Latest HIPAA News

Webinar Today: Communication Best Practices During a Pandemic

Posted by HIPAA Journal

During the 2019 Novel Coronavirus pandemic, instant, immediate, and enterprise-wide communication is essential for slowing the spread of the virus and ensuring service continuity.

Relatively little is known about the Novel Coronavirus and how it is spread. It is a fast-evolving situation and new information is regularly being released by researchers and public health authorities. That information and updates to policies and procedures need to be rapidly communicated across healthcare organizations. It is also important for healthcare professionals to monitor the condition of patients who are self-isolating at home after displaying symptoms of COVID-19.

The 2019 Novel Coronavirus pandemic is placing health systems under a great strain and fast, effective, and efficient internal and external communication is critical.

TigerConnect, the leading secure healthcare communication platform provider, is hosting a webinar where the company’s healthcare communication experts will share communication and collaboration best practices for organizational preparedness, effective response, and service continuity during the 2019 Novel Coronavirus pandemic, and other times of crisis.

During the webinar, TigerConnect will discuss best practices for workflow readiness, how to accelerate internal and external communication, effective broadcasting of important updates to staff and external partners, how patient diagnosis and isolation workflows can be expediated, the best way to prioritize alerts for critical patients, how to ensure staff safety, and the use of text messaging to monitor patients who are self-isolating at home.

The TigerConnect platform has been adopted by more than 6,000 healthcare organizations to collaborate and communicate effectively. One of those healthcare organizations, Singapore Health, is using the TigerConnect platform to improve enterprise-wide communication and coordinate its response to COVID-19 cases. Singapore Health has been commended for the efficiency and effectiveness of its response to the crisis. TigerConnect will be sharing information on the lessons learned to help U.S. healthcare providers deal with the COVID-19 crisis more effectively.

The webinar is being hosted by Dr. Will O’Connor, Chief Medical Information Officer, TigerConnect and Julie Grenuk, Nurse Executive, TigerConnect.

The webinar will consist of a live presentation followed by a Q&A session.

Webinar Details:

Date:     Thursday, March 19th, 2020
Time:     2 p.m. ET / 11 a.m. PT

Click here to register for the free webinar

The post Webinar Today: Communication Best Practices During a Pandemic appeared first on HIPAA Journal.

Telehealth Services Expanded and HIPAA Enforcement Relaxed During Coronavirus Public Health Emergency

Posted by HIPAA Journal

In an effort to prevent the spread of the 2019 novel coronavirus, patients suspected of being exposed to the virus and individuals with symptoms of COVID-19 have been told to self-isolate at home. It is essential for contact to be maintained with people at risk, especially seniors and people with disabilities.

Telehealth services, including video calls, can help healthcare professionals assess and treat patients remotely to reduce the risk of transmission of the coronavirus. Telehealth services can also be used to maintain contact with patients who choose not to visit medical facilities due to the risk of exposure to the virus.

On Monday, March 16, 2020, the Trump Administration announced that telehealth services for Medicare beneficiaries have been expanded. Prior to the announcement, doctors were only able to claim payment for telehealth services provided to people living in rural areas and no access to local medical facilities and for patients with established relationships with billing providers.

“We are doing a dramatic expansion of what’s known as telehealth for our 62 million Medicare beneficiaries, who are amongst the most vulnerable to the coronavirus,” explained Seema Verma, administrator of the Centers for Medicare and Medicaid Services (CMS). “Medicare beneficiaries across the nation—no matter where they live—will now be able to receive a wide-range of services via telehealth without ever having to leave home. These services can also be provided in a variety of settings, including nursing homes, hospital outpatient departments, and more.”

Effective March 6, 2020, Medicare will reimburse a wide range of healthcare providers for office and telehealth visits, including nurse practitioners, social workers, and clinical psychologists. Reimbursement will be at the same rate as face-to-face visits.

Relaxation of Enforcement of Noncompliance with HIPAA

Telehealth services are subject to HIPAA regulations. The technology used, such as smartphone and communications platforms, must comply with HIPAA rules and have safeguards in place to ensure the confidentiality, integrity, and availability of ePHI. During a public health emergency such as a disease outbreak the HIPAA Security Rule still applies. Healthcare professionals that provide telehealth services would, under normal circumstances, not be permitted to use certain video conferencing technology such as Facetime or Skype, as the services are not fully compliant with HIPAA.

