
The Myths and Meaning of HIPAA

By Andy Nieto

When I was a child, the threat “just wait ‘til your father gets home” was enough to make me change my attitude. I wasn’t punished much as a child, and time with my father was far happier and more positive than not, but that phrase still resonated. For many, the Health Insurance Portability and Accountability Act (HIPAA) carries the same kind of meaning as that threat.
HIPAA often inspires doom, gloom, and fear. That fear leads to unintended expectations and behaviors around patient information, and it makes effective care coordination a challenge. In reality, HIPAA gives us guidance about the protection of information, and it is a very real threat only if you ignore it. It is not all doom and gloom.

Can vs. Can't

First, let’s look at what you can do with patient medical data under HIPAA. You can:

  • Connect
  • Share
  • Cooperate
  • Consult
  • Question
  • Exchange
  • Communicate
  • Treat

That’s a significant list and it’s all about coordination.

Now let’s compare that to what you can’t do with this same information under HIPAA. You can’t:

  • Ignore
  • Distribute
  • Expose
  • Publish

It’s easy to see how this can be confusing. The security and privacy standards defined by HIPAA, combined with the expanded responsibilities under the 2013 Omnibus Rule, have created layers of bureaucracy, and whole industries have sprung up to “explain” the meaning of it.

Stewardship

So, let’s step back for a minute and look at what HIPAA is really supposed to be about, which to me, is stewardship. Stewardship is the responsible overseeing and protection of something considered worth caring for and preserving. On the official Federal site, it says that the HIPAA Privacy Rule “establishes national standards to protect individuals’ medical records and other personal health information.”

Stewardship implies personal ownership and responsibility. A stewardship ethic implies that very high personal and professional standards are applied to the management and protection of a patient’s information. It is really about taking care of the health information entrusted to you.

Perhaps the biggest shift in mindset for physicians in the last several years has been the emergence of patient health information as a valuable component of their practice, to be treated accordingly. Let me use an analogy and compare money to information. As a person, you don’t carelessly give away your money or leave it lying around. You don’t share your financial account logins with strangers, and you certainly wouldn’t want your financial records released, exposed or published. As part of our upbringing, from our first allowance to our first job to our careers today, we have been learning about money, its value, and the steps we should take to protect it. Being good stewards of money is a role we recognize and understand. Patient health information should be viewed in the same way.

Medical records are filled with personal data; under HIPAA, individually identifiable health information held by a covered entity or its business associates is protected health information (PHI). Once we make the connection that this information has value and must be treated like money, the HIPAA standards stop being cumbersome and start being understandable.

Can and Can't Revisited

So, with good stewardship in mind, let’s go back to the “can I” or “can’t I” question and ask the following:

  • Can I connect with another person about a patient? Yes, just make sure that your method of connection is safe and that you have a valid reason for doing so.
  • Can I share a patient’s record with another provider? Absolutely, provided you take steps to ensure the information is protected.
  • Can I cooperate and consult on patients? Of course, but do so in a manner that maintains a patient’s privacy and the protection of the data.

There are a lot of myths around HIPAA, and while the “letter of the law” can be confusing at times, “the spirit” and meaning are clear. HIPAA really does not need to be confusing. Be a good steward of the information in your practice of medicine, and you’ll be a long way down the path of complying with HIPAA regulations.

HIPAA Compliance in the Age of Population Health Management

By Thomas Donhauser

The goal of Population Health Management (PHM) communication is to improve the health outcomes of a group of patients with similar characteristics. One example of a population in this context is patients suffering from the same chronic condition. The care of patients in this group may be managed similarly, often involving the same treatments, tests, procedures and other forms of care.

The treatment of chronic conditions typically involves multiple parties, from a primary care physician to multiple specialists and of course the patient. This, in turn, requires frequent communications between the parties.

EHR systems were intended to facilitate these communications but have some shortcomings. And maintaining HIPAA compliance is a key challenge. This article looks at how organizations can use Direct Secure Messaging to overcome the technical and regulatory challenges of a Population Health Management communication scenario.

The Challenge of Managing Chronic Conditions

Chronic conditions are complex to manage. They typically involve multiple syndromes, symptoms, tests and treatments. They require multiple specialists to manage effectively, as well as a high degree of patient diligence.

Diabetes is a good example. It cannot be cured, only managed for the remainder of the patient’s life. As with most complex chronic conditions, managing diabetes involves regular visits with specialists to ensure that things don’t get worse. Managing a patient’s glucose level is always the short-term concern, but left unmanaged, diabetes can result in catastrophic outcomes such as the loss of a patient’s feet or eyes, or kidney or heart damage.

In addition to the patient’s primary care physician, medical professionals involved in the management of diabetes could include nurse educators, endocrinologists, ophthalmologists, cardiologists, dietitians, podiatrists, exercise physiologists, dentists and others. The coordination of care between so many providers – and with the patient – is essential.

Technical and Regulatory Challenges in Population Health Management Communication

Part of the promise of EHR systems was that they would facilitate the level of information exchange between healthcare providers that is necessary for coordinating the care of patients. The HL7 messaging standards were meant to ensure that the hundreds of EHR products in the market could “talk to” each other. Unfortunately, different EHR vendors implement the HL7 standards differently (vendor-specific segments, optional fields used in incompatible ways), resulting in incompatible data formats. This, in turn, causes missing or inaccurate patient records.

In addition, some EHR vendors employ a proprietary data format that effectively blocks information exchange with EHRs from other vendors. And, some vendors charge providers to enable their systems to interoperate with others.

These constraints make it harder to manage patient care across providers, rendering the ultimate goal of PHM (better patient outcomes) harder to reach. The alternatives for information exchange (provider-to-provider email, postal mail or fax) are slow and unreliable, and unencrypted email in particular can result in HIPAA violations.

Another challenge is that EHRs were designed to facilitate provider-to-provider care. But for PHM, the patient plays a pivotal role in achieving good outcomes. So, too, can family members or other caregivers, such as home health agencies, that might not have access to an EHR.

Electronic communication is by far the easiest, most efficient, most reliable, and most accountable means of communication between providers and patients. But standard email isn’t a viable option under HIPAA: the identity of the recipient, the actual reader of the email, cannot be validated, and a plain email is no more secure than a postcard with sensitive patient information written on it for all to see, which again presents HIPAA compliance issues. Moreover, regular email lacks a documentation and audit trail that all parties involved in the patient’s care can access.

The Value of Direct Secure Messaging

The ideal solution is Direct Secure Messaging (“Direct”). Direct is the ONC-sponsored national standard for a secure, email-like communications channel, and DataMotion delivers it as a service that enables providers to communicate with each other, as well as with patients and other caregivers, in a secure, HIPAA-compliant way. Messages are encrypted and signed with S/MIME using X.509 certificates issued to the sending and receiving organizations, and users must authenticate to send and receive.

Importantly, Direct is an enhancement to EHRs, not a replacement. Providers can access Direct from within most popular EHRs.

On the provider side, Direct helps improve patient outcomes in a PHM environment by facilitating the exchange of patient medical records in a standardized manner. This includes structured and unstructured data, as well as large files such as radiologic studies and diagnostic images. Direct enables better coordination of care. It also reduces errors and delays compared with conventional means of information exchange; for instance, delays when records are sent by courier, and mistakes due to the illegibility of handwritten notes.

On the patient side, Direct gets patients engaged in the management of their condition, which boosts outcomes. Patients can, for example, provide timely feedback on how well treatments are working, allowing providers to make adjustments accordingly without a delay for the patient to make an appointment with the provider. Patients can report new symptoms, complications or other issues to the provider immediately, thereby potentially avoiding life-threatening situations. And providers can ensure that patients refilled prescriptions when scheduled, or remind patients of upcoming office visits or tests to take.

Managing healthcare is increasingly a team effort. Frequent, accurate communication between the team members – including the patient – is paramount to achieving good outcomes. Direct offers an effective enhancement to EHRs that can help care providers deliver better patient outcomes while complying fully with HIPAA rules for privacy and security.

About DataMotion™ Direct

Based on the Direct standard for securely exchanging clinical healthcare data via the Internet, DataMotion™ Direct enables secure messaging for healthcare providers, patients, business associates, and clinical systems. Using DataMotion™ Direct, PHI can be sent and received securely, in a manner that conforms to the Meaningful Use Stage 2 (MU2) transport requirements. It supports the transmission of a variety of sensitive data, including summary of care documents, large images, and personal messages. Best of all, it integrates easily with existing EMR/EHR and other Health IT solutions to fully support in-network and out-of-network communications.

DataMotion is an accredited Health Information Service Provider (HISP), provisioning Direct services that are fully interoperable with other HISPs. Secure data delivery has been the core of DataMotion’s business since 1999, ensuring your ability to meet HIPAA compliance and Meaningful Use requirements.

Happy Holidays from DataMotion!

By Monica Hutton

Happy Holidays and a very Happy New Year from everyone at DataMotion!

Where is your personal health record?

By Thomas Donhauser

As the US healthcare industry continues its journey to digital / electronic health records that can be easily exchanged as patients move between care settings, practical questions abound:

  • Who owns your electronic health records?
  • Where are your health records?
  • How can they be consolidated?
  • Where should they be stored?
  • Who should have access?
  • How can they be shared?

Under HIPAA, each individual has a legal right to access and obtain copies of their health records (ownership of the record itself is a matter of state law), but very few of us have actual ‘control’ over them, at least from a storage, curation and management standpoint. An individual’s ‘longitudinal record’, which is a comprehensive collection of well-care records (annual physicals and labs, ob-gyn visits, etc.) and episodic care records (diagnosis and treatment for illness, injury, etc.), is not typically in one place, electronically or otherwise.

There are attempts at this. State or private health information exchanges (HIEs) were funded under the HITECH Act, part of the American Recovery and Reinvestment Act of 2009. The idea is to have a regional repository for all electronic medical records (EMRs) regardless of where the care was provided. Then a patient’s EMR can be accessed by any clinical entity on an as-needed basis to inform past history when that person ‘presents’ for care. A good idea, but a challenging business model: who pays for it? Who ensures that all your care providers are submitting your data? And without a national patient identifier, how do you reconcile the inevitable name mix-ups?

There is a new ONC / CMS push for health insurers to act as a new kind of ‘HIE’ and maintain EMRs for their plan members. Since they likely participate in each clinical episode from a payment standpoint (well-care or otherwise), they are positioned to collect the clinical data along with the claims data in a single repository. This may become a regulatory requirement, for better or worse, as part of the set of rules currently under review under the 21st Century Cures Act.

A third push is for the patient/person to collect, maintain and curate their own EMR using a cloud service and application (or web service / portal). These are known as personal health records (PHRs), or PHR apps and systems. For many reasons (privacy, control and accuracy / completeness) it makes sense, especially for tech-savvy ‘digital natives’. And showing up in a clinical setting with all your health information accessible from your iPhone is the type of immediacy and control digital natives expect.

The personal health record (PHR) model is a grassroots approach, and needs a boost from a major cloud services player – Google and Apple being the most likely candidates. There needs to be some critical mass / pump priming to get these apps adopted and the data flowing from clinical repositories into PHRs at population scale. Then the patient control and resulting consumerization of healthcare can help drive more value from clinical service providers.

In the absence of a Google/Apple initiative, it’s possible for medical associations representing chronic conditions or cancers to build critical mass among their patients. If the American Cancer Society or the American Diabetes Association offered an app that included a PHR function, it’s possible they could build a base of users that would not only control their health records as they moved through their care plans and clinical settings, but they could also provide population health data for research and candidates for clinical trials – perhaps as easily as an ‘opt-in’ offer.

One way or another – the push for more data to be accessible to patients and their care-givers programmatically will continue, and the demand for clinical information exchange technologies and services that are interoperable and cost efficient will expand rapidly as well.

At DataMotion, we are huge fans of patient centered control. Working on a PHR strategy? Talk to us – we’re happy to share our expertise!

5 Signs Your Self-Service Portal Needs a Secure Message Center

By Christian Grunkemeyer

  1. You are a financial services, insurance or healthcare company
  2. You have a self-service portal or app
  3. Your customers want to use email and share documents and secure messages electronically
  4. Your employees need to manage inquiries from a single desktop
  5. Security and privacy regulations require it

You are a financial services, insurance or healthcare company

Exchanging sensitive, regulated information with your customers is required to resolve many contact center inquiries and cases. Whether it’s answering sensitive questions, exchanging completed forms, supplying supporting documentation or exchanging a medical record, to resolve customer issues you need to accelerate and track actionable communications supported by documents that may contain PII and/or PHI. And that must be done in compliance with privacy and security regulations.

You have a self-service portal or app

You already provide customers a secure, self-service portal or mobile application which gives them access to a wide range of information and services they can use to get more value from their relationship with you. That’s excellent. But when they get stuck and need to contact support, what options do you offer to securely message, email or share the documents necessary for a streamlined resolution? If you limit their choice to out-of-band options (call us, fax us or send us a letter), or if you put restrictions on what they can discuss or share (“email us, but no sensitive info please”), your CX score will suffer. A recent report by IDC indicates that companies growing at high rates are focused on digital transformation and customer experience, so this REALLY MATTERS to your top and bottom lines.

Your customers are asking for it

Customers want to engage your organization using smartphones, tablets, and laptops, online and through your secure self-service contact center or mobile application. They want to use secure messaging, email and file sharing, and they need to trust you when asking financial or health questions and when sharing their private information and documents. They don’t want to use yesteryear’s technologies: fax, stamps, FedEx or in-person delivery. They would prefer not to call your support number and wait in the queue on hold. They want you to make it easy to process their requests and meet their needs through safe, digital transactions.

Your employees need it

Productive employees are happy employees. Happy employees make happier customers. Happier customers do more business. It’s a virtuous cycle. If you limit the ways your employees can communicate and resolve customer issues, fewer of those things happen. Customers are disappointed with the communication and information exchange options, and employees are often left waiting on slower delivery processes, transcribing information, or working in multiple systems to cobble together a resolution (or a complete customer history view). If you light up an integrated secure message channel with document sharing capabilities in their contact center desktop, it makes their job less cumbersome, so productivity, happiness and growth can thrive. The virtuous cycle of business life. The wheel of good fortune. (There may just be an Elton John / Disney song in there somewhere….)

Security and privacy regulations require it

And that’s the sticky wicket. HIPAA, GLBA, PCI DSS, HITECH, DPA, GDPR: all there for the right reasons, and protecting your customers’ sensitive information is your obligation, but it sure adds a lot of friction to digitizing your business processes.

And that’s where a Secure Message Center delivers its fundamental value. It gives you all the benefits of integrated messaging channels (tracked email with file attachments, webforms, eforms, native webmail interfaces) with contact center integration. It enables an efficient flow of inquiry and resolution that moves your business forward, all while providing the trusted security and verifiable compliance your organization needs and your customers expect.

So what is a Secure Message Center and how easily can it drop into your current ecosystem to light up a secure messaging, email and file sharing channel in your contact center? Happily, there’s no ocean to boil. Learn more about it here, or contact us with your situation – we exist to make implementing this light work for you, and the contact center experience better for your customers.

Happy Thanksgiving from DataMotion

By Monica Hutton

Hoping everyone has a very happy Thanksgiving this year! What are you thankful for?

What is DKIM for DataMotion SecureMail?

By Alex Mushkin

As of November 13, 2019, DataMotion SecureMail and SecureMail Gateway support DKIM, so outgoing email messages sent via SMTP are delivered to their intended recipients rather than rejected or quarantined by the anti-spam and anti-spoofing checks deployed on recipients’ mail servers. SPF and DMARC are also supported; all three are defined below.

DKIM, or ‘DomainKeys Identified Mail’ (RFC 6376), is an Internet standard email authentication method designed to combat email spoofing. It lets a receiving SMTP server check that a message was in fact authorized by the owner of the signing domain (the d= tag of the signature) and that the signed headers and body were not altered in transit. DKIM involves signing each outgoing email message with a private key linked to the sender’s domain name. The recipient system verifies the digital signature by looking up the associated public key, which is published as a DNS TXT record at <selector>._domainkey.<domain>, where the selector is the s= tag of the signature. Put simply, the DKIM signer uses the private key and the DKIM verifier uses the corresponding public key. For it to work, the sending SMTP servers must insert a DKIM-Signature header field on outgoing email messages, and the owner of the signing domain must publish the matching public key TXT record. Note that DKIM by itself says nothing about the From: address the reader sees; tying the signing domain to the From: domain is DMARC’s job (see below).

As stated in the IETF (Internet Engineering Task Force) RFC 6376:

“DomainKeys Identified Mail (DKIM) permits a person, role, or organization that owns the signing domain to claim some responsibility for a message by associating the domain with the message. This can be an author’s organization, an operational relay, or one of their agents. DKIM separates the question of the identity of the Signer of the message from the purported author of the message. Assertion of responsibility is validated through a cryptographic signature and by querying the Signer’s domain directly to retrieve the appropriate public key. Message transit from author to recipient is through relays that typically make no substantive change to the message content and thus preserve the DKIM signature.”
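To make the signing step above concrete, here is an added example (not DataMotion code, and not an implementation the post describes) of what a DKIM signer actually hashes before it applies the RSA key: the ‘relaxed’ body and header canonicalization of RFC 6376, the bh= body hash, and the exact byte string that the b= signature covers. The message headers, body, domain example.com and selector sel2019 are constructed sample data, the b= value is a placeholder, and no private key is involved.

```python
"""Added example, not DataMotion code: the canonicalization and hashing steps a
DKIM signer performs (RFC 6376 sections 3.4, 3.5 and 3.7) before it RSA-signs.
The sample message, selector and domain below are constructed; no key is used."""
import base64
import hashlib
import re

CRLF = "\r\n"


def relaxed_body(body: str) -> str:
    """RFC 6376 3.4.4 'relaxed' body canonicalization: collapse runs of WSP to a
    single SP, strip trailing WSP from each line, drop empty lines at the end,
    and terminate a non-empty body with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split(CRLF)]
    while lines and lines[-1] == "":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else ""


def body_hash(body: str) -> str:
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def relaxed_header(field: str) -> str:
    """RFC 6376 3.4.2 'relaxed' header canonicalization: lowercase the field
    name, unfold continuation lines, collapse WSP runs to one SP, and remove
    WSP around the colon and at the end. Returned without a trailing CRLF."""
    name, _, value = field.partition(":")
    value = re.sub(r"[ \t]*\r\n[ \t]*", " ", value)  # unfold (RFC 5322 folding)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}"


def signed_headers(headers, signature_field):
    """Pick the fields named in the signature's h= tag, in h= order. When a
    name repeats in the message, RFC 6376 5.4.2 takes the last instance first."""
    h_tag = re.search(r"(?:^|;)\s*h=([^;]*)", signature_field).group(1)
    wanted = [n.strip().lower() for n in h_tag.replace(CRLF, "").split(":")]
    selected = []
    for name in wanted:
        for field in reversed(headers):
            if field.partition(":")[0].strip().lower() == name and field not in selected:
                selected.append(field)
                break
    return selected


def signature_input(headers, signature_field) -> bytes:
    """The exact bytes hashed and RSA-signed (RFC 6376 3.7): each selected
    header canonicalized and followed by CRLF, then the DKIM-Signature field
    itself with the b= value emptied (section 3.5) and no trailing CRLF."""
    parts = [relaxed_header(h) + CRLF for h in signed_headers(headers, signature_field)]
    # Empty only the b= tag (a tag starts after ';'), never the bh= tag.
    sig_without_b = re.sub(r"(?<=;)(\s*b=)[^;]*", r"\1", signature_field)
    parts.append(relaxed_header(sig_without_b))
    return "".join(parts).encode("utf-8")


def hash_to_sign(headers, signature_field) -> str:
    """SHA-256 of the signature input; with a=rsa-sha256 this digest is what the
    private key signs (RSASSA-PKCS1-v1_5) to produce the b= value."""
    return hashlib.sha256(signature_input(headers, signature_field)).hexdigest()


# Constructed sample message (not real traffic). X-Mailer is deliberately
# absent from h= to show that unsigned headers do not enter the hash.
SAMPLE_HEADERS = [
    "From: Dr. Example <clinic@example.com>",
    "To:   patient@example.net",
    "Subject: Lab   results\r\n ready",  # folded, with surplus WSP
    "Date: Wed, 13 Nov 2019 10:00:00 -0500",
    "X-Mailer: not-signed",
]
SAMPLE_BODY = "Your results are  normal.\t\r\n\r\nRegards\r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;"
    " s=sel2019; h=From:To:Subject:Date;\r\n"
    " bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b=PLACEHOLDER+base64/rsa+signature=="  # real value: base64 RSA output
)

if __name__ == "__main__":
    print("bh=", body_hash(SAMPLE_BODY))
    print(signature_input(SAMPLE_HEADERS, SAMPLE_SIGNATURE).decode())
    print("digest to sign:", hash_to_sign(SAMPLE_HEADERS, SAMPLE_SIGNATURE))
```

Two things worth noticing when you run it: trailing whitespace and blank lines at the end of the body do not change bh=, which is what lets the signature survive the minor rewriting the RFC quote above mentions, while a single changed character in a signed header changes the digest. Headers left out of h= (here X-Mailer) are not covered at all, so a signer should list every header a recipient might act on.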

SPF (Sender Policy Framework, RFC 7208) is an email authentication method, also supported, to combat email spoofing. It allows receiving SMTP servers to check whether the connecting IP address is authorized to send mail for the domain in the SMTP envelope sender (MAIL FROM), not for the From: header the user sees. The owner of the domain must create an SPF DNS TXT record listing the authorized senders; a domain that relays through a third-party gateway typically does this with an include: mechanism that references the provider’s own SPF record. The sending SMTP servers do not need to do additional work for SPF. SPF does fail, however, when a message is forwarded by an intermediate server whose IP is not listed, which is one reason DKIM is needed alongside it.

DMARC (Domain-based Message Authentication, Reporting and Conformance, RFC 7489) is an email authentication policy that builds on SPF and DKIM to combat email spoofing, and is also supported by SecureMail. It allows receiving SMTP servers to decide what to do with a message that fails authentication, based on a policy published by the owner of the From: domain. The owner of the domain must create a DMARC DNS TXT record at _dmarc.<domain>. That record specifies the policy to apply on failure (p=none, quarantine or reject), optionally the alignment strictness for DKIM and SPF (adkim= and aspf=), and the addresses for aggregate and failure reports (rua= and ruf=). A message passes DMARC when at least one of SPF or DKIM passes and the domain it authenticated is aligned with the From: header domain. The sending SMTP servers do not need to do additional work for DMARC, but a relay that DKIM-signs with its own domain rather than the customer’s domain does not produce an aligned DKIM pass, so the key published under the customer’s domain must be the one used.
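The three DNS records described above, and the alignment rule that joins them, are easier to see in code. The following is an added example (not DataMotion code): it parses a constructed DKIM key record, SPF record and DMARC record for a hypothetical customer domain example.com that relays through a hypothetical gateway domain securemail-provider.example, then evaluates the DMARC result for a few messages. Organizational-domain matching is simplified to the last two DNS labels; real receivers use the Public Suffix List, and pct= and sp= handling are left out.

```python
"""Added example, not DataMotion code: parsing the DNS TXT records a receiver
fetches for DKIM, SPF and DMARC, then applying DMARC identifier alignment
(RFC 6376 section 3.6.1, RFC 7208, RFC 7489 section 3.1). All records, domains
and the relay provider below are constructed; nothing is queried from real DNS."""


def parse_tag_list(record: str) -> dict:
    """'tag=value; tag=value' syntax shared by DKIM key records, DKIM-Signature
    headers and DMARC records. Whitespace inside values (line folding) is dropped."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, _, value = item.partition("=")
            tags[name.strip()] = "".join(value.split())
    return tags


def dkim_key_query_name(signature_header: str) -> str:
    """Where a verifier looks up the public key: <s>._domainkey.<d>."""
    tags = parse_tag_list(signature_header.partition(":")[2])
    return f"{tags['s']}._domainkey.{tags['d']}"


def parse_dkim_key(txt: str) -> dict:
    """Interpret a DKIM key TXT record. v= is optional but must be DKIM1 if
    present; an empty p= means the key has been revoked (RFC 6376 3.6.1)."""
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM key record")
    if tags.get("p", "") == "":
        raise ValueError("key revoked (empty p=)")
    return {"algorithm": tags.get("k", "rsa"), "public_key_b64": tags["p"],
            "testing": "y" in tags.get("t", "")}


def parse_spf(txt: str) -> dict:
    """Split an SPF record into (qualifier, mechanism) pairs plus the 'all'
    default. Qualifiers: '+' pass (implicit), '-' fail, '~' softfail, '?' neutral."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, default = [], "?"  # no 'all' term means neutral
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            default = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": default}


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption:
    production code must use the Public Suffix List for e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' strict: exact match. 'r' relaxed (the default): same organizational domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(dmarc_txt: str, from_domain: str,
                 dkim_pass_domains=(), spf_pass_domain=None) -> dict:
    """Evaluate one message against the From: domain's DMARC record.
    dkim_pass_domains: d= of every DKIM signature that verified.
    spf_pass_domain: the MAIL FROM domain if SPF returned pass, else None.
    (pct= and sp= are not modelled here.)"""
    tags = parse_tag_list(dmarc_txt)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    dkim_ok = any(aligned(from_domain, d, tags.get("adkim", "r")) for d in dkim_pass_domains)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "disposition": "pass" if (dkim_ok or spf_ok) else tags.get("p", "none"),
            "report_to": tags.get("rua")}


# Constructed records for the hypothetical customer domain example.com, relayed
# through the hypothetical gateway domain securemail-provider.example.
DKIM_SIG = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel2019;"
            " h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZQ==")
DKIM_TXT = "v=DKIM1; k=rsa; t=y; p=MIIBIjANBgkq PLACEHOLDER"  # folded placeholder key
SPF_TXT = "v=spf1 ip4:192.0.2.0/24 include:_spf.securemail-provider.example -all"
DMARC_TXT = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-rua@example.com"

if __name__ == "__main__":
    print(dkim_key_query_name(DKIM_SIG), parse_dkim_key(DKIM_TXT))
    print(parse_spf(SPF_TXT))
    # Gateway signs with the customer's key: aligned, passes.
    print(dmarc_result(DMARC_TXT, "example.com", dkim_pass_domains=["example.com"]))
    # Gateway signs with its own domain and uses its own bounce domain: rejected.
    print(dmarc_result(DMARC_TXT, "example.com",
                       dkim_pass_domains=["securemail-provider.example"],
                       spf_pass_domain="bounce.securemail-provider.example"))
```

The second message in the demo is the case that bites when a third-party gateway is switched on: both SPF and DKIM can individually pass for the provider’s domain, yet the customer’s p=reject policy still applies because neither identifier is aligned with the From: domain. Publishing the customer’s own selector key (and an include: for the provider in the customer’s SPF record) is what turns that into a pass.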

For information on enabling DKIM, SPF and /or DMARC, please visit our knowledge base, or contact support.

3 Things to Look for When Selecting Email Encryption APIs

By Alex Mushkin

If your business process and workflow applications handle sensitive data or are in industries subject to privacy laws and regulations, adding encrypted email functionality can give you an edge. By incorporating secure email technology, you can reduce the risks associated with data theft, accidental exposure and regulatory compliance audits. An easy and fast way to add this functionality is to leverage email encryption application programming interfaces (APIs).

Application programming interfaces, or APIs, can be a blessing – or a nightmare. Use the right one and your application just expanded its reach and functionality, adding to your bottom line.  Use the wrong one, and you’ll be in development for perpetuity – or worse.

Here are three things to look for when selecting email encryption APIs for securely moving data:

1. API depth and breadth. Depth and breadth give you control over more aspects of how the API works with your app. Look for multiple types of APIs, ones that can operate at multiple levels, including:

    • Secure Messaging APIs. These are the APIs that send and retrieve data, usually by leveraging a standard email address or an internal one derived from a user’s account number. Look for APIs that can handle multiple types of data, including encrypted email, files and form data.
    • Administrative APIs. Capabilities to look for here include things like password reset, managing users and their account settings, and integrating with Single Sign-On (SSO).
    • Provisioning APIs. When the use of your application takes off and grows, so must your API. Look for the ability to programmatically provision service and on-board new users.

2. Full support from the API provider. In addition to standard consulting and ongoing technical guidance, look for:

    • Software Development Kits (SDK) with multiple language support, including C#, VB.Net, Java and PHP, along with SOAP and REST protocols.
    • Technical reference guides that accurately document each API function and data structure. Sloppy documentation could indicate subpar operations.
    • Demos for each supported programming language, including working sample applications with documented source code that demonstrates the implementation.

3. Pre-production sandbox environment. A full service, fully contained, pre-production environment allows you to quickly and safely create, test and preview your application.

Look for these three things and you’ll be well on your way to a successful API integration.

Email Encryption As a Solution or A Feature?

By Bob Janacek

Technology products often evolve over time from standalone solutions to integrated features. This can take years, or even decades to occur, depending on the sophistication of the solution, and how easily it fits into an existing application to add value in a broad set of use cases.

The most obvious examples are on the smartphone where we have long ago (in tech years) absorbed our digital cameras and GPS devices, and perhaps more subtly, photo editing software and directory services.

Email Encryption – from product to feature

Email encryption has been an adjunct service and solution that overlays and complements most email services and UIs, with Microsoft Exchange and Outlook as prime examples. Virtually all email encryption solutions work with the Microsoft email server and client, even as they migrated to the cloud as part of Office 365. Microsoft introduced its own email encryption solution, Office 365 Message Encryption, as an option and integrated feature of Office 365 in 2014. It has been improved since introduction, and while it still has some limitations, for many users that need an ad hoc solution for HR and legal departments it is quite sufficient, and it eliminates the need for a specialty vendor (DataMotion included). While it’s not without cost, it is appealing to organizations seeking to reduce the number of 3rd-party solutions and vendors in their IT mix.

Also, in the cloud email service provider space, Gmail enables opportunistic TLS (STARTTLS) by default for mail in transit between servers, and in so doing provides transport encryption for email traffic originating from its service whenever the receiving server also supports TLS. That protects the connection, not the message: it does nothing once the message lands in a mailbox, and it falls back to plaintext when the other side does not offer TLS, so it doesn’t by itself assure compliance. It is nonetheless a significant step towards ‘email encryption as a standard feature’ vs an overlaid 3rd-party solution.

Email Encryption as a feature – benefit

As noted, most email encryption solutions already integrate very well with Outlook and Exchange, which in effect makes them a plug-in toolbar button feature of Outlook, invoked with a click. So it has already been reduced to a feature of email in this way for most ad hoc, desktop requirements. Yet the use of email for messaging and file exchange is not always a desktop ad hoc function.

Email Encryption, CRM, Contact Centers and Mobile Apps

In fact – where it matters most – in high volume business processes handling regulated information, Outlook (or any webmail interface for that matter), is not the best place to send and receive messages and files. CRMs, contact centers, practice management software, electronic health record systems, and custom database applications are the applications that often house the data and track the interactions with customers, partners (or patients). Shouldn’t email encryption be a standard feature of those solutions? And for situations where the customer, client or patient need to initiate an inquiry – shouldn’t a secure email channel be a feature easily accessible to them too through customer facing interfaces and apps such as websites, portals and mobile apps?

Enter the EMAIL ENCRYPTION API

While email encryption vendors can extend the existing Outlook style ‘plug-in’ model of creating applets to expose their email encryption service as a ‘toolbar button’ in popular CRM UI’s (Salesforce for instance) – this approach doesn’t scale well, and doesn’t always accommodate the use case at hand, or fit into customer facing services such as self-service portals or mobile apps. In these cases, a native solution is best, using web service email encryption APIs to provide secure messaging, file and form exchange to support high volume applications with trusted security and verifiable compliance.

This application of email encryption APIs lends itself best to healthcare, financial services, insurance and government applications, at enterprise scale. These organizations are best positioned to migrate off standalone email encryption solutions and leverage the benefits of email encryption as a feature through the use of APIs.

Email Encryption APIs for Mid-Market Solution Providers

While enterprise-class organizations have the resources and transaction volumes to leverage APIs for integrating email encryption as a feature into their workflow processes and enterprise apps, broader market benefits are derived from integration with platforms that provide core utility in the healthcare, insurance, financial services and government sectors. Digital banking platforms, digital insurance platforms, electronic health record systems, chronic care management systems, practice management systems: all can benefit from a robust secure messaging and file exchange feature, and email encryption APIs deliver a consistent method of sending and receiving messages (and files) that surfaces as a native feature of the application’s own UI.

Email Encryption APIs: innovation and disruption

Viewed through this lens, the email encryption API is both an innovation and a disruption to the existing email encryption product status quo. There are dozens of companies offering email encryption as a subscription service, with very little differentiation and, frankly, very little end user love. Most email encryption solutions are burdened with cumbersome, multi-step processes for the recipient, the sender, or both. It is a mature solution; most organizations that need it have a subscription (SaaS). It is a software solution that is ripe for disruption, and ready to be consumed as a feature instead of a separate product. Email encryption APIs can deliver that disruption, and yield a better tool for moving sensitive business communications and processes forward.

Are our APIs right for your email encryption solution?

Try them out with our free, 14-day trial.

4 Data Driven Healthcare Regulation Risks that the C-Suite Must Navigate Today
Hugh Gilenson

For most healthcare C-Suite execs, HIPAA represents the most important regulatory risk related to data security and privacy. While HIPAA will continue to figure importantly in ongoing risk monitoring, a new generation of healthcare regulation is about to spawn additional threats that deserve a place alongside HIPAA on executives’ risk assessment dashboard.

Far-reaching data sharing mandates driving today’s healthcare transformation trends, including value-based contracting, patient-centered care, and digital automation, are squarely in the cross-hairs of new regulatory initiatives. These mandates have the potential to unleash unprecedented volumes of electronic health information (EHI) which will need to be sourced, transported, delivered, and archived according to strict guidelines, of which the HIPAA privacy and security rules are mere table stakes.

According to an October 2019 survey conducted by Accenture, a majority of provider and payer executives are not aware of key mandates, nor are they prepared to comply with them. In view of the new healthcare regulations, the C-suite that has only HIPAA privacy and security risk on its radar is most likely underestimating its true exposure.

The new generation of rules, born of the 2011 Medicare and Medicaid EHR Incentive Program and currently evolving under the 21st Century Cures Act, is considerably more complex than the rules launched under HIPAA in 1996. While data security and privacy remain foundational, the expanded scope of these rules carries mandates for mobilizing siloed data and delivering it, in high volumes and at high velocity, across disparate systems to a variety of recipients across the care continuum, including the full spectrum of providers as well as patients and caregivers.

Of the many rules that are likely to have impact as data is shared more widely, there are 4 that deserve elevated visibility on executives’ threat and vulnerability dashboards today:

1. 21st Century Cures Act – Significant penalties of up to $1 million per violation are authorized under these (pending) rules:
   a. The Interoperability and Patient Access Proposed Rule (CMS)
   b. “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program”

2. OCR “Right of Access Initiative” – Up to $100,000 per infraction/violation (avg)

3. Updated HIPAA Breach-Violation Enforcement – $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation

4. GDPR / The California Consumer Privacy Act (CCPA) – January 1, 2020 – Converging European and US standards
   a. GDPR: fines of up to 10 million Euros applicable to PHI exchanged with patients residing in the EU
   b. CCPA:
      i. $7,500 per violation
      ii. Individual right to bring lawsuits for breach of “non-encrypted or non-redacted personal information”
         1. $100-$750 per incident, or more where damages exceed $750

Awareness of the above rules is an essential first step toward assessing risk exposure and designing a relevant management strategy. To succeed in this endeavor, it’s critical to understand that:

  • the new risks are multi-faceted, driven by policies with data sharing objectives beyond the traditional scope of HIPAA;
  • while cybersecurity-focused strategies were sufficient to mitigate risk in the past, today’s risk landscape requires added expertise in interoperability, and in methods of embedding security, privacy, and interoperability in complex clinical workflows that can deliver data at high velocity to multiple recipients, including physicians, patients, and other caregivers.

Concurrent with the obvious risks surrounding regulations, there are also opportunities. A follow-up installment of this blog will explore revenue opportunities triggered by healthcare regulations, and how an optimal plan for responding to regulatory change should consider solutions that both mitigate risk and maximize opportunities.

For more information on how DataMotion can help you mitigate data driven healthcare regulation risks, visit: DataMotion Direct Benefits and DataMotion Direct Secure Messaging.

For a consultation or additional information, please contact us.