Guest post by Lucy Doyle, Ph.D., vice president, data protection, information security and risk management, McKesson, and Karen Smith, J.D.,CHC, senior director, privacy and data protection, McKesson.
Today there are opportunities and initiatives to use big data to improve patient care, reduce costs and optimize performance, but there are challenges that must be met. Providers still have disparate systems, non-standard data, interoperability issues and legacy data silos, as well as the implementation of newer technologies. High data quality is critical, especially since the information may be used to support healthcare operations and patient care. The integration of privacy and security controls to support safe data handling practices is paramount.
Meeting these challenges will require continued implementation of data standards, processes, and policies across the industry. Data protection and accurate applications of de-identification methods are needed.
Empowering Data Through Proper De-Identification
Healthcare privacy and security professionals field requests to use patient data for a variety of use cases, including research, marketing, outcomes analysis and analytics for industry stakeholders. The HIPAA Privacy Rule established standards to protect individuals’ individually identifiable health information by requiring safeguards to shield the information and by setting limits and conditions on the uses and disclosures that may be made. It also provided two methods to de-identify data, providing a means to free valuable de-identified patient level information for a variety of important uses.
Depending on the methodology used and how it is applied, de-identification enables quality data that is highly useable, making it a valuable asset to the organization. One of the HIPAA- approved methods to de-identify data is the Safe Harbor Method. This method requires removal of 18 specified identifiers, protected health information, related to the individual or their relatives, employers or household members. The 18th element requires removal of any other unique characteristic or code that could lead to identifying an individual who is the subject of the information. To determine that the Safe Harbor criteria has been met, while appearing to be fairly straightforward and to be done properly, the process requires a thorough understanding of how to address certain components, which can be quite complex.
The second de-identification method is the expert method. This involves using a highly skilled specialist who utilizes statistical and scientific principles and methods to determine the risk of re-identification in rendering information not individually identifiable.
We need to encourage and support educational initiatives within our industry so more individuals become proficient in these complex techniques. At McKesson, we are educating our business units so employees can better understand and embrace de-identification and the value it can provide. This training gives them a basic understanding of how to identify and manage risks as well as how to ensure they are getting quality content.
Embracing Social Media and New and Improved Technologies
One of the challenges we face today in de-identifying data is adapting our mindset and methodologies to incorporate new emerging technologies and the adoption of social media. It is crucial to understand how the released data could potentially be exposed by being combined with other available data. New standards are needed.
While de-identifying data can be challenging and complex, the task is made easier when we remember and adhere to our core directive to safeguard data. With this in mind incorporating new technologies is part of an ongoing process of review.
When done properly, de-identification enables high quality, usable data, particularly when the expert method is used. De-identification should not be viewed as an obstacle to data usage, but rather as a powerful enabler that opens the door to a wealth of valuable information.
Guest post by Chris Strammiello, Vice President of Global Alliances & Strategic Marketing, Nuance.
The growing use of smart devices at the point of care exacerbates the dual, yet contradictory, challenges confronting hospital IT directors and compliance officers: Making patients’ health information easier to access and share, while at the same time keeping it more secure.
A major problem is that there are just too many touch points that can create risk when sharing protected health information (PHI) inside and outside of the hospital. In addition to securing communications on cell phones, tablets and laptops, these tools can send output to smart multi-function printers (MFPs) that not only print, but allow walk-up users to copy, scan, fax and email documents. This functionality is why the Office of the National Coordinator for Health Information Technology now defines MFPs as workstations where PHI must be protected. These protections need to include administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.
Accurate, Effective and Secure Use of Patient Information at Point of Care
Hospitals need to adopt an approach that automatically provides security and control at the smart MFP from which patient information is shared and distributed. This approach must also support the use of mobile computing technologies, which are helping to bring access to patient information and electronic health records (EHR) to the point of care. Advanced secure information technology and output management solutions can help hospitals protect patient health information as part of achieving HIPAA-compliant use of PHI with software by adding a layer of automated security and control to both electronic and paper-based processes. These solutions can minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and help hospitals avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.
