Regulatory Compliance

HIPAA Meaning Blog Header Image
The Myths and Meaning of HIPAA 600 237 Andy Nieto

The Myths and Meaning of HIPAA

When I was a child, the threat “just wait ‘til your father gets home” was enough to make me change my attitude. I wasn’t punished much as a child, and time with my father was far happier and positive than not, but that phrase still resonated. For many, the meaning of The Health Insurance Portability and Accountability Act (HIPAA), is in many ways, like that threat.
HIPAA often inspires doom, gloom, and fear. Because of that, it can lead to unintended expectations and behaviors regarding patient information, making effective care coordination a challenge. In reality, HIPAA gives us some guidance about the protection of information and is a very real threat — only if you ignore it. However, it’s not all doom and gloom.

Can vs. Can't

First, let’s look at what you can do with patient medical data under HIPAA. You can:

  • Connect
  • Share
  • Cooperate
  • Consult
  • Question
  • Exchange
  • Communicate
  • Treat

That’s a significant list and it’s all about coordination.

Now let’s compare that to what you can’t do with this same information under HIPAA. You can’t:

  • Ignore
  • Distribute
  • Expose
  • Publish

It’s easy to see how this can be confusing. The security and privacy standards defined by HIPAA combined with the expanded responsibilities under the Omnibus Rule, have created layers of bureaucracy and whole industries have sprung up to “explain” the meaning of it.

Stewardship

So, let’s step back for a minute and look at what HIPAA is really supposed to be about, which to me, is stewardship. Stewardship is the responsible overseeing and protection of something considered worth caring for and preserving. On the official Federal site, it says that the HIPAA Privacy Rule “establishes national standards to protect individuals’ medical records and other personal health information.”

Stewardship implies a personal ownership and responsibility. The word “ethic” implies that very high personal and professional standards should be applied to the responsible management and protection of a patient’s information. It is really about taking care of the health information entrusted to you.

Perhaps the biggest shift in mindset for physicians in the last several years has been the emergence of patient health information as a valuable component of their practice and to treat it accordingly. Let me use an analogy and compare money to information. As a person, you don’t carelessly give away your money or leave it lying around. You don’t share your financial account logins with strangers and you certainly wouldn’t want your financial records being released, exposed or published. As part of our upbringing, from our initial allowance to our first job to your career today, we have been learning about money, its value, and the steps we should take to protect it. Being good stewards of money is a role we recognize and understand. Patient health information should be viewed in the same way.

Medical records are filled with personal data, otherwise known as protected health information (PHI). Once we make the connection that information or data has value and must be treated like money, the standards for HIPAA stop being cumbersome and start being understandable.

Can and Can't Revisited

So, with good stewardship in mind, let’s go back to the “can I” or “can’t I” question and ask yourself the following:

  • Can I connect with another person about a patient? Yes, just make sure that your method of connection is safe and that you have a valid reason for doing so.
  • Can I share a patient’s record with another provider? Absolutely, provided you take steps to ensure the information is protected.
  • Can I cooperate and consult on patients? Of course, but do so in a manner that maintains a patient’s privacy and the protection of the data.

There are a lot of myths around HIPAA, and while the “letter of the law” be confusing at times, “the spirit” and meaning is clear. HIPAA really does not need to be confusing. Be a good steward of the information in your practice of medicine, and you’ll be a long way down the path of complying with HIPAA regulations.

Need to exchange patient records but want to ensure you’re HIPAA compliant?

We can help!

Learn More
Population Health Management Communication Blog Header Image
HIPAA Compliance in the Age of Population Health Management 600 237 Thomas Donhauser

HIPAA Compliance in the Age of Population Health Management

The goal of Population Health Management (PHM) communication is to improve the health outcomes of a group of patients with similar characteristics. One example of a population in this context are patients suffering from the same chronic condition. The care of patients in this group may be managed similarly, often involving the same treatments, tests, procedures and other forms of care.

The treatment of chronic conditions typically involves multiple parties, from a primary care physician to multiple specialists and of course the patient. This, in turn, requires frequent communications between the parties.

EHR systems were intended to facilitate these communications but have some shortcomings. And maintaining HIPAA compliance is a key challenge. This article looks at how organizations can use Direct Secure Messaging to overcome the technical and regulatory challenges of a Population Health Management communication scenario.

The Challenge of Managing Chronic Conditions

Chronic conditions are complex to manage. They typically involve multiple syndromes, symptoms, tests and treatments. They require multiple specialists to manage effectively, as well as a high degree of patient diligence.

