Michael L Nelson DPM VP of Healthcare Strategy Equifax Learning Objectives Review HIPAA privacy rule and ways to implement the ruling in patient portals and information exchanges How to prevent inappropriate access to PHI and PII ID: 564617
Download Presentation The PPT/PDF document "Improving Patient Outcomes through Secur..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Improving Patient Outcomes through Secure Data Exchanges
Michael L. Nelson, DPM
VP of Healthcare Strategy, EquifaxSlide2
Learning ObjectivesReview HIPAA privacy rule and ways to implement the ruling in patient portals and information exchanges
How to prevent inappropriate access to PHI and PII
Explore identity-proofing processesSlide3
Institute for Healthcare Improvement Triple AimImprove the health of the population
Enhance patient experience and outcomes
Reduce per capita cost of
care
Achieving the Triple Aim will require coordination of care driven by secure, private, interoperable health information exchange which in turn relies upon:
Unambiguous
Patient Identification
Encrypted
Internet Communications
Trust
Hierarchy and Authentication Slide4
1996
HIPAA
Administrative Simplification
Improve the efficiency and effectiveness of the health care system by standardizing the electronic data interchange of certain administrative
and financial transactions.
Protect the security and privacy
of transmitted information
.
Title II - Subtitle F – Administrative
SimplificationSlide5
Unambiguous Patient Identification Patient records are dispersed across multiple treatment facilities and geographies that have disparate technologiesFalse positive medical record matches co-mingle information from 2 or more different people – safety issue
False negative medical record matches fail to link multiple records for the same person resulting in a fragmented, incomplete EHR which can compromise outcomes
Although a unique patient identifier is written into the HIPAA law, the federal govt. refuses to fund its creation due to privacy concerns of consumer groupsSlide6
Unambiguous Patient Identification The current state of patient matching is unacceptableONC, CHIME, AHIMA, AHA, and other industry groups have prioritized improving match accuracy in light of the digitization of medical records and meaningful use requirements
Master Patient Index match accuracy is limited by the quality of the data being fed into the matching algorithms
Address changes and name changes due to marriage and divorce are the biggest culprits when it comes to matching
Reliable 3
rd
party data solution company is a great solution for improving patient matchingSlide7
Unambiguous Patient Identification Each yr., 200K-300K counterfeit driver’s licenses are introduced in the U.S.Registrars are not trained to detect counterfeit driver’s licenses
Many patients do not have driver’s licenses
All other patient information is self-reported on a registration form
Can be falsely reported
Fat finger errors
Increased patient payment responsibility due to high deductibles and co-payments creates an environment ripe for fraud
Medical identity theft is the fastest growing fraud in the U.S.
Biometrics? – You had best identity-proof the patient before linking a biometric to himSlide8
Exam Room
Evolution of the Healthcare Paradigm
Quality
Reports to
Clinicians, Payers,
And Public
AHRQ
Best Practice Rules
Lab
Pharmacy
Lab
Lab
Pharmacy
Pharmacy
External Data Sources
Public
Health
Patient
Electronic
Health
Record
System
Paper
Records
Clinical
Decision Support
System
Complete the Feedback Loop
Clinicians
Secure HIE NetworkSlide9
Future for HealthcareGoal: Best Care at Lower Cost.
Means
:
Clinician/Patient direct interaction with Clinical Decision Support System (CDSS)
(“Meaningful Use”), Evidence-Based Medicine (EBM)
Drivers
: HIE + EHR + CDSS + EBM => SAVES LIVES and $$$
Interoperable HIE is KEY to Meaningful Use of HIT which, in turn, is KEY to continuously learning healthcare system!
Requires: EHR (with CDSS, EBM, and HIE) and:Interoperability with sources of clinical data and sources of computable rules for best clinical practices (Standards).Incentives to incorporate into healthcare practice (Resources and Regulations).Investigations of systemic failures to enable systems that detect and prevent errors through best practices at the point of decision making (Research).
Trust through interoperable security and privacy (including patient consent).Slide10
Future for HealthcareHealth Information Exchange
Verb
Noun
Physician Engagement
Patient Engagement
Must prevent inappropriate access to PHI
Is the doctor who he says he is?
Does the doctor have an active license at that point in time?
Is the doctor sanctioned federally or in any state?Is the patient or the patient’s representative who he says he is?Slide11
TRUST Requires Assurance of Identity
High level of assurance that the person who is sending information is who say they are.
High level of assurance that the person who is receiving information is who we think they are.
High level of assurance that the patient identified in the information is who we think they are.
These mechanisms are dependent on high assurance
identity proofing
and
multi-factor authentication.
Certified NIST Level 3 compliant assurance now available commercially at reasonable prices.Slide12
HIPAA Security Rule of ThumbAssess risk.Identify & assess risks/threats to electronic information:Availability, Integrity, and Confidentiality
Consider the probability and criticality of each
potential risk.
Manage risk.
Consider size, complexity, technical infrastructure, hardware, and software security capabilities, and costs.
Implement reasonable and appropriate administrative, physical, and technical security safeguards.
Educate/Train.
Document and Monitor.Repeat cycle periodically … forever!“Reasonable and appropriate” used 75 times in
75 page reg.Slide13
Identity Assurance is the Backbone of TrustRisk Analysis determines the level of identity authentication required under HIPAA.Clinical environments require frequent, repetitive logons by staff from relatively secure locations where other factors limit access by unknown persons.
Username and password are often considered adequate here.
If not, the controlled environment allows other factors to be used.
ID cards, RFID chips, tokens, fingerprints.
Unsecured environments require stronger authentication.
Home, hotel, Starbucks, …
Cannot use additional hardware or software.
Cannot scale expensive mechanisms such as portable devices (tokens) to consumers.Slide14
ConclusionsImproving Patient OutcomesUnambiguous Patient IdentificationBack End – Cleanse MPI leveraging 3
rd
party reliable data to link all of a patient’s historical records into a complete EHR
Front End Registration/Enrollment – Identity proof patients and their representatives to prevent false positive matches
Security Risk Assessments
Encrypted Internet Communications
Desk tops, laptops, flash drives, medical devices
Trust Hierarchy and AuthenticationAccess management and prevention of inappropriate access to PHI and PII