With this approach, vulnerabilities with capturing and sharing PHI are reduced with a process that ensures:
Authorization — only authorized staff can access specific devices, network applications and resources with password or smartcard based authentication. Network authentication is seamlessly integrated with the document workflow and to ensure optimal auditing and security, the documents containing PHI are captured and routed to various destinations such as email, folders, fax and EHR systems.
Authentication — user credentials must be verified at the device, by PIN/PIC code, proximity (ID), or by swiping a smart card access documents containing PHI. Once authenticated, the solution controls what users can and cannot do. It enables or restricts email or faxing and prohibits documents with PHI from being printed, faxed or emailed.
Encryption — communications between smart MFP’s and mobile terminals, the server and destinations, such as the EHR, are encrypted to ensure documents are only visible to those with proper authorization.
File destination control — simultaneously monitors and audits the patient information in documents, ensuring PHI is controlled before it is ever gets to its intended destination.
Content filtering — automatically enforces security policies to proactively prevent PHI from leaving the hospital by filtering outbound communications and intercepting documents – rendering misdirected or intercepted information unreadable to unauthorized users.
Electronic protected health information (ePHI) is patient information that is protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA compliance is a complex and confusing topic, and it only gets more daunting when it comes to communication between providers and patients. If you are sending protected health information over email as a healthcare organization or a healthcare organization’s business associate, HIPAA compliance applies to you. With fines for breaches that can land upwards of a million dollars, it’s a subject that is not to be taken lightly by any organization. Let’s take a moment to settle the score on the myths and facts revolving around ePHI and HIPAA-compliant emails.
Myth: All email is HIPAA-compliant
This is a dangerously false assumption. It may come as a surprise that most free email services are not HIPAA-compliant. This includes big players such as Yahoo!, Gmail, and Hotmail. No, ePHI should never be sent through these systems. If you must send ePHI to run your business, seek out an email provider that specializes in HIPAA compliance and is specifically geared towards protecting you and the patient data that flows through your organization.
Myth: My business is too small to worry about HIPAA
Practices and organizations of all sizes get hit with HIPAA violation fines – no one is exempt. HIPAA regulations apply across the board, regardless of the size of your business. Penalties for not being compliant can range from a simple slap on the wrist to a fine of $100 per email that contains ePHI sent through an unencrypted avenue. HIPAA compliance is everyone’s responsibility, and no business is too small to suffer a surprise audit that results in business-crushing fines. Protect yourself up-front by adhering to HIPAA guidelines, and you won’t find your business under the gun for non-compliance.
Myth: Any email with PHI must have encryption
If emails are sent in-office over a secure network, encryption over e-mail is not necessary. But once that email is sent out of the office over a wide area network, or through the internet, encryption is a must.
Myth: The recipient must have encrypted email
The majority of patients use a free, non-encrypted email host. According to the HIPAA Omnibus Rule, patients have the right to request that their ePHI be sent to them via an unsecured email system. Many secure email systems can send secure messages to people without secure email – and that can be okay. But it’s important to document that request from the patient and also to inform them that when using unsecured email and waiving their right to receive their ePHI privately, they inherit the risk of a potential security breach. Documentation protects you from future accusations of negligence.
Last fall, the provisions governing Business Associate Agreements under the HITECH law went into effect. Many covered entities used templates and models offered by professional societies and the Department of Health and Human Services, but it’s becoming increasingly clear that the “model” agreements were simply a stopgap measure, and that organizations that use BAAs need to conduct ongoing reviews of the documents and customize the language to meet the individual needs of their company.
The need for ongoing reviews to business associate agreements stems from an increased focus on compliance, and audits from the Office of Civil Rights (OCR) in DHHS. In the past, HIPAA compliance audits were limited to specifically covered entities, such as doctors’ offices and hospitals. Using HIPPA-compliant providers like healthcare fax companies to transmit protected data on their encrypted servers has been the best way for health care professionals to avoid audit issues.
However, the provisions of HITECH allow for audits of subcontractors as well, ensuring that they too are complying with the privacy and security policies of the act. Essentially, then, a business associate agreement serves as an agreement by the subcontractor that it will adhere to the rules and standards of HIPAA — and they understand the consequences of noncompliance.