The HHS’ Office for Civil Rights announced on March 17, 2020 that it is taking a more relaxed position on HIPAA enforcement of noncompliance with certain HIPAA provisions related to telehealth services. “OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  This notification is effective immediately,” explained OCR in its Notification of Enforcement Discretion for telehealth.

OCR confirmed that during the coronavirus public health emergency, healthcare providers are permitted to use “any non-public facing remote communication product that is available to communicate with patients,” in connection with good faith provision of telehealth. That enforcement discretion also applies to telehealth services related to the diagnosis and treatment of health conditions unrelated to COVID-19. While enforcement has been relaxed, Verma said “it is still important for covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.”

While OCR does not endorse the use of certain products, it has been suggested that healthcare providers could use Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. Public facing chat and communications platforms such as Facebook Live, Twitch, and TikTok would not be permitted for telehealth purposes.

OCR reminded covered entities that they can obtain greater privacy protections by using HIPAA-compliant video communications solutions and should obtain a signed business associate agreement. Provides of platforms that do sign BAAs and provide a HIPAA compliant service include TigerConnect, Skype for Business, Zoom for Healthcare, Updox and VSee.

“OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency,” explained OCR in its notice. When the public health emergency ends, penalties would apply if a BAA is not in place and communications platforms are used that are not HIPAA compliant.

The post Telehealth Services Expanded and HIPAA Enforcement Relaxed During Coronavirus Public Health Emergency appeared first on HIPAA Journal.

HIPAA Compliance and COVID-19 Coronavirus

Posted by HIPAA Journal

HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses – and business associates of covered entities no doubt have many questions about HIPAA compliance and COVID-19 coronavirus cases. There may be confusion about the information that can be shared about individuals who have contracted COVID-19 and those suspected of exposure to the 2019 Novel Coronavirus, and with whom information can be shared.

HIPAA Compliance and the COVID-19 Coronavirus Pandemic

There is understandably concern about HIPAA compliance and the COVID-19 Coronavirus pandemic and how the HIPAA Privacy Rule and Security Rule apply. In the age of HIPAA, no disease outbreak on this scale has ever been experienced.

It is important to remember that during a public health emergency such as a disease outbreak, and this applies to HIPAA compliance and COVID-19, that the HIPAA Privacy and Security Rules still apply. The HIPAA Security Rule ensures the security of patients’ protected health information (PHI) and requires reasonable safeguards to be implemented to protect PHI against impermissible uses and disclosures. The HIPAA Privacy Rule restricts the uses and disclosures of PHI to those related to treatment, payment, and healthcare operations.

When public health emergencies are declared, it is common for the Secretary of the HHS to issue partial HIPAA waivers in affected areas. In such cases, certain provisions of the HIPAA Privacy Rule are waived for a period of 72 hours from the moment a HIPAA-covered entity institutes its disaster protocol. As of March 16, 2020, no HIPAA waivers have been declared by the Secretary of the HHS. Even without a HIPAA waiver, the HIPAA Privacy Rule permits responsible uses and disclosures of patients’ PHI.

OCR released a bulletin about the 2019 Novel Coronavirus in February 2020 confirming how patient information may be shared under the HIPAA Privacy Rule during emergency situations, such as the outbreak of an infectious disease, a summary of which is detailed below.

Permitted Uses and Disclosures of PHI in Emergencies

PHI can be disclosed without first receiving authorization from a patient for treatment purposes, including treating the patient or treating other patients. Disclosures are also permitted for coordinating and managing care, for patient referrals, and consultations with other healthcare professionals.

With a disease such as COVID-19, it is essential for public health authorities to be notified as they will need information in order to ensure public health and safety. It is permissible to share PHI with public health authorities such as the Centers for Disease Control and Prevention (CDC) and others responsible for ensuring the safety of the public, such as state and local health departments. These disclosures are necessary to help prevent and control disease, injury, and disability. In such cases, PHI may be shared without obtaining authorization from a patient.

Disclosures of PHI are also permitted to prevent and lessen a serious and imminent threat to a specific person or the public in general, provided that such disclosures are permitted by other laws. Such disclosures do not require permission from a patient. In such cases, these disclosures are left to the discretion and professional judgement of healthcare professionals about the nature and the severity of the threat.

