How can Hospital Systems Support Both Ends of the Spectrum of Securing & Sharing Patient Data?

Video first appeared at This Week Health's TownHall, titled "Situational Awareness: Assessing how to Comply with Both the 21st Century Cures Act & HIPAA". Sharing or not sharing, you need SePHIA – Situational ePHI Awareness.

How Can Hospital Systems Support Both Ends of the Spectrum of Securing & Sharing Patient Data? (Video Transcript)

Frank Nydam (Tausight CEO): Conflicting ideas, information sharing data, blocking compliance, sharing PHI, not sharing it. All these terms are in block with each other. They seem to conflict with each other. If you're speaking with your board, you have to share information. You need to secure information. How do you rationalize those both ends of the spectrum?

Aaron Miri (Senior Vice President, Chief Digital Officer, Baptist Health): Great question. So you're exactly right. You have the 21st Century Cures Act, which is signed into law, that basically gave assurances to the public, to a patient, that your information as a patient is accessible to you on demand where you want it, how you want it, where you want it. Then you have HIPAA, which says, all right, covered entity, a.k.a. hospital, or healthcare delivery organization, you're accountable if you inadvertently disclose patient Aaron's information. So then you're looking as a hospital going, wait a minute, I'm doomed if I do share all the information, I'm doomed if I don't. So how do I do this? So what we've begun to do is crosswalk and look at exactly what the criteria are for how you share appropriately. In the information sharing regulations, you are allowed to delay sending information if you can prove reasonable harm and also for other security concerns, but you have to work with your patient. That's asking for it to teach them, "Hey man, you don't want to put this data in this app that's, guess what, hosted in China because of potential concerns."

But the problem is we've never had real visibility to where ePHI is going. So now think about… I'm patient Aaron presenting to Baptist Health saying, "Hey, I want my data sent to this app." How do I know as a CIO that the data made it to that app or should not be going to that app? And more importantly, where all of patient Aaron's information is? Today you think about it, you're like, "Oh, it's in the electronic health record." Actually, it's not. It's in hundreds, if not thousands, of other systems that surround the EHR. While the EHR is important, it is not the end all be all. This October, information blocking actually antes up the rules. On October 8th of '22, this year, there's now a full definition for EHI – Electronic Health Information. That is HIPAA plus the designated record set, which is all the other information contained about Aaron, plus anything else that is contained in that. And so when you look at the total spectrum of data, that is a tremendous amount of data points. It's not just what's confined in HIPAA, it's everything. Now you really raise the stakes, because the penalties are a certification of completion and it's a certification of accreditation that could be in jeopardy, and making sure that, as part of the process when you attest to CMS, I am actually following this. You know it's only a matter of time before there's regulation out there. It's already being composed and it's going through rulemaking of just what that's going to be. Is it the OIG that shows up and knocks on the door going, "Hey man, we want to know what Baptist Health does" – or what's going to happen? We will find out soon, but right now we are trying to get our act together and preparing for that, because of a condition of participation issue that could happen if you do not comply with information blocking. And of course, we all know what the penalties are for not complying with HIPAA.