About Archer Lyle

Archer Lyle is Bridge Patient Portal's Chief Operations Officer. She specializes in patient engagement and electronic healthcare communications.


Author Archives: Archer Lyle


Is Skype® HIPAA Compliant?


Given the growing interest in video conferencing services for communicating with patients online, healthcare organizations often come to Bridge Patient Portal with questions about the use of Skype® for telemedicine, and whether the software meets HIPAA compliance standards. Though HIPAA doesn’t specifically mention the types of technologies that healthcare providers can use for video conferencing, there are three key issues to consider.

1. Encryption

Skype® uses AES 256-bit encryption to secure the different channels of communication that take place on the platform (chat sessions, voice calls and video calls). This level of encryption exceeds federal guidelines for transmitting protected health information (PHI), which set the minimum level of encryption as 128-bit. However, this is not the only factor to consider in determining HIPAA compliance.

2. The Business Associate Agreement

One of the most compelling reasons against the use of Skype® for healthcare provider-patient communication is that Skype® will not enter into a business associate agreement (BAA). A BAA is required under the HIPAA Omnibus Rule for any entity that creates, receives, maintains or transmits PHI on behalf of a healthcare provider, health plan or healthcare clearinghouse.

There are some debates as to whether Skype® qualifies as a HIPAA business associate due to the “mere conduit” rule, which states that a company is exempt from being a business associate if:

– It only transmits PHI in encrypted format

AND

– It never has access to the encryption key

The problem with Skype® is that, while the company states that it does not have access to the PHI that it transmits, it has been known to provide information to law enforcement. This means that it has access to the encryption key and is, therefore, considered a business associate.

Another factor to keep in mind is that the Omnibus Rule requires business associates to provide “satisfactory assurances” that PHI will be protected as required by HIPAA rules. However, Skype® does not state anywhere that its services can be used in a HIPAA-compliant way.

3. Audits and Breaches

The HIPAA Security Rule requires covered entities to use technologies that include audit controls by “implement[ing] hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Unfortunately, Skype® does not offer audit control tools for monitoring who has access to PHI, nor does it provide notifications in the event of a breach.

The Verdict: Is Skype® HIPAA Compliant?

While Skype’s® encryption methods are strong, overall it does not meet HIPAA compliance standards. Organizations that use the software to communicate with patients over the internet should be aware of the risks involved and consider using specialized, HIPAA-compliant video conferencing platforms instead. If the patient has a preference for using Skype®, be sure that there is a record of the patient’s acceptance of the use of non-HIPAA-compliant technologies.

HIPAA-Compliant Skype® Telemedicine Alternatives Do Exist

There are alternative options for video conferencing. Cisco, for example, offers HIPAA compliant video conferencing solutions for healthcare, as do a number of specialized telemedicine software/hardware vendors. The challenge with all of these systems is the cost and complexity of implementing the technology with patients, and the learning curve for patients in beginning to use software that they are more than likely unfamiliar with.

For consultations that do not require video, Bridge Patient Portal offers a HIPAA-compliant e-consultation platform. Bridge allows for two types of secure communication between patients and physicians: secure messaging and telephone calls, including integrated VoIP calling. Bridge provides a business associate agreement to the covered entities that they work with, and continuously monitors regulatory requirements to ensure compliance. Bridge Patient Portal can also be integrated with a variety of 3rd party video conferencing solutions, facilitating pre-consultation communication, billing and intake.

Does your organization offer e-consultations? Let Bridge know which software you use and how your experience has been thus far.

To learn more about HIPAA and email/SMS communication, read our article: The Facts about HIPAA and Email/SMS Communication with Patients


The Facts about HIPAA and Email/SMS Communication with Patients

As more healthcare providers begin to use email and text (SMS) messaging to communicate with patients, concerns about the HIPAA Security Rule and how it applies to electronic messaging have grown, and so has the confusion.

HIPAA law makes very few specific statements about what is and isn’t acceptable when it comes to electronic messaging – which leaves the execution of the law open to interpretation. Many providers are left making assumptions based on what others tell them or what their colleagues do. The reality is that very few truly understand how to apply the 400+ page 1996 HIPAA law in today’s ever-changing health IT environment.

On the Department of Health and Human Services (HHS) HIPAA FAQs page, it is stated that the Privacy Rule “allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so.”

As patient engagement strategists, Bridge Patient Portal fully supports electronic communication to improve patient care, assuming the right precautions are taken.

The Encryption Issue: Do I need to send encrypted emails to my patients?

Before we get into best practices for communicating with patients electronically, we’d like to clear up one important matter regarding the emailing and texting of electronic patient health information (ePHI).

The word encryption is used frequently when discussing ePHI, as any covered entity should be communicating ePHI internally using encryption technology. This usually doesn’t present a problem because intra-organizational communication is quite easy to keep secure. However, if you want to use encrypted emails when communicating with a patient, things get a little bit more complicated.