Disclosures of Information to Individuals Involved in a Patient’s Care

The HIPAA Privacy Rule permits disclosures of PHI to individuals involved in the care of a patient such as friends, family members, caregivers, and other individuals that have been identified by the patient.

HIPAA covered entities are also permitted to share patient information in order to identify, locate, and notify family members, guardians, and other individuals responsible for the patient’s care, about the patient’s location, general condition, or death. That includes sharing information with law enforcement, the press, or even the public at large.

In such cases, verbal permission should be obtained from the patient prior to the disclosure. A healthcare professional must otherwise be able to reasonably infer, using professional judgement, that the patient does not object to a disclosure that is determined to be in the best interest of the patient.

Information may also be shared with disaster relief organizations that are authorized by law or charters to assist in disaster relief efforts, such as for coordinating the notification of family members or other persons involved in the patient’s care about the location of a patient, their status, or death.

The HIPAA Minimum Necessary Standard Applies

Aside from disclosures by healthcare providers for the purpose of providing treatment, the ‘minimum necessary’ standard applies. Healthcare professionals must make reasonable efforts to ensure that any PHI disclosed is restricted to the minimum necessary information to achieve the purpose for which the information is being disclosed.

When information is requested by a public health authority or official, covered entities can rely on representations from the public health authority or official that the requested information is the minimum necessary amount, when that reliance is reasonable under the circumstances.

Disclosures About COVID-19 Patients to the Media

HIPAA does not apply to disclosures by the media about infections, but HIPAA does apply to disclosures to the media by HIPAA-covered entities and their business associates. In such cases, the HIPAA-covered entity or business associate can provide limited information if a request is made about a patient by name. The information disclosed should be limited to the general condition of the named patient and their location in the facility, provided the disclosure is consistent with the patient’s wishes. The status of the patient should be described in terms such as undetermined, good, fair, serious, critical, treated and released, treated and transferred, or deceased.

All other information may not be disclosed to the media or any individual not involved in the care of a patient without first obtaining written consent from the patient in question.

Disclosures of Information About COVID-19 by Non-HIPAA Covered Entities

It is worth noting that HIPAA only applies to HIPAA-covered entities, business associates of HIPAA-covered entities, and subcontractors of business associates. There are no restrictions on disclosures of information about the 2019 Novel Coronavirus and COVID-19 by other entities; however, while HIPAA may not apply, other federal and state laws may do.

HIPAA would therefore not apply when an employee tells an employer they have contracted COVID-19 or are self-isolating because they are displaying symptoms of COVID-19. HIPAA would apply if an employer is informed about an employee testing positive, if the employer is notified about the positive test by the employer’s health plan.

Further Information on HIPAA Compliance and the COVID-19 Coronavirus Pandemic

In response to this emergency, HIPAA Journal has worked with Compliancy Group to set up a free hotline for any questions you have related to the response to HIPAA compliance during coronavirus crisis: (800) 231-4096

Background Information on the SARS-CoV-2 Pandemic and COVID-19

The 2019 Novel Coronavirus has been named Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2) and causes Coronavirus Disease 2019 (COVID-19). The virus was first identified in November and originated in Wuhan, in the Hubei province of China. The Chinese government took steps to control the spread of the virus, but it was not possible to contain, and it spread around globe.

The World Health Organization (WHO) declared the outbreak a public health emergency of international concern on January 30, 2020. Following the WHO declaration, HHS Secretary Alex Azar declared the SARS-CoV-2 outbreak a public health emergency for the United States. WHO declared the outbreak a pandemic on March 11, 2020 and on March 13, 2020, President Trump declared COVID-19 a national emergency.

SARS-CoV-2 is highly infectious, and COVID-19 has a high mortality rate. The mortality rate is difficult to determine many people infected with SARS-CoV-2 only have relatively mild symptoms and do not seek medical help. Testing has been erratic initially in many locations and tests have been in short supply. Based on the limited data available, the mortality rate ranges from less than 1% to 7%. In early March, WHO estimated a mortality rate of 3.4%; however, the data on which these figures are based may be inaccurate and this is an evolving situation.

