Improving Patient Outcomes through Secure Data Exchanges
Michael L. Nelson, DPM, VP of Healthcare Strategy, Equifax

Learning Objectives
1. Review HIPAA privacy rule and ways to implement the ruling in patient portals and information exchanges
2. How to prevent inappropriate access to PHI and PII
3. Explore identity-proofing processes

Institute for Healthcare Improvement Triple Aim
1. Improve the health of the population
2. Enhance patient experience and outcomes
3. Reduce per capita cost of care

Achieving the Triple Aim will require coordination of care driven by secure, private, interoperable health information exchange, which in turn relies upon:
- Unambiguous Patient Identification
- Encrypted Internet Communications
- Trust Hierarchy and Authentication

1996 HIPAA Administrative Simplification
- Improve the efficiency and effectiveness of the health care system by standardizing the electronic data interchange of certain administrative and financial transactions.
- Protect the security and privacy of transmitted information.

Title II - Subtitle F – Administrative Simplification

Unambiguous Patient Identification
- Patient records are dispersed across multiple treatment facilities and geographies that have disparate technologies
- False positive medical record matches co-mingle information from 2 or more different people, which is a safety issue
- False negative medical record matches fail to link multiple records for the same person, resulting in a fragmented, incomplete EHR which can compromise outcomes
- Although a unique patient identifier is written into the HIPAA law, the federal government refuses to fund its creation due to privacy concerns of consumer groups

Unambiguous Patient Identification
- The current state of patient matching is unacceptable
- ONC, CHIME, AHIMA, AHA, and other industry groups have prioritized improving match accuracy in light of the digitization of medical records and meaningful use requirements
- Master Patient Index match accuracy is limited by the quality of the data being fed into the matching algorithms
- Address changes and name changes due to marriage and divorce are the biggest culprits when it comes to matching
- A reliable 3rd-party data solution company is a great solution for improving patient matching
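The false-positive and false-negative matches described on the two slides above can be reproduced with a toy Master Patient Index. This is an added example, not code from the presentation; the records, the matching rules and the prior_lasts/prior_zips fields (standing in for verified name and address history) are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Rec:
    rid: str
    first: str
    last: str
    dob: str                              # YYYY-MM-DD
    zip5: str
    prior_lasts: frozenset = frozenset()  # hypothetical field: verified former surnames
    prior_zips: frozenset = frozenset()   # hypothetical field: verified former ZIP codes

def norm(s):
    return "".join(c for c in s.lower() if c.isalnum())

def strict_match(a, b):
    """Exact agreement on all four fields: misses people who married or moved."""
    return all(norm(x) == norm(y) for x, y in
               ((a.first, b.first), (a.last, b.last), (a.dob, b.dob), (a.zip5, b.zip5)))

def loose_match(a, b):
    """First name + date of birth only: links different people."""
    return norm(a.first) == norm(b.first) and a.dob == b.dob

def _known(current, prior):
    return {norm(current)} | {norm(p) for p in prior}

def history_match(a, b):
    """Like strict_match, but surname and ZIP may also agree via a known prior value."""
    return (loose_match(a, b)
            and bool(_known(a.last, a.prior_lasts) & _known(b.last, b.prior_lasts))
            and bool(_known(a.zip5, a.prior_zips) & _known(b.zip5, b.prior_zips)))

def evaluate(rule, records, truth):  # -> (false_positives, false_negatives) over all pairs
    fp = fn = 0
    for a, b in combinations(records, 2):
        same, linked = truth[a.rid] == truth[b.rid], rule(a, b)
        fp += linked and not same
        fn += same and not linked
    return fp, fn

RECORDS = [  # constructed sample records, not real patient data
    Rec("A-1", "Maria", "Lopez", "1984-03-12", "30301"),   # registered before marriage
    Rec("B-7", "Maria", "Nguyen", "1984-03-12", "98101", frozenset({"Lopez"}), frozenset({"30301"})),
    Rec("C-4", "Maria", "Ortiz", "1984-03-12", "60614"),   # a different person
]
TRUTH = {"A-1": "p1", "B-7": "p1", "C-4": "p2"}            # record id -> actual person
print({r.__name__: evaluate(r, RECORDS, TRUTH) for r in (strict_match, loose_match, history_match)})
```

The strict rule fragments one patient into two records, the loose rule merges two patients, and only the rule fed with name and address history links the records correctly.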

Unambiguous Patient Identification
- Each yr., 200K-300K counterfeit driver’s licenses are introduced in the U.S.
  - Registrars are not trained to detect counterfeit driver’s licenses
  - Many patients do not have driver’s licenses
- All other patient information is self-reported on a registration form
  - Can be falsely reported
  - Fat finger errors
- Increased patient payment responsibility due to high deductibles and co-payments creates an environment ripe for fraud
  - Medical identity theft is the fastest growing fraud in the U.S.
- Biometrics?
  - You had best identity-proof the patient before linking a biometric to him

Evolution of the Healthcare Paradigm
[Diagram. Labels: Quality Reports to Clinicians, Payers, and Public; AHRQ Best Practice Rules; Lab; Pharmacy; External Data Sources; Public Health; Patient; Electronic Health Record System; Paper Records; Clinical Decision Support System; Complete the Feedback Loop; Clinicians; Secure HIE Network]

Future for Healthcare
- Goal: Best Care at Lower Cost.
- Means: Clinician/Patient direct interaction with Clinical Decision Support System (CDSS) (“Meaningful Use”), Evidence-Based Medicine (EBM)
- Drivers: HIE + EHR + CDSS + EBM => SAVES LIVES and $$$
  - Interoperable HIE is KEY to Meaningful Use of HIT which, in turn, is KEY to continuously learning healthcare system!
- Requires: EHR (with CDSS, EBM, and HIE) and:
  - Interoperability with sources of clinical data and sources of computable rules for best clinical practices (Standards).
  - Incentives to incorporate into healthcare practice (Resources and Regulations).
  - Investigations of systemic failures to enable systems that detect and prevent errors through best practices at the point of decision making (Research).
  - Trust through interoperable security and privacy (including patient consent).

Future for Healthcare
- Health Information Exchange
  - Verb
  - Noun
- Physician Engagement
- Patient Engagement
- Must prevent inappropriate access to PHI
  - Is the doctor who he says he is?
  - Does the doctor have an active license at that point in time?
  - Is the doctor sanctioned federally or in any state?
  - Is the patient or the patient’s representative who he says he is?
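The three provider questions on the slide above can be expressed as a check evaluated on the date of each PHI request rather than once at enrollment. This is an added example, not code from the presentation; the data model, the names and the sample provider are assumptions, and the patient/representative check is left out.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class License:
    state: str
    valid_from: date
    valid_to: date            # last day the license is active (inclusive)

@dataclass(frozen=True)
class Sanction:
    jurisdiction: str         # "federal" or a state code
    start: date
    end: Optional[date]       # None means the sanction is still in force

@dataclass(frozen=True)
class Provider:
    provider_id: str          # constructed placeholder identifier
    identity_proofed: bool
    licenses: tuple
    sanctions: tuple = ()

def phi_access_decision(p, on):
    """Return (allowed, reasons) for a PHI request made on date `on`."""
    reasons = []
    if not p.identity_proofed:
        reasons.append("identity not proofed")
    # The license must be active on the request date, not merely at enrollment.
    if not any(l.valid_from <= on <= l.valid_to for l in p.licenses):
        reasons.append("no active license on request date")
    # A sanction in any jurisdiction blocks access, even outside the licensing state.
    for s in p.sanctions:
        if s.start <= on and (s.end is None or on <= s.end):
            reasons.append(f"sanctioned: {s.jurisdiction}")
    return (not reasons, reasons)

# Constructed sample: licensed in OH through 2023, sanctioned in TX from mid-2022.
DR_EXAMPLE = Provider(
    provider_id="PROVIDER-0001",
    identity_proofed=True,
    licenses=(License("OH", date(2020, 1, 1), date(2023, 12, 31)),),
    sanctions=(Sanction("TX", date(2022, 6, 1), None),),
)

if __name__ == "__main__":
    for day in (date(2021, 5, 1), date(2022, 7, 1), date(2024, 2, 1)):
        print(day, phi_access_decision(DR_EXAMPLE, day))
```

The same provider is allowed in 2021, denied in 2022 because of the out-of-state sanction, and denied in 2024 for both the sanction and the lapsed license.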

TRUST Requires Assurance of Identity
- High level of assurance that the person who is sending information is who they say they are.
- High level of assurance that the person who is receiving information is who we think they are.
- High level of assurance that the patient identified in the information is who we think they are.
- These mechanisms are dependent on high assurance identity proofing and multi-factor authentication.
  - Certified NIST Level 3 compliant assurance now available commercially at reasonable prices.

HIPAA Security Rule of Thumb
- Assess risk.
  - Identify & assess risks/threats to electronic information: Availability, Integrity, and Confidentiality
  - Consider the probability and criticality of each potential risk.
- Manage risk.
  - Consider size, complexity, technical infrastructure, hardware, and software security capabilities, and costs.
  - Implement reasonable and appropriate administrative, physical, and technical security safeguards.
- Educate/Train.
- Document and Monitor.
- Repeat cycle periodically … forever!
  - “Reasonable and appropriate” used 75 times in 75 page reg.

Identity Assurance is the Backbone of Trust
- Risk Analysis determines the level of identity authentication required under HIPAA.
  - Clinical environments require frequent, repetitive logons by staff from relatively secure locations where other factors limit access by unknown persons.
    - Username and password are often considered adequate here.
    - If not, the controlled environment allows other factors to be used.
      - ID cards, RFID chips, tokens, fingerprints.
  - Unsecured environments require stronger authentication.
    - Home, hotel, Starbucks, …
    - Cannot use additional hardware or software.
    - Cannot scale expensive mechanisms such as portable devices (tokens) to consumers.

Conclusions
- Improving Patient Outcomes
  - Unambiguous Patient Identification
    - Back End: Cleanse MPI leveraging 3rd-party reliable data to link all of a patient’s historical records into a complete EHR
    - Front End Registration/Enrollment: Identity-proof patients and their representatives to prevent false positive matches
  - Security Risk Assessments
  - Encrypted Internet Communications
    - Desktops, laptops, flash drives, medical devices
  - Trust Hierarchy and Authentication
    - Access management and prevention of inappropriate access to PHI and PII