Connecticut Ave NW, Washington, DC Understanding Patient Engagement in Stage 2 MU: Direct, HIPAA, VDT, and Patient Engagement Deven McGraw Partner Manatt, Phelps & Phillips LLP with David C. Kibbe President and CEO DirectTrust Slides and transcript to be published at DirectTrust.org

Connecticut Ave NW, Washington, DC Note to Slides This presentation was provided by Deven McGraw during an interview by David C. Kibbe. The transcript of the interview provides the questions and longer text answers. Both the slide deck and the transcript are available from DirectTrust on the website

Connecticut Ave NW, Washington, DC HIPAA & HITECH Patients have the right to access their health information in the form or format they request, as long as the info is reproducible in that form/format (HIPAA). Patients can get this information electronically if information is stored electronically (HITECH). Patients can have information directly sent to a third party if the choice is “clear, conspicuous and specific.” (HITECH)

Connecticut Ave NW, Washington, DC What is acceptable digital format? Must have capability to provide some human readable digital copy (for ex., PDF). Not required to adopt every format requested by patients – negotiate re: mutually acceptable format.

Connecticut Ave NW, Washington, DC Sending to Third Parties “Clear, Conspicuous & Specific” means: – In writing (can be electronic) – Signed by the patient (can be electronic) – Clearly identifies designated person/entity and where to send the information.

Connecticut Ave NW, Washington, DC Responsibilities of Sender Covered entities may rely on the information provided in writing by the patient and need only have reasonable procedures in place to assure that the address provided by the patient is correctly entered. – “For example, reasonable safeguards [to be followed by the covered entity] would not require the covered entity to confirm that the individual provided the correct address of the third party, but would require reasonable procedures to ensure that the covered entity correctly enters the address into its system.” (page 5635)

Connecticut Ave NW, Washington, DC Must be Sent Securely? HIPAA Security Rule requires secure transmission of PHI – but: If patient requests in unsecure format, provider must sent “in the form or format requested by the patient.” Yes, in this case, the patient’s wishes can trump Security Rule obligations.

Connecticut Ave NW, Washington, DC Really? Yes – but you are expected to provide a “lite” warning about security risks to make sure patient is aware of choice he/she is making. – “We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the e- mail could be read by a third party. If the individuals are notified of the risks and still prefer unencrypted , the individual has the right to receive [PHI] in that way, and covered entities are not responsible for unauthorized access of [PHI] while in transmission to the individual based on the individual’s request. Further, covered entities are not responsible for safeguarding information once delivered to the individual.” (p.5634)

Connecticut Ave NW, Washington, DC HIPAA & VDT: Compatible? Two separate legal regimes – Meaningful Use (VDT) enforced by CMS, HIPAA by the HHS Office for Civil Rights (CMS). They convey separate rights – but it is possible to leverage one (VDT) to help you comply with the other (HIPAA).

Connecticut Ave NW, Washington, DC VDT - Professionals Under Stage 2 of Meaningful Use, eligible professionals are required to provide more than 50% of their unique patients with timely access to their health information. In addition, more than 5% of unique patients need to either view, download or transmit this information to a third party. Timely access means within 4 business days of the information being available to the professional.

Connecticut Ave NW, Washington, DC VDT- Hospitals Eligible hospitals and critical access hospitals must provide more than 50% of their inpatient or ER discharges with access to information about their hospital stay within 36 hours of discharge. They also must get more than 5% of their patients to use this functionality.

Connecticut Ave NW, Washington, DC What info must be provided? For professionals, information includes: – current and past problem list, procedures, lab test results, current medication list and med history, current medication allergy list and history, vital signs, smoking status, demographic information, and care plan fields (care team members, goals and instructions).

Connecticut Ave NW, Washington, DC What info must be provided? For hospitals, information includes: – admit and discharge date and location, reason for hospitalization, care team, procedures performed, current and past problem list, medications & allergies (current list and history), vital signs at discharge, lab test results available at discharge, summary of care record, and discharge instructions.

Connecticut Ave NW, Washington, DC How is HIPAA different? More information – patients entitled to all information in a “designated record set.” Longer lead time – up to 30 days, plus another 30 if information is stored off-site. Can charge for labor costs.

Connecticut Ave NW, Washington, DC Bottom Line Meaningful use may help you meet HIPAA obligations. Affirmatively provides relevant information for patients in a more timely (and possibly cheaper [for them]) way. VDT may be a “form or format” acceptable to both patient and provider. The “T” in VDT may help satisfy patients’ needs to get information to a third party.

Connecticut Ave NW, Washington, DC Certification Criteria The 2014 criteria require certification only to the ONC Applicability Statement for Secure Health Transport specification (not XDR and XDM for Direct Messaging) for the “transmit to third party at the request of a patient” functionality (e.g., the “T” in VDT). Final Stage 2 Rule: MU objectives must be met using certified technology (pages and 54037).

Connecticut Ave NW, Washington, DC Secure Messaging (Stage 2 MU) Relevant only to eligible professionals. More than 5% of an EP’s unique patients must send a secure message using the electronic messaging function of certified EHR technology (inflow not outflow). No particular technical standard required for certification; CEHRT must demonstrate the capability to “enable a user to send messages to, and receive messages from, a patient in a manner that ensures: both the patient (or authorized representative) and EHR technology user are authenticated; and the message content is encrypted and integrity-protected in accordance with the standard for encryption and hashing algorithms specified at [Section] (f).”

Connecticut Ave NW, Washington, DC Thank you! Deven McGraw Partner Manatt, Phelps & Phillips, LLP David C. Kibbe, MD MBA President and CEO DirectTrust