One of the main factors that has contributed to the rapid spread of SARS-CoV-2 is the long incubation period before symptoms are experienced, during which time infected individuals can spread the virus. It can take up to 14 days before infected individuals start displaying symptoms. The median incubation time is 10 days.

This is a rapidly changing situation that is likely to get considerably worse until the spread of the disease can be curbed. In the absence of a vaccine to provide protection, steps need to be taken by the entire population to limit exposure and prevent the spread of the disease.

There has been significant progress towards a vaccine in a short space of time. Some pharma firms having already developed potential vaccines, but they now need to be tested for safety on humans in clinical trials. Even if the process can be fast tracked, it is unlikely that a vaccine will be available before 2021.

The post HIPAA Compliance and COVID-19 Coronavirus appeared first on HIPAA Journal.

TigerConnect Secure Communications Platform Offered to Hospitals Free of Charge During COVID-19 Pandemic

Posted by HIPAA Journal

TigerConnect, the provider of the most widely used secure healthcare communications platform in the United States, has announced that U.S. health systems and hospitals can use its platform free of charge to help support COVID-19 related communications during the novel coronavirus pandemic.

TigerConnect has been tracking COVID-19 and the impact it is having on the U.S. healthcare system. Unsurprisingly given the rapid spread of the virus, use of its secure communications platform has surged. The company also reports that it is receiving an increasing number of calls from customers looking to expand licenses to make sure all staff have access to the platform to expedite internal and external communication and support isolation workflows.

The TigerConnect platform can be used to create dedicated channels for COVID-19 communications to provide support for patients and staff members. The platform ensures instant and immediate communication of preparedness plans, staff schedules, guidelines on infection control and isolation protocols, and other critical information. Users of the platform can contact any person within a healthcare system instantly, without knowing their number or extension.

“As part of the healthcare community, we harbor a sense of duty to do everything we can to keep the flow of information moving as quickly as possible,” explained TigerConnect. “This is the time to remove any barriers that might keep organizations from having every tool they need to fight COVID-19.”

Hospitals and health systems that have not yet adopted the TigerConnect platform are being offered complimentary use of the TigerConnect secure texting network for up to 6 months to support COVID-19 communications. Existing customers will be provided with complimentary expansion of TigerText Essentials licenses for up to 6 months. TigerConnect has also announced that it will be extending support hours and publishing resources and conducting webinars to help current and new users of the platform optimize communications.

As has been seen in Europe, which is now the epicenter of the COVID-19 pandemic, hospitals and health systems are stretched and struggling to cope with the number of cases. Immediate, enterprise-wide communication is critical for preventing the spread of the disease.

In Singapore, stringent measures have been implemented to prevent the spread of the novel coronavirus. As of March 14, there have been 200 cases of COVID-19 in Singapore but no COVID-19 deaths. Coordinating the response to COVID-19 and ensuring resources are correctly allocated has been a major challenge, but one that has been helped by having an efficient communications system in place. 55,000 healthcare professionals in Singapore are using the TigerConnect platform and usage has increased fivefold in the past three weeks. Being prepared and having the systems in place to deal with outbreaks of disease that support fast and efficient communication has been invaluable.

“It is clear that identifying new cases quickly and sharing that information among key stakeholders is crucial to containment and treatment,” explained TigerConnect co-founder and CEO, Brad Brooks. “Our mission is to help organizations remove the barriers that might slow down those responses as we continue to partner with the organizations on the front lines of this crisis.”

The post TigerConnect Secure Communications Platform Offered to Hospitals Free of Charge During COVID-19 Pandemic appeared first on HIPAA Journal.

HSCC Publishes Best Practices for Cyber Threat Information Sharing

Posted by HIPAA Journal

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published best practices for cyber threat information sharing. The new guidance document is intended to help healthcare organizations develop, implement, and maintain a successful cyber threat information sharing program to reduce cyber risk.

The new document builds on previously published guidance – the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) – in which HSCC identified key Information Sharing and Analysis Organizations (ISAOs) for the healthcare sector. The latest guidance document helps organizations determine what information to share, how to share the information, and how to protect any sensitive information they receive, as well as providing best practices for obtaining internal and legal approvals for information sharing processes.