Diabetes is a good example. It cannot be cured, only managed for the remainder of the patient’s life. As with most complex chronic conditions, managing diabetes involves regular visits with specialists to ensure that things don’t get worse. Managing a patient’s glucose level is always the short-term concern, but left unmanaged, diabetes can result in catastrophic outcomes such as the loss of a patient’s feet or eyes, or kidney or heart damage.

In addition to the patient’s primary care physician, medical professionals involved in the management of diabetes could include nurse educators, endocrinologists, ophthalmologists, cardiologists, dietitians, podiatrists, exercise physiologists, dentists and others. The coordination of care between so many providers – and with the patient – is essential.

Technical and Regulatory Challenges in Population Health Management Communication

Part of the promise of EHR systems was that they would facilitate the level of information exchange between healthcare providers that is necessary for coordinating the care of patients. To do that, the HL7 data standard emerged to ensure that the hundreds of EHR products in the market could “talk to” each other. Unfortunately, different EHR vendors interpret the HL7 standard differently, resulting in incompatible data formats. This, in turn, causes missing or inaccurate patient records.

In addition, some EHR vendors employ a proprietary data format that effectively blocks information exchange with EHRs from other vendors. And, some vendors charge providers to enable their systems to interoperate with others.

These constraints make it harder to manage patient care across providers, rendering the ultimate goal of PHM – better patient outcomes – harder to reach. The alternative for information exchange – provider-to-provider email, postal mail or faxes, can result in HIPAA violations (and are slow and unreliable).

Another challenge is that EHRs were designed to facilitate provider-to-provider care. But for PHM, the patient plays a pivotal role in achieving good outcomes. So, too, can family members or other caregivers, such as home health agencies, that might not have access to an EHR.

Electronic communication is by far the easiest, most efficient, most reliable, and most accountable means of communications between providers and patients. But standard email isn’t a viable option under HIPAA because the identity of the recipient – the reader of the email – cannot be validated. And, regular email is no more secure than sending a postcard with sensitive patient information written on it for all to see, which again presents HIPAA compliance issues. Moreover, regular email lacks a documentation and audit trail that all parties involved in the patient’s care can access.

The Value of Direct Secure Messaging

The ideal solution is Direct Secure Messaging (“Direct”) from DataMotion. Direct is a secure email-like communications channel that enables providers to communicate with each other – as well as with patients and other caregivers – in a secure, HIPAA-compliant way. All messages are encrypted and require authentication to send and receive.

Importantly, Direct is an enhancement to EHRs, not a replacement. Providers can access Direct from within most popular EHRs.

On the provider side, Direct helps improve patient outcomes in a PHM environment by facilitating the exchange of patient medical records in a standardized manner. This includes formatted and unformatted data, as well as large files such as radiologic studies and diagnostic images. Direct enables better coordination of care. It also reduces errors and delays over conventional means of information exchange; for instance, delays when records are sent by courier, and mistakes due to the illegibility of handwritten notes.

On the patient side, Direct gets patients engaged in the management of their condition, which boosts outcomes. Patients can, for example, provide timely feedback on how well treatments are working, allowing providers to make adjustments accordingly without a delay for the patient to make an appointment with the provider. Patients can report new symptoms, complications or other issues to the provider immediately, thereby potentially avoiding life-threatening situations. And providers can ensure that patients refilled prescriptions when scheduled, or remind patients of upcoming office visits or tests to take.

Managing healthcare is increasingly a team effort. Frequent, accurate communication between the team members – including the patient – is paramount to achieving good outcomes. Direct offers an effective enhancement to EHRs that can help care providers deliver better patient outcomes while complying fully with HIPAA rules for privacy and security.

About DataMotion™ Direct

Based on the national encryption standard for securely exchanging clinical healthcare data via the Internet, DataMotion™ Direct enables secure messaging for healthcare providers, patients, business associates, and clinical systems. Using DataMotion™ Direct, PHI can be sent and received securely, in a manner that conforms to MU2 guidelines. It supports the transmission of a variety of sensitive data, including summary of care documents, large images, and personal messages. Best of all it integrates easily with existing EMR/EHR and other Health IT solutions to fully support in-network and out-of-network communications.

DataMotion is an accredited Health Information Service Provider (HISP), provisioning Direct services that are fully interoperable with other HISPs. Secure data delivery has been the core of DataMotion’s business since 1999, ensuring your ability to meet HIPAA compliance and Meaningful Use requirements.

