Technology Tightrope: Balancing DigitalAdvances With Patient Safety and Risk Concerns

2

Today’s Program

MaryAnn earned her RN degree from St. Mary’s School of Nursing in Rochester, Minnesota. Shecompleted her bachelor of science degree in health education from the University of New Mexico andher master of science degree in healthcare administration from the University of St. Francis in Joliet,Illinois.

MaryAnn is a member of the American College of Healthcare Executives (ACHE), and she has servedon the Board of Directors of the Voluntary Hospitals of America (VHA) Southwest, the New MexicoHospital Association, and numerous community agencies.

Today’s speaker is MaryAnn Digman, RN, MSHA, Senior PatientSafety & Risk Management Consultant, Medical Protective(Maryann.Digman@medpro.com)

MaryAnn brings a wealth of education and more than 25 years ofprogressive clinical and operational healthcare leadership experience toher responsibilities at Medical Protective.

Her previous roles in large integrated systems, academic medicalcenters, community hospitals, and rural healthcare in public, not-for-profit, and investor-owned systems — and her experience as aCOO/CEO ― are invaluable to her clients as they develop effective business strategies.

3

Designation of continuing education credit

Medical Protective is accredited by the Accreditation Council for ContinuingMedical Education (ACCME) to provide continuing medical education forphysicians.

Medical Protective designates this live activity for a maximum of 2.0 AMA PRACategory 1 Credits™. Physicians should claim only the credit commensuratewith the extent of their participation in the activity.

The Medical Protective Company is designated as an ApprovedPACE Program Provider by the Academy of General Dentistry. Theformal continuing dental education programs of this programprovider are accepted by AGD for Fellowship/Mastership andmembership maintenance credit. Approval does not implyacceptance by a state or provincial board of dentistry or AGDendorsement. The current term of approval extends fromOctober 1, 2015, to September 30, 2018. Provider ID 218784.

The Medical Protective Company designates this continuing education activityas meeting the criteria for up to 2 hours of continuing education credit. Doctorsshould claim only those hours actually spent in the activity.

4

Disclosure

Medical Protective receives no commercial support frompharmaceutical companies, biomedical device manufacturers, orany commercial interest.

It is the policy of Medical Protective to require that all parties ina position to influence the content of this activity disclose theexistence of any relevant financial relationship with anycommercial interest.

When there are relevant financial relationships, the individual(s)will be listed by name, along with the name of the commercialinterest with which the person has a relationship and the natureof the relationship.

Today's faculty, as well as CE planners, content developers,reviewers, editors, and Patient Safety & Risk Solutions staff atMedical Protective have reported that they have no relevantfinancial relationships with any commercial interests.

5

Objectives

At the conclusion of this program, you should be able to:

• Explain why selection, training, and competency aretop risk concerns for all new technologies.

• Understand risks associated with social media/electronic communication and identify key areas forconsideration in the developmentof social media policies.

• Cite barriers and risks associatedwith telehealth, and describeseveral strategies that can helpaddress telehealth liabilityconcerns.

6

Specific areas for review

Data security Electroniccommunication

Electronichealth records

Telemedicine Newtechnologies

7

Why talk about data security?

• Stolen health information is more valuable thanstolen social security numbers.

• Increasing numbers of healthcare providers arereporting privacy breaches.

• Growing automation and adoption ofEHRs exacerbates the risk of privacybreaches.

“An Evolving Risk.” Healthcare Risk Management Review, Annual 2014/15

8

Privacy and security risks

Email and texting — Is it encrypted and secure?

General internet use

Social media posts

Staff-owned electronic devices (laptops, tablets, smartphones)

Flash drives/disks

Charts/media taken out of office/facility

Failure of back-up devices

9

Cyber/privacy cases: Volume by allegation type

50%

25%

7%

6%5%

3%

4%Breach of Confidentiality

Altered/Misplaced/Stolen/DestroyedRecords

Noncovered Claim

Breach of Contract or Warranty(Vendor Breach of PHI)

Malware/Virus

Identify Theft

Other

Data source: MedPro Group claims data, 2011−2014.

