HIPAA Privacy Compliance for E-Health Sites


1 HIPAA Privacy Compliance for E-Health Sites
Michael Rozen, MD, Chief Privacy Officer, VP, Consumer Affairs, WellMed, Inc.
11:30 Enhancing the Doctor/Patient Relationship Using Online Health Tools
With patients able to track billing and claims submittal online, research healthcare providers, and have access to their own records, they are becoming more active participants in the disease management process. Are we seeing a consumer revolution changing the healthcare paradigm and driving the future of healthcare? What changes need to be implemented to adapt to the new consumer? This session directly explores how the necessary tools for E-health empowerment can be used to enhance the doctor/patient relationship. Specifically you will hear:
· How the changing healthcare paradigm promotes the doctor/patient relationship
· Overcoming the challenges that arise in establishing interactive health communication
· Understanding how Web-based strategies will raise the bar beyond customization and personalization
· Identifying more opportunities for improving patient satisfaction numbers
Michael J. Rozen, M.D., Vice President Consumer Affairs and Director of Health Record Security, WELLMED, INC.

2 Howard Bell, Writer, Healthcare Informatics, Feb, 2000 “We are in the very early stages of health care informatics—just climbing out of the primordial cyber soup to blink like kids at the future and all its potential.”

3 Who Is On The Web Chronically Ill Recently Diagnosed Friends & Family
US Adults on Web 114 Million 86 % looking for health Who Is On The Web Harris Interactive 2000 Chronically Ill Recently Diagnosed Friends & Family Worried Well Health Savant Consumers, Patients, End Users, Visitors • The chronically ill —Seek greater control over their illnesses through knowledge. Immobility may bring about need for instant, at-home access to condition-specific news and treatment updates. • The recently diagnosed —Concerned and wanting as much information as possible about their condition, what they can do to improve it and the resources available to assist them. • Friends, family—Predominately mothers, years old, married, working at least part-time, at least one child and one aging parent, middle income or higher, some college education, Internet savvy, worried about unhealthy or chronically ill children or loved ones, or wanting simply to take a more proactive approach to their family's health. Also, grown children of elderly parents and concerned friends and acquaintances who want to be helpful. • Worried well—People looking for reassurance, that they are not likely candidates for disease, for instance, or that their benign symptoms are not an indication of serious illness. • Health savant—Vigorously healthy, self-improvers seeking ever greater health. May be looking for the latest dietary news, latest studies Examples of a person managing diabetes and another person

4 New Patient - New Attitude
Better educated Technology-savvy Self-directed Expect quality service Less loyal Higher expectations We are seeing a fundamental shift in the way people are managing their lives. Looking at it in business terms, there is a higher degree of an entrepreneurial spirit. This shift in attitude and action can be seen in many facets of life and on many levels. The Internet has been a major catalyst in . Let’s first take a look at the financial services industry: The skeptics in the financial services industry were blown away with the hordes of people who went online to trade. (Schwab and ML) Households paying bills via the web will grow from 1.8M in ‘98 to over 20 M by (Jupiter, FSO) Web-banking households will grow from 3.8 M in 1998 to >26M by 2003 (25% of all banking households in the US) Jupiter forecasts that by 2003, of all stock-owning households, 41% will be online trading households Revenues will grow more modestly from 240M to over 1B by 2003 cementing online banking less as a driver of revenue than one of cost savings, customer retention, and geographic expansion ___________ Consumers can go online today to: Book travel, comparison shop for home electronics, conduct sophisticated financial transactions (find the most competitive mortgages, life insurance and even manage their retirement funds) and even buy a lear jet ($40M dollars) They want to be able to go to the web and easily find reliable, relevant information, evaluate a doctor, a health plan a treatment option or even a procedure. Some people in the ehealth industry are amazed by the poor performance of their public currencies. Most complain about an inability to monetize their traffic, people are unwilling to pay for health information etc… I would suggest that they have not delivered a strong value proposition. Let's think about Amazon.com for a bit.
***May or may not discuss*** Couple of facts – 7 years ago a technology futurist spoke to the ABA about the emergence of the Internet as a commercial platform. He indicated that someone had an opportunity to create a national presence for a fraction of the cost of Barnes & Noble etc, he also indicated that in his opinion it would be someone from outside their industry that would execute on the big idea as they were too busy solving real day-to-day challenges. When Amazon started they were a simple bookstore offering a broad array of titles undercutting the traditional booksellers on both price and availability. Using technology they have focused on delivering an outstanding customer experience; they use personalization to deliver recommended titles after I place an order, I immediately receive a confirmation when the product ships I receive a second letting me know when it will arrive the product is on my doorstep almost without fail (often times they actually ship ahead of schedule and even upgrade my shipping preference) Then they send me an informing me of new releases from my favorite authors, special sales etc Amazon has set the bar for quality, anything less than this is unacceptable. (It has taken them 5+ years and billions of dollars but they have set the bar)

