Trends in Health IT Privacy and Compliance
Lori Manteufel discusses health IT compliance as well as upcoming regulatory changes.
Featuring:
Lori Manteufel, BBA
Lori Manteufel is a Health IT Project Specialist at MetaStar. Since April 2015, Lori has worked primarily in the Health IT Extension Program assisting Wisconsin Medicaid Providers to improve health IT maturity and participate in the Medicaid Promoting Interoperability Program.
Transcription:
Prakash Chandran: MetaStar Health IT Radio is a podcast series that features consulting content experts and covers topics regarding the Wisconsin Medicaid EHR Incentive Promoting Interoperability Program, as well as a behavioral health technical assistance initiative. MetaStar has helped more than 2000 providers attest to Promoting Interoperability as Wisconsin's regional extension center since 2010 and continues to provide attestation assistance and audit preparation as a consulting service.
We are joined today by Lori Manteufel, our project specialist at MetaStar. And she's going to be sharing information about trends in health IT privacy and compliance.
This is MetaStar Health IT Radio, the podcast from MetaStar. My name is Prakash Chandran. And so Lori, it is great to have you here today. You know, electronic breaches seem to be in the headlines increasingly. So what does this mean for the future of interoperability?
Lori Manteufel: You know, Prakash, it's really a very interesting balance right now, because as you've just said, there has been an increase in especially the visibility of these kinds of breaches that really makes people very, very concerned. But on the other hand, you also have a call and a need for easier exchange of electronic health information and increased patient access.
This is especially seen through some of the recent regulations that have come out from the Centers for Medicare & Medicaid Services, such as the Interoperability final rule, as well as the information blocking final rule recently released by the Office of the National Coordinator for Health IT. And then on the patient front, you also have the emergence and continuing increase of emergence of health apps for patients to use.
So it's really an interesting time on that and changes are expected in the future, such as with the information blocking rule, changes to HIPAA as well as 42 CFR Part 2.
Prakash Chandran: Okay. Understood. So, one of the most important pieces of information is that PII or that person's healthcare information, can you describe the current privacy landscape as it relates to that?
Lori Manteufel: You know, right now, it's really a patchwork of laws and regulations. First of all, we can think of it this way. You have healthcare-specific privacy laws, and then you also, in some cases, have state and federal general privacy laws and regulations that also apply.
So on the healthcare-specific side, probably the best known is HIPAA. Generally speaking, these types of laws and regulations apply to health information that is personally identifiable, and they generally limit the use and disclosure of health information without the individual's consent with the exception of some cases that are closely connected to a patient's health care. And then they also require that electronic health information especially is adequately secured.
The same is true with these other general regulations. However, this is a little bit more general and looks at sensitive nature, requiring heightened layers of protection, and also may require that personal information be adequately secured as well.
Prakash Chandran: Okay. Understood. And you kind of touched on this a little bit, but maybe go into a little bit more detail about the expected trends or changes in privacy that are likely to affect a person's health information.
Lori Manteufel: Well, first of all, it's interesting to note that, right now, there are efforts in Congress to further address privacy. And that the US federally is looking at a new privacy framework that is currently in discussion. But by and large, what we can really expect to see over the course of the next few years is a broadening in the scope of what is considered personally identifiable information. And then also, more transparent notification to individuals about how their information is collected, used, shared. And of particular importance is when that information is sold and to whom. Also, you'll see more rights for individuals to delete information as well as more power for them to control the use, sharing as well as selling of that information. So those are some of the expected trends that we can expect to see within the next couple of years.
Prakash Chandran: So on the other end of the spectrum to privacy is interoperability or making the exchange of health information to facilitate care transitions easier. So earlier, you mentioned the expected changes to HIPAA that would do that, so what should we look out for there?
Lori Manteufel: As I mentioned before, this whole idea of interoperability or healthcare providers having the exact data that they need on a timely basis is really, really important. And that is really what is driving some of these changes, including those changes that we are expecting in HIPAA.
First of all, I just want to emphasize that right now, as of September 2021, there are no final rules. So I can only speak to what has currently been proposed. So there may be some additional changes out there, but right now, these proposed changes really support individuals' engagement in their health care and removing barriers to coordinated care and decreasing regulatory burdens on the healthcare industry.
At the same time, balancing that with the continued efforts to protect patients' individual health information privacy interests. So these include strengthening an individual's rights to go to their healthcare provider and request their own health information and having that information readily available, for example, through patient portals or through a patient-facing app. Improved information sharing for care coordination and care management of individuals, so when you maybe go to the ER, they are very easily able to access what medications a patient is allergic to or what other co-morbidities may be going on with that patient and then really to facilitate family and caregiver involvement in the care of individuals, especially those experiencing emergencies or health crises.
And then, enhancing flexibilities for disclosures in emergency or threatening circumstances. For example, the opioid epidemic or the current pandemic, the COVID-19 public health emergencies. And then, there are also efforts in the HIPAA changes that would reduce administrative burdens for healthcare organizations. Think of the number of signatures that are needed currently. So that's one area that they're really looking to make some consolidations and reduce that burden on healthcare organizations as well. So those are some of the proposed changes that we really expect to become finalized, hopefully within the next few months.
