Post on 25-Jun-2020

The Patient Portal Ecosystem: Engaging Patients while Protecting Privacy and Security


NCHICA 11th Academic Medical Center Security & Privacy Conference,

June 22-24, 2015

Panel Leader: Amy Leopard, JD (Bradley Arant Boult Cummings)
Panelists: Patricia Corn (Wake Forest Baptist Health), Becky Tate (MEDHOST)

Agenda

• Overview of uses of Portals and PHRs
• Review state and federal laws and regulations
• Consider practical issues providers must manage
  – Email sharing among patients
  – Allowing API for “view, download, transmit”
  – Patient managed access
  – Managing patient directed disclosures (third parties)
  – Patients managing information from multiple vendors
  – Authorization process
  – Patients managing proxy access for others
  – Amendment of PHI

Overview of Portals and PHRs

Consumer Driven Healthcare Movement

[Diagram: the consumer at the center, connected to Hospitals, Physicians, Payer, HSA and Rx]

Patient empowerment and Consumerism

[Chart: 2009 HDM poll of 137 respondents on patient empowerment and consumerism; response categories “Overblown trend”, “Real, we're gearing up” and “Issues we need to pay attention to”; vertical axis 0 to 50]

Goals of a PHR – Patient Perspective

• Easily manage access
• Organize health information from disparate providers in a single location
• Tools that support wellness and self-management
• Manage data sharing with health care providers
• Desire ease of use
• Automation - manual entry of information is error-prone and time consuming

Goals of a PHR - Provider Perspective

• Tools to better manage health
• Analytics to monitor treatment
• Continuity of care and accessibility of data for paper-based system
• Tools promoting patient engagement

Uses for PHRs:

• Store health information
• Health risk assessment profile
• Targeted educational modules
• Clinical decision support for patient self-management of health risks
• Provider interaction for appointment and Rx refills
• Patient monitoring from medical device interface

PHR Data Set

• Name, demographics
• Lab, pharmacy, ancillary
• Family history
• Health risk assessment
• Immunizations
• Medical power of attorney
• Recent encounters
• Claims data and benefit coverage
• Hospitalizations, surgeries, procedures
• Medical and wellness device results
• Medication list
• Progress notes

Different PHR Models

• Provider Patient Portal – most common form of personal health record
• Health Plan Consumer Portal – United, Shared Health, AHIP and BCBSA
• Health Information Trust Custodian – eHealth Trust™ Model
• Employer consortium for data repository on member employees – Dossia
• Private label PHR for employers and health plans – WebMD license

Patient Risks

• Risks of View – public computer, logoff
• Risks of Download – authentication; notice that the patient has responsibility to protect
• Risks of transmitting health information
• Identity proofing and authentication of patients, personal representatives, other family, friends

HIT Policy Committee Privacy and Security Workgroup

Regulatory Environment and PHRs


Which Federal Agency Should Enforce Privacy/Security Laws Against Vendors? . . .

HITECH and ARRA Drivers

• Meaningful Use – view online, download, transmit PHI
• HITECH e-Copy Rights
  – Any provider or health plan, digital format
  – Forward to designate @ labor cost
• Significantly expand access and PHI transmission to:
  – HIE
  – PHR vendors
  – Application developers
  – Competitors

Covered Entity under HIPAA?

• Providers filing claims electronically: hospitals, physician groups, nursing homes, labs, pharmacies, doctors, nurses, dentists, psychotherapists
• Plans or Payors: HMO, Cigna, United Health Care, Anthem, Aetna
• Employer > 50 with self funding
• Clearinghouses standardizing PHI for others, such as most billing services like WebMD Envoy®
• Business Associates – who create or receive PHI in order to perform a function on behalf of a Covered Entity – now subject to certain HIPAA Privacy and Security provisions under HITECH

HIPAA Business Associates Definition

HITECH definition of BA includes:
– Vendors contracting with CE to allow CE to offer patients a PHR as part of its EHR
– Organizations transmitting PHI data to a CE or its BA and requiring access to the PHI on a routine basis: HIE organization, RHIO, e-prescribing gateway

PHR Vendors are not regulated directly by HIPAA unless a BA as above, but could be regulated by HITECH . . .

Data Flow is a Critical Regulatory Issue

PHR = electronic record of individual health information drawn from multiple sources and managed, shared, and controlled by or for the individual

PHR Business Associate: vendors contracting with CE to allow CE to offer patients a portal or a PHR as part of its EHR (tethered?)

