The Patient Portal Ecosystem: Engaging Patients while Protecting Privacy and Security

NCHICA 11th Academic Medical Center Security & Privacy Conference, June 22-24, 2015
Panel Leader and Panelists: Amy Leopard, JD (Bradley Arant Boult Cummings); Patricia Corn (Wake Forest Baptist Health); Becky Tate (MEDHOST)

Agenda
- Overview of uses of portals and PHRs
- Review state and federal laws and regulations
- Consider practical issues providers must manage:
  - Email sharing among patients
  - Allowing API for view, download, transmit
  - Patient managed access
  - Managing patient directed disclosures (third parties)
  - Patients managing information from multiple vendors
  - Authorization process
  - Patients managing proxy access for others
  - Amendment of PHI

Overview of Portals and PHRs

Consumer Driven Healthcare Movement (diagram: Consumer at the center, surrounded by Physicians, Payer, Hospitals, HSA, Rx)

Patient Empowerment and Consumerism (chart: 2009 HDM poll of 137 respondents; response categories: "Overblown trend"; "Real, we're gearing up"; "Issues we need to pay attention to")

Goals of a PHR: Patient Perspective
- Easily manage access
- Organize health information from disparate providers in a single location
- Tools that support wellness and self-management
- Manage data sharing with health care providers
- Desire ease of use
- Automation: manual entry of information is error-prone and time consuming

Goals of a PHR: Provider Perspective
- Tools to better manage health
- Analytics to monitor treatment
- Continuity of care and accessibility of data for a paper-based system
- Tools promoting patient engagement

Uses for PHRs
- Store health information
- Health risk assessment profile
- Targeted educational modules
- Clinical decision support for patient self-management of health risks
- Provider interaction for appointments and Rx refills
- Patient monitoring from medical device interface

PHR Data Set
- Name, demographics
- Family history
- Immunizations
- Recent encounters
- Hospitalizations, surgeries, procedures
- Medication list
- Lab, pharmacy, ancillary
- Health risk assessment
- Medical power of attorney
- Claims data and benefit coverage
- Medical and wellness device results
- Progress notes

Different PHR Models
- Provider patient portal: most common form of personal health record
- Health plan consumer portal: United, Shared Health, AHIP and BCBSA
- Health information trust custodian: eHealth Trust model
- Employer consortium for data repository on member employees: Dossia
- Private label PHR for employers and health plans: WebMD license

Patient Risks
- Risks of view: public computer, logoff
- Risks of download: authentication; notice that the patient has responsibility to protect the downloaded copy
- Risks of transmitting health information: identity proofing and authentication of patients, personal representatives, other family, friends
Source: HIT Policy Committee Privacy and Security Workgroup

Regulatory Environment and PHRs

Which Federal Agency Should Enforce Privacy/Security Laws Against Vendors?...

HITECH and ARRA Drivers
- Meaningful Use
- HITECH e-copy rights: view online, download, transmit PHI; applies to any provider or health plan; digital format; forward to a designated person at labor cost
- HIE
- Significantly expand access and PHI transmission to PHR vendors, application developers, competitors

Covered Entity under HIPAA?
- Providers filing claims electronically: hospitals, physician groups, nursing homes, labs, pharmacies, doctors, nurses, dentists, psychotherapists
- Plans or payors: MMO, Cigna, United Health Care, Anthem, Aetna; employers > 50 with self-funding
- Clearinghouses standardizing PHI for others, such as most billing services (e.g., WebMD Envoy)
- Business Associates: those who create or receive PHI in order to perform a function on behalf of a Covered Entity; now subject to certain HIPAA Privacy and Security provisions under HITECH

HIPAA Business Associates Definition
HITECH definition of BA includes:
- Vendors contracting with a CE to allow the CE to offer patients a PHR as part of its EHR
- Organizations transmitting PHI data to a CE or its BA and requiring access to the PHI on a routine basis: HIE organizations, RHIOs, e-prescribing gateways
PHR vendors are not regulated directly by HIPAA unless they are a BA as above, but could be regulated by HITECH...

