Archive for Technology

HHS Proposes New Rules to Improve Interoperability of EHI

HHS Proposes New Rules to Improve Interoperability of EHI
Could new innovations in technology promote patient access and make no-cost health data exchange a reality for millions?

The U.S. Department of Health and Human Services (HHS) has proposed new rules to support seamless and secure access, exchange and use of electronic health information. The rules, issued by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), would increase choice and competition while fostering innovation that promotes patient access to and control over their health information. The proposed ONC rule would require patient electronic access to this electronic health information (EHI) be made available at no cost.

“These proposed rules strive to bring the nation’s health care system one step closer to a point where patients and clinicians have the access they need to all of a patient’s health information, helping them in making better choices about care and treatment,” said HHS Secretary Alex Azar. “By outlining specific requirements about electronic health information, we will be able to help patients, their caregivers, and providers securely access and share health information. These steps forward for health IT are essential to building a health care system that pays for value rather than procedures, especially through empowering patients as consumers.”

CMS’ proposed changes to the health care delivery system support the MyHealthEData initiative and would increase the seamless flow of health information, reduce burden on patients and providers, and foster innovation by unleashing data for researchers and innovators. In 2018, CMS finalized regulations that use potential payment reductions for hospitals and clinicians to encourage providers to improve patient access to their electronic health information. For the first time, CMS is now proposing requirements that Medicaid, the Children’s Health Insurance Program, Medicare Advantage plans and Qualified Health Plans in the Federally-facilitated Exchanges must provide enrollees with immediate electronic access to medical claims and other health information electronically by 2020.

In support of patient-centered health care, CMS would also require these health care providers and plans to implement open data sharing technologies to support transitions of care as patients move between these plan types. By ensuring patients have easy access to their information, and that information follows them on their health care journey, we can reduce burden, and eliminate redundant procedures and testing thus giving clinicians the time to focus on improving care coordination and, ultimately, health outcomes.

“Today’s announcement builds on CMS’ efforts to create a more interoperable healthcare system, which improves patient access, seamless data exchange, and enhanced care coordination,” said CMS Administrator Seema Verma. “By requiring health insurers to share their information in an accessible, format by 2020, 125 million patients will have access to their health claims information electronically. This unprecedented step toward a health care future where patients are able to obtain and share their health data, securely and privately, with just a few clicks, is just the beginning of a digital data revolution that truly empowers American patients.”

The CMS rule also proposes to publicly report providers or hospitals that participate in “information blocking,” practices that unreasonably limit the availability, disclosure, and use of electronic health information undermine efforts to improve interoperability. Making this information publicly available may incentivize providers and clinicians to refrain from such practices.

ONC’s proposed rule promotes secure and more immediate access to health information for patients and their health care providers and new tools allowing for more choice in care and treatment. Specifically, the proposed rule calls on the health care industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured and unstructured EHI formats using smartphones and other mobile devices. It also implements the information blocking provisions of the 21st Century Cures Act, including identifying reasonable and necessary activities that do not constitute information blocking. The proposed rule helps ensure patients can electronically access their electronic health information at no cost. The proposed rule also asks for comments on pricing information that could be included as part of their EHI and would help the public see the prices they are paying for their health care.

“By supporting secure access of electronic health information and strongly discouraging information blocking, the proposed rule supports the bi-partisan 21st Century Cures Act. The rule would support patients accessing and sharing their electronic health information while giving them the tools to shop for and coordinate their own health care,” said Don Rucker, M.D., National Coordinator for Health IT. “We encourage everyone – patients, patient advocates, health care providers, health IT developers, health information networks, application innovators, and anyone else interested in the interoperability and transparency of health information – to share their comments on the proposed rule.”

Policies in the proposed CMS and ONC rules align to advance interoperability in several important ways. CMS proposes that entities must conform to the same advanced API standards as those proposed for certified health IT in the ONC proposed rule, as well as including an aligned set of content and vocabulary standards for clinical data classes through the United States Core Data for Interoperability standard (USCDI). Together, these proposed rules address both technical and health care industry factors that create barriers to the interoperability of health information and limit a patient’s ability to access essential health information. Aligning these requirements for payers, health care providers, and health IT developers will help to drive an interoperable health IT infrastructure across systems, ensuring providers and patients have access to health data when and where it is needed.

