The Patient Portal Ecosystem: Engaging Patients while Protecting Privacy and Security
NCHICA 11th Academic Medical Center Security & Privacy Conference,
June 22-24, 2015
Panel Leader: Amy Leopard, JD (Bradley Arant Boult Cummings)
Panelists: Patricia Corn (Wake Forest Baptist Health); Becky Tate (MEDHOST)
Agenda
– Overview of uses of Portals and PHRs
– Review state and federal laws and regulations
– Consider practical issues providers must manage:
  – Email sharing among patients
  – Allowing API for “view, download, transmit”
  – Patient managed access
  – Managing patient directed disclosures (third parties)
  – Patients managing information from multiple vendors
  – Authorization process
  – Patients managing proxy access for others
  – Amendment of PHI
Overview of Portals and PHRs
Consumer Driven Healthcare Movement
[Diagram: the Consumer at the center, linked to Hospitals, Physicians, Payer, HSA and Rx]
Patient empowerment and Consumerism
[Chart: 2009 HDM poll of 137 respondents on patient empowerment and consumerism; response categories: "Overblown trend", "Real, we're gearing up", "Issues we need to pay attention to"; scale 0 to 50]
Goals of a PHR – Patient Perspective
– Easily manage access
– Organize health information from disparate providers in a single location
– Tools that support wellness and self-management
– Manage data sharing with health care providers
– Desire ease of use
– Automation: manual entry of information is error-prone and time consuming
Goals of a PHR – Provider Perspective
– Tools to better manage health
– Analytics to monitor treatment
– Continuity of care and accessibility of data for paper-based system
– Tools promoting patient engagement
Uses for PHRs:
– Store health information
– Health risk assessment profile
– Targeted educational modules
– Clinical decision support for patient self-management of health risks
– Provider interaction for appointments and Rx refills
– Patient monitoring from medical device interface
PHR Data Set
– Name, demographics
– Lab, pharmacy, ancillary
– Family history
– Health risk assessment
– Immunizations
– Medical power of attorney
– Recent encounters
– Claims data and benefit coverage
– Hospitalizations, surgeries, procedures
– Medical and wellness device results
– Medication list
– Progress notes
Different PHR Models
– Provider Patient Portal: most common form of personal health record
– Health Plan Consumer Portal: United, Shared Health, AHIP and BCBSA
– Health Information Trust Custodian: eHealth Trust™ Model
– Employer consortium for data repository on member employees: Dossia
– Private label PHR for employers and health plans: WebMD license
Patient Risks
– Risks of View: public computer, logoff
– Risks of Download: authentication; notice that the patient has responsibility to protect the downloaded information
– Risks of transmitting health information
– Identity proofing and authentication of patients, personal representatives, other family, friends
Source: HIT Policy Committee Privacy and Security Workgroup
Regulatory Environment and PHRs
Which Federal Agency Should Enforce Privacy /Security Laws Against Vendors? . . .
HITECH and ARRA Drivers
– Meaningful Use: view online, download, transmit PHI
– HITECH e-Copy Rights: any provider or health plan, digital format; forward to designee at labor cost
– Significantly expand access and PHI transmission to:
  – HIE
  – PHR Vendors
  – Application Developers
  – Competitors
Covered Entity under HIPAA?
– Providers filing claims electronically: hospitals, physician groups, nursing homes, labs, pharmacies, doctors, nurses, dentists, psychotherapists
– Plans or payors: MMO, Cigna, United Health Care, Anthem, Aetna
– Employer > 50 with self funding
– Clearinghouses standardizing PHI for others, such as most billing services like WebMD Envoy®
– Business Associates: those who create or receive PHI in order to perform a function on behalf of a Covered Entity; now subject to certain HIPAA Privacy and Security provisions under HITECH
HIPAA Business Associates Definition
HITECH definition of BA includes:
– Vendors contracting with a CE to allow the CE to offer patients a PHR as part of its EHR
– Organizations transmitting PHI data to a CE or its BA and requiring access to the PHI on a routine basis (HIE organization, RHIO, e-prescribing gateway)
PHR Vendors are not regulated directly by HIPAA unless a BA as above, but could be regulated by HITECH . . .
Data Flow is a Critical Regulatory Issue
PHR = electronic record of individual health information drawn from multiple sources and managed, shared, and controlled by or for the individual
PHR Business Associate: vendors contracting with a CE to allow the CE to offer patients a portal or a PHR as part of its EHR
PHR Vendor: entity, other than a CE, that offers or maintains a PHR directly with the individual
Tethered?