While a covered entity can encrypt its end of the email transport, it’s difficult to ensure the security of the email once it leaves the organization’s server. In order for completely encrypted email communication to be achieved, the patient would need to use an email service that supports HIPAA-level encryption. The Privacy Rule recognizes this, and grants individuals access to ePHI in the format that they wish to receive it, i.e. unencrypted email. Nowadays, the issue of encryption is becoming less and less of a concern as email services such as Google and Yahoo! are implementing stricter security policies every day.

The bottom line is that the patient must request to receive unencrypted emails and be made aware of the risks. See section 45 CFR 164.524 for more details on a patient’s right to access PHI.

Applying HIPAA to your email protocol

Here are some recommendations to consider when implementing HIPAA regulations and requirements in your office and establishing your patient electronic communication protocol:

HIPAA Standard 164.312(d): Implement procedures to verify that persons or entities seeking access to ePHI are who they claim to be.

Practical advice: Double-check and triple-check to be positively sure that the email address or phone number is correct before sending.

Implement a system to help ensure that the information you receive from the patient is authentic and verified in the first place.

HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures.

Practical advice: Do not use the patient’s name, initials, or medical record number in the subject line of an email.

Also, do not use direct patient identifiers in the message content. This includes:

1. Names
2. All geographical subdivisions smaller than a state – including street address, city, county, precinct, zip code, and their equivalent geocodes. The initial three digits of a zip code may be acceptable, however, if according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
3. Dates. Except for year, all elements of dates directly related to an individual – including birth date, admission date, discharge date, date of death. This also includes all ages over 89 as well as all elements of dates indicative of the patient being over 89 (including year). Such ages and elements of dates may be aggregated into a single category of “age 90 or older.”
4. Phone numbers
5. Fax numbers
6. Electronic mail addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)

HIPAA Standard 164.306(b): Implement reasonable and appropriate security measures. (Continued)

Practical advice: Limit the amount of personal health record information you include in electronic communication. Don’t include any highly sensitive information, defined as:

1. Mental Illness or Developmental Disability
2. HIV/AIDS Testing or Treatment
3. Communicable Diseases
4. Venereal Disease(s)
5. Substance (i.e., alcohol or drug) Abuse
6. Abuse of an Adult with a Disability
7. Sexual Assault
8. Child Abuse and Neglect
9. Genetic Testing
10. Artificial Insemination
11. Domestic Violence

Considering that many email addresses are shared with spouses, it’s best practice to avoid sensitive information whenever possible.

Additional Best Practices

  • Include a disclaimer regarding patient privacy in all communication.

Sample: The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.

  • Seek patient consent prior to contacting patients by email or SMS, and inform them of any privacy issues. Keep a record of this acceptance. This is commonly referred to as an “opt-in agreement”.
  • Educate patients. Encourage them to protect their devices/computers with passwords and enable an automatic logoff. Create an advertising campaign to make patients aware of security concerns. It is also best practice to force password changes every 6 months.
  • Allow alternative options for communication upon patient request. Make these options clearly visible in the email or text message body.

The most important thing to know in applying HIPAA law

In our interpretation of HIPAA law, the bottom line is to put the patient first. Make sure they understand the risks and agreements they are entering into (using simple language – not just a lengthy terms & conditions document). Once patients feel comfortable and secure, you can confidently leverage technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS) to enhance the patient experience.

1: http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/deident.html


This material is intended for general information purposes only and does not constitute legal advice. The reader should consult legal counsel prior to implementing any HIPAA communication policy or technology (HIPAA secure messaging, HIPAA compliant email, HIPAA compliant SMS).

Meaningful Use: A Comprehensive Guide – Part IV: MACRA

Given the time-sensitive nature of the MACRA program, this article is outdated. Please refer to Bridge’s MACRA 101 article for a more current explanation of the MACRA program and how it relates to a patient portal.

As we head into the second half of 2016, it is difficult to talk about Meaningful Use without mentioning the Medicare Access and CHIP Reauthorization Act (MACRA), the new healthcare legislation that is shaping up to begin in January 2017. There has been a lot of buzz that Meaningful Use is ending with the approval of this new legislation, but that is not exactly the case. While the words “meaningful use” may start to fade out of our everyday lexicon, don’t be fooled into thinking that Meaningful Use is going away. Under MACRA, it’s basically just been repackaged and tied up with a bow, as a piece of this larger incentive program.

How Can Bridge Help You Meet Meaningful Use Stage 1 and Stage 2 Criteria?

A 2014 Edition certified patient portal is an integral piece of the Meaningful Use attestation process. Bridge Patient Portal is 2014 Edition certified on 17 modular EHR criteria, making it an excellent choice for any healthcare practice or hospital to use in combination with their EHR software to receive federal incentive dollars.