PHR Vendor: entity, other than a CE, that offers or maintains a PHR directly with the individual

Personal Health Data

Check data flow and Covered Entity status!!
– Data from individuals to covered entities = PHI: permissible uses and disclosures or HIPAA authorization, marketing rules, sale of PHI
– PHI may also be regulated by FTC

Consumer Directly Supplies Health Information to Non-Covered Entities

• HIPAA does not apply to PHRs offered by employers or by PHR vendors directly to consumers
• FTC regulates PHR vendors as well as compliance with privacy policies of the entity offering the PHR (see ONC Model PHR Notice)

Medicare and Medicaid EHR ‘Meaningful Use’

To be eligible for Medicare/Medicaid incentives, providers must demonstrate:
– Certified EHR provides for electronic exchange of health information to improve quality of care
– EHR Measures and Objectives for “Meaningful Use” enable patients to “view, download and transmit” their health information

ONC being urged to consider connection to PHR – NCVHS health plan testimony: QI, disease management, and care coordination support portability of data in PHRs to aid transition to meaningful use of EHRs.

Meaningful Use Stage 3 NPRM

• Allowing API for “view, download, transmit”
• HIT Policy Committee Privacy and Security Workgroup studying privacy and security issues related to increasing patient access to data through either VDT technologies or open APIs
• Increasing number of APIs connecting EHRs

HITECH digital rights . . .

• Right to Access PHI in Electronic Format – patients may:
  – request a copy of EHR in electronic format maintained by CE
  – instruct CE to forward EHR to any designated person at the entity’s labor cost only
• Significantly expands patient access to electronic formats and increases PHI transmission to others – PHR vendors, health record data banks and HIE/RHIOs
• Who “owns” data? – More importantly, who has the right to access and control data?

FTC Regulation and Exercise of Enforcement Authority Under FTC Act §5

Section 5 of the FTC Act: “Unfair and Deceptive” Acts or Practices

Deceptive:
– Not implementing stated privacy policies
– Misrepresenting the extent to which privacy and security of information collected is used, maintained, and protected

Unfair:
– Alleged failure to implement reasonable and appropriate security measures (or to ensure service providers did so)
– BUT HIPAA MAY NOT BE THE STANDARD!!!!

FTC PHR Breach Notice Rule -- for Non-HIPAA CEs and BAs

• PHR Vendors (200) – “entity, other than HIPAA-CE or BA of HIPAA-CE, that offers or maintains a PHR”
• PHR Related Entities (500) – non-covered entities or BAs that:
  – offer products or services via website of PHR vendor or CEs offering PHRs
  – access PHR information or send info to PHR
• 3rd Party Service Providers to PHR Entities (200) – provide services to above PHR Entities and as a result access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose unsecured PHR IHI

Other Legal Considerations – Contractual Obligations

• Contracts – ownership generally governed by contract, but legal ownership may be secondary to concerns over uses and disclosures of copies of the data
• Documentation
  – Consent
  – Enrollment and verification
  – Patient EULAs: terms and conditions, privacy and security, ownership of data, uses and disclosures, warnings re: urgent and emergent care
  – Disclaimers and limits of liabilities

Other Legal Considerations – State Laws

State Law Issues
• “Personal Data”
• Sensitive information
• Consumer protection laws
• Consent issues
• Proxies
• Minors
• Malpractice
• Constitutional right to privacy

Other Legal Considerations: Secondary Uses

Threshold issue: provide transparency to consumers via disclosure of secondary uses and safeguards
– De-identified data
– Authorization from individual
– Limited Data Sets for research, public health or QI
– Population-based activities to improve health or reduce healthcare costs

Risks with De-identified Data


PHRs – Practical Considerations

Practical Considerations


• Educating patients about their role in protecting their health information
• Patient managed access
  – Patient education (staff support)
  – Patient identity validation
• Shared emails
  – Proxy access management
• Release of information
• Sensitive info
• Minors and state consent laws

Practical Considerations


• Documentation – are existing notices and forms sufficient? (NOPP, Authorization Form, Terms of Use of Patient Portal/PHR)
• Managing sensitive information
• Using and managing consumer driven data

Practical Considerations


• Addressing amendment requests
• Encouraging patient use in order to decrease printing of PHI

QUESTIONS?
Amy Leopard – aleopard@babc.com
Patricia Corn – pcorn@wakehealth.edu
Becky Tate – becky.tate@medhost.com