TRANSCRIPT
The Patient Portal Ecosystem: Engaging Patients while Protecting Privacy and Security
NCHICA 11th Academic Medical Center Security & Privacy Conference,
June 22-24, 2015
Panel Leader: Amy Leopard, JD (Bradley Arant Boult Cummings)
Panelists: Patricia Corn (Wake Forest Baptist Health), Becky Tate (MEDHOST)
Agenda
Overview of uses of Portals and PHRs
Review state and federal laws and regulations
Consider practical issues providers must manage:
– Email sharing among patients
– Allowing API for “view, download, transmit”
– Patient managed access
– Managing patient directed disclosures (third parties)
– Patients managing information from multiple vendors
– Authorization process
– Patients managing proxy access for others
– Amendment of PHI
Overview of Portals and PHRs
Consumer Driven Healthcare Movement
[Diagram of the consumer driven healthcare movement: Consumer, Hospitals, Physicians, Payer, HSA, Rx]
Patient empowerment and Consumerism
[Chart: 2009 HDM poll of 137 respondents on patient empowerment and consumerism; response options “Overblown trend”, “Real, we're gearing up”, “Issues we need to pay attention to”; scale 0 to 50]
Goals of a PHR – Patient Perspective
Easily manage access
Organize health information from disparate providers in a single location
Tools that support wellness and self-management
Manage data sharing with health care providers
Desire ease of use
Automation – manual entry of information is error-prone and time consuming
Goals of a PHR - Provider Perspective
Tools to better manage health
Analytics to monitor treatment
Continuity of care and accessibility of data for paper-based system
Tools promoting patient engagement
Uses for PHRs:
Store health information
Health risk assessment profile
Targeted educational modules
Clinical decision support for patient self-management of health risks
Provider interaction for appointment and Rx refills
Patient monitoring from medical device interface
PHR Data Set
Name, demographics
Family History
Immunizations
Recent encounters
Hospitalizations, surgeries, procedures
Medical and wellness device results
Medication List
Lab, Pharmacy, Ancillary
Health risk assessment
Medical Power of Attorney
Claims data and benefit coverage
Progress Notes
Different PHR Models
Provider Patient Portal – Most common form of personal health record
Health Plan Consumer Portal – United, Shared Health, AHIP and BCBSA
Health Information Trust Custodian – eHealth Trust™ Model
Employer consortium for data repository on member employees – Dossia
Private label PHR for employers and health plans – WebMD license
Patient Risks
Risks of View – public computer, logoff
Risks of Download – authentication; notice that patient has responsibility to protect
Risks of transmitting health information
Identity proofing and authentication of patients, personal representatives, other family, friends
HIT Policy Committee Privacy and Security Workgroup
Regulatory Environment and PHRs
Which Federal Agency Should Enforce Privacy /Security Laws Against Vendors? . . .
HITECH and ARRA Drivers
Meaningful Use: view online, download, transmit PHI
HITECH e-Copy Rights:
– Any provider or health plan, digital format
– Forward to designate at labor cost
Significantly expand access and PHI transmission to:
– HIE
– PHR Vendors
– Application Developers
– Competitors
Covered Entity under HIPAA?
Providers filing claims electronically.
Hospitals, physician groups, nursing homes, labs, pharmacies, doctors, nurses, dentists, psychotherapists
Plans or Payors. MMO, Cigna, United Health Care, Anthem, Aetna
Employer > 50 with self funding
Clearinghouses standardizing PHI for others such as most billing services like WebMD Envoy® .
Business Associates – Who create or receive PHI in order to perform function on behalf of Covered Entity – now subject to certain HIPAA Privacy and Security provision under HITECH
HIPAA Business Associates Definition
HITECH definition of BA includes:
– Vendors contracting with CE to allow CE to offer patients PHR as part of its EHR
– Organizations transmitting PHI data to a CE or its BA and requiring access to the PHI on routine basis: HIE Organization, RHIO, e-prescribing gateway
PHR Vendors are not regulated directly by HIPAA unless BA above, but could be regulated by HITECH . . .
Data Flow is a Critical Regulatory Issue
PHR = electronic record of individual health information drawn from multiple sources and managed, shared, and controlled by or for individual
PHR Business Associate: vendor contracting with CE to allow CE to offer patients a portal or a PHR as part of its EHR
PHR Vendor: entity, other than a CE, that offers or maintains a PHR directly with individual
[Diagram: flow of personal health data; is the PHR tethered?]
