Presenting a live 90-minute webinar with interactive Q&A

Ensuring HIPAA Compliance When Transmitting PHI via Patient Portals, Email and Texting
Protecting Patient Privacy, Complying With State and Federal Regulations, and Meeting Meaningful Use Stage 2 Standards

WEDNESDAY, FEBRUARY 15, 2017
1pm Eastern | 12pm Central | 11am Mountain | 10am Pacific

Today’s faculty features:
Ryan P. Blaney, Member, Cozen O’Connor, Washington, D.C.
Kim C. Stanger, Partner, Holland & Hart, Boise, Idaho
This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements made as part of the presentation are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or Cozen O’Connor or any of its attorneys other than the speaker. This presentation is not intended to create an attorney-client relationship between you and Holland & Hart LLP and Cozen O’Connor. If you have specific questions as to the application of law to your activities, you should seek the advice of your legal counsel.
Overview of Presentation
Introduction & State of the Industry
Patient Portal Design & Contracting
Patient Portals Pitfalls
Consumer-focused Health Care???
Facts & Stats
Patient Interaction & Partnership
• 84% of US consumers with smart phones/home computers want access to electronic medical records
• 41% willing to switch doctors over the issue
• 70% of consumers believe it’s important to be able to consult their providers via email. – See Kaveh Safavi, M.D., J.D., Accenture Consumer Survey on Patient Engagement, Sept. 2013.
What is a Patient Portal?
• A secure online website that gives you 24-hour access to your personal health information and medical records
Outcomes-Based Healthcare
• Affordable Care Act
• New Payment Models (e.g., MSSPs)
• Data-Driven Care Delivery
– Enabling interoperability and meaningful use of health IT.
What did HITECH do for Portals?
• In 2009, the HITECH Act – accelerates the changing healthcare landscape.
– To qualify for payments from the Medicare & Medicaid EHR Incentive Program, health care providers have accelerated the implementation of EHR.
Meaningful Use Measures
• Patient portals are a way to meet the meaningful use requirements (“measures”)
• Core measures – i.e., providing patients with an electronic copy of their health information; providing clinical summaries for each office visit
• Menu measures – i.e., providing patients with timely electronic access to their health information; patient-specific education resources
HIPAA
• “Treatment purposes”: 45 C.F.R. Section 164.506
• Business Associate Agreement (BAA)
• Third-Party Access to data
• Minimum Necessary Requirement
• Consent
Minimum Necessary Rule
• Covered Entities must make reasonable efforts not to use or disclose more than the minimum amount of health information necessary to accomplish the intended purpose of the disclosure
• With limited exceptions, the standard generally applies to all uses and disclosures of health information (45 CFR § 164.502(b))
What is PHI?
• Protected Health Information (PHI) is individually identifiable health information in all forms – paper, oral, or electronic.
• PHI excludes employment records held by an employer in its role as an employer (e.g., physician's note)
What is Health Information?
• Health information includes any information created by a health care provider, health plan, employer, school or university
– And that relates to past, present, or future physical or mental health or condition of the individual,
– The provision of health care to the individual, or
– The past, present, or future payment for health care to the individual
What makes Health Information “Individually Identifiable”?
• Names
• Medical Record Numbers
• Social Security Numbers
• Account Numbers
• License/Certification numbers
• Vehicle Identifiers/Serial numbers/License plate numbers
• Internet protocol addresses
• Health plan numbers
• Full face photographic images and any comparable images
• Web universal resource locators (URLs)
• Any dates related to any individual (date of birth)
• Telephone numbers
• Fax numbers
• Email addresses
• Biometric identifiers including finger and voice prints
• Any other unique identifying number, characteristic or code
What is a Business Associate (“BA”)?
• Definition:
– A person who (i) performs for or on behalf of a covered entity, or assists a covered entity, in performing an activity or function involving use or disclosure of health information (e.g., claims processing, utilization review, billing), or (ii) provides legal, actuarial, accounting, management, administrative, accreditation or financial services where the provision of such services involves the disclosure of health information from the entity or another business associate of the entity
• Includes anyone with health information from your health plans, providers and covered entities (could include attorneys, consultants, third party administrators, auditors, computer software service companies)
What are the Business Associate Rules?
Contracting
• Don’t just sign the standard contract placed in front of you!
• Pay attention to clauses/provisions:
– Who owns the data?
– Term and renewal
– Indemnification
– Limitations on Liability
– Reporting requirements and breaches
– Termination and data (discussed later)
Tips for Drafting & Negotiating BAAs
• Reporting requirements and timing (the parties can and should agree on shorter periods)
• Review the underlying services agreement and modify services agreement and BAA to be consistent
• Agency and subcontractor provisions
• Indemnification clauses
• Breach notification costs and responsibilities
• Termination and destruction of PHI
OCR Sample BAA Terms
BAA: Pro-Covered Entity Terms
• Covered entities may want to add these terms:
– Business associate must report or act within x days.
– Business associate must implement policies.
– Business associate must encrypt or implement other safeguards.
– Business associate must carry data breach insurance.
– Business associate notifies individuals of breaches and/or reimburses covered
entity for costs of the notice.
– Business associate defends and indemnifies for losses, claims, etc.
– Business associate is an independent contractor, not agent.
– Business associate assumes liability for subcontractors.
– Allow termination of underlying agreement.
– Must have consent to operate outside the United States.
– Covered entity has right to inspect and audit.
– Cooperate in HIPAA investigations or actions.
* Business associate may want these in subcontracts.
BAA: Pro-BA Terms
• Business associates and subs probably want to add these:
– Covered entity will not disclose PHI unless necessary.
– Covered entity will not request action that violates HIPAA.
– Covered entity has obtained necessary authorizations.
– Covered entity will not agree to restrictions on PHI that will adversely affect business associate.
– Covered entity will notify business associate of all such restrictions.
– Covered entity will reimburse for additional costs.
– Blanket reporting for security incidents.
– Specify business associate does not maintain designated record set.
– Reserve the right to terminate based on restrictions or other change that adversely affects business associate.
– Subcontractors are independent contractors, not agents.
– Mutual indemnification.
– Limitation or cap on damages.
Business Associates
• Covered entity is liable for acts of business associate if:
– Knew or should know that business associate is violating HIPAA and covered entity fails to act; or
– Business associate is the covered entity’s agent.
• Make sure business associate is an independent contractor, not an agent.
– Business associate agreement should confirm same.
– Make sure you do not control method and manner of business associate’s functions.
Business Associates
OCR targeting business associate issues, e.g.:
• Group paid $750K for no BAA after BA lost films.
• Hospital paid $1.55M for no BAA after BA lost laptop.
• Hospital system paid $400K for failing to update BAA to include Omnibus Rule terms.
Make sure you have current, updated BAAs in place with your business associates!
HIPAA Audits
“HIPAA Compliance is like middle school math – you must show your work”
– Leon Rodriguez, Director Office of Civil Rights
• HIPAA related recordkeeping is essential.
• Audit: Leverage OCR’s HIPAA Privacy, Security and Breach Audit Protocol available online.
• Assessments: analysis of vulnerabilities, data criticality, remediation strategies and process for determining and accepting risks in the organization.
Breaches
The Omnibus Rule made significant changes to the interim final breach notification rule by:
• Adding a presumption that any unauthorized use or disclosure of unsecured PHI is a breach
• Removing the prior “risk of harm” standard.
• Requiring Covered Entities to evaluate and demonstrate a “low probability” that PHI has been “compromised”; otherwise notification to patients is required
How? Sources of Data Breach
[Chart of breach sources; not reproduced in this transcript]
Source: Ponemon Institute LLC, 2014 Cost of Data Breach Study: Global Analysis (IBM sponsored), http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/
What cyber criminals have already taken…
• Intellectual Property – Loss varies on nature of industry
• State Secrets – Destabilizing American infrastructure
• Medical Records – Average Black Market Value = $60 > cc
• Credit Cards – PCI violations range from $10K - $100K
• Identity Theft – Companies pay approx. $180 per compromised customer
• Corporate Espionage – Loss of contracts = loss of revenue
Costs of Data Breaches
• $145/record, avg. of > 28k records (Ponemon Institute Survey)
• $159 when caused by malicious attacks (Ponemon Institute Survey)
• Average financial impact to surveyed companies with one or more incidents = $3.5 million
Patient Portal Risk Areas
• Security
• “User error”
– By patients
– By staff
Designing Portal
• Keep it simple and user friendly.
– Portal is no good if patients or staff can’t or won’t use it.
– May lead to non- or miscommunication and frustration.
• Ease of use > Complex functionality
Determine Functionality
• Communicate via e-mail
• Appointment reminders
• Schedule non-urgent appointments
• Request prescription refills
• Check benefits and coverage
• Update contact info
• Make payments
• Download and complete forms
• Access records
– Which records?
Limit Access to Some Records
• Portal Access < Patient’s Right of Access
• Under HIPAA, may limit access to PHI if:
– Not part of designated record set
– Psychotherapy notes
– Obtained under a promise of confidentiality
– Access may cause substantial harm to patient or other person.
(45 CFR 164.524(a))
• May limit access to additional records in portal.
• Create a process to flag or limit access to certain records.
Limit Access to Some Records
• Check other laws for additional limits.
– State laws
• HIV/STDs
• Mental health
• Substance abuse
• Genetic tests
– Federally funded drug and alcohol programs have additional limits (see 42 CFR part 2)
– Others?
Access by Others
• Parents or personal representatives
• Third parties
Access by Personal Reps
• Under HIPAA, personal representative has the right to access patient info.
– Personal Rep = Patient
• “Personal representative” = person with authority under state law to make decisions concerning the patient’s health care.
– Parent of unemancipated minor
– Legal guardian or surrogate of incompetent patient
– Others per state law (45 CFR 164.502(g))
Access by Personal Reps
• May (should) deny personal rep access if:
– Minor reaches age of majority.
– Patient may consent to their own care under state law, e.g., minor seeks care for:
• Sexually transmitted disease
• Drug or alcohol treatment
• Mental health
• Reproductive health
– Parent or guardian agrees to confidentiality.
– Provider determines that allowing personal rep to access may endanger patient or not in patient’s interest. (45 CFR 164.502(g))
Check state law
Access by Personal Reps
• Build in limits to portal access by personal reps, e.g.:
– Patient age 0-12: parents may access all records
– Patient age 12-17: hold back or restrict parental access to certain sensitive records, e.g.,
• Women’s health
• Psychiatry
• Substance abuse
• Others for which patient may consent on their own
– Age 18 and over: terminate parental right to access unless:
• Patient did not object and relevant to parent’s involvement.
• Patient authorization or consent.
• Check state law!
Access by Third Parties
• Warn patient against allowing third parties to use password.
• As practical matter, patient may allow anyone to access.
– Provider may disclose to family members and others involved in care if patient does not object. (45 CFR 164.510)
• Provider may not knowingly allow third parties to access unless HIPAA exception applies, e.g.,
– HIPAA-compliant authorization. (45 CFR 164.508)
– Patient directs that PHI be sent to third party. (45 CFR 164.524)
– Family members and others involved in care so long as patient has not objected. (45 CFR 164.510)
– Personal representative. (45 CFR 164.502)
– Other?
Access by Third Parties
• Options:
– Allow third party to use patient’s user name and password.
• Perhaps problems with Security Rule requiring unique user ID.
– Give third party their own user name and password if patient agrees.
• HIPAA authorization. (45 CFR 164.508)
• Patient request to disclose. (45 CFR 164.524)
– Set up separate account with different parameters, e.g., allow proxy to view but not change any fields.
Security of Portal
• Ensure portal complies with HIPAA Security Rule if transmitting PHI.
Security of Portal
• See security rule requirements, especially those related to access controls.
• Unique user ID
• Automatic logoff
• Integrity
• Authentication
• Transmission security
• Encryption and decryption
(45 CFR 164.312)
• Use software that is certified as compliant by the Office of the National Coordinator for Health Info Technology.
Security of Portal
• Encryption is an addressable standard:
(e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to [ePHI] that is being transmitted over an electronic communications network.
(2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
(45 CFR 164.312)
• ePHI that is properly encrypted is “secured”.
– Not subject to breach reporting per 45 CFR 164.400.
• OCR presumes that loss of unencrypted data, laptop, USB, mobile device is reportable breach.
Security of Portal
• Initial authentication
– In-person: check identity and set up portal access in person during appointment.
– Online or remote: check identity through asking questions (e.g., nature of last bill, last four digits of SSN, etc.)
• Log-in authentication
– User name + password.
– Multi-factor authentication, e.g., password and sending code to cell phone.
– Consider giving patient option.
Security of Portal
• Manage passwords
– Consider strength of password required.
– Establish response to consecutive failed login attempts.
– Establish rules for password resets.
– Prohibit sharing of passwords.
Security of Portal
• Test portal frequently.
– Penetration testing.
• Audit usage.
• Include portal in regular risk assessment.
– Risk of intercept during transmission.
– Risk of unauthorized access through portal.
Communicating by E-mail or Text
• Rules differ between communications with patients and communications with other providers or third parties.
E-mails and Texts
• HIPAA Privacy Rule allows resident to request communications by alternative means or at alternative locations.
– Including unencrypted e-mail. (45 CFR 164.522(b))
• Omnibus Rule commentary states that covered entity or business associate may communicate with resident via unsecured e-mail so long as they warn resident of risks and resident elects to communicate via unsecured e-mail or text. (78 FR 5634)
E-mails and Texts
Can you use texting to communicate health information, even if it is to another provider or professional?
Answer: It depends. Text messages are generally not secure because they lack encryption, and the sender does not know with certainty the message is received by the intended recipient. Also, the telecommunication vendor/wireless carrier may store the text messages. However, your organization may approve texting after performing a risk analysis or implementing a third-party messaging solution that incorporates measures to establish a secure communication platform that will allow texting on approved mobile devices.
(HealthIT.gov FAQ)
Integrate Portal Communications
• Ensure portal communications are incorporated into the medical record.
– Relays information to providers who review record.
– Documents communications with patients to protect providers.
– Supports reimbursement.
Educate Patients
• Functionality and limits of portal.
– Information that should/should not be shared through portal.
• Risks associated with portal.
Educate Patients
Appropriate Topics for E-mail
• Appointment reminders.
• Requests for prescription refills.
• Data used for chronic disease management such as vital signs.
• Short questions that may be answered briefly.
• Short, patient-initiated updates about non-urgent clinical treatment matters (e.g., “started the medication; no side effects”).
Inappropriate Topics for E-mail
• Urgent or time-sensitive information.
• Sensitive and highly confidential subjects (e.g., HIV, psychiatric symptoms, etc.).
• Complex concerns or matters requiring extended exchange.
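Bringing together the identifier list from the “Individually Identifiable” slide and the appropriate/inappropriate e-mail topics above, here is an added pre-send check (example code written for this transcript, not from the webinar or either firm): it scans a draft e-mail or text for identifier patterns and sensitive subjects and decides whether the message may leave over an unsecured channel or must go through the portal. The identifier formats (e.g. an MRN written as “MRN 1234567”), the sensitive-topic keyword list and the sample messages are assumptions constructed for the example.

```python
import re

# Regexes for identifier categories from the "Individually Identifiable" list.
# The exact formats are assumptions for this example (an MRN is assumed to be
# written "MRN" followed by 6-8 digits). Names and biometric identifiers cannot
# be caught by a pattern, so a human review step still applies.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[\s:#]*\d{6,8}\b", re.IGNORECASE),
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"]+", re.IGNORECASE),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}

# Subjects the slides list as inappropriate for e-mail; constructed keyword list.
SENSITIVE_TOPICS = ("hiv", "psychiatric", "substance abuse", "mental health")


def scan_message(body):
    """Return {category: [matches]} for every identifier or topic found."""
    findings = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(body)
        if hits:
            findings[category] = hits
    lowered = body.lower()
    # Whole-word match so that e.g. "archive" does not trip "hiv".
    topics = [t for t in SENSITIVE_TOPICS
              if re.search(r"\b" + re.escape(t) + r"\b", lowered)]
    if topics:
        findings["sensitive_topic"] = topics
    return findings


def route_message(body, patient_elected_unsecured):
    """Decide which channel a draft message may use.

    'block'     - sensitive subject: keep it out of e-mail/text entirely.
    'portal'    - identifiers present and no 164.522(b) election for
                  unsecured e-mail/text: send through the secure portal.
    'unsecured' - nothing flagged, or the patient elected unsecured e-mail/text
                  after being warned of the risks.
    """
    findings = scan_message(body)
    if "sensitive_topic" in findings:
        return "block", findings
    if findings and not patient_elected_unsecured:
        return "portal", findings
    return "unsecured", findings


# Constructed sample messages (not real patient data).
SAMPLE_REMINDER = ("Reminder: your appointment is on 2/15/2017 at 1 pm. "
                   "Reply STOP to opt out.")
SAMPLE_LAB_NOTE = "MRN 1234567 - your HIV panel is back; call (208) 555-0100."

if __name__ == "__main__":
    for text in (SAMPLE_REMINDER, SAMPLE_LAB_NOTE):
        decision, found = route_message(text, patient_elected_unsecured=False)
        print(decision, found)
```

The appointment reminder is routed to the portal only because it carries a date; once the patient has elected unsecured e-mail or text it goes out as-is, while the lab note is blocked regardless of consent.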
Educate Patients
• Disclaimers or warnings:
– Cannot create patient-physician relationship through e-mail.
– No internet-based diagnosis
– Do not use portal for urgent messages.
• In emergency, contact emergency room directly.
– May be delay in response to e-mail.
– Info provided through portal may be seen by others, e.g.,
• Those who access the patient’s device.
• Those to whom the patient shares access.
• Info submitted that becomes part of the medical record.
Educate Patients
• Disclaimers or warnings:
– Protect passwords and do not share with others.
– E-mails and texts outside portal may not be secure.
– Notify provider of improper access or use.
– Provider not responsible for third party content, e.g., educational material provided from others.
– No warranty concerning any product.
– User assumes risk related to viewing info on user’s computer via a third-party network.
– Prohibit reproduction or personal use of info protected by copyright, trademark, etc.
Portal Documentation
• Registration form
– Sufficient info to identify patient and link to record.
• Access agreement
– Terms and conditions of portal use.
– Instructions for portal use.
– Disclaimers and warnings.
– Reserve right to terminate for misuse.
– Acknowledgment, agreement and signature
• Proxy agreement
– Sufficient info to identify patient and proxy.
– Define scope and warn patient of proxy rights.
– Signed by patient.
Train Staff
• Flag or exclude records that should not be accessed via portal.
• Review portal communications in timely manner.
• Consider sending unsecure e-mail advising patient of message that is waiting for them.
• Do not rely on portals to communicate important info.
– Patients may not pick it up.
– Communicate separately by:
• Phone or letter.
• Unsecure e-mail or text, if patient has agreed and you comply with HIPAA requirements.
Train Staff
• Do not use e-mail to establish a patient-provider relationship.
• Beware state telemedicine rules.
– Portal may trigger state limits on telemedicine, e.g.,
• Require in-person evaluations to prescribe medication or engage in certain other actions.
• Require specified consents.
– May cross state lines and result in unauthorized practice in the other state.
• Ensure you comply with applicable standard of care.
• See AMA Guidelines for e-communication.
Train Staff
• Portal may increase patient’s exercise of HIPAA rights:
– Request to access records.
• See OCR Guidance re patient’s right to access information at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/.
• Must provide records in requested format if reasonable.
– Request amendment of records.
– Accounting of disclosures.
• HITECH allows patient to get a report of certain disclosures.
• Proposed rule would allow patient to get a report of access for treatment, payment and operations.
• Watch for final rule.
(45 CFR 164.522 to .528)
The TCPA in the Health Care Context
Telephone Consumer Protection Act of 1991 (TCPA)
• Enacted by Congress in 1991 to protect consumers by placing limitations on telemarketing “calls”
• Distinction between: residential vs. wireless calls
• Also applies to all text messaging
• FCC issues Declaratory Rulings (DR) that shed light on the TCPA
• July 10, 2015 DR responds to 21 requests seeking clarification under the TCPA
Residential Lines & Consent
• Residential Lines
– Restriction on use of artificial/prerecorded voice to deliver message
– Unless prior express written consent
• Exemption from consent:
– Emergencies
– Noncommercial purpose
– Commercial purpose but not telemarketing (no advertisement)
– Delivery of a health care message by/on behalf of a CE or BA
– Message by/on behalf of tax-exempt NFP
Wireless Numbers & Consent
• Contacting Wireless Numbers
– More restrictive than residential lines
– Wireless (e.g., cellphone; any service that charges a party for a call)
• Prohibitions:
– On use of an automatic telephone dialing system/artificial or prerecorded voice to initiate calls:
• Advertisements and Telemarketing: express, written consent required
• Express consent (oral or written) if not for advertising or telemarketing
July 10, 2015 DR
• TCPA applies to calls and all forms of text messages
• Text messaging – not more similar to emailing
• Phone-to-Phone texting similar to Internet-to-Phone text messaging
• TCPA and the CAN-SPAM Act both apply to unsolicited messages
• Limited exception for healthcare calls (calls that are subject to HIPAA)
TCPA’s Healthcare Call Exception
• Prior Express Consent is achieved by
– Giving a health care provider your number
– Only “health care” messages from a provider
– Health care as defined under HIPAA
– Use – “within the scope of the consent given”
– Closely related to purpose for which the number was provided
• Providers should consider:
– Does the call meet HIPAA’s definition of health care?
– Is the call within the scope of the consent?
TCPA’s Healthcare Call Exception
• Express Consent (Period of Incapacity)
– Exception applies if a person is incapacitated and a third party provides prior express consent for health care calls
• Non-Telemarketing Healthcare Calls Exemption
– No charge to consumer for text messages, exempted from prior express consent
– Calls must be exigent and have a health care treatment purpose (e.g., appointments)
– Applies to calls subject to HIPAA (Privacy Rule)
TCPA’s Healthcare Call Exception
• Several conditions for the non-telemarketing healthcare calls exemption include:
– Voice calls/text messages – only to a patient who provides wireless number
– Voice calls/text messages – include name/contact info. of provider
– Voice calls/text messages – limited in purpose
– No telemarketing, solicitation, advertising or financial purpose (billing, debt collection, accounting)
– Must comply with HIPAA
– Opting-out must be available and be honored
Need for Speed
Average smartphone has more computer power than all of NASA in 1969
Kim C. Stanger
(208) 383-3913
Ryan P. Blaney
(202) 463-2528