Tag: HIPAA

Patient Portals: Security Concern or Effective Tool?

Martin Edwards

Guest post by Martin Edwards, MS, CHC, CHPC, compliance officer, Dell Healthcare.

Patient portals offer an unprecedented opportunity to engage consumers, provide a customized care experience and potentially change behavior. Yet they also introduce new security concerns for both patients and providers.

A question we often hear from healthcare providers regarding security is: How much protection against negligence does meeting the HIPAA requirements really provide? That question is particularly germane to patient portals, which create an additional entry point and more risk to the security of protected health information (PHI). The laws and regulations in these cases can be confusing.

Fortunately for providers, “safe harbor” is offered in those cases where the provider can prove that they have properly encrypted all devices that contain PHI. Under the HIPAA security rule, as long as PHI is encrypted according to National Institute for Standards and Technology (NIST) guidelines, it is no longer considered “unsecured” and providers are effectively exempt from improper disclosure being considered a “breach.” Thus, the HIPAA breach notification rule doesn’t apply, and, by extension, the provider can avoid potential fines from the Office for Civil Rights (OCR). Since most breaches of PHI reported to the U.S. Department of Health and Human Services (HHS) to date have related to the theft or loss of unencrypted mobile devices, encrypting the data is a primary defense against data loss and against the consequences of improper disclosure.

While patient portals add risk, they also confer many benefits to healthcare organizations, including enhanced patient-provider communication and empowerment of patients. Some studies have found that portals can also enable better outcomes for patients. These benefits are behind the HIPAA privacy rule’s “right of access,” which allows individuals to examine and obtain a copy of their PHI. Meaningful use requirements also require eligible professionals to exchange secure emails with at least 5 percent of their unique patients. Since portals are an ideal way to meet this requirement, organizations seeking to comply with Stage 2 criteria have an incentive to adopt them.


Health IT Startup: Prime

Tyler Hayes, founder and CEO, Prime

Prime allows users a way to make sure their friends, family and emergency contacts have access to their health by granting them full access at every hospital they visit. With Prime, users can stop worrying about keeping everyone up to date, and “tell the people that need to know, what they need to know.” Verifying that all HIPAA requirements are met, Prime secures information with bank-level security: All information is protected by state-of-the-art encryption. Access to the information is always monitored, and every member of the Prime team has been fully HIPAA trained.

Elevator pitch

Prime’s free mobile app helps patients aggregate their healthcare information from multiple sources into a single view on the go. Prime helps patients and their loved ones achieve a better healthcare experience by putting all their health information in one place.

Product/service description

Prime empowers people to take control of their personal health records on the go. Users can apply information from multiple sources into a single view, giving them complete access to important data. The end result is that individuals and their loved ones achieve a better healthcare experience. Prime is a free, HIPAA-compliant mobile app available for download in the Apple App Store. The company launched out of Techstars in 2014. We have helped users connect to more than 50,000 personal health records.


Five Tips to Prevent PHI Breaches From Becoming Your Business’ Achilles Heel

Jay Atkinson

Guest post by Jay Atkinson, CEO, AIS Network.

The recent theft of 4.5 million medical records by Chinese hackers coupled with the news that as-yet unidentified hackers were able to penetrate the U.S. government’s health care portal have ignited consumer concerns about the safety of health care records – and rightly so.  No patient should have to worry that his or her protected health information (PHI) may fall into the hands of thieves.

The medical industry experiences more security breaches than any other U.S. industry today, serving to undermine public confidence in electronic health records and the industry at large. Last year alone, more than 7 million patient health records were breached, up 138 percent over the previous year, according to a February report by IT security consultant Redspin. Theft or loss of unencrypted portable computing devices (i.e., laptops) or digital media containing PHI was the leading cause of PHI data breach, impacting 83 percent of records breached. Unauthorized access and hacking incidents impacted less than 7 percent of records breached.