Three-fourths of all cases related to cyber liability/privacy issues arise out of breach ofconfidentiality (disclosure of personal health information) or theft of patient records(either paper or electronic). Breach of contract/warranty cases involve failure of vendors toprovide protection against “hacking” into system servers.

Three-fourths of all cases related to cyber liability/privacy issues arise out of breach ofconfidentiality (disclosure of personal health information) or theft of patient records(either paper or electronic). Breach of contract/warranty cases involve failure of vendors toprovide protection against “hacking” into system servers.

Three-fourths of all cases related to cyber liability/privacy issues arise out of breach ofconfidentiality (disclosure of personal health information) or theft of patient records(either paper or electronic). Breach of contract/warranty cases involve failure of vendors toprovide protection against “hacking” into system servers.

The “Other” category includes unique scenarios, such as stealing ofpatient lists for new business, attaching incorrect patientidentification to billing records, etc.

10

Case study: Postsurgical pictures on Instagram

Scenario Successful augmentation procedure performed byplastic surgeon; patient consented via Facebookmessage to physician office posting “after” pictures onInstagram.

CaseOverview

Within 2 hours of photo being placed on Instagram,claimant contacted physician office and asked that it beremoved.

Outcome Claim filed, even though photo was immediatelyremoved; alleged violation of rights, negligence, breachof fiduciary duty, breach of contract, and infliction ofemotional distress.

Key Issue Consent did not include all required HIPAA elements.

11

Cyber/privacy cases: Volume by location/origin of case

• Half of all cases originate in an office or on office property.

• Actual cyber-based (Internet) occurrences account for another 15% of cases.

Data source: MedPro Group claims data, 2011−2014.

The “Other” category includes unique scenarios, such as a newspaperarticle revealing PHI, patient’s home, civil litigation, etc.

54%

10%

10%

9%

8%

5%

2%2% 1%

9%

Office/Office Property

Cyber: Office/Practice Website

Vehicle

Patient's Chart

Noncovered Claim

Cyber: Malware/Virus

Cyber: Vendor

Provider/Staff Home

Hospital

Other

12

Cyber/privacy cases: Volume by risk indicator (contributing factor)

Data source: MedPro Group claims data, 2011−2014

The “Other” category includes miscellaneous scenarios, such as a patientbringing suit against a provider for reporting the patient to welfare services.

• The percentage of failure to follow policy/procedure cases is increasing. This is attributed tobreaches occurring within an office setting due to failure to adhere to HIPAA requirements.

• Theft of property (e.g., computers) continues to be a factor seen most often when a laptop orbriefcase containing PHI is stolen.

27%

27%9%

8%

8%

7%

6%4%

1%

3%

Failure to Follow Institutional Policy/Procedure

Theft of Property; Unsecured Property

Communication (i.e., Verbal Disclosure of PHI inPublic Area)Cyber: Malware/Virus Protection/EHR SystemCrashInformed Consent: Failure to Obtain or Lack of

Failure to Monitor Clinical Staff

Noncovered Claim

Documentation Missing/Lost/Destroyed

No Factors (Unfounded Claim)

Other

13

The importance of encryption

• Encryption is a method used to makeinformation unreadable by third parties.

• A key, like a decoder ring or code, is used todecrypt the information to make it readableagain.

Rashid, F. Y. (2013, December 7). Majority of mobile apps have serious securityflaws. PC Magazine. Retrieved from http://securitywatch.pcmag.com/mobile-apps/318686-majority-of-mobile-apps-have-serious-security-flaws

14

Being proactive — Security Risk Assessment Tool

http://www.healthit.gov/providers-professionals/security-risk-assessment-tool

15

Risk assessment process after a breach

Minimally, four factors must be considered in the riskassessment:

The nature and extent ofthe PHI involved, includingthe types of identifiers and

the likelihood of re-identification

The unauthorized person(s)who used the PHI, or towhom the disclosure was

made

Whether the PHI wasactually acquired or viewed

The extent to which risksassociated with the breach

have been mitigated

16

Technology, communication, and documentation

17

Range of technologies and applications

Email and texting

Websites, blogs, and RSS feeds

Social media

Skype and FaceTime

EHRs and patient portals

An “app” for this and an “app” for that

18

Key risk areas

Technology maintenance, upgrades, and monitoring

Education and/or training

Privacy, security, and compliance — including permanence of information

Policies and procedures

Quality and control of content

Provider−patient relationship, including medical advice

19

Use of social media in communication

• Quick dissemination of information

• Utilizes contemporary marketing methodologies

• Mechanism for reaching atremendous number ofpeople

• Recruiting and backgroundchecks

• Development of personalsupport and information-sharing groups

20

AMA Social Media Guidelines

• Patient privacy and confidentiality must be maintainedin all environments.