Check Data Flow and Covered Entity Status!!
– Data from individuals to covered entities = PHI
• Permissible uses and disclosures or HIPAA authorization
• Marketing Rules
• Sale of PHI
– PHI may also be regulated by FTC
Consumer Directly Supplies Health Information to Non-Covered Entities
HIPAA does not apply to PHRs offered by employers or by PHR vendors directly to consumers. FTC regulates PHR Vendors as well as compliance with privacy policies of entity offering PHR (see ONC Model PHR Notice).
Medicare and Medicaid EHR ‘Meaningful Use’
To be eligible for Medicare/Medicaid incentives, providers must demonstrate:
– Certified EHR provides for electronic exchange of health information to improve quality of care
– EHR Measures and Objectives for “Meaningful Use” enable patients to “view, download and transmit” their health information
ONC being urged to consider connection to PHR
– NCVHS health plan testimony: QI, disease mgt, and care coordination support portability of data in PHRs to aid transition to meaningful use of EHRs.
Meaningful Use Stage 3 NPRM
Allowing API for “view, download, transmit”
HIT Policy Committee Privacy and Security Workgroup studying Privacy and Security Issues Related to Increasing Patient Access to Data through either VDT Technologies or open APIs
Increasing number of APIs connecting EHR
HITECH digital rights . . .
Right to Access PHI in Electronic Format – patients may:
– request copy of EHR in electronic format maintained by CE
– instruct CE to forward EHR to any designated person at entity’s labor cost only
Significantly expand patient access to electronic formats and increase PHI transmission to others – PHR vendors, health record data banks and HIE/RHIOs.
Who “owns” data? More importantly, who has right to access and control data?
FTC Regulation and Exercise of Enforcement Authority Under FTC Act §5
Section 5 of the FTC Act: “Unfair and Deceptive” Acts or Practices
Deceptive:
– Not implementing stated privacy policies
– Misrepresenting the extent to which privacy and security of information collected is used, maintained, and protected
Unfair:
– Alleged failure to implement reasonable and appropriate security measures (or to ensure service providers did so)
– BUT HIPAA MAY NOT BE THE STANDARD!!!!
FTC PHR Breach Notice Rule – for Non-HIPAA CEs and BAs
PHR Vendors (200)
– “entity, other than HIPAA-CE or BA of HIPAA-CE, that offers or maintains a PHR”
PHR Related Entities (500) – non-covered entities or BAs that:
– offer products or services via website of PHR vendor or of CEs offering PHRs
– access PHR information or send info to PHR
3rd Party Service Providers to PHR Entities (200)
– Provide services to above PHR Entities and, as a result,
– Access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose unsecured PHR IHI
Other Legal Considerations – Contractual Obligations
Contracts – ownership generally governed by contract, but legal ownership may be secondary to concerns over uses and disclosures of copies of the data
Documentation:
– Consent
– Enrollment and verification
– Patient EULAs
Terms and Conditions:
– Privacy and Security
– Ownership of data
– Uses and disclosures
– Warnings re: urgent and emergent care
– Disclaimers and Limits of Liabilities
Other Legal Considerations – State Laws
State Law Issues
• “Personal Data”
• Sensitive information
• Consumer Protection Laws
• Consent issues
• Proxies
• Minors
• Malpractice
• Constitutional Right to Privacy
Other Legal Considerations: Secondary Uses
Threshold issue: provide transparency to consumers via disclosure of secondary uses and safeguards
– De-identified data
– Authorization from Individual
– Limited Data Sets for research, public health or QI
– Population-based activities to improve health or reduce healthcare costs
Risks with De-identified Data
PHRs – Practical Considerations
Practical Considerations
Educating patients about their role in protecting their health information
Patient managed access
– Patient education (staff support)
– Patient identity validation
Shared Emails
– Proxy access management
Release of information
Sensitive info
Minors and state consent laws
Documentation – are existing notices and forms sufficient? (NOPP, Authorization Form, Terms of Use of Patient Portal/PHR)
Managing sensitive information
Using and managing consumer driven data
Addressing amendment requests
Encouraging patient use in order to decrease printing of PHI
QUESTIONS?
Amy Leopard [email protected]
Patricia Corn [email protected]
Becky Tate [email protected]