Privacy, Security & Professionalism in Electronic Communications
Deven McGraw, Director, Health Privacy Project, September 25, 2013
Health Privacy Project at CDT
Our theory: Privacy = enabler to flows of data that have the potential to improve individual, public and population health
Aim is to build public trust in these data flows, through balanced & workable protections, as they are essential to patient engagement, health reform and building a “learning health care system.”
Privacy and Security Considerations for Digital Communications Among Health Care Professionals
HIPAA and NY State law likely apply
Privacy protections apply to communications on paper or in digital form
If you could send it on paper, you can send it digitally (NY law requires consent for even routine disclosures)
HIPAA Security Rule (which sets forth detailed security specifications) only applies to ePHI (electronic protected health information).
HIPAA also applies to “business associates” (contractors)
Privacy and Security Considerations for Digital Communications Among Professionals
Communications must be secure under federal and state law
Encryption is an “addressable implementation specification” under HIPAA
Not required, but the expectation is that transmissions will be encrypted (other security methods can be used, but the rationale must be documented)
Encryption using NIST standards provides federal breach safe harbor
Privacy and Security Considerations for Digital Communications Among Professionals
For mobile technologies, application of HIPAA Security Rule is frequently a challenge
HHS Office for Civil Rights released guidance in December 2012: http://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security
Privacy and Security Considerations for Digital Communications Among Professionals
Must use reasonable efforts to send to correct professional
Right digital address?
If sent to the right organization, the expectation is that the organization will properly route it to the correct recipient
Must send data on right patient
Sending data on wrong patient, or to wrong address, may trigger breach notification obligations and potential privacy law violation
Professional to Patient Digital Communications
Generally: Providers are required to comply with privacy and security laws when transmitting ePHI.
Three frequent questions that arise:
Is it possible to send a message to a patient that isn’t considered ePHI?
Does the transmission have to comply with the HIPAA Security Rule?
Am I responsible for what the patient subsequently does with the data in the communication?
Answer to last question: No. Whatever obligation the provider has ends with the hand-off.
Professional to Patient Digital Communications
No federal or state privacy laws cover health information shared by patients (for ex., on social networking sites, storing in apps, etc.)
The Federal Trade Commission can hold companies accountable for failing to comply with privacy commitments, or failing to adopt even baseline security protections
Better protections for patient-generated health information is an active area of policy discussion
ePHI
Protected health information does not have to include actual clinical information in order to still be considered PHI.
If the patient is or could be identified either in the communication or by someone who receives the communication – and the communication relates to health status or the provision of health care (or payment for care), it will be PHI.
ePHI
For example, if the patient is identifiable and the recipient knows that the communication came from a health care professional, it is PHI, even if the communication itself is fairly innocuous (such as an appointment reminder or a reminder to take an unspecified medication).
Security Rule and Transmissions to Patients
Ordinarily, HIPAA Security Rule applies to all transmissions of ePHI.
BUT recent omnibus rule suggests patient can choose to receive communications in a form/format that works for them, even if they are not secure. http://projecthealthdesign.typepad.com/project_health_design/2013/02/new-hipaa-rules-clarify-patients-right-to-access-their-health-data.html
Security Rule and Transmissions to Patients
Patient’s right to receive data - Omnibus rule (see quoted text on next slide)
Rule says patients can choose to receive information via unsecure e-mail if they choose to do so
Provider must provide light warning (this is unsecure – are you sure?)
Arguably also relevant to other communications
Obligations to send to right patient (right data, right address) still apply
Security Rule and Transmissions to Patients
Text from Omnibus Rule (78 Fed. Reg. 5634 (1/26/13))
“We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the “duty to warn” individuals of risks associated with unencrypted email would be unduly burdensome…. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.”
Security Rule and Transmissions to Patients
NY law is not detailed on this point, but HIPAA trumps state laws that are less protective of patient access rights.
Omnibus rule guidance was issued to address specific question of patients requesting to receive copies of their medical records by unencrypted e-mail – but rationale could apply to proactive communications as well.
For example, seeking permission from patients about contacting them via text message.
Professionalism
Professional and ethical obligations apply to all communications, regardless of format
If you wouldn’t or shouldn’t send it on paper, don’t send it digitally
Electronic communication is “Public, Permanent, and Powerful.” (Spector et al., eProfessionalism: Challenges in the Age of Information, J. of Peds., vol 156, No. 3 (2010))
E-communications should always be done professionally.