Is DataMotion Direct right for your organization?

Contact us to learn more.

Contact Us
Personal Health Record (PHR) Blog
Where is your personal health record? 600 237 Thomas Donhauser

Where is your personal health record?

As the US healthcare industry continues its journey to digital / electronic health records that can be easily exchanged as patients move between care settings, practical questions abound:

  • Who owns your electronic health records?
  • Where are your health records?
  • How can they be consolidated?
  • Where should they be stored?
  • Who should have access?
  • How can they be shared?

Legally (HIPAA regulation) – each individual ‘owns’ their personal health data and records, but very few of us have actual ‘control’ over them – at least from a storage, curation and management standpoint. An individual’s ‘longitudinal record’ – which is a comprehensive collection of well-care records (annual physicals and labs, ob-gyn visits, etc.), and episodic care records (diagnosis and treatment for illness, injury, etc.) – is not typically in one place – electronically or otherwise.

There are attempts at this – state or private health information exchanges (HIEs) were established as part of the HITECH components of the American Recovery and Reinvestment Act of 2009.The idea is to have a regional repository for all electronic medical records (EMRs) regardless of where the care was provided. Then a patient’s EMR can be accessed by any clinical entity on an as needed basis to inform past history when that person ‘presents’ for care. A good idea, but a challenging business model – who pays for it? Who ensures that all your care providers are submitting your data? And without a national patient identifier – how to reconcile inevitable name mix-ups?

There is a new ONC / CMS campaign for health insurers to be the new ‘HIE’ – to maintain EMR’s for their plan members. Since they likely participate in each clinical episode from a payment standpoint (wellcare or otherwise), they are positioned to collect the clinical data along with the claims data in a single repository. This may become law, for better or worse, as part of a current set of rules in review under the 21stCentury Cures Act.

A third push is for the patient/person to collect, maintain and curate their own EMR using a cloud service and application (or webservice – portal). These are known as a PHRs, or personal health record apps and systems. For many reasons (privacy, control and accuracy / completeness) – it makes sense – especially for tech savvy ‘digital natives’. And showing up in a clinical setting with all your health information accessible from your iPhone is the type of immediacy and control digital natives expect.

The personal health record (PHR) model is a grassroots approach, and needs a boost from a major cloud services player – Google and Apple being the most likely candidates. There needs to be some critical mass / pump priming to get these apps adopted and the data flowing from clinical repositories into PHRs at population scale. Then the patient control and resulting consumerization of healthcare can help drive more value from clinical service providers.

In the absence of a Google/Apple initiative, it’s possible for medical associations representing chronic conditions or cancers to build critical mass among their patients. If the American Cancer Society or the American Diabetes Association offered an app that included a PHR function, it’s possible they could build a base of users that would not only control their health records as they moved through their care plans and clinical settings, but they could also provide population health data for research and candidates for clinical trials – perhaps as easily as an ‘opt-in’ offer.

One way or another – the push for more data to be accessible to patients and their care-givers programmatically will continue, and the demand for clinical information exchange technologies and services that are interoperable and cost efficient will expand rapidly as well.

At DataMotion, we are huge fans of patient centered control. Working on a PHR strategy? Talk to us – we’re happy to share our expertise!

Looking for clinical information exchange technologies and services?

Learn more about our solutions.

Learn More
Header: Illustration with medical background having heart beat, doctor and stethoscope
4 Data Driven Healthcare Regulation Risks that the C-Suite Must Navigate Today 600 237 Hugh Gilenson

4 Data Driven Healthcare Regulation Risks that the C-Suite Must Navigate Today

For most healthcare C-Suite execs, HIPAA represents the most important regulatory risk related to data security and privacy. While HIPAA will continue to figure importantly in ongoing risk monitoring, a new generation of healthcare regulation is about to spawn additional threats that deserve a place alongside HIPAA on executives’ risk assessment dashboard.

Far-reaching data sharing mandates driving today’s healthcare transformation trends, including value-based contracting, patient centered care, and digital automation – are squarely in the cross-hairs of new regulatory initiatives.  These mandates have the potential to unleash unprecedented volumes of electronic health information (EHI) which will need to be sourced, transported, delivered, and archived according to strict guidelines – of which HIPAA privacy and security rules are mere table stakes.

According to an October 2019 survey conducted by Accenture, a majority of provider and payer executives are not aware of key mandates, nor are they prepared to comply with them.  In view of the new healthcare regulations, the C-suite that has only HIPAA privacy and security risk on its radar is most likely underestimating its true exposure.