Personal Health Data
Check Data Flow and Covered Entity Status!!
– Data from individuals to covered entities = PHI: permissible uses and disclosures or HIPAA authorization; marketing rules; sale of PHI
– PHI may also be regulated by FTC
Consumer Directly Supplies Health Information to Non-Covered Entities
HIPAA does not apply to PHRs offered by employers or by PHR vendors directly to consumers. The FTC regulates PHR vendors, as well as compliance with the privacy policies of the entity offering the PHR (see ONC Model PHR Notice).
Medicare and Medicaid EHR ‘Meaningful Use’
To be eligible for Medicare/Medicaid incentives, providers must demonstrate:
– Certified EHR provides for electronic exchange of health information to improve quality of care
– EHR Measures and Objectives for “Meaningful Use” enable patients to “view, download and transmit” their health information
ONC being urged to consider connection to PHR:
– NCVHS health plan testimony: QI, disease management, and care coordination support portability of data in PHRs to aid transition to meaningful use of EHRs.
Meaningful Use Stage 3 NPRM
– Allowing API for “view, download, transmit”
– HIT Policy Committee Privacy and Security Workgroup studying privacy and security issues related to increasing patient access to data through either VDT technologies or open APIs
– Increasing number of APIs connecting to EHRs
HITECH digital rights . . .
Right to Access PHI in Electronic Format – patients may:
– request a copy of their eHR in electronic format maintained by the CE
– instruct the CE to forward the EHR to any designated person at the entity’s labor cost only
Significantly expands patient access to electronic formats and increases PHI transmission to others: PHR vendors, health record data banks and HIE/RHIOs.
Who “owns” data? More importantly, who has the right to access and control data?
FTC Regulation and Exercise of Enforcement Authority Under FTC Act §5
Section 5 of the FTC Act: “Unfair and Deceptive” Acts or Practices
Deceptive:
– Not implementing stated privacy policies
– Misrepresenting the extent to which privacy and security of information collected is used, maintained, and protected
Unfair:
– Alleged failure to implement reasonable and appropriate security measures (or to ensure service providers did so)
– BUT HIPAA MAY NOT BE THE STANDARD!!!!
FTC PHR Breach Notice Rule -- for Non-HIPAA CEs and BAs
PHR Vendors (200)
– “entity, other than HIPAA-CE or BA of HIPAA-CE that offers or maintains a PHR”
PHR Related Entities (500): non-covered entities or BAs that:
– offer products or services via the website of a PHR vendor or of CEs offering PHRs
– access PHR information or send info to a PHR
3rd Party Service Providers to PHR Entities (200):
– provide services to the above PHR entities and, as a result,
– access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose unsecured PHR identifiable health information (IHI)
Other Legal Considerations – Contractual Obligations
Contracts – ownership generally governed by contract, but legal ownership may be secondary to concerns over uses and disclosures of copies of the data
Documentation:
– Consent
– Enrollment and verification
– Patient EULAs: terms and conditions; privacy and security; ownership of data; uses and disclosures; warnings re: urgent and emergent care
– Disclaimers and limits of liabilities
Other Legal Considerations – State Laws
State Law Issues
• “Personal Data”
• Sensitive information
• Consumer Protection Laws
• Consent issues
• Proxies
• Minors
• Malpractice
• Constitutional Right to Privacy
Other Legal Considerations: Secondary Uses
Threshold issue: provide transparency to consumers via disclosure of secondary uses and safeguards
– De-identified data
– Authorization from individual
– Limited Data Sets for research, public health or QI
– Population-based activities to improve health or reduce healthcare costs
Risks with De-identified Data
PHRs – Practical Considerations
Practical Considerations
– Educating patients about their role in protecting their health information
– Patient managed access: patient education (staff support); patient identity validation
– Shared emails
– Proxy access management: release of information; sensitive info; minors and state consent laws
Practical Considerations
– Documentation: are existing notices and forms sufficient? (NOPP, Authorization Form, Terms of Use of Patient Portal/PHR)
– Managing sensitive information
– Using and managing consumer driven data
Practical Considerations
– Addressing amendment requests
– Encouraging patient use in order to decrease printing of PHI
QUESTIONS?
Amy Leopard [email protected]
Patricia Corn [email protected]
Becky Tate [email protected]