One of the main benefits of participating in these programs is to learn about possible attacks and the mitigations to implement to avoid becoming a victim. If an attack occurs at one healthcare organization, it is probable that similar attacks will be performed on others. Through threat information sharing, healthcare organizations can learn from others about attacks and mitigations so they can prepare and improve their own security posture. This is especially important for healthcare organizations with limited resources to devote to cybersecurity as it allows them to crowd source cybersecurity expertise.

The threat landscape evolves at a rapid pace and new attack methods are constantly being developed by cybercriminals. Cyber threat intelligence sharing programs help participants keep abreast of new attack methods and take steps to reduce risk through rapid sharing of actionable intelligence. Cross-organizational collaboration also helps to improve patient safety through the development of trusted networks that help manage potential threats.

The guidance document helps organizations get started by outlining the steps that need to be taken to prepare before joining a threat information sharing program. Preparation requires information sharing goals and objectives to be established, as well as governance models for regulatory compliance. Information sharing assets must be categorized, a governance body must be created, and sanitization rules must be established. HSCC recommends involving the legal department early in the information sharing process and making sure the value and scope of information sharing is understood.

The HSCC cyber threat information sharing guidance details the types of information that should be shared, such as strategic, tactical, operational, and technical intelligence, as well as open source data and incident response information. “While some may believe that threat intelligence only includes information about malware, hacking techniques, and threat actors – threat intelligence data truly comes in a variety of forms and should encompass all cyber risk that could impact the health industry, such as third-party risks, insider threats, cybersecurity risks, regulatory risks, and geopolitical risks,” explained HSCC.

The guidance also details best practices for sharing information, such as using the traffic light protocol and ensuring legal protections are in place to protect against any liability, and also provides advice on who to share threat data with. The document concludes with case studies showing how information can be shared to benefit the information sharing community and protect against attacks.

The HSCC best practices for cyber threat information sharing can be downloaded on this link.

The post HSCC Publishes Best Practices for Cyber Threat Information Sharing appeared first on HIPAA Journal.

HHS Releases Final Interoperability and Information Blocking Rules

Posted by HIPAA Journal

On March 6, 2020, the Office of Information and Regulatory Affairs’ Office of Management and Budget announced it has completed its review of the rules proposed by two HHS agencies in February 2019 to tackle interoperability and information blocking.

On March 9, 2020 the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator of Health Information Technology (ONC) released their final rules which change how healthcare delivery organizations, health insurers, and patients exchange health data.

The interoperability and information blocking rules were required by the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) and the 21st Century Cures Act of 2016. They are intended to make it easier for healthcare data to be exchanged between providers, insurers, and patients and are a key part of creating a patient-centric healthcare system and put patients in control of their own health records.

“These rules are the start of a new chapter in how patients experience American healthcare, opening up countless new opportunities for them to improve their own health, find the providers that meet their needs, and drive quality through greater coordination,” explained HHS Secretary, Alex Azar.

Easy Access to Patient Records Through APIs

One of the ways that patients are given easy access to their health data is through the use of application programming interfaces (APIs). APIs can be leveraged to connect different IT systems and software solutions to allow data to be easily transferred from one to the other. The use of APIs has driven innovation in many sectors, but they have not been adopted in healthcare to give patients easy access to their medical records. The final rules will ensure that changes.

The use of APIs will allow healthcare providers to easily share a patients’ electronic health records with other healthcare organizations with different EHR systems. It will also allow patients to have their healthcare data, including medical records, sent to a third-party health app if thy so wish. The rules also include provisions to ensure that patient data contained in electronic health records is provided to patients at no additional cost when it is accessed electronically.

Improving Interoperability of Health Data

The CMS Interoperability and Patient Access final rule, part of the Trump Administration’s MyHealthEData initiative, is aimed at improving interoperability and patient access to healthcare data. “[The] final rule is focused on driving interoperability and patient access to health information by liberating patient data using CMS authority to regulate Medicare Advantage (MA), Medicaid, CHIP, and Qualified Health Plan (QHP) issuers on the Federally-facilitated Exchanges (FFEs),” explained CMS in the Interoperability and Patient Fact Sheet, published on March 9, 2020.

The lack of effective exchange of healthcare data has had a negative effect on patient outcomes and is also contributing to high healthcare costs. The CMS final rule removes barriers to information sharing to give patients easy access to their healthcare data, it will improve interoperability, drive innovation, and reduce the burden on payers and providers. When patient health information moves freely, patient care can be coordinated easily, costs can be reduced, and patient outcomes are likely to improve.