The new generation of rules which was born of the 2011 Medicare and Medicaid EHR Incentive Program and are currently evolving under the 21stCentury Cures Act, are considerably more complex than those launched under HIPAA in 1996.   While data security and privacy remain foundational, the expanded scope of these rules carries mandates for mobilizing siloed data and delivering it, in high volumes and at high velocity, across disparate systems to a variety of recipients across the care continuum, including the full spectrum of providers, as well as patients and caregivers.

Of the many rules that are likely to have impact as data is shared more widely, there are 4 that deserve elevated visibility on executives’ threat and vulnerability dashboards today:

1. 21st Century Cures Act – Significant penalties of up to $1 million per violation are authorized, under these (pending) rules:

a. The Interoperability and Patient Access Proposed Rule (CMS)
b. “21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program

2. OCR “Right of Access Initiative” – Up to $100,000 per infraction/violation (avg)

3. Updated HIPAA Breach-Violation Enforcement – $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation

4. GDPR / The California Consumer Privacy Act (CCPA) – January 1, 2020 – Converging European and US standards

a. fines of up to 10 million Euros applicable to PHI exchanged with patients residing in the EU
b. CCPA

i. $7,500 per violation
ii. Individual right to bring lawsuits for breach of “non-encrypted or non-redacted personal information”

1. $100-$750 per incident or more with damages exceeding $750

Awareness of the above rules is an essential first step toward assessing risk exposure and designing a relevant management strategy.  To succeed in this endeavor, it’s critical to understand that:

  • the new risks are multi-faceted, driven by policies with data sharing objectives beyond the traditional scope of HIPAA
  • while cybersecurity-focused strategies were sufficient to mitigate risk in the past, today’s risk landscape requires added expertise in interoperability and methods of embedding security, privacy, and interoperability in complex clinical workflows that can deliver data at high velocity and to multiple recipients, including physicians, patients, and other caregivers.

Concurrent with the obvious risks surrounding regulations, there are also opportunities.  A follow-up installment of this blog will explore revenue opportunities triggered by healthcare regulations and how an optimal plan for responding to regulatory change should consider solutions that both mitigate risk and maximize opportunities.

For more information on how DataMotion can help you mitigate data driven healthcare regulation risks, visit: DataMotion Direct Benefits and DataMotion Direct Secure Messaging.

For a consultation or additional information, please contact us.

Achieve Office 365 CJIS Compliance 1024 403 Christian Grunkemeyer

Achieve Office 365 CJIS Compliance

Moving from an on-premises Exchange server to Microsoft Office 365 (O365) can have numerous benefits. Microsoft promotes its cloud productivity suite to yield better collaboration, increased productivity and a reduced cost of ownership.  Many state and local government agencies eager for those benefits are making a move to the cloud with O365. According to Microsoft, approximately 5.2 million people use Microsoft Cloud for Government services including Azure Government, Office 365 Government, and Dynamics CRM Online Government, an impressive figure. However some government agencies need to access the FBI’s Criminal Justice Information Systems (CJIS) database to fulfill their mission. These agencies must achieve Office 365 CJIS compliance for security rules that restrict their ability to use O365 to exchange CJIS information, or CJI for short. This information must be protected in motion and at rest whenever it is outside a secure CJIS datacenter.  Specific rules and the entire FBI CJIS Security Policy are posted here.

According to its website, Microsoft will sign a CJIS Security Addendum for Office 365 CJIS compliance in states where they have established CJIS Information Agreements. At this time there are 26 states where Microsoft has a signed CJIS Security Addendum – the most recent being with Missouri (February 2017).   States that don’t have CJIS approval for O365 as of March 2017 include Alabama, Connecticut, Florida, Idaho, Indiana, Iowa, Louisiana, Maine, Maryland, Mississippi, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Dakota, Ohio, Oklahoma, Rhode Island, South Dakota, Vermont, West Virginia, Wisconsin and Wyoming.

While these states are not prohibited from using cloud services, they must be able to demonstrate Office 365 CJIS compliance if using those services.   For them to use O365 to transmit CJI and PII (Personally Identifiable Information), the following CJIS security policy sections must be addressed.

“5.8        Policy Area 8: Media Protection

Media protection policy and procedures shall be documented and implemented to ensure that access to digital and physical media in all forms is restricted to authorized individuals. Procedures shall be defined for securely handling, transporting and storing media.