Data Flow is a Critical Regulatory Issue
- PHR = electronic record of individual health information drawn from multiple sources and managed, shared, and controlled by or for the individual
- Tethered?
- PHR Business Associate: vendors contracting with a CE to allow the CE to offer patients a portal or a PHR as part of its EHR
- PHR Vendor: entity, other than a CE, that offers or maintains a PHR directly with the individual
Source: {text}

Personal Health Data
Check data flow and Covered Entity status!
- Data from individuals to Covered Entities = PHI
- Permissible uses and disclosures, or HIPAA authorization
- Marketing rules
- Sale of PHI
- PHI may also be regulated by the FTC

Consumer Directly Supplies Health Information to Non-Covered Entities
- HIPAA does not apply to PHRs offered by employers or by PHR vendors directly to consumers
- The FTC regulates PHR vendors, as well as compliance with the privacy policies of the entity offering the PHR (see ONC Model PHR Notice)

Medicare and Medicaid EHR Meaningful Use
- To be eligible for Medicare/Medicaid incentives, providers must demonstrate that certified EHR provides for electronic exchange of health information to improve quality of care
- EHR measures and objectives for Meaningful Use enable patients to view, download and transmit their health information
- ONC is being urged to consider the connection to PHRs
- NCVHS health plan testimony: QI, disease management, and care coordination support portability of data in PHRs to aid the transition to meaningful use of EHRs

Meaningful Use Stage 3 NPRM
- Allowing API for view, download, transmit
- HIT Policy Committee Privacy and Security Workgroup is studying "Privacy and Security Issues Related to Increasing Patient Access to Data through either VDT Technologies or open APIs"
- Increasing number of APIs connecting EHRs

HITECH digital rights...
- Right to access PHI in electronic format: patients may request a copy of their EHR in the electronic format maintained by the CE, and may instruct the CE to forward the EHR to any designated person at the entity's labor cost only
- Significantly expands patient access to electronic formats and increases PHI transmission to others: PHR vendors, health record data banks and HIE/RHIOs
- Who owns the data? More importantly, who has the right to access and control the data?

FTC Regulation and Exercise of Enforcement Authority Under FTC Act Section 5
Section 5 of the FTC Act: unfair and deceptive acts or practices
- Deceptive: not implementing stated privacy policies; misrepresenting the extent to which the privacy and security of information collected is used, maintained, and protected
- Unfair: alleged failure to implement reasonable and appropriate security measures (or to ensure service providers did so)
BUT HIPAA MAY NOT BE THE STANDARD!

FTC PHR Breach Notice Rule: for Non-HIPAA CEs and BAs
- PHR Vendors (200): an entity, other than a HIPAA CE or a BA of a HIPAA CE, that offers or maintains a PHR
- PHR Related Entities (500): non-covered entities or BAs that offer products or services via the website of a PHR vendor or of a CE offering a PHR, or that access PHR information or send information to a PHR
- Third Party Service Providers to PHR Entities (200): provide services to the above PHR entities and, as a result, access, maintain, retain, modify, record, store, destroy or otherwise hold, use or disclose unsecured PHR identifiable health information (IHI)

Other Legal Considerations: Contractual Obligations
- Contracts: ownership is generally governed by contract, but legal ownership may be secondary to concerns over uses and disclosures of copies of the data
- Documentation: consent; enrollment and verification
- Patient EULAs / Terms and Conditions: privacy and security; ownership of data; uses and disclosures; warnings re: urgent and emergent care; disclaimers and limits of liability

Other Legal Considerations: State Laws
State law issues:
- Personal data
- Sensitive information
- Consumer protection laws
- Consent issues: proxies, minors
- Malpractice
- Constitutional right to privacy

Other Legal Considerations: Secondary Uses
- Threshold issue: provide transparency to consumers via disclosure of secondary uses and safeguards
- De-identified data
- Authorization from the individual
- Limited data sets for research, public health or QI
- Population-based activities to improve health or reduce healthcare costs

Risks with De-identified Data

PHRs: Practical Considerations

Practical Considerations
- Educating patients about their role in protecting their health information
- Patient managed access
- Patient education (staff support)
- Patient identity validation
- Shared emails
- Proxy access management
- Release of information: sensitive information; minors and state consent laws

Practical Considerations: Documentation
- Are existing notices and forms sufficient? (NOPP, authorization form, terms of use of the patient portal/PHR)
- Managing sensitive information
- Using and managing consumer driven data

Practical Considerations
- Addressing amendment requests
- Encouraging patient use in order to decrease printing of PHI

QUESTIONS?
Amy Leopard: aleopard@babc.com
Patricia Corn: pcorn@wakehealth.edu
Becky Tate: becky.tate@medhost.com