Professionalism
Single, most consistent piece of advice: Adopt policies governing use of digital communication tools
Specialty societies are developing such policies; one example is the 2013 Policy Statement from the American College of Physicians and the Federation of State Medical Boards: http://annals.org/article.aspx?articleid=1675927
Developed for physicians but can be adapted for other professionals.
Online Medical Professionalism (from ACP Guidance)
Communications with patients using e-mail, text, and instant messaging
Establish guidelines for types of issues appropriate for digital communication
Reserve digital communication only for patients who maintain face-to-face follow-up
Use of social media sites to gather information about patients
Consider intent of search and application of findings
Consider implications (trust) for ongoing care
Online Medical Professionalism (from ACP Guidance)
Use of online educational resources and related information with patients
Vet information to ensure accuracy of content
Refer patients only to reputable sites and sources
Physician-produced blogs, microblogs, and physician posting of comments by others
“Pause before posting”
Consider the content and the message it sends about a physician as an individual and the profession.
Online Medical Professionalism (from ACP Guidance)
Physician posting of physician personal information on public social media sites
Maintain separate personas, personal and professional, for online social behavior
Scrutinize material available for public consumption
Physician use of digital venues (e.g., text and web) for communicating with colleagues about patient care
Implement health IT solutions for secure messaging and information sharing
Follow institutional practice and policy for remote and mobile access of protected health information
Other Potential Resources for Using Social Media, Other Tools to Engage Patients
Engage! Transforming Healthcare Through Digital Patient Engagement, HIMSS, http://ebooks.himss.org/product/engage-transforming-healthcare-through-digital-patient-engagement44809
Federation of State Medical Boards, Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice, http://www.fsmb.org/pdf/pub-social-media-guidelines.pdf
8 Steps to Launch a Successful Social Media Strategy (A Guide for Health Care), http://www.hivestrategies.com/2011/02/rules-fo-a-hipaa-compliant-social-media-polic/
Mt. Sinai Medical Center Social Media Guideline, http://icahn.mssm.edu/about-us/services-and-resources/faculty-resources/handbooks-and-policies/faculty-handbook/institutional-policies/social-media-guidelines
Accepting Digital Data from Patients
Unique issues may arise in communicating back and forth with patients, particularly with respect to accepting digital data from patients
Provenance and data integrity
Professional liability risk for data stream? RWJ Project HealthDesign experience
Importance of managing expectations
Data does not necessarily have to flow into the EHR to be useful
FDA Regulation of Apps, EHRs
FDA takes the position that EHRs and other medical software applications are medical devices, subject to FDA regulatory authority
Issued & sought public comment on initial draft guidance for “mobile medical apps” (July 2011)
Seeking to regulate apps that more clearly perform the role of a medical device; does not include apps designed to be used for general health & wellness (like a fitness tracking app)
Distinction not always that clear
FDA Regulation of Apps Controversial
Guidance generated some controversy.
Congress (in FDASIA) called for a federal advisory committee to examine the issue and make recommendations
Health IT Policy Committee recently recommended a risk-based framework for regulating medical software (http://www.healthit.gov/FACAS/sites/faca/files/FDASIARecommendationsDraft030913_v2.pdf)
Final Guidance Issued 9/23
http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf
Focuses on how the app is intended to be used; platform agnostic
More clarity on where FDA will focus oversight. Medical apps that:
Are extensions of one or more medical devices (such as those that display device data);
Transform a mobile platform into a regulated device; or
Perform “patient-specific” analysis or provide “patient-specific” diagnosis or treatment recommendations
Will be subject to device regulation.
Final Guidance Issued 9/23
Guidance also lists types of apps for which FDA intends to exercise “enforcement discretion” (no enforcement at this time):
Apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in a daily environment.
Apps that provide patients with simple tools to organize and track their health information.
Mobile apps that provide easy access to information on a patient’s health conditions or treatments
Apps specifically marketed to help patients document, show or communicate to providers potential medical conditions.
Apps that perform simple calculations routinely used in clinical practice.
Apps that enable individuals to interact with PHR or EHR systems.
More examples provided in guidance.