Healthcare Privacy and Security—Predictions for 2019

By Rita Bowen, VP, Privacy, Compliance and HIM Policy for MRO
Twitter: @MROCorp

We are highlighting privacy and security trends and predictions to help Health Information Management (HIM) and other healthcare leaders navigate compliance in the coming year.

Patient-Directed Requests
Attorney misinterpretation of patient-directed requests (PDRs) was front and center in 2018 and will continue to require clarification and guidance in 2019. When the validity of a PDR is questionable, the patient should be contacted to clarify and confirm consent. Here are additional strategies for handling attorney requests submitted under the guise of a PDR:

  • Inform your state legislators of this questionable attorney behavior
  • Discuss the issue with HIM peers in your area
  • Hold meetings with your OCR representative to determine the best course of action
  • Question and verify (with the patient) any suspicious PDR

We welcome a dialogue with the Office for Civil Rights (OCR) for clarification of the guidance to ensure requests are made for the purpose of assisting the patient with continuity of care—the original intent of the guidance. At MRO, we use the criteria provided by the guidance. The request must be made by the patient, written in the first person and signed by the patient. It must clearly state who is to receive the information and provide the address of that person.

Global Data Protection Rule (GDPR)
Released in May 2018 in the EU, the GDPR provided information on breach protection and response, which could affect guidance in the U.S. regarding notification timelines, documentation controls and data protection rules. Attention to the rule will likely increase in 2019, prompting healthcare organizations to determine the changes needed to strengthen their privacy and security programs. Also, be aware of state action patterned after this rule.

Increased Information Collection
Technology will continue to advance through 2019—becoming faster and safer. With more apps and sophisticated technology, patients must be able to trust that their data is safe and secure. Here are several considerations:

  • What data will you protect?
  • What policies and procedures need to be reviewed?
  • Do you have a complete inventory of your data?

Digital mobile engagement is center stage—wearable devices, home monitors, patient portals, patient-generated health data (PGHD) and ongoing technology innovation. The goal is for patients to have a connected, fluid experience throughout the healthcare journey.

Increased Access to Care
The patient experience has changed over the past several decades—from the focus on where patients receive care to where patients search for and choose to receive care. Increased access to care includes urgent care, virtual care, retail settings and nontraditional players such as Amazon and Google. All use some type of technology involving Protected Health Information (PHI) that must be documented and protected.

Population Health, Data and Analytics
Total consumer health requires awareness of educational needs, especially considering the aging population and proactive management of healthcare. Consumers will benefit from initiatives that promote informed decision-making through awareness of available resources and rights regarding PHI. Those efforts demand emphasis on data collection, protection and analytics to improve population health and ensure compliance.

AHIMA’s Vision for 2019
AHIMA recently released its vision for 2019 as the year of transformation. Based on a back-to-basics strategy, AHIMA will emphasize core strengths and services to move HIM forward:

  • Coding/clinical documentation improvement
  • Advocacy/AHIMA World Congress
  • Privacy and security
  • Operational effectiveness—patient-focused access, quality improvement, artificial intelligence, precision medicine, privacy demands

The top three drivers will be security risks, business needs and evolving industry changes.

Technology and Cybersecurity
In 2019, advancements in technology will remain centered on interoperability and cybersecurity. Interoperability is critical to patient engagement and to the optimal EHR investment required for proper PHI disclosure management.

Additionally, cybersecurity must be a top priority to ensure effective information security programs. Organizations must clarify policies regarding:

  • Risk assessments versus gap assessments
  • Incident response
  • External support
  • Business Associates
  • Third-party assessments
  • Certifications, audits, standards

The evolution of cybersecurity threats means increasingly sophisticated ransomware and other attacks including cryptojacking and whaling. In case of a technology incident, the best strategy is a layered security model to protect, detect, identify and respond.

This article was originally published on the MRO Blog and is republished here with permission.