• Personal use of Internet/social networking — useprivacy settings and all safeguards.

• Monitor personal Internet presence.

• Maintain appropriate boundaries in provider−patientrelationship.

• Separate personal and professional content.

• Give peers feedback, report to appropriate authorities.

• Recognize that online actions and content may damagereputation and undermine public trust.

21

What about online reviews of your practice?

Options to consider:

• Do nothing.

• Ask the webmaster toremove the post.

• Do NOT engage in anonline debate!

• If you do respond, do not respond to onlinecomments. It’s okay to script language toindicate you are committed to providing excellentpatient care and encourage anyone withconcerns to contact your office directly.

22

Risk of board investigation

Study published January 15, 2013, in the Annals ofInternal Medicine:

• Surveyed 70 state medical and osteopathicboards.

• Participants assessed hypothetical vignettes ofonline physician behavior.

• Asked to classify each — likelihood of triggeringan investigation, possible sanctions, etc.

Greysen, S. R., et al. (2013, January 15). Online professionalism investigations by state medical boards:First, do no harm. Annals of Internal Medicine, 158(2):124-130. Retrieved fromhttp://annals.org/article.aspx?articleid=1556363

23

Investigation likely — High consensus

81%Misleading informationabout clinical outcomes

79%Using patient images

without consent

77%Misrepresenting

credentials

77%Inappropriately

contacting patients

24

Investigation likely — Moderate consensus

73%Depicting alcohol

intoxication

65%Violating patientconfidentiality

60%Using discriminatory

speech

25

Investigation likely — Low consensus

46%Derogatory speech

toward patients

40%Showing alcohol usewithout intoxication

16%Providing clinical

narratives withoutviolation of

confidentiality

26

What the AMA says about email

Email should be used to

supplement a provider−

patient relationship and

is frequently a way for

patients to ask more

detailed questions.

27

Email checklist

Do you have a signed release and acknowledgement from thepatient that includes:

Requirement that for emergent or urgent concerns,communication will be via phone or in person?

Notice of the provider’s right to refuse to make decisionsor conclusions based on information obtained online?

Notice that email communication is retained in thepatient’s healthcare record?

Notice that the patient has read and accepted thepractice’s “online patient policies,” which include holdharmless language and terms of use?

Email server encryption requirements, and a waiver ifpatients opt not to use an encrypted service?

28

Case study — Texting

Scenario Academic medical center used smartphones to enterorders.

CaseOverview

Resident was in the process of discontinuing warfarin; atthe same time, she received a party invitation via textmessage. The disruption caused her to forget todiscontinue the medication.

Outcome Three days later, the patient had a bleeding crisis thatrequired surgery.

Key Issue Did personal use of mobile technology cause thedistraction, which resulted in the adverse outcome?

29

Risk issues with text messages

May reside on a mobile device and with acarrier indefinitely

Potential for exposure to unauthorizedthird parties due to theft, loss, or recyclingof the device

May be accessed without any level ofauthentication

Interception and decryption of textmessages possible with inexpensiveequipment

Information outside the health record

30

Risk mitigation for texting

Establish a policy that prohibits or limits texting and establishesretention guidelines

Train providers and staff on appropriate use

Conduct inventory of all mobile devices, including personal

Protect ePHI through passwords and encryption on all devices

Delete data completely prior to retirement of any device

Require health record annotation if texting is used for decision-making

31

Electronic Health Records

• EHRs — although intended to enhance communication anddocumentation — also are fraught with risks, such as:

o System interface issues — hardware, softwareapplications, data flow (i.e., between order entry andpharmacy)

o Clinician communication pitfalls — including problemssending and receiving referral/consult information, aswell as possible uncertainty as to whether theinformation was received

o Overuse or inappropriate use of the cutting and pastingfunction

o Alert fatigue

o Process lapses, such as failure to review information forcontent and accuracy prior to finalizing documentation

32

EHR errors as a risk factor — By case type

33

EHR errors as a risk factor — By location

34

EHR errors — By clinical severity outcome

35

EHR risk strategy

Identify functions within the EHR that create highrisk for your practice, such as:

• Test tracking

• Drug interaction andallergy alerts

• Cancelled appointmentsand “no shows”

• Medication prescribingprocess

Consider developing a performance improvementplan to help mitigate these risks.

