Healthcare Information Technology

Study Indicates Majority of EHR Vendors are Engaging in Information Blocking Practices

Information blocking by electronic health record (EHR) vendors is still highly prevalent, despite recent policymaking that prohibits information blocking practices, according to a recent study published in the Journal of the American Medical Informatics Association (JAMIA).

To identify the extent of the problem, the researchers conducted a national survey of health information exchange organizations (HIEs). HIEs were chosen as they are directly connected to EHR vendors and health systems and are therefore in an ideal position to assess interoperability and data sharing.

86 out of the 106 HIEs that met the qualification criteria responded and answered three questions:

  • How often do EHR vendors and health systems practice information blocking?
  • How are these information blocking practices conducted?
  • What is the impact of local market competitiveness on information blocking behavior?

A majority of HIEs (55%) reported cases of information blocking by EHR vendors at least some of the time and 14% said all EHR vendors engaged in information blocking. 30% of respondents said information blocking occurred with some health systems.

The information blocking practice most common with EHR vendors was setting unreasonably high prices, which was reported by 42% of respondents. The second most common information blocking practice, reported by 23% of respondents, was artificial barriers.

The most common information blocking practice by health systems, reported by 15% of respondents, was refusing to share health information. 10% of respondents said artificial barriers. The researchers found a correlation between information blocking and regional competition amongst vendors, with some geographic regions experiencing more cases of information blocking. 47% of respondents said there were high levels of information blocking by EHR vendors in more competitive developer markets, and 31% said there were high levels of information blocking by health systems in competitive markets.

The HHS’ Office of the National Coordinator for Health Information Technology’s (ONC) final interoperability rules prohibit intentional information blocking. “As enforcement of the new regulations begins, surveillance of stakeholders with knowledge of information blocking, including HIEs, will be critical to identify where reductions occur, where information blocking practices persist, and how best to target continued efforts,” suggested the researchers.

The findings of the study mirror a previous study in 2016, with the results of both serving as a baseline against which information blocking can be measured in the future.

“Given persistently high levels of information blocking reported by knowledgeable actors, our findings support the importance of defining and addressing it through the planned implementation of the final regulation, definition of penalties, and enforcement for those found to engage in information blocking,” wrote the researchers. “Our findings also provide insight into how enforcement efforts might be targeted and one useful approach to monitoring their effectiveness.”

The post Study Indicates Majority of EHR Vendors are Engaging in Information Blocking Practices appeared first on HIPAA Journal.

Micky Tripathi and Robinsue Frohboese Head ONC and OCR at the HHS

The Biden administration has appointed Micky Tripathi as the National Coordinator for Health IT at the Department of Health and Human Services’ Office.

Tripathi will head the Office of the National Coordinator for Health IT, which is tasked with coordinating efforts to implement advanced health information technology to ensure the secure exchange of health information. The ONC is currently overseeing efforts to provide Americans with easy access to their health records through their smartphones and is implementing 21st Century Cures Act provisions that promote health IT interoperability and prohibit information blocking.

Tripathi has a wealth of experience in secure health information exchange and is aware of the current interoperability issues in the healthcare industry. Prior to joining the ONC, Tripathi was most recently the chief alliance officer at the healthcare analytics and software company Arcadia, where he was responsible for developing partnerships to enhance healthcare with advanced IT technology.

Tripathi has also served as manager of the strategy and management consulting firm Boston Consulting Group (BCG), as CEO of the Massachusetts eHealth Collaborative, and as the founding president and CEO of the Indiana Health Information Exchange, and has served on the boards of the HL7 FHIR Foundation, Datica, Sequoia Project, CommonWell Health Alliance, and the CARIN Alliance.

“I can personally attest to Micky’s industry-wide leadership on healthcare interoperability and to his vision for the value that shared, timely, and accurate data provides for improving healthcare delivery and reducing costs. No one is better suited for this absolutely critical mission,” said Sean Carroll, CEO, Arcadia.