5.8.1      Media Storage and Access

The agency shall securely store digital and physical media within physically secure locations or controlled areas. The agency shall restrict access to digital and physical media to authorized individuals. If physical and personnel restrictions are not feasible then the data shall be encrypted per Section 5.10.1.2.

5.8.2      Media Transport

The agency shall protect and control digital and physical media during transport outside of controlled areas and restrict the activities associated with transport of such media to authorized personnel.

5.8.2.1   Digital Media during Transport

 Controls shall be in place to protect digital media containing CJI while in transport (physically moved from one location to another) to help prevent compromise of the data. Encryption, as defined in Section 5.10.1.2 of this Policy, is the optimal control during transport; however, if encryption of the data isn’t possible then each agency shall institute physical controls to ensure the security of the data.”

When an agency moves from an on premise secure Exchange server to O365, emails containing CJI must be protected – and that is commonly done through encryption. While O365 does contain an email encryption capability, that encryption occurs after the O365 cloud receives the unencrypted data.  For those 24 states without a Microsoft CJIS Security Addendum, this is a violation of CJIS security policy. To achieve Office 365 CJIS compliance, the email must be encrypted before it arrives in the O365 cloud, and must remain encrypted until it is received or retrieved by the intended recipient.

One solution to this issue is to employ a third party email encryption solution designed to enhance the security of O365 and address the CJIS security policy issues.  Such solutions offer more depth in encryption features and capabilities and integrate well with the Office 365 suite of applications. To achieve this end-to-end encryption requirement, the email can be encrypted at the Outlook client using an encryption plug-in, and routed through O365 to the recipient, or to an email encryption platform in a CJIS compliant datacenter to await recipient retrieval. In this way – O365 can be adopted, while maintaining CJIS compliance for PII and CJI. You can learn more about securing email in Office 365 here.

Office 365 is a great tool and can offer state and local agencies many benefits – and with proper implementation can meet the stringent requirements for CJIS security.

Learn more about how we can help state and local agencies meet CJIS compliance requirements

Learn More
Salesforce Service Cloud and HIPAA Compliance 1024 403 Hugh Gilenson

Salesforce Service Cloud and HIPAA Compliance

Q: My company sells to the healthcare industry. Is it a HIPAA violation when my Customer Service Rep replies to a support ticket on Service Cloud? I mean, Salesforce is HIPAA compliant, right?

A: You very well may be in violation of HIPAA standards.  Here’s why.

Yes, the Salesforce platform itself can be made HIPAA compliant.  Salesforce will sign a Business Associates Agreement (BAA) and if you connect Shield you’ll get monitoring, encryption, and auditing functionality of your Salesforce instance.  But that’s only part of the compliance story because it only covers the data while it’s residing within the Salesforce ecosystem – the data at rest.

HIPAA also applies to data in motion.  Simply stated; data containing protected health information traveling over a public network (like the Internet) must be encrypted in transit.

Get some tips on how you can protect data at rest, in use, and in motion button

So let’s take a look at your scenario:  Suppose you’re a CSR using Service Cloud to view a new support ticket.  A customer sends an inquiry explaining that his doctor wants him to get additional testing to rule out prostate cancer and he wants to know if his insurance covers the new tests.  The customer’s contact information plus a medical condition equals Protected Health Information (PHI) and needs to comply with HIPAA.

While you’re viewing the information on Service Cloud, it’s covered by HIPAA (see the first paragraph above).  But when you reply to that ticket the PHI is almost always copied as part of the ongoing dialogue thread and is sent from your company to the customer via email or other messaging format.  It’s now data in motion traveling over the Internet, and your company (not Salesforce) is responsible to encrypt the message before it’s sent in order to be HIPAA compliant.

Luckily, there are solutions, like DataMotion SecureMail, that integrate easily with Salesforce, and have the ability to filter by policy rules and keywords and automatically encrypt messages containing PHI.  Our solution also adds logging and tracking for better visibility and governance (proof you need in the event of a HIPAA audit by the feds)!

Summary

Yes, the Salesforce Platform can be made HIPAA compliant.  But when you reply to a Service Cloud ticket, that’s data in motion and it’s not Salesforce’s responsibility.  Your company needs to ensure those messages are encrypted between Salesforce and your customers.  If not, you’re subject to fines, penalties and loss of reputation.

Contact us to learn how DataMotion SecureMail can integrate with Salesforce to ensure compliance with HIPAA regulations.

Contact Us