HIPAA supporting your Telehealth Program

Presented by: Susan Clarke, Health Care Information Security and Privacy Practitioner

June 5 & 6, 2019

Susan Clarke, HCISPP

• (ISC)2 certified Healthcare Information Security and Privacy Practitioner and Computer Scientist.

• 20 years of Healthcare Experience.

• 10 years design and coding EHR software, including HL7 Healthcare application development.

• Served on IT Security, Disaster Recovery and Joint Commission steering committee at Mayo Clinic affiliated Healthcare system.

• Served as communications unit lead during Healthcare system’s ready and complete alerts.


Mountain-Pacific

Mountain-Pacific Quality Health is a private, non-profit, community-based organization that has dedicated more than three decades to improving health and health care in: Alaska, Hawaii (including some U.S. Pacific Territories), Montana and Wyoming. Our goal is to increase access to high-quality health care that is affordable, safe and of value to the patients we serve.


Legal Disclaimer

The presenter is not an attorney and the information provided is the presenter(s)’ opinion and should not be taken as legal advice. The information is presented for informational purposes only.

Compliance with regulations can involve legal subject matter with serious consequences. The information contained in the webinar(s) and related materials (including, but not limited to, recordings, handouts, and presentation documents) is not intended to constitute legal advice or the rendering of legal, consulting or other professional services of any kind. Users of the webinar(s) and webinar materials should not in any manner rely upon or construe the information as legal or other professional advice. Users should seek the services of a competent legal or other professional before acting, or failing to act, based upon the information contained in the webinar(s), in order to ascertain what may be best for the user's individual needs.


Acronyms…

• BA: Business Associate

• CE: Covered Entity

• CEHRT: Certified Electronic Health Record Technology

• CMS: Centers for Medicare and Medicaid Services

• EHR: Electronic Health Record

• ePHI: Electronic Protected Health Information

• HHS: Department of Health and Human Services

• HIPAA: Health Insurance Portability and Accountability Act

• HIT: Health Information Technology

• IT: Information Technology

• NIST: National Institute of Standards and Technology

• OCR: Office for Civil Rights

• PHI: Protected Health Information

• PHR: Personal Health Record

• SP: Special Publication

• SRA: Security Risk Analysis


Today’s Overview

• HIPAA Overview

• What is Telehealth?

• HIPAA Considerations

• Privacy and Security Considerations

• Mobile Medical Apps

• What’s App with Apple?

• EHR Tips and Constraints


Who is Covered under HIPAA?

Covered Entities:

• Health care providers who transmit health information electronically in connection with a transaction for which there is a HIPAA standard

• Health plans

• Health care clearinghouses

Business Associates: Agents, contractors, and others hired to do the work of, or to work for, the covered entity, where such work requires the use or disclosure of protected health information

3 Rules of HIPAA = Privacy Rule + Security Rule + Breach Notification Rule


Business Associate

• Telehealth can involve a greater number of platforms, and the telehealth company may take on the role of a BA in data storage, reporting and billing.

• BAs must comply with the technical, administrative, and physical safeguard requirements under the Security Rule; liable for Security Rule violations.

• Technical vendors who can access PHI and work on behalf of a provider are business associates and need a business associate agreement.

• BA definition expressly includes Health Information Organizations, E-prescribing Gateways, and PHR vendors that provide services to covered entities.


What is a PHR?

A personal health record (PHR) is health information technology that individuals can use to engage in their own health care to improve the quality and efficiency of that care. There are several types of PHRs available to individuals with varying functionalities. Some PHRs are offered by health care providers and health plans covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule, known as HIPAA covered entities. The HIPAA Privacy Rule applies to these PHRs and protects the privacy of the information in them. Alternatively, some PHRs are not offered by HIPAA covered entities, and, in these cases, other applicable laws may apply but not the HIPAA Privacy Rule.


https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf

Telehealth Privacy Considerations

• Consider what type of informed consent to obtain from the patient before telehealth is used. Explain purpose, risks, benefits and alternatives.

• State laws vary; if operating in multiple States, use the strictest to standardize processes.

• There must be a private and uninterrupted space in which the equipment is kept where the client/patient will consult with the provider.

• Providers and patients using televideo equipment often speak louder than normal.

• HIPAA laws that govern use, disclosure and breach must be followed faithfully.

• There should be a door that closes and is able to be locked when the room is not in use.

• A telephone is needed as backup in case the televideo connection drops.


Example of Informed Consent

Telemedicine consent recommends:

• Identification of physician and credentials;

• Types of transmissions permitted, e.g. prescription refills, appointment scheduling, etc.;

• That the physician determines if the condition is appropriate for a telemedicine encounter;

• Security measures, e.g., encryption, password protected screen savers, authentication;

• Hold harmless if info lost with technical failures;

• Express consent to forward information.

