
Should You Be Trusted? – Ep 371 

 September 2, 2022

By  Donna Grindle

Should we be questioning other people and vendors we work with about the trust we should have in them? The answer is yes. Are they protecting and securing the patient data we entrust them with? “Trust but verify” is something we talk about a lot. So, I ask you… should you be trusted? And can you prove it?


In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


HIPAA Say What!?!

[08:17] Email from Jena:

What do you do when a patient requests that a certain individual staff member not access their chart, but that staff member is on the provider team that the patient sees?

So, first of all, there are only two things that you must comply with under HIPAA as far as requests from patients:

  1. You must comply with a request from a patient for their records, and
  2. If a patient wants to pay out of pocket for a service and doesn’t want you to file it with insurance, then you must comply with this request, as long as you’ve agreed on payment terms.

That being said, I would recommend that you find a way to resolve this request that makes the patient feel comfortable that you respect their right to privacy. So, first, you could check to see if there is a technical way within your systems to do what the patient is asking. Can I block one user from a chart? Probably not, but ask the question anyway. If this can’t be done within your technical safeguards, that leaves you with trying to use administrative safeguards. You could tell the patient that you don’t have a way to set the system to restrict the employee from the medical record, but that you can inform the employee that they do not have permission to access this particular record. You can also tell the patient that the system logs users’ access and activity in the records and that you will monitor for any unauthorized or inappropriate access, especially by the employee in question.

There’s no telling how the patient will react to your solution, but you should be honest with them regarding what you can and cannot do. It comes back to customer service and patient privacy rights. Of course, you will want to document this request, the conversations you had, and the resolution options you offered.
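One way to put that monitoring step into practice, as an added example that is not from the podcast or from any EHR vendor: a small Python check that runs an access audit log against the restriction a patient requested. The log format, the user and record IDs, and the restriction table are all constructed for illustration; a real system will have its own audit export, but the comparison is the same.

```python
# Added example (not from the podcast): compare an EHR access audit log
# against patient-requested access restrictions. The log shape, user IDs,
# record IDs and the restriction table are constructed for illustration.
import csv
from io import StringIO

# Constructed restriction registry: record_id -> set of user IDs the patient
# asked to keep out, captured when the request was documented.
RESTRICTIONS = {
    "MRN-1001": {"jdoe"},
}

# Constructed audit log, one row per access: timestamp,user,record,action
AUDIT_LOG = """\
2022-09-01T08:02:11,asmith,MRN-1001,view
2022-09-01T08:05:43,jdoe,MRN-2002,view
2022-09-01T09:17:05,jdoe,MRN-1001,view
2022-09-01T09:18:30,jdoe,MRN-1001,print
2022-09-01T10:00:00,asmith,MRN-3003,update
"""

def parse_audit_log(text):
    """Yield one dict per audit row; blank rows are skipped."""
    reader = csv.DictReader(StringIO(text),
                            fieldnames=["ts", "user", "record", "action"])
    for row in reader:
        if row["ts"]:
            yield row

def find_restricted_access(log_text, restrictions=RESTRICTIONS):
    """Return audit rows where a restricted user touched a restricted chart.

    Every action is reported, not only edits: the patient's request covers
    access to the chart as a whole, so a view or print counts too.
    """
    hits = []
    for row in parse_audit_log(log_text):
        if row["user"] in restrictions.get(row["record"], set()):
            hits.append(row)
    return hits

def summarize(hits):
    """Count hits per (user, record) pair for the privacy officer's review."""
    counts = {}
    for row in hits:
        key = (row["user"], row["record"])
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    for row in find_restricted_access(AUDIT_LOG):
        print(f"RESTRICTED ACCESS {row['ts']} user={row['user']} "
              f"record={row['record']} action={row['action']}")
```

Accesses by the restricted user to other charts (MRN-2002 above) are not flagged, since the request is about one record, not the employee's access in general.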

Should You Be Trusted?

[14:49] A question we should all ask these days at one point or another. But, more importantly, as a player in the healthcare industry at some level, your employees, patients, residents, clients, consumers, etc. should be asking you this question about your organization. We talk about HIPAA obligations on this podcast because we do believe patient privacy matters and we believe HIPAA protections directly impact patient care and patient safety. If we get asked about trusting us, I can honestly say we do everything in our power to protect any valuable information we create, receive, maintain or transmit. Can your organization confidently say that?

All of this comes to mind based on an interesting document published by the American Medical Association (AMA). The AMA Privacy Principles, released in May of 2020, have been on my radar for a while, but I keep forgetting to put them into an episode. The AMA recently published information about a patient privacy survey that reminded me of them, so now is the time.

The Privacy Principles

[19:12] The AMA makes it clear that these principles are based on what they already have in place but designed to go beyond those who are covered under HIPAA.

They are meant to apply to entities other than those already considered covered entities under HIPAA—in other words, physicians generally would not be subject to additional regulation. The principles take into consideration that some data historically not considered “personal” may in fact be personally identifiable (e.g., IP addresses, advertising identifiers from mobile phones). Accordingly, the Principles’ use of the term “data” includes information that can be used to identify an individual, even if it is not descriptive on its face.

The Principles provide individuals with rights and protections from discrimination and shift the responsibility for privacy from individuals to data holders other than HIPAA-covered entities (collectively referred to in this document as entities). In other words, third parties who access an individual’s data should act as responsible stewards of that information, just as physicians promise to maintain patient confidentiality. The Principles also call for robust enforcement of penalties for violation of rights to help patients develop and maintain trust in digital health tools, including the use of smartphone applications (apps) to access their own health information.

I find it interesting that they break it down into the following sections:

  • Individual Rights
  • Equity
  • Entity Responsibility
  • Applicability
  • Enforcement

Here are a few excerpts from the various sections.

  • Individuals have the right to know exactly what data of theirs an entity is accessing, using, disclosing, and processing—and for what purpose—at or before the point of collection.
  • Individuals have a right to direct entities to not sell or otherwise share data about them.
  • Individuals should have a private right of action against entities that are subject to these requirements if the FTC and/or state Attorney General declines to pursue enforcement.

Equity:

  • Healthcare information is one of the most personal types of information an individual can possess and generate—regardless of whether it is legally defined as “sensitive” or protected health information under HIPAA—and individuals accessing, processing, selling, and using it without the individual’s best interest at heart can cause irreparable harm.
  • Because low-income individuals and other vulnerable populations have fewer resources and tools at their disposal to effectively assert their privacy rights, purchase technology with the most advanced and up-to-date privacy and security technology, and recover from harmful invasions of privacy, privacy frameworks (legal or otherwise) must advance policies to benefit individuals of all income levels. For example, the AMA would not support a policy in which paid apps provided greater privacy protections than free apps.
  • Law enforcement agencies requesting medical information should be given access to such information only with a court order and if the law enforcement entity has shown, by clear and convincing evidence, that the information sought is necessary to a specific, legitimate law enforcement inquiry; that the needs of the law enforcement authority cannot be satisfied by non identifiable health information or by any other information; and that the law enforcement need for the information outweighs the privacy interest of the individual to whom the information pertains. Any applicable legal requirements for law enforcement access to medical information imposed by federal, state, or local laws shall apply in addition to this principle.

[29:18] Entity:

  • All entities that maintain an individual’s health information should have an obligation or “duty of loyalty” to the individual, including the duty to maintain the confidentiality of that information.
  • Entities should be required to disclose to individuals what specific elements of data they collect, why, how often, for what purpose, and specifically with whom they are sharing the data.
  • Entities should be prohibited from using health data to discriminate against individuals, including creation of “risk scores” that could hinder patients and their families from receiving health, disability, or life insurance; housing; employment; or access to other social services.

Applicability:

  • Privacy legislation should apply to entities that access, use, transmit, and disclose data, including HIPAA business associates, with exceptions for HIPAA-covered entities given their obligations under existing HIPAA regulation. We believe this framework would lead to enhanced transparency around the use of business associates in health care, particularly now that entities not traditionally associated with health care are more active in the healthcare industry.
  • We recognize the potential need for accommodations for small businesses in certain scenarios, but overall privacy principles should apply to them as they do to larger businesses. For example, an entity with fewer than 10 employees may not need a full-time privacy officer but must still be able to satisfy responses to individuals with questions about the entity’s data practices.

[37:52] Enforcement:

  • Individuals should not be responsible for costs of enforcement unless they are exercising their private right of action (in permitted instances where the Federal Trade Commission (FTC) and the individual’s State Attorney General (AG) do not enforce).
  • Federal privacy legislation should serve as a federal floor, not a ceiling.

These aren’t new concepts but they certainly do lay the groundwork for a more robust privacy framework for everything that has to do with your health information.

The App Developers Tool Kit

[38:57] There are so many apps spreading around the world that track and advise on personal health issues that it is hard to keep up. In the US there is an assumption that these developers are covered by HIPAA. Only a small number of them will usually meet the requirements for HIPAA to apply to them. The AMA published a document they say is “A case for privacy by design in app development.”

This guide is very handy for anyone to review when considering their ability to secure and protect the information they have access to based on the services they perform. The checklist, especially, seems very valuable for that purpose.

The reason it is important is not just the fact that the information is being captured, but also this one quote from the guide:

Patients will be seeking advice and recommendations from their physicians for apps to house their electronic medical records, and a recent Pew Survey showed that 90% of respondents preferred apps pre-approved by their physician.

Should you be trusted with that recommendation?

The Patient Privacy Survey

[41:52] Survey says: people expect their health information to be kept private by their physicians.

We know there is a distinct issue with people not understanding who and what is covered by HIPAA. All of the madness over what employers can ask or do under HIPAA seems to never go away since COVID-19 started. But, really it only brought the problem out for more to see. We know that HIPAA applies to a narrow group but we also know that we get questions sent to us like this one:

Hi. I am launching a smoothie app using the ingredients in your fridge which leads to better health! The only customer information I’m storing is their name, surname, Twitter or Facebook details. Do I require HIPAA compliance? Many thanks.

Social media is a gaping hole of privacy failures. Everyone seems to know it, too: respondents pointed to social media as the least comfortable place for their health information to be shared. I wager that if more people understood what could happen, that number would climb above the 71.2% who feel that way on the survey.

Our efforts to get folks to understand that patients really do care about their information being outside their control are often just tossed aside with a “Naw, patients don’t really care.” Actually, we have shown many cases where patients do care. This survey is no different.

Over one-half of surveyed patients stated they are very or extremely concerned about negative repercussions related to insurance coverage, employment or opportunities for health care resulting from access to their health data.

Everything we covered so far is perfectly tied together with this finding:

Ninety-four percent of patients state that companies that collect, store, analyze or use health data should be held accountable by the law.

So, we ask you again – should you be trusted?

I think the AMA’s final paragraph in the survey discussion is a great way to close this one out:

Strong regulations are needed to support patients’ right to data privacy and restore trust in data exchange that facilitates accessible, equitable, and personalized care. The AMA continues to advocate for near-term app transparency requirements, including app privacy attestations collected by EHRs, that will increase transparency and bolster individuals’ choice in which apps to use.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