It’s reassuring to see the industry break new ground in studying security flaws and addressing vulnerabilities.  For example, the Health Information Trust Alliance (HITRUST) teamed with the Department of Health and Human Services (DHHS) last spring to lead CyberRX, a series of no cost, industry-wide exercises designed to simulate cyber attacks on participating health care organizations and help them identify weaknesses in preparedness. Two important findings emerged:


HIMSS Infographic: 25 Years of Health IT

HIMSS released the following infographic that summarizes the findings of 25 years of health IT from its annual leadership surveys. It’s a pretty good depiction of how health IT has changed in the last quarter century. Looking back on the past twenty-five years in healthcare, some things are fairly interesting. For example, physicians in 1993 said they would not adopt their use in healthcare until they became easier to use. The sentiment still remains, to a certain degree, especially in regard to systems like electronic health records.

Another interesting factoid is that in 1994, 14 percent predicted that digital patient information would be shared nationwide in one to three years.

Finally, the number of health IT priorities that has changed in the course of the last 25 years is either alarming or inspiring, based on the level of change in the space and how quickly things continue to change. However, the number of changes and their frequency remind me of a dog on a trail stalking down one scent after another without a real sense of purpose – Y2K, HIPAA, patient safety, reducing medical errors, financial survival, meaningful use, etc.

Time will tell what happens next, I suppose.

http://himssblog.files.wordpress.com/2014/09/himss-timeline-survey1.jpg

Could Privacy and Security Concerns Cloud the Future for EHR and HIE?

Stephen Cobb

By Stephen Cobb, senior researcher, ESET North America.

The benefits of making health records available electronically would seem to be obvious. For a start, faster access to more accurate patient information – which is one of the promises of EHRs (electronic health records) and HIEs (health information exchanges) – could save lives. The author of a recent report on the many thousands of lethal “patient adverse events” that occur in America every year, Dr. John T. James, pointed to “more accurate and streamlined medical recordkeeping” as a top priority in the effort to reduce these deadly medical errors. Yet headlines about healthcare facilities exposing confidential patient data to potential abuse have been all over the media this year. So, will security issues and privacy concerns stymie EHR adoption or slow down HIE rollouts?

Today, more than half of all Americans probably have at least some part of their medical record stored on computer. In January, the CDC reported that roughly four out of five office-based physicians are now using some type of EHR system, up from one in five in 2001. A few months later, in a Harris poll sponsored by ESET, only 17 percent of adult Americans said that, to their knowledge, their health records were not in electronic format.

During that same survey of 1,734 American adults, we asked “are you concerned about the security and privacy of your electronic patient health records” and 40 percent said they were. Slightly more of them, 43 percent, said they were not. However, if we take out the 17 percent whose records were not in electronic format, the “concerned or not?” question breaks down as 48 percent Yes, versus 50 percent No, a statistical tie.


Healthcare Big Data Defined: Improving Care, Coordination and Coding

Lance Speck

Lance Speck, general manager of Actian cloud and healthcare, speaks here about healthcare big data and how it can be used in healthcare to improve processes from care coordination to coding for ICD-10. In his day job, he is focused on delivering healthcare solutions to help payers and providers address an estimated $450 billion annual opportunity created through data analytics, ranging from fraud analytics to patient re-admission reduction to staff optimization to accountable care reporting and clinical auto-coding. For more than 20 years, Lance has served in a variety of management, sales and product roles in the software industry including a decade focused on SaaS, cloud and healthcare.

How can big data analytics improve patient care?

According to a recent PwC survey, 95 percent of healthcare CEOs are exploring better ways of using and managing big data; however, only 36 percent have made any headway in getting to grips with big data.  All agree that big data analytics has the potential to improve the quality and cost of care, but many are still struggling with finding the right ways to infuse analytics into everyday operations. Assuming they realize that they already have access to the data, what do they do with it? What are the areas that will have the biggest impact? Where do they start?