5 New Patient – New Needs - Harris Interactive Now let's look at health
WHAT ARE THEY LOOKING FOR: Information/news: People expect to find reliable, personalized healthcare information (30K sites make it nearly impossible) Physician communication: Many want to communicate and/or schedule an appointment with their doctor (almost impossible), Online benefit management: Most want to receive their benefit information online (completely impossible) Interactive health programs Plan and physician report cards Community Personal medical records WHERE ARE THEY LOOKING? You would hope that the new consumer would look to their health provider first, but instead they find most of their health information through online services. (One group we were talking to has over 5M members, and are receiving 20,000 unique visitors on a monthly basis – No repeat traffic) WHERE WOULD THEY LOOK? … they WOULD come to you! “Patients also distrust many online health information sources. A survey released by LaurusHealth.com shows that over two-thirds of patients found the websites recommended by their doctor most credible while 56 percent trusted sites affiliated with doctors and hospitals. Commercial sites barely scored in the credibility stakes. Where consumers' health is concerned, they still rely on the traditional trusted sources of information and advice.” - Harris Interactive

6 The Opportunity 64% looked for health information online
50% want information from doctor’s office 46% would use a site offered by a health plan 42% welcome information from a hospital site - CyberDialog, Cybercitizen Health 1st build: 64% have looked for health information online within 6 months …BUT patients distrust many online health information sources. A survey by LaurusHealth.com shows that over two-thirds of patients found the websites recommended by their doctor most credible while 56 percent trusted sites affiliated with doctors and hospitals. Commercial sites barely scored in the credibility stakes. Where consumers' health is concerned, they still rely on the traditional trusted sources of information and advice. This desire for credible, medically valid information is reinforced by the following research: 2nd build: 50% interested in information from a doctor’s office (currently 4%) 3rd build: 46% would use an Internet site offered by a health plan (currently 7%) 4th build: 42% would welcome information from a hospital site (8% report finding what they want)____ The consumer has spoken and in fact is telling us exactly what he/she wants. The consumer wants personalized, relevant, medically valid info that is blessed by their provider. “Can they go to your site to get it?” The groups that deliver this solution will increase marketshare, customer loyalty and my belief is that you will drive down health management costs ___OTHER STATISTICS THAT ARE NOT NEEDED TO MAKE THIS POINT: 21% will switch to a provider with a web site 19% would move to a doctor who uses 17% would switch to a health plan in order to manage benefits online 82% want a ‘personalized’ health/disease management site Source: CyberDialog, Cybercitizen Health SERVING THE NEEDS OF THE INDIVIDUAL CONSUMER --Jupiter estimates that nearly half of Internet users go online to find health information. --68% of approximately 88 M adults accessing the Internet are obtaining healthcare content.
(The lowest number I have seen is 50% of people have looked for healthcare info – once) --(remember that by M persons will be online) --just 3.7 million US adults the doctor's office, but 33.6 million said they would like to do so. –cyberdialog 8/00

