Balancing Patient Privacy With Patient Engagement Efforts · 2017-07-20 · Patient Access =...

Balancing Patient Privacy With Patient Engagement Efforts

Session #181 February 22, 2016

David Holtzman, JD, CIPP VP Compliance Strategies, CynergisTek

Mercy del Rey Chief Privacy Officer, Baptist Health South Florida

Speaker Introduction

• Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules

• Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights

David Holtzman, JD, CIPP/G

CynergisTek, Inc.

Speaker Introduction

• Chief Privacy Officer for complex health system with 16,000 employees and 220 medical staff members supporting 6 hospitals, region-wide outpatient facilities, the new Miami Cancer Institute, 6 Centers of Excellence, the Baptist Health Medical Group, the Baptist Health Quality Network and the Baptist Health employer sponsored group health plans.

• Over 25 years of diverse healthcare experience that includes regulatory compliance, human resources management and healthcare operations.

Mercy del Rey

Assistant Vice President/Chief Privacy Officer

Baptist Health South Florida

Conflict of Interest

David Holtzman, JD, CIPP

Has no real or apparent conflicts of interest to report.

Conflict of Interest

Mercy del Rey

Has no real or apparent conflicts of interest to report.

Agenda

1) HIPAA’s Right of Access to PHI

2) Who is Authorized Access to PHI

3) Patient’s Right to Amend

4) PHRs and EHRs

5) Questions

Learning Objectives

• Identify key drivers of federal policy empowering patient control and access to their health records

• Evaluate current OCR guidance on patient access to health information and sharing with third parties

• Describe best practices for giving patient choices in access and sharing their health information

Benefits Were Realized for the Value of Health IT

• The Value Steps Impacted Were:

– Electronic Secure Data

– Patient Engagement and Population Management

• Enabled meeting Meaningful Use requirements which increased Medicare reimbursement

• Patients received online access to care summaries

• Patients directed copies of health records and care summaries to trusted 3rd parties

HIPAA’s Right of Access to PHI?

HIPAA’s Right of Access to PHI

• HIPAA: Patient is entitled to “designated record set”

– Medical record

– Billing record

– Other records used to make decisions about patient

• EHR Portal is limited portion of medical record

– Patient is entitled to more information than is available through EHR portal

HIPAA’s Right of Access

• HIPAA provides that individual is entitled to requested form or format, if readily producible

– If not readily producible, default is hard copy or electronic copy, depending on whether maintained electronically

• EHR portal is not everyone’s requested form or format

– Covered entity must continue to provide alternatives, such as hard copies or email attachment

HIPAA’s Right of Access

• HIPAA permits covered entity to deny access for numerous reasons

– Reasonably likely to endanger life or physical safety

– References another person and reasonably likely to cause substantial harm to such person

– Request by personal representative and access is reasonably likely to cause harm

– Obtained from non-health care provider under promise of confidentiality

Patient Access = Patient Engagement

• Incentivizing (penalizing) health care through Medicare payment policy

– Meaningful Use

– MIPS/Advancing Care Information

• Provide Patient Access

– Directly to the patient or their authorized 3rd party

• View online

• Download

• Transmit

– Through an API that can be used by applications chosen by the patient

Limiting Patient Access to Their PHI

• To what extent does EHR portal include information that may cause harm?

• Can clinician act proactively to flag information that could cause harm?

Accessing PHI at Baptist Health

• Traditional Access to PHI via HIM

– Patient requests and authorizations drive the release of information workflow

– Well-established process at Baptist Health

• Direct Access to PHI via Patient Portal

– Patient and/or designee may access available PHI at their discretion.

– Currently transitioning to new EHR portal

Accessing PHI at Baptist Health

• Complete records provided in the patient’s format of choice

– Hard Copy

– Mail

– Faxes

– CDs*

– Thumb Drives*

– Email*

• Our patient portal is evolving with the implementation of a new EHR to include a more robust record set

Portal Current State: CCDA and basic PHI

Portal Future State: All pertinent records

Patient Access and Engagement

Total Request Volume - FY 2016 (chart; vertical axis: requests)

Oct 9,705; Nov 9,401; Dec 10,903; Jan 9,940; Feb 11,281; Mar 12,395; Apr 12,361; May 12,694; Jun 13,174; Jul 14,299; Aug 15,713; Sept 13,321

Patient Access and Engagement

Total Requests for Records Fiscal Year 2016 (chart)

Electronic: 78,919

Paper: 66,363

Who is Authorized Access to PHI?

