EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers
EHR Interoperability Plan Raises Concerns

Several healthcare associations have raised concerns about some of the privacy and security components of the Office of the National Coordinator for Health IT's proposed 10-year electronic health record interoperability roadmap.


For example, they expressed concern about proposals related to obtaining patient consent for sharing health information, cybersecurity activities and governance "rules of the road" for national data exchange.


ONC, the unit of the Department of Health and Human Services responsible for standards and policies of the HITECH Act EHR incentive program, in January released a draft roadmap for achieving nationwide secure health data exchange built on interoperable EHR systems.

While the ONC draft is a 10-year vision, it contains critical actions that can be taken by regulators and healthcare stakeholders in increments over the next three, six and 10 years, to help remove technical, policy and regulatory barriers that are hindering information exchange. The idea behind the plan is to make it possible for clinicians to securely access and share timely, potentially life-saving data about a patient, no matter where that patient is treated.


Over the next several months, ONC will review the comments it received and consider how they might be reflected in the final version of its interoperability roadmap expected to be released later this year.

Patient Consent

ONC in its roadmap introduced the concepts of "basic choice" patient consent related mostly to information that's allowed to be disclosed by covered entities under HIPAA for treatment, payment and operations, versus "granular choice" consent that patients would provide to allow sharing of specific data, such as sensitive information related to substance abuse or mental health treatment.


Under the HIPAA Privacy Rule, an individual's written authorization is not required for the sharing of health information for treatment, payment or operations. But many covered entities choose to obtain an individual's consent anyway, ONC notes. That is what ONC describes as "basic choice" consent.


ONC says "granular choice" consent refers "not only to granular choice among clinical conditions that are protected by laws in addition to HIPAA, but eventually, granular choice, should a patient wish to express it, regarding other data distinctions to be determined ... such as research ... in which an individual has chosen to participate."

Some organizations in their comments say they are opposed to federal regulators introducing the concept of granular choice consent. That's because they say it could potentially fuel more confusion among healthcare entities about the patient data that can or cannot be exchanged under HIPAA versus other government regulations, including state privacy laws.


For instance, the Healthcare Information and Management Systems Society says it "does not see the benefit of, nor is in favor of, the introduction of the concepts of 'basic' and 'granular' choice, particularly in view of these concepts being contradictory and inconsistent with applicable law, for example, HIPAA and state law."


HIMSS says it "supports the idea that interoperability efforts should focus on facilitating exchange of data when the law expressly authorizes use or disclosure of protected health information. ... HIPAA should not be essentially rewritten, through a reinterpretation, with respect to erroneously stating that individuals have the right to individual access and individual choice under the Nationwide Privacy and Security Framework, based on the Federal Trade Commission's Fair Information Practice Principles."


Similarly, as it relates to information sharing and consent, the American Hospital Association says that it opposes potential changes to current government privacy and security policies in the effort to drive healthcare providers to share electronic health information. "With regard to privacy and security issues, the AHA strongly believes that improving the infrastructure to support secure data sharing in support of clinical care can be accomplished within the existing HIPAA requirements."

Cybersecurity Activities

When it comes to issues related to cybersecurity, the AHA urges ONC to leverage existing guidance, including the National Institute of Standards and Technology's Cybersecurity Framework, rather than start from scratch.

"The roadmap includes proposed activities for ONC or HHS, but activities in this area must align with the ongoing collaboration of the Departments of Homeland Security and HHS with public-private collaborations, including the Healthcare and Public Health Sector Coordinating Council, to work through health sector-specific issues," AHA says.


"Further, any detailed standards should be aligned with the NIST Cybersecurity Framework, which is the overarching federal approach to cybersecurity, and the existing HIPAA security rules."

Rules of the Road

ONC's draft interoperability roadmap also included "a call to action" for healthcare IT stakeholders to come together to establish a coordinated governance process for nationwide interoperability. Those proposals also included the possibility that ONC would consider regulatory options to ensure compliance to so-called governance "rules of the road."


But some organizations, including the College of Healthcare Information Management Executives and the Association of Medical Directors of Information Systems, oppose too much government intervention in governance issues.


"We caution against being overly ambitious with the development of a nationwide governance mechanism and encourage focused prioritization through ingrained collaboration among private and public sector stakeholders," CHIME and AMDIS say in their joint comments to ONC. "In our view, interoperability in the service of high quality, safe patient care should remain the principal focus of the near-term."

Other Recommendations

As part of its comments on the interoperability roadmap, HIMSS also made several privacy and security recommendations. Those include suggestions that ONC, federal partners and industry stakeholder groups collaborate on developing:


  • A central portal that aggregates cyberthreat indicators and vulnerability information, across critical infrastructure sectors;
  • Guidance for what a thorough, holistic risk management program looks like - including plans, policies, procedures, application security testing, penetration testing, networking monitoring and detection, incident response, continuity, disaster recovery and resilience; and
  • Guidance on issues related to encryption, including practical guidelines on encryption requirements for protected health information stored or accessed via devices and software.


"Encryption is not a silver bullet, but it can be a useful safeguard when the right technology and know-how are used appropriately to keep information both private and secure," HIMSS notes.


EHR audit catches snooping employee

Electronic health records not only enable faster access to real-time patient data; they also make it a heck of a lot easier to catch snooping employees who inappropriately view patients' confidential information, as one California hospital observed this past week.
 
Officials at the 785-bed California Pacific Medical Center in San Francisco – part of Sutter Health system – notified a total of 844 patients Jan. 23 after discovering a pharmacist employee had been inappropriately snooping on patients' medical data for an entire year.

The incident was discovered after the hospital conducted an EHR audit back in October 2014. At that point, only 14 individuals were thought to have had their PHI compromised.

Following an "expanded investigation," hospital officials discovered the HIPAA breach was significantly larger than they had originally found, with 844 additional patients identified as having had their information inappropriately accessed. The staff member, whose employment has since been terminated, snooped on patient records from October 2013 to October 2014, including patient demographics, clinical diagnoses, prescription data and clinical notes.
 
In a Jan. 23 press notification, hospital officials wrote that the hospital has "reiterated to all staff that policy allows them to access patient information only when necessary to perform job duties and that violating this policy may result in loss of employment."
 
The biggest way to avoid the employee snooping problem? Audit your users and the data, said Suzanne Widup, senior analyst on the Verizon RISK team, who spoke to Healthcare IT News in spring 2014 on Verizon's annual breach report. "You need to know who has the data, who has access to the data, and you need to monitor it," Widup pointed out. "When you see organizations implement some sort of auditing scheme, suddenly they start finding a lot of stuff they couldn't see before."
 
This snooping incident at California Pacific Medical Center is far from an isolated event. As more hospitals conduct more regular EHR audits, cases like this are only increasing in number. 
 
One of the more egregious incidents was reported by the five-hospital Riverside Health System back in December 2013. Following a random company audit, officials discovered an employee had unrestricted access to Social Security numbers and clinical data of close to 1,000 patients for a period of four years.
 
Then, of course, there was the HIPAA breach at University Hospitals just in December, where an employee had been reading confidential medical records of nearly 700 patients. What's more, the employee had unfettered access to the records for nearly three and a half years before being discovered and was only caught because the health system had received a snooping complaint.
 
This kind of employee behavior has long been on the minds of chief information officers nationwide. 
 
In an interview with Texas Health Resources Chief Information Officer Ed Marx this past summer, he told us: "The biggest risk, as much as we talk about the hackers and people trying to get in and steal healthcare data, I think the biggest risk is still the individual employee who maybe forgot what the policy was and does something they shouldn't do."
 
Out of the nearly 42 million individuals that have had their protected health information compromised in reportable HIPAA privacy and security breaches, nearly 13 percent of them involve inappropriate access or disclosure of patient records, according to data from the Department of Health and Human Services. 


Records Exchange Raises Privacy Worries


A new survey shows that many consumers are concerned about whether their healthcare information will remain private once electronic records are routinely exchanged among providers. But experts say a good way to address those concerns is for organizations to be transparent with patients about who's accessing their data and why.

Devore Culver, executive director and CEO of HealthInfoNet, Maine's statewide health information exchange organization, says that HIEs and healthcare providers should take key steps to earn patients' trust that their records will remain private.


"Acknowledge their concerns," Culver says. "Be clear and transparent about how data will be used and by whom. Confirm that the organization adheres to current data security practices and standards. ... Provide the option for consumers to access audit reports of who is looking at their data."

Survey Results

The new survey, published this month in the Journal of the American Medical Informatics Association, found that more than half of California consumers believe that EHRs worsen information privacy and nearly 43 percent believe they worsen security.

When it comes to the impact of health information exchange, 40 percent of consumers surveyed say it worsens privacy and 43 percent say it worsens security.

The report was based on a phone survey of 800 consumers in California conducted by researchers at the University of California's Sacramento and San Diego campuses.

"While consumers show willingness to share health information electronically, they value individual control and privacy," the researchers wrote. "Responsiveness to these needs, rather than mere reliance on HIPAA may improve support of data networks."

Access Reports

Consumer confidence in EHRs and HIEs could be boosted if patients are given the opportunity to get reports on who accesses their records, says David Whitlinger, executive director of the New York eHealth Collaborative. The group coordinates activities for the Statewide Health Information Network of New York, which is the state's health information exchange.

SHIN-NY plans to provide consumers with such access reports through the HIE's patient portal, he says.

"They'll be able to look to see who accessed their records via SHIN-NY," he says. Providing patients with access reports about their health records is akin to credit bureaus providing consumers with reports about who accessed their credit reports, he says. "If patients ask who has accessed their records, and can get a report, that will go a long way to alleviate concerns."

Regulatory Activity

In fact, federal regulators have been working on proposals regarding an accounting of health information disclosures and EHR access reports for patients.

The HITECH Act mandated the Department of Health and Human Services update HIPAA requirements for an accounting of disclosures of protected health information. In May 2011, HHS' Office for Civil Rights issued a notice of proposed rulemaking for updating accounting of disclosures requirements under HIPAA. The proposal generated hundreds of complaints from healthcare providers and others. Many of the complaints were aimed at a controversial new "access report" provision.

As proposed, the access report would need to contain the date and time of access, name of the person or entity accessing protected health information, and a description of the information and user action, such as whether information was created, modified or deleted. That access report would include EHR disclosures for treatment, operations and payment, which are categories of disclosures exempt from the current HIPAA accounting of disclosures rule.
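The two mechanisms discussed on this page, the EHR audit that caught the snooping pharmacist in the article above and the patient-facing access report described in the paragraph just before this one, can be built from the same access log. The script below is an added, illustrative example and is not code from any of the articles, from ONC, OCR, or any of the organizations quoted. It runs a simple snooping check over a constructed access log (flagging users who viewed several patients they have no treatment relationship with) and then produces a per-patient access report carrying the four fields the 2011 OCR proposal listed: date and time, who accessed, what was accessed, and the user action. The log format, the treatment-relationship table, the user names and the threshold are all assumptions made for the example; a real EHR would source the relationships from encounter and order data.

```python
"""Added example: snooping check and patient access report over an EHR access log.

The log, the treatment relationships and the threshold below are
constructed for illustration; they are not real data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample log (not real data). One row per record access.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action,section
2014-10-01T08:02:11,rx_smith,pharmacist,P1001,view,medications
2014-10-01T08:05:40,rx_smith,pharmacist,P1002,view,medications
2014-10-01T08:09:02,rx_smith,pharmacist,P1003,view,clinical_notes
2014-10-01T08:11:19,rx_smith,pharmacist,P1004,view,demographics
2014-10-01T08:14:53,rx_smith,pharmacist,P1005,view,clinical_notes
2014-10-01T09:00:00,dr_jones,physician,P1001,view,clinical_notes
2014-10-01T09:05:00,dr_jones,physician,P1001,modify,clinical_notes
2014-10-01T09:30:00,nurse_lee,nurse,P1002,view,demographics
2014-10-02T03:15:00,rx_smith,pharmacist,P1001,view,clinical_notes
"""

# Constructed treatment relationships (assumption): which users have an
# active care role for which patients. A real system derives this from
# encounters, orders and care-team assignments.
TREATMENT_RELATIONSHIPS = {
    ("dr_jones", "P1001"),
    ("nurse_lee", "P1002"),
    ("rx_smith", "P1001"),  # the pharmacist has an order for P1001 only
}


def parse_log(text):
    """Parse the CSV access log into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_snooping(events, relationships, max_unrelated=2):
    """Return {user: sorted patient ids} for users who viewed more than
    max_unrelated distinct patients with whom they have no treatment
    relationship. The threshold is an assumption for the example."""
    unrelated = defaultdict(set)
    for e in events:
        if (e["user"], e["patient_id"]) not in relationships:
            unrelated[e["user"]].add(e["patient_id"])
    return {u: sorted(p) for u, p in unrelated.items() if len(p) > max_unrelated}


def access_report(events, patient_id):
    """Per-patient access report with the fields in the 2011 OCR proposal:
    date/time, who accessed, what was accessed, and the user action.
    Treatment, payment and operations accesses are included, not exempted."""
    return [
        {"when": e["timestamp"], "who": e["user"],
         "what": e["section"], "action": e["action"]}
        for e in events
        if e["patient_id"] == patient_id
    ]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for user, patients in flag_snooping(log, TREATMENT_RELATIONSHIPS).items():
        print(f"REVIEW {user}: {len(patients)} unrelated patients {patients}")
    for row in access_report(log, "P1001"):
        print(f"{row['when']}  {row['who']:<10} {row['action']:<7} {row['what']}")
```

The relationship check is the part worth getting right: a pharmacist who legitimately fills orders for hundreds of patients will look like a snooper on raw volume alone, so the audit has to compare accesses against some record of why the user should have been in that chart. The report function deliberately includes treatment, payment and operations accesses, since that inclusion is exactly what distinguished the proposed access report from the existing accounting-of-disclosures rule.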

Many of the public comments that HHS received on the access report proposal claimed that it would prove to be technically unfeasible for EHR vendors to implement, and complex and expensive for healthcare organizations.

But Whitlinger doesn't buy those arguments. "The provider community realizes that they will get challenged about who accessed [a patient's] record, and they don't want to deal with that," he says. And he believes that some EHR vendors "don't want to have to go down the path of how to make these access reports representative and valuable" for patients.

OCR Director Jocelyn Samuels said in January that the agency was considering a possible request for additional public input on HHS' proposed accounting of disclosures rule making. OCR is still evaluating the comments it received on the proposed accounting of disclosures rule it issued in 2011, as well as recommendations from the HIT Policy Committee about refining the rule, she said.

Patient Control

An executive at EHR vendor Athenahealth says that patients will become more confident in the security and privacy of their health records if they have more control over that information.

"Too often, patient data and its sharing is controlled not by the patient but by large care organizations and their health IT vendors," says Dan Healy, Athenahealth's vice president of government and regulatory affairs. "Our vision is of a system of patient-centered information exchange, putting control back in the hands of the patient. That will do more than anything else to increase confidence."