Prakash Chandran: Okay. Understood. And you spoke about this earlier, but substance use disorder information has special protection under 42 CFR Part 2. So what changes do we need to watch out for there?
Lori Manteufel: It's very interesting that you bring that up. The Cures Act, which is to remind everyone was the act that was passed by Congress back in March of 2020. And that really is going to have a profound effect on 42 CFR. That act was really put into place so that Americans have access to the care they needed during the COVID-19 pandemic and also to address the economic fallout from that pandemic. The way that it interacts or affects the 42 CFR Part 2, which is a long-standing regulation that really puts special privacy and confidentiality around substance use disorder information, is that it expanded the ability of healthcare providers to share records of individuals, but tightens the requirements in the event of a breach of confidentiality.
And so in short, the changes made by the Cures Act will align beyond the public health emergencies to help align 42 CFR more closely with HIPAA. Now, the changes that were part of that act will not actually take effect until SAMHSA, which is the Substance Use and Mental Health Services Administration and HHS, which is the Health and Human Services Office for Civil Rights, makes final regulatory changes. And those changes are expected to be available and really further fleshed out or made operational in late 2021.
Prakash Chandran: Okay. So, moving on, I wanted to ask you what steps can health organizations take to help secure patient electronic health information?
Lori Manteufel: Number one, with all of the changes that are coming around the corner, be it from the feds, in some cases, state laws that are going on, continuing education is really important. As I said before, some of these changes, we don't know exactly what they're going to be or what they're going to mean for individual healthcare providers in the case of some of the HIPAA proposed changes, as well as 42 CFR. So staying on top of these, having someone in-house that just is really staying on top of these changes to compliance, especially when some of those final rules come through late in 2021 is really important.
The other thing is that all health organizations should be doing annual security risk assessments or reviews. And it's really important now more than ever, that those encompass new technologies. For example, as a result of the pandemic, more and more healthcare is being done via telehealth. So that's important to make sure that those technologies are included in that security risk assessment.
The other piece of it is that information blocking and the SRA really go hand in hand, meaning that you want to make sure that some of your policies that you currently have in place wouldn't now be considered information blocking. One example of that would be what the ONC now considers excessive patient signatures or consent forms, you know, that go beyond what's currently required by HIPAA. So that is really, really an important process.
Another thing is that many organizations are considering additional certifications, such as HITRUST. I also wanted to mention, with everything that's going on around cybersecurity, that it is very important for healthcare organizations to stay up-to-date on these threats and best practices through industry groups, such as the Health Sector Coordinating Council or the HSCC. So those are a few of the steps that we would recommend.
Prakash Chandran: Okay. Another thing I wanted to ask you about is we all know that patients now have more access to their health data than ever. And I think that's probably a good thing. You know, they're taking ownership of things. But what steps can they take to make sure that their health information is secure?
Lori Manteufel: That is a really important question, because all of these rules and frameworks, things like HIPAA privacy and security rules and information blocking and all of that only can protect within the healthcare organization. Once this information is in the hands of the patients, it's really important that the patients understand that these laws don't apply if they themselves are sharing health information with organizations or with individuals, and that's simply not covered by HIPAA. For example, if patients themselves post information online, for example, through a message board or social media about a health condition, that's not protected by HIPAA.
The other thing that patients really need to pay attention to is these apps or even online fitness trackers, and really understand what's being done with that information, who it is being shared with or, in some cases, sold to.
One really good sort of rule of thumb is don't post things online that you don't want to make public and pay attention to some of this fine print instead of just scrolling and hitting accept and moving on. Also, take some common sense measures as well. For example, if you're using your laptop or your mobile phone and you have health information on it, make sure that it's password protected. Also watch out for scams. Just as there are scams in other areas such as the financial sector, the same is becoming true in medical, that there are actors out there that are trying to get health information in order to use it in scams, so just remain very, very vigilant. So those are some of the tips that I would have for patients.
Prakash Chandran: Yeah. That makes sense. And a lot of that is common sense, like don't post anything online that you don't want public, make sure things are password-protected, things of that nature, right?
Lori Manteufel: Yes. Exactly.
Prakash Chandran: So just before we close here, is there anything else that you wanted to share with our audience regarding compliance or any of the regulatory changes that we were discussing?
Lori Manteufel: I think the biggest thing just to remember is that there are changes on the horizon and those changes kind of have that balance. It's just like we talked about previously that patients are going to have more and better access to their own health information.
But then on the other hand, that also lays that burden of protecting that information from cyber security threats and others as well. And so it's a really interesting time and I'm really excited for the changes that we are going to be seeing over the next few years.
Prakash Chandran: As am I. It's an exciting time to kind of be around, especially with healthcare and all of this information, but just have to make sure that the price of peace is eternal vigilance, just to have to make sure things are secured and that we stay on top of all of these regulations. Isn't that correct?
Lori Manteufel: Yeah. Absolutely.
Prakash Chandran: All right. Well, Lori, really appreciate your time today.
Lori Manteufel: Thank you.
Prakash Chandran: That's Lori Manteufel, a project specialist at MetaStar. Thanks for checking out this episode of MetaStar Health IT radio. For more information on this topic and to access resources mentioned, please visit metastar.com/podcasts. That's M-E-T-A-S-T-A-R dot com forward slash podcast. My name is Prakash Chandran and thank you so much for listening.