“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel and every other component of their lives. This requires using modern computing standards and APIs that give patients access to their health information and gives them the ability to use the tools they want to shop for and coordinate their own care on their smartphones,” said Don Rucker, M.D., national coordinator for health information technology.

Final Rules Will Drive Innovation

In addition to requiring healthcare providers to share medical records with third party apps at the request of patients, the CMS rule also calls for health insurers to share cost information with third-party apps. This will give patients information about the out-of-pocket expenses they are likely to incur. This will allow patients to plan and budget for medical bills.

“The days of patients being kept in the dark are over,” said CMS Administrator Seema Verma. “These rules begin a new chapter by requiring insurance plans to share health data with their patients in a format suitable for their phones or other device of their choice. We are holding payers to a higher standard while protecting patient privacy through secure access to their health information. Patients can expect improved quality and better outcomes at a lower cost.”

The CMS final rule also requires CMS-regulated payers to make provider directory information available publicly via a standards-based API. This will encourage innovation and will allow third-party app developers to create services that allow patients to find providers that can offer care and treatment. These apps could also be used by clinicians to find other providers to help with care coordination.

The CMS rule also calls for payer-to-payer clinical health data exchange to allow patients to take their data with them when they change payers and to create a cumulative health record with their current payer. “Having a patient’s health information in one place will facilitate informed decision-making, efficient care, and ultimately can lead to better health outcomes,” explained the CMS.

Preventing Information Blocking

The ONC’s 21st Century Cures Act: Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule details information blocking practices such as anti-competitive behavior which are prohibited and reasonable and necessary activities that are not classed as information blocking and are permitted. One area where problems will be eased is the sharing of screenshots and videos related to EHR use. Many EHR providers prohibit the use screenshots and videos, when these are important for communicating about usability, the user experience, and interoperability.

The CMS has confirmed that starting in late 2020, using data collected for the 2019 performance year data, the CMS will be reporting clinicians, hospitals, and critical access hospitals that are believed to be engaging in information blocking practices based on how they attested to certain Promoting Interoperability Program requirements.

Patient Privacy and Data Security

The proposed rules will improve interoperability and reduce information blocking, but there has been fierce criticism of the rules by some groups, mostly in relation to patient privacy. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have been vocal critics of the rules criticized the rules, with one of the main issues related to the sharing of health records with third-party apps.

Healthcare providers are required to comply with HIPAA and must ensure safeguards are implemented to ensure patient data is protected. Health app developers and other entities not required to comply with HIPAA, may not have appropriate privacy protections in place. There is also considerable potential for secondary uses of patient health information without the knowledge of patients.

The AHA and AMA are not alone. Many privacy advocates and health systems have expressed concern about the proposed rules and patient privacy. Last year, Epic wrote to the HHS Secretary voicing concern and even threatened legal action if patient privacy was not protected. The letter was signed by 60 healthcare systems.

The CMS and ONC have made patient privacy a key priority. Both the CMS and ONC want to ensure patient data flows freely, but also that patient privacy is protected. To ensure the privacy and security of patient data in transit, the ONC and CMS have adopted the Health Level 7® (HL7) Fast Healthcare Interoperability Resources® (FHIR) Release 4.0.1 as the standard to support data exchange via APIs.

That standard ensures patient privacy and security for the transfer of health data but does not cover patient data once it has been transferred to a third party. To address risks after data has been transferred, healthcare organizations are permitted to ask third-party app developers to attest to certain privacy provisions, such as whether there will be any secondary uses of patient data and to make sure patients are informed about what those secondary uses will be.

The post HHS Releases Final Interoperability and Information Blocking Rules appeared first on HIPAA Journal.

Coronavirus Preparedness – Managing the Message to Your Community

Posted by HIPAA Journal

The entire nation is braced for a potential COVID-19 pandemic. The novel coronavirus was first detected in China and has now spread to more than 90 countries around the world, including the United States. COVID-19 has been declared a global health emergency by the World Health Organization (WHO).

It is essential for correct information about the risks associated with the virus to be effectively communicated to the public, the steps that should be taken to prevent infection, and the actions to take if infection is suspected.

