balancing patient privacy with patient engagement efforts · 2017-07-20 · patient access =...
TRANSCRIPT
1
Balancing Patient Privacy With Patient Engagement Efforts
Session #181 February 22, 2016
David Holtzman, JD, CIPP VP Compliance Strategies, CynergisTek
Mercy del Rey Chief Privacy Officer, Baptist Health South Florida
2
Speaker Introduction
•Subject matter expert in health
information privacy policy and compliance
issues involving the HIPAA Privacy,
Security and Breach Notification Rules
•Former senior advisor for health
information technology and the HIPAA
Security Rule, Office for Civil Rights
David Holtzman, JD,
CIPP/G
CynergisTek, Inc.
3
Speaker Introduction
• Chief Privacy Officer for complex health system with 16,000 employees and 220 medical staff members supporting 6 hospitals, region-wide outpatient facilities, the new Miami Cancer Institute, 6 Centers of Excellence, the Baptist Health Medical Group, the Baptist Health Quality Network and the Baptist Health employer sponsored group health plans.
• Over 25 years of diverse healthcare experience that includes regulatory compliance, human resources management and healthcare operations.
Mercy del Rey
Assistant Vice President/Chief Privacy Officer
Baptist Health South Florida
4
Conflict of Interest
David Holtzman, JD, CIPP
Has no real or apparent conflicts of interest to report.
5
Conflict of Interest
Mercy del Rey
Has no real or apparent conflicts of interest to report.
6
Agenda
1) HIPAA’s Right of Access to PHI
2) Who is Authorized Access to PHI
3) Patient’s Right to Amend
4) PHRs and EHRs
5) Questions
7
Learning Objectives
• Identify key drivers of federal policy empowering patient
control and access to their health records
• Evaluate current OCR guidance on patient access to
health information and sharing with third parties
• Describe best practices for giving patients choices in
accessing and sharing their health information
8
Benefits Were Realized for the Value of Health IT
• The Value Steps Impacted Were:
– Electronic Secure Data
– Patient Engagement and Population Management
• Enabled meeting Meaningful Use requirements which increased Medicare reimbursement
• Patients received online access to care summaries
• Patients directed copies of health records and care summaries to trusted 3rd parties
9
HIPAA’s Right of Access to PHI?
10
HIPAA’s Right of Access to PHI
• HIPAA: Patient is entitled to “designated record set”
– Medical record
– Billing record
– Other records used to make decisions about patient
• EHR Portal is limited portion of medical record
– Patient is entitled to more information than is available through EHR portal
11
HIPAA’s Right of Access
• HIPAA provides that individual is entitled to requested form or format, if readily producible
– If not readily producible, default is hard copy or electronic copy, depending on whether maintained electronically
• EHR portal is not everyone’s requested form or format
– Covered entity must continue to provide alternatives, such as hard copies or email attachment
12
HIPAA’s Right of Access
• HIPAA permits covered entity to deny access for numerous reasons
– Reasonably likely to endanger life or physical safety
– References another person and reasonably likely to cause substantial harm to such person
– Request by personal representative and access is reasonably likely to cause harm
– Obtained from non-health care provider under promise of confidentiality
13
Patient Access = Patient Engagement
• Incentivizing (penalizing) health care through Medicare payment policy
– Meaningful Use
– MIPS/Advancing Care Information
• Provide Patient Access
– Directly to the patient or their authorized 3rd party
• View online
• Download
• Transmit
– Through an API that can be used by applications chosen by the patient
14
Limiting Patient Access to Their PHI
• To what extent does EHR portal include information that may cause harm?
• Can clinician act proactively to flag information that could cause harm?
15
Accessing PHI at Baptist Health
• Traditional Access to PHI via HIM
– Patient requests and authorizations drive the release of
information workflow
– Well-established process at Baptist Health
• Direct Access to PHI via Patient Portal
– Patient and/or designee may access available PHI at their
discretion.
– Currently transitioning to new EHR portal
16
Accessing PHI at Baptist Health
• Complete records provided in the patient’s format of choice
– Hard Copy
– Mail
– Faxes
– CDs*
– Thumb Drives*
– Email*
• Our patient portal is evolving with the implementation of a new EHR to
include a more robust record set
Portal Current State: CCDA and basic PHI
Portal Future State: All pertinent records
17
Patient Access and Engagement
Total Request Volume - FY 2016 (requests per month)
Oct 9,705
Nov 9,401
Dec 10,903
Jan 9,940
Feb 11,281
Mar 12,395
Apr 12,361
May 12,694
Jun 13,174
Jul 14,299
Aug 15,713
Sept 13,321
18
Patient Access and Engagement
Total Requests for Records Fiscal Year 2016
Electronic: 78,919
Paper: 66,363
19
Who is Authorized Access to PHI?
