By Deborah Hsieh, chief policy and strategy officer, Ciox Health.
Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. In the 25 years since, healthcare and technology have advanced beyond what any of the original writers of HIPAA could have imagined, creating innovative new tools and mechanisms to share information and to better engage individuals in their healthcare.
Recognizing the challenges in ensuring HIPAA remains relevant for technology, business practices, and patient needs of today, the U.S. Department of Health and Human Services (HHS) released proposed updates to HIPAA’s regulations. The proposed changes include needed flexibilities to promote information sharing, but fail to ensure patient privacy protections remain relevant for the changed context, and, in fact, encourage actions that could expose patients’ healthcare data. Rather than strengthening healthcare privacy protections, the proposal creates a new pathway for non-HIPAA-covered entities to freely access and exploit patients’ healthcare data.
In the proposed rule, HHS seeks to go beyond the existing statute and regulations that ensure patients have a right to direct a covered entity to transmit an electronic copy of their protected health information (PHI) in an electronic health record (EHR) to a designated person or entity of the patient’s choice (also called “patient directive”). HHS now proposes to create a wholly new, unprotected and unauthorized pathway enabling so-called personal health applications (third parties that meet a minimal set of criteria) to gain free access to electronic and paper-based data.
While HHS creates and encourages use of this new pathway for personal health applications, HHS is not able to regulate what these applications do. Because a personal health application “is not acting on behalf of, or at the direction of a covered entity,” it is not subject to HIPAA rules and obligations. Health data that a patient directs to a personal health application is no longer protected by HIPAA and patients are left to fend for themselves.
HHS states personal health applications are managed and controlled by the individual; however, there is no requirement that patients be informed their data is no longer being covered by HIPAA and what that means. Patients will lose their ability to control their access to and the use of their healthcare data and may be fully unaware that third parties may use personal health applications as a backdoor to gain access to millions of patients’ private health information for their own commercial purposes.
Communication is one of the most important parts of the healthcare industry, but as it stands it may be the most challenging element as well. To reach the best patient outcomes, it is critical for patients, doctors, hospitals, and facilities to communicate with one another seamlessly, securely, and digitally.
The incredible amount of information that needs to be accurately communicated presents a challenge by itself, but the extensive regulations create an added layer of difficulty. The Health Insurance Portability and Accountability Act (HIPAA) strives to protect the private data of a patient but creates challenges when having to quickly communicate critical information from different parts of the medical team.
Currently, many organizations are decentralized and use multiple digital outlets. There is company-sponsored email, instant message, and portals, plus personal email accounts, mobile and messaging applications—all with the potential to complicate and compromise the quality and security of communication.
Software can automate certain administrative tasks, enabling medical professionals to focus on patient care and on improving patient outcomes. In a notoriously and widely distributed workforce where communication is essential, introducing an effective unified communication tool will increase operational efficiency and decrease infrastructure and maintenance costs.
A unified communication tool needs to connect all personnel across distributed locations, divisions, departments, and functions. A unified system should:
Be flexible and extensible, enabling adaptation to future needs
Support multiple communication methods (voice, text, data, video)
Integrate with existing systems
Put the user experience at the forefront, rivaling widely-used mobile communication platforms (WhatsApp and Facebook Messenger)
Cater to user requirements by including unique, job-enhancing features based on real scenarios
Increase operational efficiency while being secure and HIPAA compliant
Tips on how to create an effective communications system:
Diagnose the problem: Run a discovery phase to identify organizational issues and opportunities for improvement through story mapping workshops with stakeholders, interviewing end-users, and conducting surveys. Then, create a service blueprint noting your findings. Ensure all stakeholders are aligned.
Define the minimum viable product (MVP): Prioritize the most significant issues and tackle those first to define the goals for the MVP. Validate your wireframes and prototypes with the original group of individuals who determined the problem space to inform the solution. Allow the test group to try the product early and often, allowing them to guide the solution and feel involved in the process.
Anyone dealing with healthcare IT in the US will come across HIPAA and HITECH and HITRUST — and it’s easy to get them confused. They’re interrelated and they all concern health information and they all impact healthcare IT. But that certainly doesn’t mean they’re all the same.