Tripathi replaces former President Trump’s appointee Donald Rucker, M.D., who held the position for the previous 4 years.

The HHS has also confirmed that Robinsue Frohboese has taken on the role of Acting Director of the HHS’ Office for Civil Rights, the main enforcer of HIPAA compliance. Frohboese previously served as principal deputy director of OCR and takes over from acting director March Bell, who replaced the former OCR Director Roger Severino on January 15, 2020.

Frohboese has played a key role in many civil rights initiatives and OCR’s implementation of the HIPAA Privacy Rule.

Prior to taking on the role of principal deputy at OCR, Frohboese worked for 17 years in the Special Litigation Section of the Civil Rights Division of the U.S. Department of Justice, first as Senior Trial Attorney and subsequently as Deputy Chief.


HHS Makes $20 Million Available to Expand COVID-19 Vaccine Information Sharing

The U.S. Department of Health and Human Services has made $20 million available to improve data sharing between health information exchanges (HIEs) and immunization information systems.

The money comes from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) fund that was signed by President Trump on March 27, 2020 to support vaccination efforts to fight the COVID-19 pandemic.

The investment expands the Office of the National Coordinator for Health Information Technology (ONC)’s Strengthening the Technical Advancement and Readiness of Public Health Agencies via Health Information Exchange (STAR HIE) Program and will help communities improve health information sharing related to COVID-19 vaccinations.

Public health agencies will be able to receive additional help to track and identify individuals who have not yet received a second dose of the COVID-19 vaccine and the additional investment will help clinicians identify and contact high risk individuals who have not yet received their first vaccination.

The additional investment will be spread across the country and will be used to support communities that have been hit particularly hard by COVID-19. The HHS will also be awarding funds to the Association of State and Territorial Health Officials (ASTHO) and the Colorado Regional Health Information Organization (CORHIO) to improve HIE immunization collaborations.

“These CARES Act funds will allow clinicians to better access information about their patients from their community immunization registries by using the resources of their local health information exchanges,” said Don Rucker, MD, national coordinator for health information technology. “Through these collaborative efforts public health agencies and clinicians will be better equipped to more effectively administer immunizations to at-risk patients, understand adverse events, and better track long-term health outcomes as more Americans are vaccinated.”

The success of vaccination programs is dependent on correctly identifying patients and ensuring patients receive two doses of the correct vaccine. That means providers, pharmacists, and public health officials will need access to patient data and vaccine records. Effective data exchange and patient matching will also help to provide insights into the effectiveness of the vaccines and tracking long term health outcomes. STAR HIE intends to provide statistics to measure vaccination outcomes.

There are approximately 100 HIEs in the United States which reach around 92% of Americans and 63 immunization information systems in the United States, one in each state, 8 in territories, and in five cities. The immunization information systems are funded, in part, by the Centers for Disease Control and Prevention’s National Center for Immunization and Respiratory Diseases (NCIRD).


Webinar Today: How HIPAA-Compliant Messaging Transforms Healthcare

Data show 70% of delays in providing treatment to patients are due to miscommunication, so resolving the problems that result in miscommunication in healthcare is key to improving quality of care, clinical outcomes, and the patient experience.

One of the biggest contributory factors to miscommunication is the use of outdated communications systems, which has long been a problem in healthcare. Fortunately, there is a solution that has been shown to greatly improve communication efficiency and reduce the potential for errors and miscommunication – a secure texting platform.

To find out more about secure, HIPAA-compliant messaging and how it can make care teams immediately more efficient and effective, we invite you to join this upcoming webinar.

During the webinar you will discover how this single change can lead to major improvements in collaboration, save valuable time, decrease costs, and lead to happier staff and patients.

The webinar is being hosted by TigerConnect, the leading secure healthcare messaging provider, and will take place on Wednesday, December 9 at 10 a.m. PT / 1 p.m. ET.