36

Patient portals

• Secure online website giving patients 24-hour access to PHI,including:

o Prescription requests

o Discharge summaries

o Diagnostic test results

• Terms of use should be clear

• Access should be via encrypted, password-protected loginprocess

• EHR audit trail should be utilized — validate who accessedpatients’ records and when

• Goal should be to enhance provider−patient communicationand to improve patient outcomes

http://healthit.gov/providers-professionals/faqs/what-patient-portal

37

Telemedicine

38

Definition of telemedicine

“Telemedicine is the use of medical informationexchanged from one site to another via electroniccommunications to improve a patient’s clinicalhealth status.

Telemedicine includes a growing variety ofapplications and services using two-way video,email, smartphones, wireless tools, and otherforms of telecommunications technology.”

American Telemedicine Association. (n.d.). What is telemedicine? Retrieved fromhttp://www.americantelemed.org/about-telemedicine/what-is-telemedicine

39

Benefits of telemedicine

• Improved access

• Cost efficiency

• Improved quality

• Patient satisfaction

• Convenience

• Market share

40

Telemedicine — Other considerations

• When to see patients via telemedicine technology

• Scheduling

• Guidelines for patients on how to use the technology

• Systems must beHIPAA-compliant

• Licensing

• Provider reluctance to use

• Reimbursement

• Informed consent

Crane, M. (2014, July 25). Exploring telehealth models. Medical Economics, 91(14), 17−20. Retrieved fromhttp://www.modernmedicine.com/sites/default/files/images/digital/ME/me072514_ezine.pdf

41

Types of technologies

Delivered through secure networks, email, landline, andwireless communication . . . telephone, satellite, Internet, andVPN:

• Videoconferencing

• Store-and-forward imaging

• Patient monitoring centers

• Mobile technologies (delivered via smartphone, tablets,etc.)

• Internet e-health patient services or professionaleducation

• Robotic services (monitoring, surgery, etc.)

American Telemedicine Association. (2013, July). State Medicaid best practice: Store-and-forwardtelemedicine. Retrieved from http://www.americantelemed.org/docs/default-source/policy/state-medicaid-best-practice---store-and-forward-telemedicine.pdf?sfvrsn=6

42

Reimbursement

Medicare

Restrictions on types of services and geographic location.

Medicaid

Telehealth reimbursement and other policies vary fromstate to state.

Commercial Payer

Reimbursement varies; however, the number of privatepayers who are covering telehealth services is increasing.

43

State licensing board regulations

• State regulations vary; somestates address telemedicinedirectly, others indirectly, andsome not at all.

• In the absence of direct orindirect guidance, doctors canassume that they likely need a license in the state wherethe patient is located.

• Even doctors practicing within one state may need aspecial telemedicine license or permit, depending on statelaw.

44

Risk issues

Clinical

• Provider−patientRelationship

• Patientassessment

• Medical advice

• Patient education

Admin

• Documentation

• Billing

• Patientidentification

• Privacy/security

• Maintenance oftechnology

Regulatory

• State and federalregulations

• Informedconsent

• Clinical decision-making

• Qualityimprovement

• Writtenagreements,MOUs, contracts

45

Credentialing

• CMS regulations, TheJoint Commission

• Credentialing byproxy

• Requirements

• Ensure that providersat distant sites arelegally allowed to provide services to theoriginating site’s patients

46

Online prescribing

• Provider–patient relationship

• Adequate physical exam

• Accuracy of patient history

• State licensing boardrequirements

• Federal regulations

• Majority of legal actions thathave been brought againsttelehealth providers arerelated to online prescribing

47

Informed consent

• Telemedicine-specific:

o Names of all involved healthcare providers, as well as

credentials and location

o Plan for ongoing care (who is responsible)

o Security/privacy measures

o Risks associated with use of

telehealth services (e.g.,

technical problems)

o Alternative plan in case of

emergency/malfunction

• Should be documented in the patient’s medical record

48

Privacy/security of PHI

• Transmission of data for telehealth services mustcomply with HIPAA and HITECH standards, aswell as any relevant state laws (same duty as in-person care)

• Safeguards must be in place at every point in theprocess (originating site, transmission medium,distant site).