Using Bridge Patient Portal alone, healthcare organizations can meet 45% of the base criteria for Meaningful Use Stage 2. Paired with a certified EHR solution, Bridge can be used to meet 100% of Meaningful Use Stage 1 and 2 criteria.

Here are some of the ways that Bridge can help you attest for Meaningful Use:

Meaningful Use Stage 1

Stage One stipulates that a healthcare provider must meet any five of the Meaningful Use Menu Set Objectives. One example: 10% of all patients seen are provided with timely electronic access (within four business days) to their health information.

Our Solution: All patient accounts are activated as soon as they register with the Portal. Providers can allow registered patients electronic access to their health information as soon as they like.

Meaningful Use Stage 2 for Practices

Core objective #17: Use secure electronic messaging to communicate with patients on relevant health information.

Our Solution: Bridge Patient Portal offers a secure messaging system that allows each user to send messages to other users whom they have added as contacts in their profile.

Meaningful Use Stage 2 for Hospitals

Menu objective #2: Record electronic notes in patient records.

Our Solution: Using the Progression section, physicians can take notes such as identifying information and presenting problem; mental status and risk assessment; diagnostic impression evaluation; treatment goals, and more.

Call 866-838-9455 to learn more about attesting for Meaningful Use with Bridge Patient Portal.

 

Patient Portal, Meaningful Use and ACOs

For those not entirely familiar with Accountable Care Organizations, here’s a brief explanation:

Accountable Care Organizations (ACOs) are groups of medical providers who take collective responsibility for the quality, cost and overall care of Medicare patients. The goal of ACOs is for Medicare patients, specifically the chronically ill, to receive high quality care without the duplication of services and medical errors commonly seen in other models. In return for taking this responsibility on, ACO members receive reimbursements when they meet quality metrics and reductions in cost of care. ACOs haven’t completely removed traditional fee-for-service payments, but they offer bonuses when costs are kept down and care quality is high.

ACOs offer a paradigm for a new fee-for-value model – a model that we expect to see most healthcare organizations moving towards in the future.

Trend Towards a Value-Based Model

The historical growth of the Accountable Care Organizations market is demonstrated below, with the number of ACOs having increased dramatically between 2010 and 2013. This trend is predicted to continue, with ACOs expected to double by the end of 2014.

[Figure: ACO growth]

Source: Accountable Care Growth in 2014

ACOs and Meaningful Use

There is 58% overlap between the requirements for ACOs and requirements for Meaningful Use – regulations that are affecting all healthcare providers in the U.S. In addition to federal government efforts to shift to a value-based model, shifts have also been happening in the managed care market. There is little doubt that healthcare payment reform is impending. There is general consensus that the U.S. healthcare industry must replace the costly fee-for-service model with something more efficient and high-quality. These major policy trends hint at a larger shift toward a value-based model, and some private sector organizations have even successfully embraced the value-based model. Therefore preparing now to attest for all the Meaningful Use stages will not just allow organizations to receive stimulus dollars, but also prepare them for upcoming changes to reimbursement models.

Patient Portals

Meaningful Use patient portals are an integral tool for ACOs to accomplish their goals. At the most basic level, patient portals enable organizations to qualify for accountable care or wellness incentive payments. In addition, they are becoming a critical tool for providers to keep costs down and quality of care high – the essence of the accountable care model.

A growing body of research studies has proven that participation in an online healthcare portal improves patient engagement [1]. Additionally, patients engaged in their own healthcare have proven to have better clinical outcomes [2]. The Bipartisan Policy Center reported [3] that patient engagement is associated with:

  • Reduced diagnostic testing and expenditures
  • Fewer referrals
  • Fewer elective surgeries
  • Increased adherence to prescribed medical treatments
  • Increased functional status and faster recovery
  • Higher levels of satisfaction
  • Higher levels of health literacy
  • Higher levels of positive health-related behavior changes

An engaged patient is also critical for an ACO because, unlike traditional Health Maintenance Organizations (HMOs), a patient is not restricted to visiting providers in the ACO network. This means the ACO must do an outstanding job of keeping a patient satisfied and engaged with the providers in the network.

Patient portals help organizations provide care at a lower cost, allowing them to meet the ACO financial requirements. There are basic cost benefits related to efficiency and productivity and more complex benefits as well. Patients can be significantly involved in the delivery of their care and perform tasks without care team assistance. Portals can also allow organizations to contract lower cost staff (i.e. outsourced staff) to assist in the care management remotely. Through more frequent online care, ACOs can avoid readmissions and costly emergency visits.