For a fact sheet on the CMS proposed rule (CMS-9115-P), please visit: https://www.cms.gov/newsroom/fact-sheets/cms-advances-interoperability-patient-access-health-data-through-new-proposals

For fact sheets on the ONC proposed rule, please visit: https://healthit.gov/nprm

To receive more information about CMS’s interoperability efforts, sign-up for listserv notifications, here: https://public.govdelivery.com/accounts/USCMS/subscriber/new?topic_id=USCMS_12443

To view the CMS proposed rule (CMS-9115-P), please visit: https://www.cms.gov/Center/Special-Topic/Interoperability-Center.html

Posted in: Technology

Leave a Comment (0) →

Are Your Electronic Devices Physically Secure?

Are Your Electronic Devices Physically Secure?

In the age of electronic medical records and ransomware attacks, recent focus with regard to HIPAA compliance seems to be on electronic security. How are your electronic medical records stored? Do you require two-factor authentication to access your electronic system remotely? What firewalls and malware detection systems do you have in place to prevent a cyber-attack?

However, in the May 2018 OCR Cyber Security Newsletter, the Office of Civil Rights (OCR) reminded providers that, in the midst of electronic security, appropriate physical security controls are also an important component. The HIPAA Security Rule requires that all workstations (including laptops, desktops, tablets, smartphones and portable electronic devices) accessing PHI must have physical safeguards in place to restrict access to authorized users.

According to OCR, the following methods may be helpful in achieving compliance with this requirement: privacy computer screens, cable locks, port and device locks (preventing access to USB ports or removable devices), positioning work screens in a manner in which they cannot be viewed, locking rooms that store electronic equipment, security cameras and security guards. Of course, which methods are appropriate for each provider will vary based on the provider’s risk analysis and risk management process.

In reviewing the physical security of electronic devices, OCR recommends that providers ask the following questions:

  • Is there a current inventory of all electronic devices (i.e., computers, portable devices, electronic media) including where such devices are located?
  • Are any devices located in public areas or other areas that are more vulnerable to theft, unauthorized use, or unauthorized viewing?
  • Should devices currently in public or vulnerable areas be relocated?
  • What physical security controls are currently in use (i.e., cable locks, privacy screens, secured rooms, cameras, guards, alarm systems) and are they easy to use?
  • Could additional physical security controls be reasonably put into place?
  • Are policies in place and employees properly trained regarding physical security (i.e., use of cable locks and privacy screens)?
  • Are signs posted reminding personnel and visitors about physical security policies or monitoring?

A copy of the May 2018 OCR Cyber Security Newsletter is available at https://www.hhs.gov/sites/default/files/cybersecurity-newsletter-may-2018-workstation-security.pdf.

Kelli Fleming is a Partner with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is a partner with the Medical Association.

Posted in: Technology

Leave a Comment (0) →

Keep the Medical Association in Your Facebook News Feed

Keep the Medical Association in Your Facebook News Feed

Facebook changed its news feed algorithm to prioritize content from friends, family and groups so you are less likely to see public content from businesses, brands and news media now than before the first of the year. Facebook justified the change for “people’s well-being” and suggesting that businesses will have to work harder to get their members’ attention.

So, what can you do to keep the Medical Association in your Facebook news feed?

Desktop Computers

Go to the Medical Association Facebook page and make sure you have “liked” the page. Hover over “Following” and select “See first” from the drop-down menu.

 

Also switch “Events, Suggested Live Videos” to “On,” and you’re all set!

Phone and Tablet Users

On your smartphone or tablet, go to the Medical Association Facebook page and click “Like.”

Then select “Follow” or “Following;” click it and turn “Get Notifications” to the on position. Don’t forget to Like and Share our posts with your friends and family!

Posted in: Technology

Leave a Comment (0) →

What Eight Things You Should Do to Protect Your Business from Cyber Threats

What Eight Things You Should Do to Protect Your Business from Cyber Threats

Cyber threats take many forms. The widespread WannaCry ransomware attack in May 2017 highlighted how computer files could be held hostage in return for payment, while the Dyn denial of service in October 2016 highlighted how websites like Airbnb and Twitter could be made inaccessible. Cyber threats are on the rise within the health care industry, as the information gained as a result is lucrative in value. Thus, it is important every physician practice take steps to protect itself from a cyberattack.

