Priv&security&profin electrcommunicationsrev9 23

Privacy, Security & Professionalism in Electronic Communications
Deven McGraw, Director, Health Privacy Project
September 25, 2013

Transcript of Priv&security&profin electrcommunicationsrev9 23

Page 1: Privacy, Security & Professionalism in Electronic Communications

Deven McGraw
Director, Health Privacy Project
September 25, 2013

Page 2: Health Privacy Project at CDT

Our theory: privacy is an enabler of the data flows that have the potential to improve individual, public and population health.

Aim is to build public trust in these data flows, through balanced & workable protections, as they are essential to patient engagement, health reform and building a “learning health care system.”

Page 3: Privacy and Security Considerations for Digital Communications Among Health Care Professionals

HIPAA and NY State law likely apply

Privacy protections apply to communications on paper or in digital form

If you could send it on paper, you can send it digitally (note that NY law requires patient consent even for routine disclosures).

The HIPAA Security Rule, which sets forth detailed security specifications, applies only to ePHI (electronic protected health information); the privacy protections apply to PHI in any form.

HIPAA also applies to “business associates” (contractors that handle PHI on a covered entity's behalf).

Page 4: Privacy and Security Considerations for Digital Communications Among Professionals

Communications must be secure under federal and state law

Encryption is an “addressable implementation specification” under the HIPAA Security Rule.

Not strictly required, but the expectation is that transmissions will be encrypted. A covered entity may adopt other security measures instead, but it must document why encryption was not reasonable and appropriate and what equivalent measure it put in place.

Encryption consistent with HHS guidance, which points to NIST standards (SP 800-111 for data at rest; FIPS 140-2 validated transport protocols such as those in SP 800-52 and SP 800-77 for data in motion), provides the federal breach-notification safe harbor: encrypted ePHI that is lost or intercepted is not “unsecured” PHI, provided the decryption key was not also compromised.

Page 5: Privacy and Security Considerations for Digital Communications Among Professionals

For mobile technologies, applying the HIPAA Security Rule is frequently a challenge.

HHS Office for Civil Rights released guidance in December 2012: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

Page 6: Privacy and Security Considerations for Digital Communications Among Professionals

Must use reasonable efforts to send to the correct professional.

Right digital address?

If you send to the right organization, the expectation is that the organization will properly route the message to the correct recipient.

Must send data on the right patient.

Sending data on the wrong patient, or to the wrong address, may trigger breach notification obligations and be a privacy law violation.

Page 7: Professional to Patient Digital Communications

Generally: Providers are required to comply with privacy and security laws when transmitting ePHI.

Three frequent questions that arise:

Is it possible to send a message to a patient that isn’t considered ePHI?

Does the transmission have to comply with the HIPAA Security Rule?

Am I responsible for what the patient subsequently does with the data in the communication?

Answer to last question: No. Whatever obligation the provider has ends with the hand-off.

Page 8: Professional to Patient Digital Communications

No federal or state privacy law covers health information once the patient shares it (for example, on social networking sites or by storing it in apps).

The Federal Trade Commission can hold companies accountable for failing to honor their privacy commitments, or for failing to adopt even baseline security protections.

Better protection for patient-generated health information is an active area of policy discussion.

Page 9: ePHI

Information does not have to include actual clinical content to be protected health information.

If the patient is or could be identified, either from the communication itself or by someone who receives it, and the communication relates to health status, the provision of health care, or payment for care, it is PHI.

Page 10: ePHI

For example, if the patient is identifiable and the recipient knows that the communication came from a health care professional, it is PHI, even if the communication itself is fairly innocuous (such as an appointment reminder or a reminder to take an unspecified medication).

Page 11: Security Rule and Transmissions to Patients

Ordinarily, the HIPAA Security Rule applies to all transmissions of ePHI.

BUT the January 2013 Omnibus Rule makes clear that a patient can choose to receive communications in a form and format that works for them, even if that channel is not secure. http://projecthealthdesign.typepad.com/project_health_design/2013/02/new-hipaa-rules-clarify-patients-right-to-access-their-health-data.html

Page 12: Security Rule and Transmissions to Patients

Patient's right to receive data - Omnibus Rule (see quoted text on next slide)

The rule says patients can choose to receive information via unsecured e-mail if they so choose.

The provider must give a light warning (“this channel is not secure; are you sure?”). It is prudent to keep a record that the warning was given and of the patient's choice, since the rule's protection depends on the individual having been advised.

Arguably also relevant to other communications.

Obligations to send to the right patient (right data, right address) still apply.

Page 13: Security Rule and Transmissions to Patients

Text from Omnibus Rule (78 Fed. Reg. 5634 (1/26/13))

“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome…. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”

Page 14: Security Rule and Transmissions to Patients

NY law is not detailed on this point, but HIPAA preempts state laws that are less protective of patient access rights.

The Omnibus Rule commentary addressed the specific question of patients requesting copies of their medical records by unencrypted e-mail, but its rationale could apply to proactive communications as well, for example when seeking patients' permission to contact them via text message.
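As an added worked example (not from the deck, and not CDT's or any vendor's code), the Go program below puts the obligations from Pages 4, 6 and 11 through 14 into one pre-send gate: professional-to-professional traffic is always encrypted; the recipient address is checked against the provider directory (right address) or against the address on file for that patient (right patient, right address); and a patient receives unencrypted delivery only when the individual has been warned and still asked for it. The provider directory, patient roster, addresses and medical record numbers are constructed sample data, and the function names (Route, Encrypt, Decrypt) are this example's own. AES-256-GCM is used because it is a NIST-approved mode (SP 800-38D); the recipient address and patient identifier are bound into the ciphertext as associated data, so a sealed message redirected to a different party or attached to a different patient fails authentication rather than decrypting. Key management, transport (TLS, Direct) and the audit record of the patient's acknowledgement are outside the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

type RecipientKind int

const (
	Professional RecipientKind = iota // another covered entity or business associate
	Patient                           // the individual the record is about
)

type Recipient struct {
	Kind    RecipientKind
	Address string
	// Patient only: advised that e-mail may be read by a third party, still wants it unencrypted.
	AcknowledgedRisk bool
}

type Message struct {
	PatientID string // e.g. a medical record number
	Body      []byte
}

// Constructed sample data; a real deployment would consult its provider directory and patient roster.
var providerDirectory = map[string]bool{"dr.lee@direct.example-hospital.org": true}
var patientAddressOnFile = map[string]string{"MRN-1001": "jane.doe@example.com", "MRN-1002": "john.roe@example.net"}

var ErrWrongAddress = errors.New("recipient address does not match the record on file")
var ErrBadKey = errors.New("key must be 32 bytes (AES-256)")

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, ErrBadKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its intended recipient and patient, so a sealed blob cannot be redirected.
func aad(recipient, patientID string) []byte { return []byte(recipient + "\x00" + patientID) }

// Encrypt seals body with AES-256-GCM (NIST SP 800-38D); output is nonce || ciphertext.
func Encrypt(key, body []byte, recipient, patientID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, aad(recipient, patientID)), nil
}

// Decrypt reverses Encrypt; it fails if the recipient/patient binding differs.
func Decrypt(key, payload []byte, recipient, patientID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(payload) < gcm.NonceSize() {
		return nil, errors.New("payload too short")
	}
	nonce, ct := payload[:gcm.NonceSize()], payload[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad(recipient, patientID))
}

// Route is the pre-send gate: right address for the right patient; encryption for professional
// traffic; encryption for patients unless warned and still preferring plaintext. Unknown kinds fail closed.
func Route(m Message, r Recipient, key []byte) (payload []byte, encrypted bool, err error) {
	switch r.Kind {
	case Professional:
		if !providerDirectory[r.Address] {
			return nil, false, ErrWrongAddress
		}
	case Patient:
		if addr, ok := patientAddressOnFile[m.PatientID]; !ok || addr != r.Address {
			return nil, false, ErrWrongAddress // wrong patient or wrong address
		}
		if r.AcknowledgedRisk {
			return m.Body, false, nil // send unencrypted, as the individual requested
		}
	default:
		return nil, false, errors.New("unknown recipient kind")
	}
	payload, err = Encrypt(key, m.Body, r.Address, m.PatientID)
	return payload, true, err
}

func main() {
	key := make([]byte, 32) // demo key only; use a managed key in production
	_, enc, err := Route(Message{"MRN-1001", []byte("appointment reminder")}, Recipient{Kind: Patient, Address: "jane.doe@example.com"}, key)
	fmt.Println("encrypted:", enc, "err:", err)
}
```

The design choice worth noting is that the gate refuses rather than encrypts when the address does not match the record: encryption protects against interception, but sending the right data to the wrong party is still a disclosure, and the deck's breach-notification point applies regardless of transport.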

Page 15: Professionalism

Professional and ethical obligations apply to all communications, regardless of format.

If you wouldn't or shouldn't send it on paper, don't send it digitally.

Electronic communication is “Public, Permanent, and Powerful.” (Spector et al., eProfessionalism: Challenges in the Age of Information, J. Pediatr., vol. 156, no. 3 (2010))

E-communications should always be conducted professionally.

Page 16: Professionalism

The single most consistent piece of advice: adopt policies governing the use of digital communication tools.

Specialty societies are developing such policies; one example is the 2013 Policy Statement from the American College of Physicians and the Federation of State Medical Boards: http://annals.org/article.aspx?articleid=1675927

Developed for physicians, but can be adapted for other professionals.

Page 17: Online Medical Professionalism (from ACP Guidance)

Communications with patients using e-mail, text, and instant messaging

Establish guidelines for types of issues appropriate for digital communication

Reserve digital communication only for patients who maintain face-to-face follow-up

Use of social media sites to gather information about patients

Consider intent of search and application of findings

Consider implications (trust) for ongoing care

Page 18: Online Medical Professionalism (from ACP Guidance)

Use of online educational resources and related information with patients

Vet information to ensure accuracy of content

Refer patients only to reputable sites and sources

Physician-produced blogs, microblogs, and physician posting of comments by others

“Pause before posting”

Consider the content and the message it sends about a physician as an individual and the profession.

Page 19: Online Medical Professionalism (from ACP Guidance)

Physician posting of physician personal information on public social media sites

Maintain separate personas, personal and professional, for online social behavior

Scrutinize material available for public consumption

Physician use of digital venues (e.g., text and web) for communicating with colleagues about patient care

Implement health IT solutions for secure messaging and information sharing

Follow institutional practice and policy for remote and mobile access of protected health information

Page 20: Other Potential Resources for Using Social Media, Other Tools to Engage Patients

Engage! Transforming Healthcare Through Digital Patient Engagement, HIMSS, http://ebooks.himss.org/product/engage-transforming-healthcare-through-digital-patient-engagement44809

Federation of State Medical Boards, Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice, http://www.fsmb.org/pdf/pub-social-media-guidelines.pdf

8 Steps to Launch a Successful Social Media Strategy (A Guide for Health Care), http://www.hivestrategies.com/2011/02/rules-fo-a-hipaa-compliant-social-media-polic/

Mt. Sinai Medical Center Social Media Guideline, http://icahn.mssm.edu/about-us/services-and-resources/faculty-resources/handbooks-and-policies/faculty-handbook/institutional-policies/social-media-guidelines

Page 21: Accepting Digital Data from Patients

Unique issues may arise in communicating back and forth with patients, particularly with respect to accepting digital data from patients:

Provenance and data integrity

Professional liability risk for a continuous data stream? (See the RWJ Project HealthDesign experience.)

Importance of managing expectations: data does not necessarily have to flow into the EHR to be useful.

Page 22: FDA Regulation of Apps, EHRs

FDA takes the position that EHRs and other medical software applications are medical devices, subject to FDA regulatory authority.

Issued and sought public comment on initial draft guidance for “mobile medical apps” (July 2011).

Seeks to regulate apps that more clearly perform the role of a medical device; does not include apps designed for general health and wellness (like a fitness-tracking app).

The distinction is not always that clear.

Page 23: FDA Regulation of Apps Controversial

The guidance generated some controversy.

Congress (in FDASIA) called for a federal advisory committee to examine the issue and make recommendations.

The Health IT Policy Committee recently recommended a risk-based framework for regulating medical software (http://www.healthit.gov/FACAS/sites/faca/files/FDASIARecommendationsDraft030913_v2.pdf)

Page 24: Final Guidance Issued 9/23/2013

http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf

Focuses on how an app is intended to be used; platform agnostic.

More clarity on where FDA will focus oversight. Medical apps that:

are extensions of one or more medical devices (such as those that display device data);

transform a mobile platform into a regulated device; or

perform “patient-specific” analysis or provide “patient-specific” diagnosis or treatment recommendations

will be subject to device regulation.

Page 25: Final Guidance Issued 9/23/2013

Guidance also lists types of apps for which FDA intends to exercise “enforcement discretion” (no enforcement at this time):

Apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in a daily environment.

Apps that provide patients with simple tools to organize and track their health information.

Mobile apps that provide easy access to information on a patient's health conditions or treatments.

Apps specifically marketed to help patients document, show or communicate to providers potential medical conditions.

Apps that perform simple calculations routinely used in clinical practice.

Apps that enable individuals to interact with PHR or EHR systems.

More examples provided in guidance.

Page 26: Questions?

Deven McGraw

202-637-9800 x115

www.cdt.org/healthprivacy