Webinar Details:

How HIPAA-Compliant Messaging Transforms Healthcare

Date/Time: Wednesday, December 9 – 10 a.m. PT / 12 p.m. CT / 1 p.m. ET

Hosted by:
Julie Grenuk, Nurse Executive, TigerConnect
Tommy Wright, Director of Product Marketing, TigerConnect



HHS Releases Final Rules with Safe Harbors for Cybersecurity Donations

On Friday last week, the Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) and Office of Inspector General (OIG) published final rules that aim to improve the coordination of care and reduce regulatory barriers. Both final rules contain safe harbor provisions that allow hospitals and healthcare delivery systems to donate cybersecurity technology to physician practices.

The CMS released the final version of the 627-page Modernizing and Clarifying the Physician Self-Referral Regulations, commonly called Stark Law, and the OIG finalized revisions to the 1,049-page Safe Harbors Under the Anti-Kickback Statute and Civil Monetary Penalty Rules Regarding Beneficiary Inducements.

Physician practices often have limited resources, which makes it difficult for them to implement solutions to address cybersecurity risks. Without the necessary protections, sensitive healthcare data could be accessed by unauthorized individuals, stolen, deleted, or encrypted by threat actors. Threat actors could also conduct attacks on small physician practices and use them to gain access to the healthcare systems to which they connect.

When the rules were first proposed, commenters emphasized the need for a safe harbor to allow non-abusive, beneficial arrangements between physicians and other healthcare providers, such as donations of cybersecurity solutions to help safeguard the healthcare ecosystem. The CMS first proposed the changes in October 2019 as part of the Regulatory Sprint to Coordinated Care.

The CMS final rule clarifies the Stark Law exceptions concerning electronic health record donations to physicians, expanding the EHR exception to include cybersecurity software and services. A standalone exception has also been introduced for broader cybersecurity donations, including donations of cybersecurity hardware.

“These finalized exceptions provide new flexibility for certain arrangements, such as donations of cybersecurity technology that safeguard the integrity of the healthcare ecosystem, regardless of whether the parties operate in a fee-for-service or value-based payment system,” said the CMS.

The changes recognize the risk of cyberattacks on the healthcare sector and create a safe harbor for cybersecurity technology and services to protect cybersecurity-related hardware, and will help to ensure that cybersecurity software and hardware are available to healthcare providers of all sizes.

The safe harbor applies to, but is not limited to, “software that provides malware prevention, software security measures to protect endpoints that allow for network access control, business continuity software, data protection and encryption and email traffic filtering.” The exception also covers the “hardware that is necessary and used predominantly to implement, maintain or re-establish cybersecurity” and a broad range of cybersecurity services such as updating and maintaining software and cybersecurity training services. There is no distinction in the rule between locally installed and cloud-based cybersecurity solutions.

Under the cybersecurity exception, recipients are not required to contribute to the cost of the donated cybersecurity technology or services. Under the EHR exception, the cost contribution requirement for donations of EHR items or services is retained.

“It is our position that allowing entities to donate cybersecurity technology and related services to physicians will lead to strengthening of the entire health care ecosystem,” said the HHS.

The final rules are due to be published in the Federal Register on December 2, 2020 and are expected to take effect on January 19, 2021.


FTC Settlement with Zoom Resolves Allegations of Cybersecurity Failures and Deceptive Security Practices

The U.S. Federal Trade Commission has reached a settlement with Zoom to resolve allegations that the teleconferencing platform provider misled its customers about the level of encryption and failed to implement appropriate cybersecurity protections for its users.

During the pandemic, use of the Zoom platform skyrocketed, with business users and consumers adopting the platform in the millions. The platform was used by consumers to maintain contact with friends and family, while remote workers used the platform to communicate with the office and collaborate while working from home. The platform proved to be extremely popular in healthcare for providing telehealth services and in education for communicating with students.