Briefly, HIPAA is a law and compliance is mandatory. HITECH is another law that was subsequently folded into HIPAA. And HITRUST is a voluntary means to ensure compliance with laws such as HIPAA, including its HITECH provisions and any others that might come along. Here’s how it all breaks down:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered a lot of healthcare modernization issues, including provisions addressing insurance and taxes. But when we reference HIPAA in the IT world, we’re generally concerned with details in the Act’s Title II.
HIPAA Title II stipulates national standards for digital healthcare information management and movement. Its intent was to establish comprehensive guidance on the way personal health information (PHI) is maintained, exchanged, and protected from unauthorized exposure and theft in healthcare industries. Since the Act was signed into law at the dawn of the dot.com days, it has naturally required amendment over the years.
The Health Information Technology for Economic and Clinical Health (HITECH) Act was part of the American Recovery and Reinvestment Act of 2009. HITECH allocated $28B to fund greater adoption of electronic health records (EHRs) through incentives, resulting in a massive digitization of health information. It also outlined additional sets of stipulations for digital standardization and added more privacy and security protections for healthcare data enforced by penalties for compliance failures.
HITECH was consolidated into HIPAA Title II in 2013 with the Final Omnibus Rule, which also expanded security and breach notification details and, notably, extended HIPAA-compliance requirements to business associate agreements. A business associate is any entity that “creates, receives, maintains, or transmits protected health information” for a HIPAA-covered entity. So pretty much anyone handling PHI has to comply with HIPAA — not just hospitals and insurance companies.
By Courtney Tesvich, vice president of regulatory, Nextech.
Data interoperability is once again poised to take a giant leap forward and there are many factors propelling this evolution. For example, the Office of the National Coordinator’s (ONC) March 2020 introduction of the interoperability rule as part of the 21st Century Cures Act is set to advance interoperability regulations. COVID-19’s spotlight on the need for data transparency and seamless information exchange to enable efficient care delivery across diverse settings is revealing a critical use case.
The rapid onboarding and use of telehealth to virtually deliver safe and secure healthcare underscores the importance of modernizing interoperable solutions. Given all these factors, the time is right for healthcare organizations to evolve their thinking around data sharing.
While larger, multi-setting health systems may have teams of people dedicated to advancing their organization’s interoperability strategy, smaller entities (including specialty physician practices) are often left to figure out the right path forward on their own. This can be overwhelming, and it may be tempting for smaller organizations to delay work on this issue. However, it will only postpone the inevitable.
Over the next two years, the capabilities and requirements to exchange electronic health information will change drastically. The ONC is allowing two years to implement the new interoperability requirements and technology will likely change in that time. So, starting the effort now can make it easier to adapt as solutions evolve. The bottom line? To meet this deadline, practices need to develop their strategies, update compliance efforts, understand upcoming changes and begin to update processes to ensure they are fully prepared for the near future.
But how can an organization get started? Here are a few steps to consider.
Educate yourself on the intent and nuances of the ONC rule. The primary goal of the interoperability rule is to give patients greater access to their health information and allow them to share the data more easily with all providers. As electronic health record (EHR) vendors continue to develop their products to meet the updated requirements, more information than ever before will be available electronically both for patient use and for exchange. Factors that providers should be aware of include:
Future availability of free text notes in the patient portal as well as nearly all lab, radiology and pathology results. As EHR vendors develop and certify to the US Core Data for Interoperability requirements, patients will see additional data beyond the previously available CCDA information in their portal, including visit notes.
Patients will be able to seamlessly select independent apps to aggregate their own health records.
Ensure your practice understands how to handle requests for information in a timely manner. This includes requests by patients for their data as well as data requests by insurance companies, employers and consumer-facing apps. Develop a policy and train staff before the new Information Blocking deadline of April 5, 2021. Ensure you continue to follow HIPAA guidelines as well.
Practices will also need to regularly update clinician information in federal databases.
These suggestions merely scratch the surface of what the new rule requires. Providers should delve deeper and make sure they are moving towards compliance and not inadvertently standing in the way of information exchange.
Since the invention of the stethoscope, technology and innovation have been transforming how the healthcare industry delivers improved standards of care for individuals in every field of medicine. A more recent example of this is the widespread adoption of telehealth capabilities to bring care directly to patients no matter where they are.
This adoption trend has accelerated in response to COVID-19, when the use of telehealth technology skyrocketed with 48% of physicians meeting patients online in April. Since then, telehealth appointments have begun to level off and decline, but over the past year and the foreseeable future, telehealth and the delivery of care through screens and mobile devices will likely play a key role in the future of healthcare.
