M2SYS Healthcare Solutions

Free Online Learning Podcasts

Mac McMillan, Chair, HIMSS Privacy & Security Policy Task Force

Topic: Healthcare IT Data Security – HIPAA compliance, HIMSS Privacy & Security Task Force Objectives, What is “Privacy”, Technology Options to Protect Patient Data, Adoption Trends for Personal Health Information (PHI) Applications
Podcast length – 35:02

Topics Covered in Podcast:
HIMSS Privacy and Security Task Force Mission and Objectives Defined HIPAA Rule Changes and How it Effects Provider – Business Associate Relationship The Difference Between “Access” and “Possession” of PHI Information & How it Impacts HIPAA Compliance What Does “Privacy” Mean? How Does “Fear” Factor into Policies Surrounding Privacy?

Topics Covered in Podcast (continued):
Viable Technologies to Protect Patient Data Do Biometrics for Patient ID Violate a Patient’s Privacy?

PHI Application Patient Adoption Trends

HIMSS Privacy and Security Task Force Mission and Objectives
• • • Made up of all volunteer staff Primary purpose: Review policy issues affecting privacy and security in healthcare that arise from new legislation, regulation, or rules Task Force also supports the official HIMSS review process for their responses to new legislation and new rules Helps to ensure consistency for HIMSS responses that stay in line with goals Mac’s experience in knowing how government works in terms of regulations, rules, directives, and standards has helped him understand role and direction as Chair of the HIMSS Privacy and Security Task Force


HIPAA Rule Changes and How it Effects Provider – Business Associate Relationship
• September 23rd: HIPAA compliance deadline for providers & business associates on how Personal Health Information (PHI) is maintained and protected & changes to data breach notifications and enforcement Changes: • Breach notification – changes to the reporting rules • Business Associate status – how does the rule apply to business associates and sub-contractors? • Privacy Provisions – helps protect patient privacy through more effective data management • Enforcement – new guidelines on what penalties are and how they should be enforced Relationship between business associate and covered entities has not fundamentally changed – what changed is the responsibilities of both parties

HIPAA Rule Changes and How it Effects Provider – Business Associate Relationship (continued)
• Business associates are now held more accountable for privacy and PHI data protection on work they are doing on behalf of the covered entity • Covered entities – greater emphasis on vendor management in terms of due diligence before vendor contracting, making sure you convey privacy and security expectations, making sure you monitor vendor relationships closely, ensuring you have measures in place for breach notifications & how to deal with data after contract terminations • New changes promote more accountability and transparency in the industry
Did you know? Nearly one-third of the 980 problems that HHS' Office of Civil Rights uncovered during privacy and data-security audits of 115 healthcare providers and insurers happened because the organizations were not aware of all of the requirements facing them, according to root-cause analyses performed by HHS contractor KPMG.
Source: Modern Healthcare, April 2013

The Difference Between “Access” and “Possession” of PHI Information & How it Impacts HIPAA Compliance
• If you create PHI, either originally or derivatively, if you transmit or receive it, you are considered a business associate. If you have possession of the data – whether it be in your system or your environment, or you have perpetual access to the information. • Can’t claim “conduit exemption” unless you are only maintaining the data in your environment for as long as it takes the system to perform the transference process - otherwise if you take possession of the data for any other reason, (hosting, backing up, storing, etc.) you are a business associate. • Even if the covered entity sends encrypted information, if you possess it, you are still considered a business associate – business associates are responsible for the entire security rule. • New rule defines “possession” to information as stipulant for compliance – “possession” assumes “access”

What Does “Privacy” Mean?
• • • Privacy is a tough thing to define in today’s world because of shifting social norms and generational changes What one generation thinks of privacy may not be shared by others Privacy as it relates to law and the HIPPA rule is very black and white – patient information belongs to an individual and the right to access it should only come from the individual's care team or to someone who is involved with the care of the individual – the individual gives authorization for the information to be used or disseminated for something other than medical care (e.g. – marketing purposes) The trust between caregiver and patient is often defined by how well the provider maintains and protects patient PHI Patient confidence can erode quickly when PHI information is not handled properly The healthcare industry’s definition of privacy is constantly evolving & it’s different to write a rule with the shifting privacy landscape Key is recognizing differences and perceptions and make decisions on how law defines privacy

• • •

How Does “Fear” Factor into Policies Surrounding Privacy?

Important to not make decisions or establish policy guidelines based on fear – it’s better to enact policy on what is known Patients may fear the known more than the unknown – (e.g. – data breaches, medical identity theft, fraud) Consumers understand that their information is at risk • Consumers have a much higher level of confidence in their healthcare provider’s ability to protect PHI than organizations or the government Organizations should base their policies on what they know (what is the threat), what the risks are, and what their controls environment will enable and make smart decisions on how they craft policies to alleviate or mitigate the risk of negative occurrences Fear is a good motivator for making organizational change

Viable Technologies to Protect Patient Data
• Access Control & Patient Identification – Biometrics

**The problem that a lot of modern technological solutions for healthcare have is many do not necessarily have apt security functionality due to a lack of industry standards or protocols
Did you know?
More healthcare facilities are researching the use of biometric identification for employee access control and accurate patient identification. Biometrics has great potential to increase patient safety, reduce the cost of care, and eliminate fraud and identity theft.

Biometrics for Access Control

Biometrics for Patient ID

Do Biometrics for Patient ID Violate a Patient’s Privacy?
• • • They enhance patient privacy – biometrics for patient ID were developed with a positive purpose in mind If they are deployed, utilized, and explained properly to patients: • Biometrics elevates a patient’s level of confidence in how the technology is used and how it protects their safety and privacy Because biometrics uniquely identify a patient, the more likely the healthcare industry is to eliminate impermissible disclosures The more accurate the healthcare industry is on identifying who is accessing medical records and information, the better chance they have of limiting impermissible disclosures

PHI Application Patient Adoption Trends


Patients have more confidence in a portal that is provided by their caregiver rather than a third party vendor Patients will start to adopt more responsibility for their medical information – they are seeking more visibility and portable platforms Patient engagement as part of Meaningful Use Stage 2 will help drive up adoption of PHI applications Almost every hospital now has their own version of a patient portal – increased accessibility will also drive up adoption rates
Did you know? Approximately 50% of U.S. hospitals and 40 percent of U.S. physicians in ambulatory practice possess some type of patient portal technology, mostly acquired as a module of their practice management (PM) or electronic health record (EHR) system.
Source: Frost & Sullivan report, September 2013

Thank you to Mac for his time and knowledge for this podcast! Please follow Mac on Twitter (@mmcmillan07) and visit his Web page: www.cynergistek.com

Contact Information
John Trader PR and Marketing Manager M2SYS Healthcare Solutions 1050 Crown Pointe Pkwy. Suite 850 Atlanta, GA 30338 jtrader@m2sys.com 770-821-1734 www.m2sys.com Podcast home page: http://www.m2sys.com/healthcare/healthcare-biometricspodcasts/ : twitter.com/rightpatient : facebook.com/rightpatient : linkedin.com/company/m2sys-technology

Sign up to vote on this title
UsefulNot useful