• Providers must be aware ofapproved vs. nonapprovedtechnologies for telehealth

• Policies/protocols forconfidentiality

49

Risk strategies

Ensure that telehealth providers are properly credentialed.

Ensure that communication from telehealth providers ispromptly reviewed and acted upon.

Develop and implement standardized clinical protocols.

Ensure that complications and adverse events associatedwith telehealth services are reported as part of thepractice’s incident report policy.

Gauge patient and provider satisfaction with telehealth programusing surveys or questionnaires.

50

Risk strategies

Ensure that technology used to facilitate telehealth interactions isfunctional and used appropriately by providers and patients.

Follow available telehealth standards to reduce risks of errorand lost data.

Provide staff training on telehealth technologies, scope ofservice, maintenance, and policies/protocols.

Understand the requirements related to the telehealthtechnology being used.

Implement privacy and security safeguards for the transmissionof patient health information.

51

Malpractice liability

Little information available

Increased use, more questions

May involve acts of commissionor omission

May involve numerousdefendants

Potential for vicarious liability

Potential for miscommunication

Provider−patient relationship

52

New technologies

• Embrace or avoid?

• Where are you on the adoption continuum?

• If you take the leap, do your due diligence!

53

Examples of new technologies

EHR/CPOE/bigdata

GeneticsRoboticsurgery

54

Pressure to purchase and use new technologies

• Increase revenue/profit

• Competitive advantage

• Appeal for youngerdoctors, staff

• Patient demand andgrowing market pressure

• Marketing thatoverpromises results butfails to define risks

55

General risk management concerns

Lack of awareness regarding learning curve,path to proficiency (volume)

External pressures, i.e. patients, hospitals,etc.

Patients unaware of risks, lack of informedconsent

Overestimation of benefits

No universally accepted guidelines on how totrain or length of training

Because the technology is so new, standardsof care have not yet been established

56

Training, competency, and credentialing

• Initial training for doctors and staff

• Proctoring/oversight

• Proficiency — How many is enough?

• Credentialing

• Ongoing training and competency testing

57

Risk strategies

Better training/documentation of training

Procedure for oversight/proctoring

Development of screening criteria

Use history/physical exam to evaluate each potential candidateand identify risks and benefits

Disclosure of risks to patients/patient options — informed consentdiscussion

Documentation of any special actions taken reduce risk

58

Due diligence and planning before implementation

• Is your entire team (staff, office, etc.) on board withimplementation of this new technology?

• Will this technology help you move forward, i.e.,increase market visibility, enhance encounters withyour patients, streamline communication?

• Were all end-users involved in the decision-makingprocess?

• Does this technology blend in well with existingpolicies/procedures (e.g., social media policy, patientportal access, etc.) or will new policies and proceduresneed to be developed?

59

Final warnings

• Pause, think, and think somemore about use of varioustechnologies in your practice.

• Patient perception is thefoundation of litigation.

• The only thing that lastsforever is electronic media.

• The only thing that doesn’t last forever iselectronic media that can’t be preserved.

60

The joy of technology

Technology is a moving target.

In the time it took us to present this program,telemedicine evolved in another new direction.

61

What questionsdo you have?

62

Disclaimer

The information contained herein and presented by thespeaker is based on sources believed to be accurate at thetime they were referenced. The speaker has made areasonable effort to ensure the accuracy of the informationpresented; however no warranty or representation is madeas to such accuracy. The speaker is not engaged inrendering legal or other professional services. If legaladvice or other expert legal assistance is required, theservices of an attorney or other competent legalprofessional should be sought.