Some argue that the notion of business associate agreements is outdated, given that HITECH holds all subcontractors who have access to HIPAA-protected data to the same privacy and security standards as the covered entity itself, even without the written agreement. The law still states, though, that covered entities must negotiate and maintain compliant BAAs with the companies that have access to their data — even those that may not directly have access to the data.
The simple fact that the OCR is conducting audits of business associate agreements and the companies covered by the agreements, highlights the importance of maintaining up-to-date and comprehensive agreements — meaning that the “boilerplate” agreement that you signed to meet the basic compliance standards may not be enough at this point.
Considerations for Review
Since it’s been a year since the new provisions went into effect, it’s very likely that your BAAs are reasonably up-to-date, and in compliance with the laws. That being said, if you used a template, or you only made minor changes to existing agreements, it’s best to review the agreements you have on file to ensure they comply with current law.
Many experts agree that BAAs should be reviewed at least once a year or more often if they expire, or if there are significant changes to the business relationship.
When reviewing your business associate agreements, there are a few key points to pay close attention to:
Today’s physicians face an increasing array of non-clinical demands on their time, from filling out paperwork to sorting through insurance denials. As a result, the amount of time doctors have to actually see patients has been reduced.
The combination of decreasing number of physicians, increasing demand for quality care, and rising costs of healthcare has created a challenging environment for both patients and healthcare professionals.
Nearly all of us have experienced long wait times at a physician’s office, often for minor ailments or routine follow-ups. These lengthy wait times are causing more and more patients to skip follow-up visits or turn to unreliable online medical services and websites for information. This not only erodes the doctor-patient relationship, but it puts patient health at risk. Furthermore, the information is not properly shared with the patient’s actual physician.
Today’s ultra-connected world has a solution that can bring the doctor-patient relationship into the 21st century: telemedicine.
Telemedicine is a suite of technology solutions that enables doctors to communicate with and treat patients via text, video and audio – and it can be used by physicians, nurses, office staff, any healthcare professional and, of course, patients. Telemedicine allows physicians to provide more convenient, real-time interactions with their own patients, for triaging acute issues and for quick follow up visits that can save the entire health system time and money.
And it’s far from the latest medical fad. Telemedicine is already one of the fastest growing segments in healthcare. According to the American Telemedicine Association, half of all U.S. hospitals now use some form of telemedicine. Similarly, Health Affairs has predicted an increase in domestic telehealth revenue by almost 20 percent per year, to $1.9 billion by 2018.
Connecting to patients, anywhere and anytime
Clearly, these solutions have ushered in a new age of medicine. Technology can also provide real-time data on patient vital signs, blood sugars and other information to improve the monitoring of chronic conditions, reducing readmission rates and keeping our patients healthier outside of the hospital.
Factors fueling the growth of telemedicine are as follows: a shortage of physicians in rural and remote areas, the high prevalence of chronic diseases, growing elderly populations, increasing numbers of smartphone users and the need for improved quality of care.
Telemedicine solutions fall into two broad categories: remote patient monitoring and online/digital communications. Remote patient monitoring links home healthcare equipment (heart monitors, dialysis equipment, etc.) to the internet and then securely reports patient data back to a healthcare provider.
Guest post by Ali Din, senior vice president, dinCloud.
With support having ended for Windows Server 2003, many organizations are left asking how to proceed with the soon-to-be obsolete server operating system. For organizations held to regulatory compliance standards, this question holds additional complexity. One of the industries undoubtedly scratching its proverbial head this week as support ends is healthcare.
Over the past few years, HIPAA, the Health Insurance Portability and Accountability Act of 1996, and HITECH, The Health Information Technology for Economic and Clinical Health Act, have largely determined the trajectory of IT and operations in healthcare. Perhaps most notably, HIPAA has helped govern patient security as healthcare institutions were incentivized to migrate health records to an electronic format through meaningful use. As EHRs, cloud and mobility solutions abounded, HIPAA guidelines dictated privacy and security standards for the industry. Today, many healthcare organizations are faced with a similar transition. Like all organizations, healthcare institutions have the option to migrate their servers to a supported operating system, which typically includes a corresponding hardware upgrade. Alternatively, they can migrate these workloads to the cloud. However, as reported by the Wall Street Journal, “analysts say that the technology [Windows Server 2003] is more prevalent in healthcare, utilities and government,” demonstrating that inaction seems to be more prevalent in the healthcare sector than one would think.