Getting the message out to residents in your local community is important to help prevent the spread of the disease, but what is the best approach to take to ensure correct information is provided and how can you prepare for a pandemic disease outbreak?

Rave Mobile Safety is hosting a timely webinar in which important issues will be discussed including strategies for pandemic preparedness, best practices for effective communication during a disease outbreak, and how organizations can leverage technology to inform and protect their community.

Speakers:

  • Steve Mullings, Emergency Planner and Continuity Director, University of Alaska
  • Don Aviv, President, Interfor International
  • Mark Escott, EMS System Medical Director, City of Austin and Travis County, TX.

Date:   Wednesday March 18, 2020. 

Time:   1pm-2pm ET

Click here to register for the webinar

N.B. HIPAA Journal is not participating in this event and has not been paid for promoting this webinar.  If your organization is running a survey or web event that is of interest to healthcare professionals, you can contact us with the details.

The post Coronavirus Preparedness – Managing the Message to Your Community appeared first on HIPAA Journal.

Protecting Jessica Grubbs Legacy Act Reintroduced by Sens. Manchin and Capito

Posted by HIPAA Journal

The Protecting Jessica Grubbs Legacy Act (S. 3374) has been reintroduced by Senators Joe Manchin (D-W.V.) and Shelley Moore Capito (R-W.V.). The Protecting Jessica Grubbs Legacy Act aims to modernize the 45 CRF Part 2 regulations to support the sharing of substance abuse disorder treatment records and improve care coordination.

42 CFR Part 2 regulations restrict the sharing of addiction records, which makes it very difficult for information to be shared about patients who are recovering from substance abuse disorder. Currently 45 CFR Part 2 regulations only permit substance abuse patients themselves to decide who has access to their full medical history. While the sharing of highly sensitive information about a patient’s history of substance abuse disorder and treatment is intended to protect the privacy of patients and ensure they are protected against discrimination, not making that information available to doctors can have catastrophic consequences, as happened with Jessica Grubbs.

Jessica Grubbs was recovering from substance abuse disorder when she underwent surgery. The discharging doctor prescribed oxycodone and Grubbs returned home with 50 oxycodone pills. She later died of an overdose. If the discharging doctor was made aware that Grubbs had a history of substance abuse disorder, a different medication could have been prescribed.

Medical providers are responsible for providing care to patients, but without access to their full medical histories, they are doing so blind. It is difficult for medical providers to make correct decisions about patients’ care if they only have access to incomplete medical records.

The Protecting Jessica Grubbs Legacy Act was introduced to ensure medical providers have access to all the necessary information, so they do not accidentally give opioid drugs to patients in recovery from substance abuse disorder. The Protecting Jessica Grubbs Legacy Act will help to ensure tragedies such as the death of Jessica Grubbs are prevented.

“No family or community should ever have to go through the senseless and preventable tragedy that Jessica Grubbs and her family had to endure,” said Sen. Manchin. “This bipartisan bill is essential to combating the opioid epidemic and ensuring that these painful deaths are prevented.”

Healthcare industry stakeholders have been pushing for changes to 42 CFR Part 2 regulations for several years and Congress has been petitioned to make changes to the regulations. In 2019, the National Association of Attorneys General wrote to House and Senate leaders calling for changes to the regulations, which were called cumbersome and out of date. 39 state attorneys general signed the letter. The HHS also proposed changes to 45 CFR Part 2 last year to align the regulations more closely with HIPAA.

The reintroduced Protecting Jessica Grubbs Legacy Act includes several revisions to the original act, S. 1012, which was introduced in April 2019. The language of the bill has been changed to require a patient to give their affirmative, written consent to opt-in before their information may be shared. An educational component has also been added that requires patients to be informed about exactly what they are consenting to before a final determination. An opt-out clause has also been added that allows patients to opt out and rescind their consent at any time. The revised Protecting Jessica Grubbs Legacy Act also calls for Part 2 regulations to be aligned more closely with HIPAA.

To ensure the privacy of patients is protected, enhancements have been made to current protections to prevent discrimination in relation to access to treatment, termination of employment, receipt of worker’s compensation, rental housing, and federal, state, and local government social services benefits.