Sources

1: http://e-patients.net/archives/2014/08/new-evidence-engaged-activated-patients-do-better-and-cost-less.html
2: The American Journal of Managed Care, March 2012
3: http://bipartisanpolicy.org/sites/default/files/BPC_Engaging_Consumers_Using_Electronic_Tools.pdf

How to Use a Patient Portal to Meet Meaningful Use Stage 2

Patient engagement is a buzzword that’s been flying around for a while. In case you’re not familiar with it, here are a few industry definitions.

  • “The process by which patients become invested in their own health.”
  • “Patients’ use of educational materials and online resources to learn about better health and/or their own health conditions.”
  • “When a patient feels comfortable challenging their doctor when something doesn’t seem right or when explanations are not clear.”
  • “Actions individuals must take to obtain the greatest benefit from the health care services available to them.”
  • “Patient engagement is a broader concept that combines patient activation with interventions designed to increase activation and promote positive patient behavior, such as obtaining preventive care or exercising regularly.”

What Does It Mean For You?

Let’s Start with Meaningful Use Stage 2

To meet Stage 2 as an eligible professional (EP), you must use a patient portal to meet the following Core Objectives:

  • Core Objective: Provide clinical summaries for patients for each office visit.
  • Measure: Clinical summaries provided to patients or patient-authorized representatives within one business day for more than 50 percent of office visits.
  • Core Objective: Use secure electronic messaging to communicate with patients on relevant health information.
  • Measure: A secure message was sent using the electronic messaging function of CEHRT by more than 5 percent of unique patients (or their authorized representatives) seen by the EP during the EHR reporting period.
  • Core Objective: Provide patients the ability to view online, download and transmit their health information within four business days of the information being available to the EP.
  • Measure 1: More than 50 percent of all unique patients seen by the EP during the EHR reporting period are provided timely (available to the patient within 4 business days after the information is available to the EP) online access to their health information, with the ability to view, download, and transmit to a third party.
  • Measure 2: More than 5 percent of all unique patients seen by the EP during the EHR reporting period (or their authorized representatives) view, download, or transmit to a third party their health information.

To meet Meaningful Use Stage 2, you may use Bridge Patient Portal OR your EHR to meet the following objectives:

  • Core Objective: Record the following demographics: preferred language, sex, race, ethnicity, date of birth.
  • Measure: More than 80 percent of all unique patients seen by the EP have demographics recorded as structured data.
  • Core Objective: Record and chart changes in the following vital signs: height/length and weight (no age limit); blood pressure (ages 3 and over); calculate and display body mass index (BMI); and plot and display growth charts for patients 0-20 years, including BMI.
  • Measure: More than 80 percent of all unique patients seen by the EP have blood pressure (for patients age 3 and over only) and/or height and weight (for all ages) recorded as structured data.

The Good News?

You’ve chosen a patient portal system designed for patient engagement and a service team that is prepared. We don’t just expect you to meet the 5% messaging requirement – we want you to exceed it.

Here Are Some Tips for You:

  1. Understand your patients’ behavior and demographics. 
    1. Why do they want to use the portal? For example:
      1. For chronic condition management patients, you should promote:
        1. Lab results
        2. Vitals tracking
        3. Care plans
        4. Communication with a coach or provider
      2. For healthy patients, you should promote:
        1. Appointment scheduling
        2. Wellness (e.g. health tips, HRA assessments)
        3. Diet/exercise management
        4. Communication with a coach or provider
  2. Align the patient portal with your organization’s strategic goals.
    1. Include the goal of patient engagement in your hospital or practice’s policies, job descriptions, and mission and vision statements.
  3. Create value in enrollment.
    1. Start an enrollment drive.
    2. Create competitions among affiliated practices.
    3. Provide tablets/kiosks in waiting rooms.
    4. Create a marketing campaign.
      1. Promote on social media
      2. Send newsletters out to patients.
      3. Hand out paper marketing materials in your office (e.g. flyers, brochures, appointment cards)
      4. Promote on your website
    5. Include enrollment as part of the registration process.
      1. Make sure to collect email addresses from all patients upon intake.
      2. Have a help desk at the office for enrollment.
    6. Designate at least one “enrollment advisor” who knows how to walk patients through registration and tutorial.
  4. Encourage providers to promote the portal. Patients listen to doctors. 
    1. Provide training and incentives for providers to connect with patients using the portal.
    2. Providers should acknowledge that their patients use the portal and encourage continued use: “Thank you for using our portal. We see that you care about your health.” 
  5. Promote continued use.
    1. Portal use doesn’t stop at enrollment. Encourage continued use of the portal by communicating with patients via the portal. Assign a portal advisor to each patient to follow up at intervals after enrollment.

Attestation

The Bridge Patient Portal has a built-in Meaningful Use reporting module where you can export a report based on Core Objective, Provider and Reporting Period. A Bridge team member can help you run these reports when it comes time to attest.