Zoom reported in its second quarter earnings call that it has seen 400% growth of corporate clients with more than 10 employees and around 300 million meetings were taking place each day. The massive increase in popularity attracted the attention of security researchers, who discovered multiple security vulnerabilities in the platform.

One of the main issues concerned encryption. Zoom stated on its website that the platform offered end-to-end encryption when this was not the case. Meetings were encrypted, but Zoom was able to access customer data. The company also stated that AES 256 encryption was used, when encryption was only AES 128, and that recorded meetings were immediately encrypted prior to storage.

Other cybersecurity issues included a Zoom software update that circumvented a browser security feature and a lack of security protections which allowed uninvited individuals to join meetings – termed Zoombombing. The company was also discovered to be sharing email addresses, photos, and users’ names with Facebook, albeit unwittingly.

The investigation by the FTC revealed Zoom had “engaged in a series of deceptive and unfair practices that undermined the security of its users.” A settlement was reached with the firm that requires the company to implement and maintain a comprehensive security program within 60 days.

The 17-page agreement details the steps that Zoom must take to ensure the security of its platform. They include conducting annual assessments on potential internal and external security risks and developing and implementing safeguards to reduce those risks to a low and acceptable level.

Additional safeguards, such as multi-factor authentication, must be implemented to protect against unauthorized access to its network; steps must be taken to prevent the compromise of user credentials; and data deletion controls must be implemented. Zoom is required to review all software updates to identify potential security flaws prior to rollout and must ensure that any new features or security measures do not interfere with third-party security features. The company must also implement a vulnerability management program.

Zoom has been prohibited from misrepresenting the security features of its platform to users, the categories of data accessed by third parties, and how data privacy and security are maintained.

Zoom must undergo a third-party audit by an independent security firm to ensure the company is complying with all requirements of the agreement and is successfully remediating risks. The agreement will last for 5 years, during which time the FTC will be monitoring Zoom for compliance.

Zoom avoided a financial penalty, but if the company is discovered to have violated the terms of the agreement or federal laws, financial penalties will be applied up to a maximum of $43,280 per violation.

“Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection.


TigerConnect Survey Confirms Widespread Support for Telehealth Among Providers and Patients

The coronavirus pandemic has resulted in a major increase in healthcare providers offering telehealth services to patients. Virtual visits are being offered to reduce the number of patients visiting hospitals and physician offices to limit transmission of the virus to ensure patient safety. The increase in use is out of necessity, but new research confirms telehealth services are popular with providers and patients alike.

TigerConnect, the provider of the most widely adopted communication platform in healthcare, recently commissioned a comprehensive Harris Poll survey to explore attitudes to telehealth among patients and healthcare providers. The survey was conducted on 2,039 U.S. adults aged 18 or older between July 23-27, 2020 and 500 healthcare clinicians between June and July 2020.

88% of healthcare providers who were already offering telehealth services to patients saw an increase in the use of telehealth services due to the coronavirus pandemic, with 71% of providers saying there was a large increase in use. It is understandable that so many providers and patients have embraced telehealth in order to reduce infection risk and prevent transmission of the virus, but even when the pandemic is over it is likely that use of telehealth services will continue at the same or even an increased level. Over two thirds of providers (71%) believe use of telehealth services will continue at the same or even a higher level when the pandemic is over.

There is also strong support for telehealth services among patients. 87% of patients who tried telehealth said they were satisfied with the experience, with 7 out of 10 patients saying it is important for providers to offer telehealth services to patients. Many patients appear to prefer virtual visits to in-person visits. Only 40% of patients said they prefer to meet their providers face to face.

Patients may be apprehensive about trying telehealth, but once they have their first virtual visit they are keen to go virtual again. Patients who have had one telehealth or video consultation in the past year were twice as likely to express a strong preference for a virtual visit over an in-person visit.

