Protecting health information confidentiality, while still ensuring ready access for those who deserve it, means striking a strategic balance between privacy/security and access. In this era of cybercrime, data breaches, increased government regulation and audits, and the ongoing fight to open up health records for patients and providers, skills in healthcare privacy and security have never been more important. This fact was evident during the 11th Annual AHIMA Privacy and Security Institute, which took place Saturday and Sunday in the Los Angeles Convention Center.
Best practices from industry privacy and security experts and government officials were shared at the institute.
In one keynote presentation, Daniel Nigrin, senior vice president and chief information officer at Boston Children’s Hospital, discussed how his organization dealt with a crippling cyberattack by the hacktivists “Anonymous” in 2014.
The opening keynote presentation by the Office for Civil Rights (OCR) Deputy Regional Manager Yun-kyung Lee provided an update on OCR’s ongoing HIPAA/breach notification audits that started in 2016 and continued this year. April Carlson, privacy officer at the Mayo Clinic, closed the institute discussing her organization’s experience with one of those OCR audits.
In addition to investigations by government entities like OCR, Congress has also been active in passing new privacy and security regulations like the 21st Century Cures Act (Cures) that directly impacts health information management (HIM) professionals. Signed into law on December 16,
2016, the Cures Act snuck up on many in healthcare—and stresses significant advancements that need to be made by the industry in health IT and information interoperability, improved patient access, and specific prohibitions against “information blocking” that can come with a fine of up to $1 million per event.
David C. Kibbe, MD, MBA, president and CEO of DirectTrust, gave the institute’s second day opening keynote on the Cures Act and what specifically privacy/security professionals should do to remain in compliance with its new requirements.
Of particular importance to HIM professionals are the Cures Act provisions that aim to increase health IT interoperability and the data exchange that goes with it by prohibiting “information blocking”—described as deliberately building health IT systems or instituting organizational policies that “interfere with, prevent, or discourage” the exchange of health information with other organizations, providers, or patients, Kibbe said. The Cures Act defines what information blocking is, sets penalties for engaging in the practice, and calls on the Office of Inspector General to investigate complaints of the practice. The law is written in a way that it won’t excuse ignorance of any information blocking practices—meaning organizations can be fined even if they aren’t intending to engage in activity that meets the definition of information blocking.
“That is a really high bar,” Kibbe said. “So it is very, very important for people who work with health information and medical records, those who respond to requests people have for health information exchange and manage those processes to be very aware that they could be under scrutiny if they engage in any of these [information blocking] practices.”
Kibbe recommended that health IT vendors, hospital systems, and physician practices systematically look at how they engage in health information exchange and record access as an organization in order to identify if they are violating the Cures Act. For example, Kibbe said there are some electronic health record vendors who design systems that can’t accept information being sent using a Direct-standard PDF—a common format. If other providers in the area routinely exchange information using this common standard, the provider who can’t and limits information exchange could be found to be engaging in information blocking during an investigation, Kibbe said.
“That organization might have to say ‘You know, we are probably going to have to change our implementation, because if a known party is sending us a care plan and it is in a PDF file, we are going to have to accept that document, or will have to talk to them and ask them to change, but we can’t just out of hand block that information from getting to the provider that it is sent to,’” Kibbe said.
Another more basic example of what could be information blocking is denying patients access to their health information in an electronic format and blaming HIPAA as the reason—even though HIPAA expressly permits this access.
While the Cures Act offers somewhat broad requirements for the healthcare industry, Kibbe said he expects the Department of Health and Human Services to issue specific proposed and final rules that offer more practical guidelines in the coming months.