Identify the types of cyberattacks to which your practice is most likely vulnerable.

By doing so, you can invest in measures that will be most relevant to your practice. For instance, practices that host websites must preempt denial of service attacks, while those that hold private customer information electronically must prevent unauthorized access to their data. Of course, many practices will likely be vulnerable to a variety of cyberattacks.

Develop a framework to prevent, investigate and respond to the cyberattacks to which your practice is most vulnerable.

In 2014, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued and continues to update, a voluntary Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). In addition to their own independent initiatives, practices should periodically consult the Framework to keep abreast of cybersecurity best practices in order to assess their security status relative to others. In addition, the website for the Office of Civil Rights, the government entity responsible for HIPAA compliance, contains guidance on various cybersecurity topics that may also prove helpful.

Invest in the latest computer security and protection measures.

To the extent feasible, practices should strive to use the most up-to-date software and avail themselves of periodic releases of software updates. Cyberattack methods constantly evolve, and older versions of software are more vulnerable to newer and more complex threats. For example, victims of the WannaCry ransomware attack were mainly those organizations that ran older versions of Windows operating software. Practices should also consider regularly backing up data and insulating that data from their computer network, segmenting their computer network, and monitoring network activity.

Implement employee vigilance and training measures.

Perpetrators of cyberattacks often employ phishing scams by sending emails with attached malware to individuals who then promptly download the attachments and infect their employers’ computer networks. Practices should train employees to identify suspicious emails in order to guard against phishing schemes. Such training can be incorporated into your practice’s periodic HIPAA training.

Given that malicious emails are often sent by seemingly familiar senders, practices should teach employees how to spot subtle clues that indicate dangerous emails. For instance, employers should instruct employees to check whether the domain name of the originating account is a “near-miss” from what would be expected. For example, an employee recognizing “dot com” and “dot co” could be the difference in avoiding hefty losses.

Test your cybersecurity measures and monitor the effectiveness.

To test whether employees take instructed precautions against phishing attacks, practices should send their employees emails from a “near-miss” domain and tally how many employees fall for them. Of course, even after enhancing computer security systems and increasing employee awareness of network defenses, practices may nonetheless succumb to a cyberattack, but at least the chances of doing so may be reduced.

Obtain effective cyberattack insurance coverage.

Practices should compare potential damages in the event of a cyberattack to the coverage provided in their existing insurance policies and seek out supplementary insurance for any uncovered damages or liabilities that may arise in the event of a cyberattack. For instance, since courts are divided as to whether computer systems constitute “tangible property” for purposes of an insurance claim, practices should consider consulting their insurance companies, brokers, or legal counsel to obtain insurance that covers the types of damages that arise in cyberattacks, including, but not limited to, expenses associated with providing patients with written notice when a reportable HIPAA breach occurs.

Adopt an effective legal strategy for your practice that preempts and limits liability.

As practices retain confidential personal and medical information, any data breach or unauthorized disclosure could subject the practice to liability under a host of federal and state law claims, in addition to HIPAA fines and penalties. Thus, the establishment of an effective legal strategy that preempts and limits liability is essential.

Employ traditional security measures for your practice at locations that could be vulnerable to physical disruption of your cyber capabilities.

Practices should account for some of the more traditional ways in which perpetrators can disrupt their computer networks. To prevent someone from unplugging the power source to a computer network or server, you could consider installing CCTV cameras and limiting access to such areas. In addition, have security incident procedures in place and be prepared to continue operations if an interruption occurs. For example, if an interruption with respect to your EMR system occurs, be prepared to continue business utilizing paper medical records until the interruption can be resolved and your EMR is back online.

Article contributed by David D. Dowd III, Elizabeth B. Shirley and Kelli C. Fleming with Burr & Forman LLP practicing in the firm’s Health Care Industry Group. Burr & Forman LLP, is an official Bronze Partner with the Medical Association.

Posted in: Technology

Leave a Comment (0) →
Page 2 of 2 12