Who May Access PHI on the Portal?

• Individual

• Authorized person

– Authorization must comply with HIPAA

– There may be state law requirements

• Designee

– Must be in writing (including electronic)

– Must designate who and to what address (physical or electronic)

Personal Representatives and Minors

• Personal representative has rights of individual, including right to access in form or format requested if readily producible

– Personal representative's rights should cut off at age of majority

• Personal representative can authorize access by 3rd party

– Guidance to Privacy Rule that authorization survives age of majority, so 3rd party can continue to access EHR

Challenges and Strategies for Patient Portal Access

• Granting individual access requires sound security policies and workflows

• Granting designees access is NO EASY task and requires a great deal of forethought, planning and attention to detail!

– Segmenting data and restricting access is not always technically possible

• The development of patient portal strategies requires a multi-disciplinary approach that includes IT, Privacy, Security, Legal, Risk Management, Marketing, Operations Leaders, Physicians, Clinicians and the Patient Representatives.

• A phased implementation strategy should be considered to enable individual access before implementing designee access.

Patient Right to Amend

HIPAA’s Right of Amendment

• Patient has right to request amendment of designated record set information

• Covered entity has limited basis for denial

– PHI was not created by covered entity

– Outside of designated record set

– Accurate and complete

• If denial, individual can add statement of disagreement to record

Amendments at Baptist Health

• Amendment requests are handled by the Privacy Office

• With the implementation of a patient portal, expect increases in both the volume and complexity of amendment requests

FY 2014: 148

FY 2015: 173

FY 2016: 153

PHRs and EHRs

PHRs and EHR Portals

• Personal health record (PHR) is patient controlled record

• EHR portal is window into EHR

• PHR and EHR portal can work together

– Patient gets to see EHR portal

– EHR portal feeds into PHR

– Patient gets to add information in PHR & chooses whether to share through EHR portal

PHRs and EHR Portals

• Is PHR considered PHI of covered entity?

– Is PHR operating on servers of the covered entity or their business associate?

• Does covered entity have right to access PHR?

– Patient permission required?

HIPAA’s Right of Amendment

• EHR portal provides potential means for submission of amendment requirements

• Amendment functionality of EHR may differ significantly

PHR Use and Access to Information

• PHRs not covered by HIPAA can be lightly regulated

– FTC PHR Breach Notification Rule

– FTC Act Section 5 prohibition on Unfair and Deceptive Trade Practices

– Jurisdiction limited to for-profit entities

– State law breach notification reporting

– Model PHR Privacy Notice

• PHR companies can use to communicate their privacy and security policies and data sharing practices to individuals.

– https://www.healthit.gov/policy-researchers-implementers/personal-health-record-phr-model-privacy-notice

State Law and EHR Portals

• Will portal include sensitive information subject to state law restrictions?

– HIV test results or other HIV or STD information

– Mental health information

– Genetic test results

– Alcohol or substance abuse treatment information

• Also subject to federal confidentiality requirements

• Will a more detailed authorization suffice?

– Is a separate authorization required for each disclosure?

• Dual portals currently on-line

• Individual access provided to all patients at time of discharge or registration

• Parental access offered to new moms and dads until child turns 11

• Sensitive information restricted

• Electronic data exchange with PCPs and downstream providers

NextGen Portal June 2014 - December 2016 (chart)

Invitations Sent: 514,267

Patients Enrolled: 34,539

6.7% Patient Participation Rate

Cerner Portal August - December 2016 (chart)

Invitations Sent: 115,328

Patients Enrolled: 13,187

11.4% Patient Participation Rate

Transmission of Summary of Care

STEPS: Patient Engagement & Population Management

• Exceeding Meaningful Use patient engagement measures results in > Medicare reimbursement

• 54% of patients received Summary of Care transmitted electronically through portal

STEPS: Secure Electronic Data

• 54% of patient requests for access to their PHI fulfilled electronically.

• Requests increased 28% in FY16

• Enrolled thousands of patients to use the EHR portal, which enhances data sharing with patients

Questions?

David Holtzman

@HITPrivacy

Mercy del Rey

Please complete the online evaluation for this session