However, the increased use of telehealth creates additional risks stemming from increased data generation and data sharing such as video recordings, email exchanges between physicians and patients, and broader sharing of protected health information (PHI) between patients, providers and third-party organizations. This level of sharing increases the likelihood that data may become stored in an unsecured location. As for the healthcare providers and all other organizations that handle PHI, the challenge is now to get a better grasp on compliance, protect patient data and mitigate the risk of malicious actors or reputation damaging fines. Here’s how to do it:
Understanding the Rising Risk to Patient Data
The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 and has since served to give patients power over their health records and hold healthcare organizations and their partners accountable for safeguarding the PHI data of patients.
HIPAA generally applies to PHI in all forms, but the Security Rule applies specifically to electronic PHI (ePHI). And as telehealth becomes a new normal and the administrative workforce continues to work remotely, ePHI’s presence will proliferate making compliance an even more extensive task. Meaning that while telehealth offers many tangible benefits to patients and providers, it is also a double-edged sword that requires heightened attention not just now but at all times. Here are a few things to keep in mind:
The patient was prepped and ready on the operating table when the surgeon realized he only had a report of a CT scan and would need the actual images that were taken by another health system to successfully perform the procedure. Normally, this would either delay the surgery or tempt the doctors to try the procedure without all the relevant information.
Luckily for everyone involved, the hospital was a participant of a health information exchange (HIE). Within a few minutes, the surgeon had access to the necessary images through our secure portal and began a successful operation.
Interoperability is critical for planned and unplanned procedures. Today, COVID-19 patients often enter a hospital short of breath in desperate need of emergency attention – yet, as many hospitals work now, that patient is expected to produce their extensive medical record of allergies, conditions, medications, and previous operations while gasping for air.
Although medicine continues to greatly advance, most care providers still dwell in the world of dinosaurs: faxing, printing, burning CD-ROMs, and relying on the patient’s ability to produce medical histories.
A recent report by the National Academy of Medicine found that workflow and inadequate technology usability were major factors contributing to America’s alarming medical staff burnout rate. Customers who use modern network technology greatly benefit from seamless access to patient files that used to lie beyond their health system’s servers, easily communicating between other healthcare providers and patients themselves. Patient care is hard enough today without technical and communication failures.
covered entity and a business associate. It is a HIPAA law created to ensure that all of the HIPAA compliance risks (administrative, physical, and technical) are identified, and a roadmap is designed to plan the fixes necessary to resolve the issues found.
The risk assessment was not part of the original Health Insurance Portability and Accountability Act of 1996. Instead, it was first introduced in the 2003 Privacy Rule and Security Rule amendments and was then further expanded upon in the Final Omnibus Rule of 2013.
HIPAA legislation defines a Covered Entity (CE) as anyone that handles PHI during day-to-day business operations. Most businesses working in the healthcare industry are considered Covered Entities.
The U.S. Department of Health and Human Services (HHS) officially defines a CE as: healthcare providers such as doctors, dentists, nursing homes, and pharmacies; health insurance companies, HMOs, Medicare, and Medicaid; and clearinghouses.
A business associate is any third party business or organization that handles individually identifiable health data on behalf of a covered entity, and the risk assessment is often considered the starting point to achieve HIPAA compliance.
What is a risk assessment?
A risk assessment is commonly the first task undertaken when a covered entity and a business associate enter into a Business Associate Agreement (BAA). Its purpose is to identify the areas within the business that process, store, and transmit protected health information (PHI) and are therefore in scope for HIPAA compliance.
PHI is patient data that the law is meant to safeguard, such as data that can be used to identify an individual personally. Examples may include patient names, email addresses, social security numbers, insurance certificates, and so on.
It takes a pandemic to reveal how much digital technologies are ignored in the healthcare sector. The COVID-19 pandemic is dramatically transforming the healthcare sector and how professionals gather medical intelligence. Almost every physician worldwide has been part of a telemedicine movement to encourage patients to embrace safe and virtual appointments.
Consequently, preparing for a virtual appointment requires some getting used to. As a rule of thumb, patients can struggle to explain some of their symptoms, even in face-to-face interaction. That’s where real-time medical examination can help reduce misunderstandings.