Those who have not yet migrated from Windows Server 2003 will be exposed to significant security risk and may compromise HIPAA compliance, as it is unlikely the operating system will remain a HIPAA supported platform.
The implications of not migrating extend beyond just the affected server. One unpatched vulnerability can compromise an organization’s entire infrastructure.
End of support means that Microsoft will no longer issue patches and security updates for Windows Serer 2003, and the resulting security risk is so severe, US-CERT, a branch of the Department of Homeland Security, issued a security alert warning of the “impact” of end of support. The alert states, “organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements while running Windows Server 2003.”
Like the security risk, cost for extended support will also compound for healthcare organizations. Microsoft is charging $600 per server for the service, which will quickly add up.
With the risk and cost associated with not migrating, why are so many healthcare organizations approaching the deadline with no foreseeable migration plan? Like many goings-on in the industry, it’s complicated.
One factor is that some mission critical applications may not transition to a supported platform. That leaves IT administrators choosing between migration and applications that, in some cases, may be in daily use by their workforce.
And, finally, if it ain’t broke (yet), don’t fix it. Like many industries, healthcare organizations are often seeing heightened demand placed on smaller teams, which doesn’t leave ample time for proactivity. In these scenarios, migration planning may not have been prioritized with budget or resource allocation.
However, with end of support approaching in just a few days, regardless of the reason why these organizations didn’t migrate, they will soon be faced with the consequences.
Guest post by Amit Cohen, co-founder and CEO, FortyCloud.
Remote access is changing the practice of medicine – from data collected remotely from newly developed telemedicine devices, to surgery conducted by a surgeon in an offsite location. A smartphone application, currently in development, is set to monitor a user’s voice to detect mood changes for individuals with bipolar disorder. Devices and applications such as these not only improve the quality of care available to patients across the globe, their use also results in exponential growth in the sources and volumes of data. These cutting-edge technologies present new challenges for IT professionals who are responsible for ensuring high availability (always-accessible data), scalability and flexibility for their healthcare organizations.
To enable scalable, high performance from at lower costs, even from remote locations, healthcare and pharmaceutical IT have adopted the cloud. Since cloud data centers can be diversified across the globe, cloud computing provides quick access to globally diverse users.
The cloud also offers the scalability to handle the massive influx of new data generated by new health care applications expected from the implementation of the U.S. Patient Protection and Affordable Care Act (PPACA). The U.S. Department of Health and Human Services (HHS) Stage 3 Proposed Rule, is also likely to result in additional volumes of digital data. This Rule seeks to align the EHR Incentive Programs with other CMS quality reporting programs that use certified EHR technology to promote improved patient outcomes and health.
Therefore, it is not surprising that healthcare cloud computing is forecasted to grow to $9.48 billion by 2020, according a recent study; an impressive increase from the current, 2015 market value of $3.73 billion.
Technology and healthcare have never been more dependent on each other and
ensuring your data is stored on HIPAA-compliant storage systems can be a
challenge. InfoTech Healthcare attempts to take this burden off the healthcare
facilities and provides customers with mobile storage platform to store data from X-rays to office documents. How many times do users email documents back and forth to share information and it not be encrypted? InfoTech Healthcare’s goal is to provide healthcare customers with a worry free solution that requires zero administration action from
the customer while providing information quickly to users no matter the location.
InfoTech Healthcare makes it easy for healthcare organizations to share and store information on a highly secure HIPAA-compliant system that requires not administrative effort by the customer. InfoTech Healthcare provides the tools for users to operate with unlimited storage and share information
with other authorized staff quickly. The InfoTech Healthcare storage app is available for Windows, MAC, iPhone, iPad and Android to keep users connected from any location.
Healthcare providers count on storing their office and patient information in a safe and easy to use location. InfoTech Healthcare ensures that healthcare providers have an easy to use system that meets all the security
requirements of the industry. Our team manages all the backend requirements so healthcare providers can focus on using the system and not managing it. Highly detailed auditing is automatically turned on so that data can be reviewed by managed if ever needed. Our systems can be configured so that our support staff can retrieve information deleted from the system by any user. This prevents unauthorized data destruction and ensuring your organization is compliant with record management. Providing multiple layers of granular security, information can be restricted to seven levels of access ranging from ownership to denied access.