Source: http://www.njha.com/media/483152/EDU-1792-PPT-M-Davino.pdf

Telehealth Security Considerations

• Data Security including encryption, authentication and data storage.

• Challenge of protecting ePHI as it moves through the healthcare system.

• A robust IT department will support telehealth security requirements.

• Telehealth access to the local EHR, use of consumer data, deidentification for mining.

• Some medications require a “wet signature”.

• Credentialing staff, this can be a lengthy process.

• Telehealth may be unfamiliar territory for security professionals.


https://www.health.org.uk/flo

No License, No Problem

Patients beware: There are an increasing number of web-based businesses that allow customers to consult doctors overseas, who don’t have US medical licenses, but post disclaimers that they are providing information and not medical advice. Patients and physicians are anonymous.


Source: https://www.firstderm.com/how-it-works/


Telehealth State and Federal Laws

HIPAA & HITECH

• Informed consent for telemedicine.

• Mental health information.

• Substance abuse information.

• HIV/AIDS/communicable disease data.

• Genetic data.

• Marketing restrictions.

Medical Devices

When equipment or software is intended for use in the diagnosis or treatment of a disease or other condition, FDA considers it to be a medical device. Medical devices require registration and listing, premarket notification or approval, good manufacturing practices, and post-market surveillance.


FDA & Mobile Medical Apps

YES, FDA regs apply: Mobile apps that assist with diagnosis or treatment of a disease or other condition are considered medical devices and are subject to FDA regs.

NO, FDA regs do not apply: Apps that generate appointment reminders, track claims, take notes, perform simple calculations, provide reference materials or educational tools, or automate office operations.

MAYBE, FDA regs apply but FDA will exercise enforcement discretion: Apps that record clinical conversations, make an emergency call or send an alert to a first responder, or keep track of meds and provide reminders.

FDA has discretionary enforcement priority for mobile medical apps that pose a low risk to the public.

Source: http://www.fda.gov/MedicalDevices/DigitalHealth/MobileMedicalApplications/ucm368743.htm

HIPAA and Mobile Medical Apps

A mobile app developer is typically NOT a covered entity subject to HIPAA, or a business associate, even if the app collects health related data. A wearable health app used by a consumer is not subject to HIPAA, nor is a medication-adherence health app for patient self-use.


What’s app with Apple?

https://support.apple.com/en-us/HT208680

App Considerations

• Uses FHIR API to extract health record to iPhone or iPad.

• Allows for sharing of record, two facilities in Montana.

• Apple security controls--they do not have access to health records, and records are encrypted at rest & in transit.

• Careful with backup: if using iCloud there is a setting to encrypt, not all backups use encryption.

• App policy does not mention HIPAA.

• If this app is provided by the doctor, the health record is now covered by HIPAA. What if the health record is on Facebook?

• Security and Privacy concern for supporting Apps in the same ecosystem but not from Apple; Apple has a disclaimer posted.

• Not all patients use Apple.


Where does Health Info fit?

• HI: Health Information

• IIHI: Individually Identifiable Health Information (a subset of HI)

• PHI: Protected Health Information (a subset of IIHI)


EHR Tips and Constraints

• Not easy to schedule two appts in two different EHR systems.

• Contact originating sites to get appt.

• Deviation from normal follow-up, more chance of patient not getting entered in the right EHR for follow-up.

• EHRs with built in ZOOM that records and saves the telehealth record.

• Needing to input from one EHR to another EHR.

• Dual screen, patient on one side, chart on other side.


Other Considerations

• Privileges can be a problem: a provider may need to see patients somewhere else, and it is too expensive to be credentialed for numerous hospitals.

• Where patient is located is where provider needs to be licensed.

• Exception: a super specialist when requested by a provider.

• ZOOM, green lock button means encrypted.

• Best to have a point person to stay on top of this, and book for 15 minutes longer due to additional coordination and paperwork.


• May need clinician on other side to be physician extender for hands on.

• Important to build into workflow, processes in place.

• Telehealth involves sharing of information with more than one organization--questions about shared responsibility for managing and securing patient information generated through a telehealth encounter need to be addressed.


Keep Up With the Changes

• Join the OCR Privacy and Security Listservs: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/listserv.html


Important Links on hhs.gov

• Privacy Rule: http://www.hhs.gov/hipaa/for-professionals/privacy/

• Security Rule: http://www.hhs.gov/hipaa/for-professionals/security/

• Business Associate: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html

• Breach Notification Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html


http://mpqhf.com/corporate/gotohts/hts-services/hipaa-privacy-and-security/

For assistance please contact:

Susan Clarke: [email protected], (307) 248-8179

Please let me know how I can help.


Questions