In the virtual world, gathering evidence such as taking photos or filming a video that shows your symptoms and asking the right questions can guide the doctor to the appropriate diagnosis.
However, while we focus on making telehealth more accessible to patients, we also need to prepare doctors to make the most of it.
Find reliable HIPAA-compliant hosting
Gathering and storing digital data is not a novelty for healthcare centers. Nevertheless, keeping data storage HIPAA-compliant can become a challenge with the increased number of telehealth appointments. Protecting patients’ records in a fully digital world means relying on a highly secured data hosting strategy, as per Atlantic.net.
Contrary to common belief, there is no HIPAA hosting certification body that can verify the compliance claims of each provider. For healthcare centers that need to adapt to the growing telemedicine demand, the quest for a robust, reliable, and HIPAA-compliant hosting provider becomes tricky and expensive.
By Rahul Varshneya, founder and president, Arkenea.
Cloud computing has become the new watchword for healthcare organizations across the globe. The adoption of cloud technology has been escalating at a frenetic pace and, as recent research suggests, the global market for cloud technologies in the industry is expected to reach $35 billion by 2020.
The underlying reason behind the recent hype around this technology is simple. If healthcare institutions were plainly service providers before, today they are true technology organizations that depend on their IT departments for administrative, clinical, and financial purposes. And that’s not all. As new payment models are added to the equation and patient expectations change, technology has become vital to drive efficiency and improve patient care.
In this article, we’ll be looking at a few things that have been made possible in healthcare due to the rapid adoption of cloud technology.
1) Reduced Costs of Data Storage
On-premises healthcare data centers not only demand an investment in hardware ahead of time, but they also come with ongoing costs of maintaining physical spaces, servers, and cooling solutions among many other things.
“Cloud solutions are very beneficial from the standpoint that as you migrate data, you don’t need to maintain your own datasets which can be costly and expensive,” explains Forward Health Group CTO Jeff Thomas. “Maintaining datasets on-site can also be expensive in that it takes up real estate which can sometimes be used for something else.”
By managing the structure, harmonious functioning and maintenance of cloud storage services, cloud computing vendors can significantly aid organizations in lowering their data storage costs and enable them to concentrate their efforts on caring for their patients.
Healthcare organizations can also leverage custom cloud EMR or EHR software to fit the needs of their specific practice. That way, they get exactly what they’re looking for without having to dig a hole in their pockets.
The scale of the coronavirus pandemic is impacting every facet of daily life. As COVID-19 continues its global spread, authorities are restricting large gatherings of people and enforcing stay at home protocols. This crisis is forcing us to adapt to a “new normal,” and technology is taking center stage to help us through the transition.
In fact, as the popularity and usefulness of video delivery over the internet grows, reports reveal that live streaming has already attracted 47% more users than this time last year. Through the influx of telehealth, remote learning, remote video conferencing and canceled events, live streaming has become a versatile — and essential — tool that is changing the way we stay in contact with others, particularly in the age of social distancing.
Live streaming is gaining in popularity across many different industries. Until the advent of live streaming technologies, 911 operators only had one source of information to assess an emergency situation: the caller. Now, thanks to advances in live streaming technologies, 911 operators are empowered with unprecedented access to emergency situations via live video.
Carbyne, a technology company that delivers actionable data from connected mobile devices to emergency communications centers, uses live streaming to enhance critical response capabilities. Through the combination of real-time video and location data, Carbyne provides emergency personnel with a more accurate assessment of the scene before they arrive, reducing emergency response times by more than 60%.
While Carbyne’s technology has proven beneficial across the globe for several years, the COVID-19 pandemic has brought additional benefits to the technology. Carbyne is effectively able to remotely evaluate potential COVID-19 cases and forward potentially infected individuals to medical professionals via telehealth services while maintaining HIPAA compliance.
Additionally, the Carbyne platform has been used in some cities to help track COVID-19 cases, delivering a heat map that details coronavirus-related calls so the municipality can better allocate resources and prevent the disease from spreading. As one hotspot hit hard by the virus, New Orleans uses Carbyne’s COVID-19 service to manage emergency calls and help individuals who have contracted the virus contact telehealth professionals instead of flooding emergency rooms. Carbyne has been fielding 70% of the city’s emergency calls, a majority of which were related to COVID-19 symptoms.