20
Who May Access PHI on the Portal?
• Individual
• Authorized person
– Authorization must comply with HIPAA
– There may be state law requirements
• Designee
– Must be in writing (including electronic)
– Must designate who and to what address (physical or electronic)
21
Personal Representatives and Minors
• Personal representative has rights of individual, including right to access in form or format requested if readily producible
– Personal representative’s rights should cut off at age of majority
• Personal representative can authorize access by 3rd party
– Guidance to Privacy Rule that authorization survives age of majority, so 3rd party can continue to access EHR
22
Challenges and Strategies for Patient Portal Access
• Granting individual access requires sound security policies and workflows
• Granting designees access is NO EASY task and requires a great deal of forethought, planning and attention to detail!
– Segmenting data and restricting access is not always technically possible
• The development of patient portal strategies requires a multi-disciplinary approach that includes IT, Privacy, Security, Legal, Risk Management, Marketing, Operations Leaders, Physicians, Clinicians and Patient Representatives.
• A phased implementation strategy should be considered to enable individual access before implementing designee access.
23
Patient Right to Amend
24
HIPAA’s Right of Amendment
• Patient has right to request amendment of designated record set information
• Covered entity has limited basis for denial
– PHI was not created by covered entity
– Outside of designated record set
– Accurate and complete
• If denial, individual can add statement of disagreement to record
25
Amendments at Baptist Health
• Amendment requests are handled by the Privacy Office
• With the implementation of a patient portal, expect increases in both the volume and complexity of amendment requests
FY 2014: 148
FY 2015: 173
FY 2016: 153
26
PHRs and EHRs
27
PHRs and EHR Portals
• Personal health record (PHR) is patient controlled record
• EHR portal is window into EHR
• PHR and EHR portal can work together
– Patient gets to see EHR portal
– EHR portal feeds into PHR
– Patient gets to add information in PHR & chooses whether to share through EHR portal
28
PHRs and EHR Portals
• Is PHR considered PHI of covered entity?
– Is PHR operating on servers of the covered entity or their business associate?
• Does covered entity have right to access PHR?
– Patient permission required?
29
HIPAA’s Right of Amendment
• EHR portal provides potential means for submission of amendment requirements
• Amendment functionality of EHR may differ significantly
30
PHR Use and Access to Information
• PHRs not covered by HIPAA can be lightly regulated
– FTC PHR Breach Notification Rule
– FTC Act Section 5 prohibition on Unfair and Deceptive Trade Practices
– Jurisdiction limited to for-profit entities
– State law breach notification reporting
– Model PHR Privacy Notice
• PHR companies can use to communicate their privacy and security policies and data sharing practices to individuals.
– https://www.healthit.gov/policy-researchers-implementers/personal-health-record-phr-model-privacy-notice
31
State Law and EHR Portals
• Will portal include sensitive information subject to state law restrictions?
– HIV test results or other HIV or STD information
– Mental health information
– Genetic test results
– Alcohol or substance abuse treatment information
• Also subject to federal confidentiality requirements
• Will a more detailed authorization suffice?
– Is a separate authorization required for each disclosure?
32
• Dual portals currently on-line
• Individual access provided to all patients at time of discharge or registration
• Parental access offered to new moms and dads until child turns 11
• Sensitive information restricted
• Electronic data exchange with PCPs and downstream providers
33
NextGen Portal June 2014 - December 2016
Invitations Sent: 514,267
Patients Enrolled: 34,539
6.7% Patient Participation Rate
34
Cerner Portal August - December 2016
Invitations Sent: 115,328
Patients Enrolled: 13,187
11.4% Patient Participation Rate
35
Transmission of Summary of Care
36
STEPS: Patient Engagement & Population Management
• Exceeding Meaningful Use patient engagement measures results in > Medicare reimbursement
• 54% of patients received Summary of Care transmitted electronically through portal
37
STEPS: Secure Electronic Data
• 54% of patient requests for access to their PHI fulfilled electronically. Requests increased 28% in FY16
• Enrolled thousands of patients to use the EHR portal, which enhances data sharing with patients
38
Questions?
David Holtzman
@HITPrivacy
Mercy del Rey
Please complete the online evaluation for this session