When patients were asked if there was anything about telehealth they did not like, almost half of patients could not think of a single criticism about their experience. The main advantages of telehealth among patients were convenience (50%), allowing appointments to be kept that may otherwise have been cancelled (36%), and the ease with which health check-ups could be scheduled (34%). 52% of patients said they believe telehealth was a safe alternative to an in-person office visit.

Boomers (Over 55s) and Gen Z (Under 24s) were the age groups least satisfied with telehealth. The most common complaint among Boomers was excessive complexity, while the most common complaint with Gen Z users was a lack of features, showing there is clearly further scope for refinement.

The survey of clinicians revealed a highly fragmented market, with 140 different telehealth solutions in use. 14% of respondents said they are currently using multiple telehealth solutions. That may well change after the pandemic is over and the notice of enforcement discretion of the HHS’ Office for Civil Rights expires. The notice of enforcement discretion for telehealth services temporarily allowed telehealth solutions to be used that may not be fully compliant with HIPAA requirements.

65% of respondents said they were happy with their current telehealth solutions and almost 90% of users of the TigerConnect platform said they were happy with the TigerConnect platform.

The survey also revealed there is strong bipartisan support for telehealth, with 77% of Democrats and 66% of Republicans believing healthcare providers should offer telehealth services to patients. There are still some challenges to overcome to ensure that telehealth services are accessible to all. 53% of surveyed patients living in urban areas had utilized telehealth services compared to just 31% of patients in rural areas, which suggests there may be issues with broadband availability and cellular reception in rural areas that are limiting uptake.

“The people have spoken: telehealth is here to stay,” said TigerConnect CEO Brad Brooks. “The overnight move to telehealth is one of the fastest cultural shifts in healthcare in decades, and this research reveals it has already transformed the habits of millions of Americans who can now access great healthcare as easily as they can catch a ride to the airport. It’s up to our industry to seize this moment and ensure that it’s as easy as possible for anyone to access or administer world-class healthcare anywhere and anytime to improve health outcomes for all Americans.”


OCR Publishes New Resources for MHealth App Developers and Cloud Services Providers

The Department of Health and Human Services’ Office for Civil Rights has announced it has published additional resources for mobile health app developers and has updated and renamed its Health App Developer Portal.

The portal – Resources for Mobile Health Apps Developers – provides guidance for mobile health app developers on the HIPAA Privacy, Security, and Breach Notification Rules and how they apply to mobile health apps and application programming interfaces (APIs).

The portal includes a guidance document on Health App Use Scenarios and HIPAA, which explains when mHealth applications must comply with the HIPAA Rules and if an app developer will be classed as a business associate.

“Building privacy and security protections into technology products enhances their value by providing some assurance to users that the information is secure and will be used and disclosed only as approved or expected,” explained OCR. “Such protections are sometimes required by federal and state laws, including the HIPAA Privacy, Security, and Breach Notification Rules.”

The portal provides access to the Mobile Health Apps Interactive Tool developed by the Federal Trade Commission (FTC) in conjunction with the HHS’ Office of the National Coordinator for Health IT (ONC) and the Food and Drug Administration (FDA). The Tool can be used by the developers of health-related apps to determine what federal rules are likely to apply to their apps. By answering questions about the nature of the apps, developers will discover which federal rules apply and will be directed to resources providing more detailed information about each federal regulation.

The portal also includes information on patient access rights under HIPAA, how they apply to the data collected, stored, processed, or transmitted through mobile health apps, and how the HIPAA Rules apply to application programming interfaces (APIs).

The update to the portal comes a few months after the ONC’s final rule that called for health IT developers to establish a secure, standards-based API that providers could use to support patient access to the data stored in their electronic health records. While it is important for patients to be able to have easy access to their health data to allow them to check for errors, make corrections, and share their health data for research purposes, there is concern that sending data to third-party applications, which may not be covered by HIPAA, is a privacy risk.