Start with the basics. Organizations should focus on infusing big data analytics where a big impact can be recognized. They should ask themselves:

Very early in the process, organizations should address how they plan to incorporate big data into the everyday workflow of clinicians, financial staff and other healthcare stakeholders for organizations to:

How can healthcare providers transition to ICD-10 as simply as possible?


HIPAA and Encryption Lower the Cost of Healthcare

Gilad Parann-Nissany

Guest post by Gilad Parann-Nissany, founder and CEO, Porticor Cloud Security.

Add to the list of known certainties: death, taxes, and the need to lower the cost of healthcare.

Neither HIPAA standards nor encryption were created with the purpose of lowering the cost of healthcare, but neither was penicillin originally purposed as an antibiotic. Both are welcome side effects in the world of medicine.

Cloud Computing and Healthcare

Healthcare and medical companies are migrating to cloud computing in record numbers. The cloud offers flexibility and scalability to manage ever-growing databases of patient records. At the same time, it offers mobility to enable care providers to access patient information remotely and shareability to share data with colleagues, specialists, and labs. The cloud, perhaps most importantly, enables cost reduction on several levels.

Now, HIPAA omnibus and the American Recovery and Reinvestment Act (ARRA) requirements stipulate everyone in the healthcare industry begin migrating patient records and other data to cloud computing. Essentially, by 2015, all medical professionals with access to patient records must utilize electronic medical and health records (EMR and EHR), or face penalties.


The Future of Health IT: A “Dawning” of Dynamic Proportions

Brandee Norris

Guest post by Brandee Norris, assistant professor healthcare administration and management school of business and technology, Trevecca Nazarene University.

The health information technology (HIT) industry is on the verge of a dramatic dawning. As more healthcare organizations transition to paperless systems and to meaningful use of a certified electronic health record (EHR), the need to ensure the safety and integrity of healthcare data and to eliminate the risk of health IT breaches increases. In the past five years, the Department of Health and Human Services reported more than 800 breaches of healthcare patient data, breaches that affected more than 30 million patients. Breaches in electronic healthcare data cause serious negative outcomes for patients, stakeholders, and organizations—both public and private—and result in millions of dollars in fines and losses.

As the use of HIT systems increases within the healthcare industry, hospitals and providers of private practices are seeking effective methods to enhance data storage and streamline access to patient information without jeopardizing the privacy of the data. A possible solution to this problem is the transference of protected health information from a local system’s network to a cloud-based electronic medical records (EMR) service. Cloud computing may be categorized as private or public. Based on HIPAA regulations, professionals in the healthcare industry continue to dispute the legitimacy of public cloud computing and compliance with specific requirements of the HIPAA.

Contrary to provisions mandated by HIPAA, cloud-based platforms could accommodate the growing needs of healthcare organizations and provide flexibility to adapt to frequent changes, while providing significant cost savings. The primary objectives of using any variation of a cloud-based program are efficient leveraging of healthcare information, enhancement of patient experience, versatility for providers, and improved clinical outcomes. Cloud-based programs permit 24-hour patient access to electronic records.

Consumers in the 21st century prefer convenient methods to access healthcare services and manage personal information. Consequently, healthcare organizations have adopted patient-centered models to deliver health care and increase provider-patient communication. In addition, cloud-based platforms can facilitate the use of mobile devices, such as smartphones and iPads, allowing patients and providers to access health software applications. The number of healthcare consumers using smartphones to access health information soared from more than 60 million to more than 70 million in the last two years. Anderson projects an estimated 20 percent annual increase of software application sales during the next five years.

Healthcare providers have suggested that significant benefits could occur for patients using mobile software applications to monitor their health status. Currently, numerous types of health software applications exist that are free or obtainable at a reasonable fee. Last year, healthcare providers used health software applications for obtaining diagnostic test results, sending alerts for patients to self-medicate, tracking and monitoring levels of chronic pain, and storing vital signs and emergency contact information. Consumers should be aware that a compatible operating system and adequate storage space are required to download health software applications to a mobile device.