John Penland is the CEO and founder of InfoTech Healthcare. John’s passion for cloud solutions started out of college when working with other healthcare software companies. To be successful, John realized that customers needed a safe and reliable service backed by outstanding customer support and education. John developed key partnerships with other vendors in the market to deliver customers a great set of services for healthcare providers that met all compliance regulations for HIPAA storage. InfoTech Healthcare storage systems are designed to lead the way in cloud storage for healthcare and other business organizations.
In January of this year, Anthem, Inc. a managed care provider, learned of a cyber attack to their IT system. This attack, which occurred over several weeks beginning in December, 2014, compromised the identities over 80 million customers. The breach, in which the healthcare information of millions were compromised, constitutes a serious HIPAA violation, exposing the provider to potentially devastating legal liability.
Unfortunately, this sort of breach perpetrated against healthcare providers is becoming ever more common. The Ponemon Institute, along with ID Experts, issued a report in May this year that showcased healthcare data breaches. The Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data calculates a 125 percent growth in healthcare cyber attacks over the past five years. Although employee negligence and lost or stolen devices still result in many data breaches, a shift is occurring from accidental loss to intentional targeting of data that reveals individuals’ names, Social Security numbers, and other personal information.
The reason that healthcare providers are being targeted is that the information they maintain to provide care for their patients is often substantial enough that cyber criminals can use the data from a single healthcare provider to engage in identity theft. Moreover, cyber criminals target healthcare data because they recognize that many healthcare facilities, including insurance companies, don’t have the resources or technologies to prevent or to detect attacks.
Anthem is a large corporate entity that can afford and use the technology required to protect HIPAA sensitive data, and yet the breach still occurred. What can other healthcare businesses do to prevent or detect a cyber attack on HIPAA sensitive data?
Meeting Standards, Avoiding Fines
The growing use of electronic health records and electronic protected health information (ePHI) accounts for the need to protect information contained in these records. But while these records are often well secured, an often overlooked vulnerability point is credit card processing. Payment Card Industry Data Security Standard (PCI DSS) and HIPAA rules require entities to maintain reasonable and appropriate safeguards for protecting credit card payments. What this actually translates into actionable steps, however, is less clear. To that end, here are four rules to follow when accepting credit card payments to ensure that you’re meeting HIPAA/PCI mandated or suggested compliance guidelines:
At HIMSS this year, multiple speakers laid out visions for a future where parents could consult with a pediatrician via a telemedicine encounter during the middle of the night, take their children to receive immunization shots at a retail clinic, and have all of this information aggregated in their primary care provider’s record so that providing an up to date immunization record at the start of the next school year is as simple as logging into the PCP’s patient portal and printing out the immunization record. In short, multiple speakers presented visions of a truly interoperable future where patient information is exchanged seamlessly between providers, healthcare applications on smartphones, and insurers.
While initiatives such as the CommonWell Health Alliance, Epic’s Care Everywhere, and regional health information exchanges attempt to address the interoperability challenge, these fall short of fully supporting the future vision described above. Today’s solutions do not address smartphone applications and still require manual intervention to ensure that suggested record matches truly belong to the same patient before the records are linked. This process is costly but manageable in an environment where a low volume of patient records are matched between large provider organizations. In a future world where patient data is available from a multitude of websites, smartphone applications and traditional healthcare organizations, it would be cost prohibitive to manually review and verify all potential record matches.
Of course, one solution to this dilemma would be to improve patient matching algorithms and no longer require manual review of records before they are linked. However, for this to be possible, a standard set of data attributes would need to be captured by any application that would use or generate patient data. In a 2014 industry report to the Office of the National Coordinator for Health Information Technology, first name, last name, middle name, suffix, date of birth, current address, historical address, current phone number, historical phone number, and gender were identified as data attributes that should be standardized. Many of the suggestions in this report were incorporated into the Shared Nationwide Interoperability Roadmap that the ONC released in January 2015.