It’s perhaps the greatest gift a person can have, but we usually take it for granted until it’s gone. Without it, nothing else in life is quite the same. And once it’s gone, it can be very hard to get it back. And while patients play the ultimate role in safeguarding and directing their health, the truth is that no one can do it alone. No matter what your role in the healthcare industry may be, you are charged with a sacred obligation to treat your patients with respect, honor, and care.
No matter who our patients are — rich or poor, young or old, sick or well — they depend on healthcare experts to help them protect this most precious gift of health. They expect and assume that those whom they entrust with their lives and the lives of those they love will be respectful of that trust, will care for them and their dear ones ethically and honorably. But what does this mean for your clinical practice? What do healthcare ethics look like in the year 2020?
Honoring the Human in the Technological Age
Privacy is one of the most sacred rights and significant concerns in healthcare. However, there’s no escaping the fact that we live in the era of big data, and there’s also no escaping the fact that big data can be a tremendous asset in healthcare. Even if a patient is thousands of miles away from home and from their primary healthcare providers, electronic health data can facilitate the sharing of essential medical records, from scans to lab results, with just the click of a button.
But how, in this age of big data and breathtakingly fast technological evolution, do we ensure that respect for the human is not lost? How do we avoid reducing individual patients to a mere system of lab results and scans? How do we prevent losing the person in a sea of data sets? That will and must be one of the principal ethical considerations in 2020.
HIPAA outlines the standard security practices that organizations handling protected health information (PHI) need to adhere to. Whether or not your business is HIPAA compliant can have a huge impact on how you run it. If you are non-compliant, you risk being involved in data breaches, which set off a domino effect. A single breach can lead to the loss of valuable customer data, expensive lawsuits, PR nightmares, and even the loss of your business.
Even without a data breach affecting your business, you still need to be compliant to be competitive in the health industry. Security-conscious businesses in the industry will only agree to do business with you as long as you are compliant. Lastly, compliance will help you evade fines from regulatory bodies and keep you off the "wall of shame", a site that lists health-related organizations that have undergone data breaches. Lucky for you, as long as you commit to understanding HIPAA compliance, it will typically be quite easy for you to know what to do.
Here are some insights on managing HIPAA compliance for your business:
What To Expect?
If you are supposed to be HIPAA compliant, you will either be a covered entity or business associate. Covered entities are organizations that have direct access to the customer and their PHI (doctors, insurance companies, and pharmacies). Business associates, on the other hand, work with the covered entities in a non-healthcare capacity, and they have access to PHI. These can be lawyers, IT personnel, accountants, and administrators. Regardless of where you fall, you need to adhere to four HIPAA rules:
1. The Privacy Rule
This rule looks to protect the privacy of PHI. It outlines how and when actors in the health industry can and cannot use health data. The data it protects includes past, present, and future health information of protected individuals, payment data, the details of the care any individual was provided with, contact information, identifying numbers (ID and social security numbers), and even fingerprints.
2. The Omnibus Rule
The Omnibus Rule outlines how business associates should conduct themselves and how they interact with the covered entity. Recent updates expanded the Omnibus Rule to storage companies, sub-contractors, and even consultants. It prohibits actors from using PHI for the wrong reasons, such as marketing or using genetic information to underwrite insurance policies.
3. The Security Rule
The Security Rule is meant to control how businesses handle electronic protected health information (ePHI). It requires businesses to have the right safeguards for protecting the confidentiality, security and integrity of ePHI. These safeguards are divided into three categories:
Dental hygiene related apps have been a feature of the medtech world for a few years, but only now are they permeating professional dental care. Forbes has noted the trickle of algorithm-led dentistry into clinics, and is now predicting that digital dentistry will become a key component of everyday practice. For many patients and clinics alike, these new developments will enable greater levels of care.
Involvement in daily habits
The key to healthy teeth is good habits. As noted by clinicians at the experienced Gresham emergency dentist, Main Street, education on how to keep teeth clean and what foods to avoid will do much of the work without individuals needing to visit a professional. The hard work begins when the patient returns home. Increasingly, dentists are using apps that combine with smart technology, such as the toothbrush, to gain an all-in picture of patients and their habits. According to the New York Times, these platforms are becoming increasingly common, and will become standard practice within years.
Improving clinic efficiency
With the connection to patients made, startups have found ways to further develop technology's role in the clinic. Most recently, TechCrunch reported that developers VideaHealth have introduced a software suite that can help dentists look for key signs of dental disease, and in some cases even cancers, such as misshaping of the mouth and throat. Using sophisticated imaging technology within peripherals or the toothbrush, this is ultimately improving efficiency in the dental clinic and keeping costs down.
Using big data
Data sharing has always been a sticky subject in the medical world. Measures like GDPR and HIPAA, while initially causing consternation and some frustration, have ultimately cleared the lines on what can and what can’t be shared, and how. As a result, big data is now there for use in medical applications, including dentistry. According to Dentistry IQ, this will enable dentist clinics to pull data from a staggering range of sources and improve patient outcomes.
Developments in technology have had a profound impact on nearly every aspect of our lives. We can hardly get through an hour without tech having an effect on what we’re doing, let alone a full day. From the morning alarm on our smartphones, to the Bluetooth sound system in our cars, to the social media accounts we share everything on, technology surrounds us.
Perhaps one of the aspects that many of us think the least about is how it has utterly transformed the way we manage our healthcare data. The development of electronic health records and, even more importantly, the cloud, have brought about all sorts of changes. Many have the potential to impact our lives in both positive and negative ways depending upon how they are managed.
When it comes to our health data, there is an added urgency in making sure everything is safe and secure no matter where it is ultimately stored. Well managed data can mean a more efficient and effective healthcare service, while mismanaged data can lead to the loss of personal information and an unraveling of the privacy most of us have come to expect in a professional healthcare setting.
Medical Records, HIPAA and the Cloud
In 1996, the United States government passed HIPAA, a landmark healthcare act that helped to create and enforce privacy and data security requirements associated with medical information. The act has since been expanded in an effort to keep up with modern technologies, and nearly everyone involved in the healthcare system is expected to follow the rules. Because of this legislation, one can expect that their medical records will be kept private unless they choose to release them, no matter where they are stored.
Cloud-based data storage and technology provide numerous benefits to the healthcare system, including better dataset analysis, improved efficiencies in individual patient care, and a much lower cost. However, they can also lead to a number of concerns, especially when it comes to HIPAA compliance. HIPAA rules apply not only to the medical facilities that are using cloud technology, but also to the tech vendors.
Unfortunately, just because cloud technology providers are not exempt from HIPAA rules does not mean that they necessarily follow them. There is no real certification process, and the government doesn't exactly clear companies to work with healthcare organizations. It is completely up to the healthcare entity and the tech provider to make sure their services are meeting the necessary HIPAA standards.
Loopholes in the System
It may come as somewhat of a surprise to both patients and healthcare providers to learn that there are popular new aspects of medicine and technology that aren’t necessarily covered by HIPAA regulations. For instance, HIPAA does not cover anonymized data such as the data that is collected during genetic testing. Essentially, this allows for a patient’s anonymous information to be shared at will.
Today, the average cost of a healthcare data breach is $429 per record. When organizations factor in the loss of productivity, the amount of civil complaints and fines levied, plus the public relations besmirching, the cost implications skyrocket. In 2018, the Department of Health and Human Services Office of Civil Rights concluded a record year in HIPAA enforcement activity – 10 settlement cases and one judgment totaled a whopping $28.7 million.
Though every industry is susceptible to cyberattacks, healthcare has experienced the largest growth in attacks over the years because patient records, insurance information, and social security numbers are more valuable on the dark web. Unfortunately, legacy systems may be to blame for the uptick in cyberattacks. Forescout researchers determined that 53% of common medical devices are still operating on traditional, legacy platforms.
Legacy systems, insufficient access controls, and the proliferation of medical IoT devices have created security vulnerabilities that leave hospitals wide open to cyberattacks. Research from Vectra found that the majority of legacy systems are unsecured because healthcare organizations simply can’t afford the amount of downtime that patching requires.
To guarantee that unstructured data is transmitted securely, healthcare organizations must extend their analog fax machines to a hybrid-cloud network that is HIPAA compliant and provides end-to-end encryption, two-factor authentication, and direct faxing capabilities.
By leveraging the cloud and delivering all faxes via HTTPS, outdated fax boards, media gateways, and the complex telephony stack are eliminated. Unlike a legacy analog fax infrastructure, hybrid cloud technology can ensure that time-sensitive protected health information (PHI) is delivered within seconds with high-resolution, near-diagnostic image quality and the highest levels of encryption. The accessibility of fax, coupled with the scalability of the cloud, ensures the exchange of PHI across the healthcare ecosystem is protected. This allows patients to receive high-quality care without compromising their personal information.
By Dan Potter, vice president of product marketing, Attunity, a division of Qlik.
Data is the lifeblood of every hospital and healthcare organization. Without it, doctors can't access updated patient records for proper treatment; billing departments are unable to correctly process insurance claims; and research teams are limited in their ability to uncover new findings. Today there are issues with both data availability and access to the right information, for all users in a governed, HIPAA-compliant structure, that keep healthcare organizations from effectively scaling the use of data to impact lives.
Data analytics is often discussed as a key element because of its potential to uncover insights that improve operations while also increasing care quality and efficiency. In today's world of tight budgets and rising costs, it's essential that organizations maximize staff time allocated to care and minimize costs. However, even if a hospital provides access to all its data, a lack of data literacy (an individual's knowledge of how to use and analyze data) could limit data's effectiveness towards improving care and operations.
Healthcare organizations must find a data cure that will address both data challenges: access to and use of information. The emerging methodology known as DataOps addresses both issues.
DataOps is a new approach to agile data integration that looks at the challenge from a holistic perspective of people, process and technology. It focuses on improved collaboration and automation of data flows across an organization. When done correctly, it results in an overall set of processes that help the organization manage and use its data in real time to transform patient care and experience.
Fighting the Data Access Challenge
As the amount of data increases daily, one of the biggest issues is how to capture and manage it all efficiently. For healthcare this includes allowing appropriate real-time access for all users to that data for analytics, while keeping it protected in accordance with HIPAA. One of the first steps is implementing modern data architectures that can handle the growing data volume. Open architectures based on hybrid and multi-cloud provide the greatest efficiency along with the agility to improve patient care and increase operational efficiencies.
Home health agencies need to be able to access and share PHI while they are on-the-go – often while using their smartphones or tablets. It’s critical that these types of communication are both fast and secure. However, many home health agencies allow staff to use text messaging when sharing patient data with each other, colleagues, or the patients themselves.
Text isn’t always best despite its popularity for convenient communications. Agencies might be more at risk than they think if staff members are texting each other information about patients. And, free consumer group messaging apps utilize vulnerable platforms which are unable to address health care-specific needs in terms of security and compliance.
An agency places itself and its patients at risk when sending ePHI via unencrypted text messaging. Traditional texting may not meet security or compliance requirements set forth under HIPAA. The HIPAA Journal indicates that the fine for a single breach of HIPAA can be anything up to $50,000 per day the vulnerability responsible for the breach is not attended to. Organizations which text in violation of HIPAA can also face civil charges from the patients whose data has been exposed if the breach results in identity theft or other fraud.
Immediacy, privacy and trust are key when communicating PHI among agency clinicians and the broader care team (e.g., the referring physician, a specialist, a pharmacist, etc.). For example, the patient or the field nurse can snap a picture of a patient’s wound and then send it securely to the wound care specialist for his/her recommendation. A wound care specialist can make a decision remotely – saving drive time and expenses – and immediately provide assistance to the field nurse.
Decision-making is accelerated, helping patients receive timely care and assistance. Staff productivity is optimized, helping the agencies better leverage specialists across a larger number of cases. ER visits and re-admissions are reduced, helping enhance patient satisfaction and outcomes.
With secure messaging functionality, home health staff members can easily and securely communicate and collaborate with colleagues, their patients and family caregivers, and with other care team members such as the referring physician or another specialist. HIPAA-compliant secure messaging is critical to securing ePHI in staff-to-staff and staff-to-patient communications.
The trend in cybersecurity news is to focus on the latest buzzwords like artificial intelligence, blockchain, ransomware, denial of service or HIPAA fines. Recent hacks are front-page news. Trends also include the increasing cybersecurity regulatory mandates, such as state laws providing private consumer rights (class actions) against offending healthcare providers and their officers and directors. Another hot topic is the dearth of cybersecurity skills.
CISOs and other business leaders responsible for the security of ePHI and business continuity are the intended audience, and they are being inundated with a tornado of cybersecurity trends, much of which is vendor driven. They're also being pulled in many different directions internally with competing priorities. At a recent panel discussion of CISOs at Northern California HIMSS' CXO Summit, one busy CISO described how he is repeatedly added to committees on all sorts of different subjects, some of which he had never heard of.
Whitepapers discussing the "top 10 priorities" or "top 10 trends" are commonplace. They're usually vendor driven and focus largely on the most prevalent asset type: computers. That is, they address desktops, laptops and servers, covering perimeter security or internal threats from user behavior, including training users not to click on suspect emails to prevent phishing attacks.
Overlooking Second Most Prevalent Asset Type — Printers
But no one is talking about, or including in the top 10 lists, the second most prevalent asset type in all healthcare providers' IT enterprises: their printers. For some reason, networked printers (any device that creates an image, electronic or otherwise, including multi-function and single-function devices, faxes, scanners, label printers, etc.) are not perceived as the same risk as other computers, even though in the past few years there have been reported hacks of 50,000 to 150,000 networked printers. Also, a research house showed that faxes can be easily exploited to hack printers and the corporate networks where they reside.
Why is this trend not hot on the minds of top security professionals? It could be because of the origins of today’s modern business printers as “dummy copiers” or the fact that they are often not procured or managed by the information technology department or visible to the information security department. Or, it could be because vulnerability management, intrusion detection and information security consulting vendors driving today’s messaging do not include printers in their solutions.
Little Known Facts about Print Fleets
Whatever the reason, here are a few important facts that you should know about almost all printers in healthcare:
Printers are mission critical to patient care and part of providers’ tier one applications.
Printers are everywhere. There can be as many as one printer to one employee or between 1:6 and 1:10.
Printers are often accessible or visible in public areas and not in protected data centers or offices like many other computers.
They aren’t assigned users like desktops or laptops, or system administrators like servers in data centers.
Printers have built-in security settings, but they are not being set or maintained.
HIPAA requires that all printers be included in the comprehensive risk analysis and cyber hardened for security of ePHI regardless of make, model, age or type.
Printers are shipped, and regularly deployed and maintained on networks, with factory default settings, including published factory default administrator passwords that let bad actors take control of them.
Even if security settings on printers are set at the time of deployment, they get unknowingly reset back to factory defaults (turned off).
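The two facts above describe a configuration-drift problem: a fleet that was hardened at deployment quietly slides back to factory defaults, including the published administrator password. One way a defender catches that is a periodic audit that compares each device's reported settings against a hardened baseline and against the previous snapshot. The following Python is an added example, not code from the original article or from any printer vendor; the setting names (admin_password_is_default, telnet_enabled, and so on), the device identifiers and both snapshots are constructed for the illustration and would be mapped onto whatever your fleet-management tool actually reports.

```python
from dataclasses import dataclass

# Hardened baseline every printer in the fleet must match. The setting
# names are hypothetical (constructed for this example), not a vendor's
# real configuration schema; map them to your fleet tool's fields.
BASELINE = {
    "admin_password_is_default": False,  # published factory password still in use?
    "telnet_enabled": False,             # cleartext management protocol
    "ftp_enabled": False,                # cleartext print-job upload
    "snmp_v1v2_enabled": False,          # unauthenticated SNMP community strings
    "https_only_admin": True,            # web admin console only over TLS
    "firmware_signed_only": True,        # reject unsigned firmware images
    "job_log_retention_days": 90,        # audit trail for printed ePHI
}

# Settings whose wrong value hands over control of the device outright.
HIGH_RISK = {"admin_password_is_default", "telnet_enabled", "ftp_enabled", "snmp_v1v2_enabled"}


@dataclass(frozen=True)
class Finding:
    device: str
    setting: str
    expected: object
    actual: object   # None when the device did not report the setting
    severity: str


def audit_device(device, settings, baseline=BASELINE):
    """Return one Finding per baseline setting the device does not satisfy."""
    findings = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual == expected:
            continue
        if actual is None:
            severity = "unknown"   # unreported: a gap in the risk analysis, not a pass
        elif key in HIGH_RISK:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(device, key, expected, actual, severity))
    return findings


def audit_fleet(snapshot, baseline=BASELINE):
    """Audit a {device_id: settings} snapshot; returns only non-compliant devices."""
    result = {}
    for device, settings in snapshot.items():
        findings = audit_device(device, settings, baseline)
        if findings:
            result[device] = findings
    return result


def reverted_settings(previous, current, baseline=BASELINE):
    """Settings that matched the baseline in `previous` but no longer do in
    `current`: the 'silently reset to factory defaults' case."""
    reverted = {}
    for device, now in current.items():
        before = previous.get(device, {})
        keys = [k for k, exp in baseline.items()
                if before.get(k) == exp and now.get(k) != exp]
        if keys:
            reverted[device] = keys
    return reverted


# Constructed sample: a snapshot taken right after hardened deployment...
SNAPSHOT_AT_DEPLOY = {
    "mfp-lobby-01": dict(BASELINE),
    "mfp-ward3-02": dict(BASELINE),
    "label-pharmacy-01": dict(BASELINE),
}
# ...and one taken months later, after a firmware update reset the lobby MFP
# and the pharmacy label printer stopped reporting its log retention.
SNAPSHOT_NOW = {
    "mfp-lobby-01": {**BASELINE, "admin_password_is_default": True,
                     "telnet_enabled": True, "https_only_admin": False},
    "mfp-ward3-02": dict(BASELINE),
    "label-pharmacy-01": {k: v for k, v in BASELINE.items() if k != "job_log_retention_days"},
}

if __name__ == "__main__":
    for device, findings in audit_fleet(SNAPSHOT_NOW).items():
        for f in findings:
            print(f"{f.severity:7} {device}: {f.setting} expected {f.expected!r}, got {f.actual!r}")
    print("reverted since deployment:", reverted_settings(SNAPSHOT_AT_DEPLOY, SNAPSHOT_NOW))
```

Two design choices matter here. A setting the device does not report is classed as "unknown" rather than silently passing, because an unreported control is exactly the kind of device that falls outside the comprehensive risk analysis. And the drift check is computed against the last known-good snapshot, not just the baseline, so a report can say which devices were compliant and have since reverted, which is the signal that a firmware update or a technician's reset is undoing the hardening.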
Why Act Now to Secure Printers?
The easiest answer: because it's the law (HIPAA), and you're exposing your company to serious and long-lasting financial risk if you are not acting now to secure (and keep secured) all the printers in your print fleet. Other regulations that go beyond HIPAA's mandates are also being regularly enacted, exposing companies to even more severe penalties.
Any healthcare facility that wants to keep its customers happy must have patient portals. It is easy to create these portals, but keeping the data safe from hackers can be tough. In the US, at least half of the healthcare consumers are using patient portals. About 80 percent of these patients have expressed their satisfaction with the level of ownership they have with their health data and the convenience of its accessibility.
Because of the security issues involved, the Affordable Care Act and meaningful use regulations have worked towards incentivizing the healthcare industry to make health records digital and more accessible to patients. The portal allows patients to manage their personal details, including medication lists and lab test results as well as financial information. This is enough data to set a patient up for attackers. Because the use of patient portals will keep rising, the risk will only get bigger, which means a better approach to protecting this information needs to be realized.
How to Stay Compliant
The 1996 Health Insurance Portability and Accountability Act (HIPAA) highlighted the protection of the rights of patients. It compels health providers to keep customer data confidential. HIPAA also introduces a measure of safety and imposes precise compliance standards. Breaches carry hefty penalties. Here are a few tactics to help you keep customer data safe:
1. Foster Security Mindset in Your Organization
Protected health information (PHI) according to HIPAA means more than just electronic records. Whether you are speaking on the phone or working on a physical file, the principles apply. Regulatory compliance in healthcare organizations means that every health facility must store customer data securely. The most ideal tool is remote access software. This software does not restrict a user to approved databases and desktop logins.
2. Focus on the People and Not Just the Data
Electronic health records (EHRs) can only be kept private when access is limited to the people permitted to see them. That means giving access to the involved parties, such as the lab, the doctor, and the insurance provider. Breaches and lapses occur when too many people are involved. This is why categorizing them by persona is essential. If, for instance, the patient is in a critical condition, different labs may be involved. It is, therefore, crucial to customize the profile for each user.
3. Give Patients Full Access to Their Records
Patients want to be sure their personal data is stored safely and securely. This is why healthcare providers need to allow patients to view their medical records. Some patients download and send the details to a third party, which is inherently insecure. Instead of giving the data to patients in different copies, it is crucial that the EHR be stored in one database. Because the idea is to have the data accessed remotely, a single EHR version can be shared by different devices.
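Tactics 2 and 3 above amount to a least-privilege policy: each persona (lab, doctor, insurer) sees only the sections of the record its role needs, and only for the patients it is actually involved with, while the patient sees their own complete record. The following Python is an added example of such a deny-by-default check with an audit trail; it is not code from the original article or from any EHR product. The personas, record sections, users and the sample record are all constructed for the illustration.

```python
from dataclasses import dataclass, field

# Sections of an EHR. Constructed for this example, not a real EHR schema.
SECTIONS = ("demographics", "clinical_notes", "lab_results", "medications", "billing")

# Least-privilege matrix: the sections each persona may read. Personas are hypothetical.
PERSONA_SECTIONS = {
    "attending_physician": {"demographics", "clinical_notes", "lab_results", "medications"},
    "lab_technician":      {"demographics", "lab_results"},
    "insurance_adjuster":  {"demographics", "billing"},
    "patient":             set(SECTIONS),   # a patient may see their own whole record
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    persona: str
    # Patients this staff member is actively involved with (care-team relationship).
    # For the "patient" persona this holds exactly one id: their own.
    patients: frozenset


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, principal, patient_id, section, allowed):
        self.entries.append((principal.user_id, patient_id, section,
                             "ALLOW" if allowed else "DENY"))


def authorize(principal, patient_id, section, log):
    """Deny-by-default check: the persona must be allowed the section AND the
    principal must have a relationship with this particular patient."""
    allowed_sections = PERSONA_SECTIONS.get(principal.persona, set())
    allowed = section in allowed_sections and patient_id in principal.patients
    log.record(principal, patient_id, section, allowed)
    return allowed


def view_record(principal, patient_id, record, log):
    """Return only the sections this principal may see; everything else is omitted."""
    return {s: v for s, v in record.items() if authorize(principal, patient_id, s, log)}


def denied_events(log):
    """Denied accesses are what a reviewer looks at for misconfigured profiles or probing."""
    return [e for e in log.entries if e[3] == "DENY"]


# Constructed sample record and users (no real patient data).
RECORD_P1 = {
    "demographics": {"name": "Sample Patient", "dob": "1970-01-01"},
    "clinical_notes": "constructed note",
    "lab_results": {"HbA1c": "6.1%"},
    "medications": ["metformin"],
    "billing": {"insurer": "ExampleCare", "balance": 120.00},
}
DR_LEE   = Principal("u-dr-lee", "attending_physician", frozenset({"p1", "p2"}))
LAB_KIM  = Principal("u-lab-kim", "lab_technician", frozenset({"p1"}))
ADJ_ROY  = Principal("u-adj-roy", "insurance_adjuster", frozenset({"p2"}))  # not on p1's case
PATIENT1 = Principal("u-p1", "patient", frozenset({"p1"}))

if __name__ == "__main__":
    log = AuditLog()
    for who in (DR_LEE, LAB_KIM, ADJ_ROY, PATIENT1):
        print(who.user_id, "->", sorted(view_record(who, "p1", RECORD_P1, log)))
    print("denied:", denied_events(log))
```

Note that the adjuster, although their persona is allowed the billing section, gets nothing for patient p1 because they have no relationship with that patient; persona alone is not enough. An unknown persona falls through to the empty set and is denied everything, and every decision, allowed or denied, lands in the audit log so that profile mistakes show up as DENY entries rather than as silent data exposure.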
The American Health Information Management Association (AHIMA) sent a joint letter to Congressional leaders today voicing concerns that certain provisions of the Office of the National Coordinator for Health Information Technology's (ONC's) recent 21st Century Cures Act (Cures) proposed rule on information blocking jeopardize goals to foster a healthcare system that is interoperable, patient-engaged and reduces burdens for those delivering care.
The letter, co-signed by seven organizations representing the nation’s clinicians, hospitals, health systems and experts in health informatics and health information management, outlines several recommendations aimed at furthering the objectives of Cures, while ensuring that the final regulations do not unreasonably increase provider burden or hinder patient care.
“We support the intent of the Cures Act to eradicate practices that unreasonably limit the access, exchange and use of electronic health information for authorized and permitted purposes that have frustrated care coordination and improvements in healthcare quality and efficiency,” said AHIMA CEO Wylecia Wiggs Harris, PhD, CAE. “However, in light of the lessons learned from the meaningful use program, we believe it is crucial that we get this right. We look forward to discussing the details of these recommendations with congressional staff and ONC.”
Recommendations outlined in the letter include:
Additional rulemaking prior to finalization: ONC should seek further input from impacted stakeholders on issues including modifying the information blocking proposal to ensure that the requirements and exceptions are well-defined and understandable, and clinicians, hospitals and health information professionals are not inappropriately penalized if they are unable to provide a patient’s entire electronic health information through an application programming interface (API).
Enhanced privacy and security: The proposed rule does not sufficiently address Cures’ directives to protect patient data privacy and ensure health IT security. It is imperative that the Committee continues its oversight of privacy and security issues that fall outside of the Health Insurance Portability and Accountability Act (HIPAA) regulatory framework. This includes ensuring certified APIs include mechanisms to strengthen patients’ control over their data—including privacy notices, transparency statements and adherence to industry-recognized best practices.
Appropriate implementation timelines: ONC should establish reasonable timelines for any required use of certified health IT (CEHRT). Providers must be given sufficient time to deploy and test these systems, which must take into account competing regulatory mandates.
Revised enforcement: The U.S. Department of Health and Human Services should use discretion in its initial enforcement of the data blocking provisions of the regulation, prioritizing education and corrective action plans over monetary penalties.
Signatories of the letter include:
American Health Information Management Association (AHIMA)
American Medical Association (AMA)
American Medical Informatics Association (AMIA)
College of Healthcare Information Management Executives (CHIME)
Federation of American Hospitals (FAH)
Medical Group Management Association (MGMA)