OCR has previously confirmed that once healthcare providers have shared a patient’s health data with a third-party app, as directed by the patient, the data will no longer be covered by HIPAA if the app developer is not a business associate of the healthcare provider. Healthcare providers will not be liable for any subsequent use or disclosure of any electronic protected health information shared with the app developer.

A FAQ is also available on the portal that explains how HIPAA applies to Health IT and a guidance document explaining how HIPAA applies to cloud computing to help cloud services providers (CSPs) understand their responsibilities under HIPAA.


OIG Identifies Barriers to the Use of Health Information Exchanges by the Department of Veterans Affairs

The Department of Veterans Affairs (VA) Office of Inspector General (OIG) has conducted a review of VA facilities and community providers to identify any barriers that are hampering the use of health information exchanges (HIEs). OIG identified several issues that need to be addressed to improve the exchange of health information.

HIEs are used to share healthcare information for the purpose of coordinating and improving the continuity of care for veterans enrolled in a VA facility. Following a pilot program, the VA introduced the Veterans Health Information Exchange (VHIE), which uses two methods for sharing veterans’ data between VA facilities and members of VA healthcare teams: VA Exchange and VA Direct.

OIG conducted a survey and interviews at 48 lower complexity Level 2 and 3 Veterans Health Administration (VHA) facilities, along with interviews of staff in the VHIE Program Office. OIG also met with the Office of Information Technology, Office of Community Care, Office of Rural Health, Cerner, and two state HIEs.

According to the VHIE Program Office Director, all 140 VA facilities have access to both VA Exchange and VA Direct, but currently only 28 of the 140 facilities have implemented VA Direct, which connects directly to DirectTrust. The facilities that had not yet implemented VA Direct reported that they had not received adequate training by DirectTrust, did not have community partners using DirectTrust, or were using alternate HIEs.

OIG suggests in its report that “Expansion of VA Direct usage to all facilities would increase the instances of health information sharing and improve the timeliness of health information exchange while efforts continue with development of community partnerships through VA Exchange.”

Based on the survey results, OIG found 46 of the 48 facilities were using VA Exchange, VA Direct, or both, and only two facilities used neither. 22 facilities reported exchanging healthcare data by scanning, faxing, or mailing patient information.

Survey respondents indicated they needed additional training on HIEs to give them a better understanding of health information exchange and expressed a need for more community partners. There were also technology challenges with viewing community health information through VA Exchange, which required them to sign in to view the electronic health record and then sign in to the Joint Legacy Viewer (JLV) in order to access patient information from community partners. There were also issues with the quality of JLV data, access was not user friendly, and the cumbersome process delayed accessing patient information.

There are currently two contracts establishing community coordination for VHIE and 56 VHIE community coordinator positions to support facilities and Veterans Integrated Service Networks. Coordinators are required to provide training, policy, and process assistance to VHA directors and staff to enhance infrastructure, outreach, and training.

OIG found there was considerable variation in engagement across the 56 VHIE community coordinators, ranging from a high level of participation to next to none. OIG also discovered that when a coordinator leaves the position, it is common for communication issues to be experienced and training to suffer, which creates a barrier for staff knowledge and ability to use the programs.

“With the addition of more training, communication, and future planned technological changes, VHA could more effectively streamline the continuity of care received by veterans,” wrote OIG. “Electronic Health Records Modernization should alleviate some of the technology challenges currently experienced with the use of VHIE.”

The Under Secretary of Health concurred with the 4 recommendations made by OIG:

  • Review the barriers related to the use of VA Direct and increase the number of facilities using VA Direct to share health information.
  • Evaluate the VA Exchange and VA Direct training and education programs and increase accessibility to VHA staff, community partners, and veterans.
  • Increase the number of community partners, including more state exchanges and other HIE stakeholders to facilitate the expansion of bidirectional health information exchange.
  • Evaluate the performance work statements of the Veterans Health Information Exchange community coordinators and confirm compliance with the scope of work.
