telehealth was seen as convenient and time efficient for patients. It also showed promise for providing access to care for various underserved populations. Today we’ve gone beyond convenience as telehealth has become a necessity for both patients and providers. Increased utilization has been made possible by the relaxation of rules and requirements by both government and commercial health plans. Notably, the use of telehealth had been restricted by design.
Health plans wanted to control how and where telehealth was offered along with who could provide the service. For the duration of the COVID-19 health emergency, most health plans are allowing telehealth to be used in place of in-person encounters. Many are waiving patient cost share and paying providers the same rate as an in-person visit.
Medicare has made the following changes effective during the COVID-19 health emergency: telehealth can be used with both new and established patients, telehealth via telephone will be reimbursed, and providers are allowed to treat patients across state lines. In addition, the Centers for Medicare and Medicaid Services (CMS) is waiving HIPAA violation penalties for utilizing technologies such as FaceTime or Skype.