The Secretary of the Department of Health and Human Services will be directed to consult with appropriate legal, clinical, privacy, and civil rights experts when updates are made to the Code of Federal Regulations to implement the changes proposed in the bill.

“This is an ideal compromise that alleviates the roadblocks to care coordination, while providing strong protections, and more importantly providing those suffering with substance use disorder, more comfortable in knowing they can share medical records in a protected manner and enforced with real penalties to prevent misuse of sensitive medical information,” said Sen. Manchin in a statement.

The revised bill has received considerable support from industry stakeholders and the bill has been co-sponsored by Sens. Sheldon Whitehouse (D-R.I), Kevin Cramer (R-N.D.), Dianne Feinstein (D-Calif.), Doug Jones (D-Ala.), Chris Murphy (D-Conn.), Thom Tillis (R-N.C.), Susan Collins (R-Maine), Kamala Harris (D-Calif.), Bill Cassidy (R-La.), Amy Klobuchar (D-Minn.), and Jeff Merkley (D-Ore.).

The post Protecting Jessica Grubbs Legacy Act Reintroduced by Sens. Manchin and Capito appeared first on HIPAA Journal.

Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete

Posted by HIPAA Journal

Following the revelation that a considerable volume of patient data had been shared with Google by the Catholic health system Ascension, the second largest health system in the United States, concern was raised about the nature of the partnership.

Ascension operates 150 hospitals and more than 2,600 care facilities in 20 states and the District of Columbia and has more than 10 million patients. In November 2019, a whistleblower at Google passed information to the Wall Street Journal on the nature of the collaboration and claimed that patient data, including patient names, dates of birth, lab test results, diagnoses, health histories and other protected health information, had been shared with Google and was accessible by more than 150 Google employees.

In response to the story, Google announced that the partnership, named Project Nightingale, was a cloud migration and data sharing initiative. Ascension is migrating its data warehouse and analytics infrastructure to the Google Cloud and will be using Google’s G Suite productivity suite. Patient data was being used by Google’s AI and machine learning technologies with the purpose of improving clinical quality and patient safety.

Google and Ascension both unissued statements confirming that there was a business associate agreement in place and data was being shared in a manner compliant with Health Insurance Portability and Accountability Act (HIPAA) Rules and health data was not being used for purposes other than those stated in its BAA. Several investigations were launched to determine the nature of the agreement between both companies, with the HHS’ Office for Civil Rights opening an investigation into both companies to determine whether HIPAA Rules were being adhered to.

Three U.S. senators – Sen. Bill Cassidy, M.D., (R-LA), Elizabeth Warren (D-MA), and Richard Blumenthal (D-CT) – wrote to Google demanding answers about the collaboration. Google responded and explained that data was shared in accordance with HIPAA Rules, that only a limited number of employees have access to that data, that access controls are in place to prevent unauthorized access, and any individual required to access health data is set permissions based on their role and job function.

Google also explained that Ascension’s data is logically isolated from other customers and confirmed that the data was only being used for an EHR search pilot program that would provide physicians and nurses with a unified view of patient data from multiple EHR systems. The EHR search tool will allow medical staff to search data in EHRs faster and effectively query medical records using words and abbreviations commonly used in healthcare. Google confirmed that medical records were not being used for secondary purposes, such as identifying services for specific individuals or to send them targeted advertisements.

The senators believe the answers provided by Google are incomplete. On Monday, they wrote to Ascension demanding answers about Project Nightingale and the patient data shared with Google. “Google’s response did not answer a number of our questions pertaining to Ascension’s involvement, we are requesting additional details from Ascension to help us better understand how Project Nightingale protects the sensitive health information of American patients,” explained the senators.

The senators want to know how many records have been shared with Google, the exact nature of the information that was shared, if there have been any breaches of the shared data, and whether patients were notified that their PHI would be shared with Google and if they were given the opportunity to opt out.

“It’s critical lawmakers receive comprehensive information about Project Nightingale, which serves as a case study of Google’s more extensive foray into electronic health records,” explained the senators in the letter. “While improving the sharing, accessibility, and searchability of health data for providers could almost certainly lead to improvements in care, the role of Google in developing such a tool warrants scrutiny.”

The post Senators Demand Answers from Ascension About Project Nightingale as Google’s Response was Deemed Incomplete appeared first on HIPAA Journal.