7 Consumer-Centric Healthcare Management
The financial services market has matured more rapidly, partly due to the structure of the market. Also because health infrastructure is much more complex, but the additional challenges make the opportunity in HC even larger. Unlike financial services, in health care consumer portals cannot provide: interaction, communication with physicians, communication with plan. Means different things for different organizations. --Pacificare has their secure horizons program targeted to Sr. Care --PBM’s adding value to their corporate customers and stripping away costs for refills etc. --Health Calc, Columbia HCA, Children’s Hospital… One size does not fit all, so use the Internet to provide a flexible solution that focuses on your strengths. Whatever the business goals, health organizations should offer individualized and relevant: Communication that is relevant, timely, accurate Connectivity – efficient access to providers, health records and information Care – appropriate and the highest quality possible ________________ Similar to financial services industry where online financial news services are now the leading news source for active financial investors looking for share prices and investment advice. Just under 60 percent of active traders have a personalized web page with share prices and 15 percent say they receive financial updates on a wireless device. Leverage the Internet to build and manage one-to-one relationships with your customers Utilizing CMR solutions to: Acquire & retain customers Grow revenues & reduce costs Communicate based on your business needs

8 Average Time Health Savant 32 Minutes WellMed User 19 Minutes
Doctor/Patient Visit Minutes Breaking Health News 51 Seconds DTC Seconds One goal is to use the time consumers spend on the Internet to increase the value of the 9 minutes they spend with the doctor

9 eHealth Non Traditional Stakeholders Connectivity Data Empowerment
Interactivity Up close and personal

10 eCare Traditional stakeholders Using electronic medium to deliver care
32 % Employers using Internet to Administer health benefits

11 The Internet Doctor-Patient Relationship
What are features of it? What are boundaries? Who has jurisdiction? Who provides oversight ? Licensure, Credentials, Remuneration? Professional status?

12 What Constitutes a Valid Internet Prescription?
Proximity? Evaluation? Diagnosis? Remuneration? Interaction? Licensure? Oversight? Jurisdiction?

13 Personally Identifiable Health Information
How do you protect consumer privacy, set proper consumer expectations, build trust, provide connectivity, interactivity and be profitable What is the consumer’s /patient’s expectation of privacy and confidentiality?

14 “The right to be left alone…”
“The right to be left alone is the most comprehensive of rights…” Olmstead v. United States 1928 Louis Brandeis Communication Technology 1890: Photography Cheap Printing

15 “You already have zero privacy. Get over it.”
Scott G. McNealy CEO, Sun Microsystems, Inc. 1999

16 Privacy Protection at Commercial Web Sites
93% of commercial web sites collect at least one type of personal identification Less than 10% of sites encompass all five principles One third of sites post no privacy policy Only 19% disclose steps taken to safeguard data Examples of abuse are widespread Privacy Rights Clearinghouse Beth Givens, Director 1999 Five Principles for Privacy Protection: Notice, Choice, Access, Security, Enforcement

17 Privacy Among Top Shopping Sites
Only a third of surveyed sites guaranteed not to send visitors’ personal information to third parties 31% of sites have privacy policies that appear to give owner the right to send personal details to third parties eMarketer, July 2000 Top 101 Consumer Websites

18 Amazon: “Personal info may be shared”
“Dear Customer, We have just updated Amazon.com's privacy policy and, because privacy is important, we wanted to you proactively in this case and not just update the policy on our site, as is the common Web practice. Thanks for being a customer and allowing us to continue to earn your trust. To read the updated Privacy Notice, visit: Associated Press, Sep. 1, 2000

19 The fine print "As we continue to develop our business, we might sell or buy stores or assets. In such transactions, customer information generally is one of the transferred business assets," the company said. The company also said that "in the unlikely event that Amazon.com Inc., or substantially all of its assets are acquired, customer information will of course be one of the transferred assets."

20 The PEW Internet and American Life Project, 2000
Consumer Attitudes 86 % favor opt-in privacy policies that require permission for use 54 % view website tracking of users as invasion of privacy Only 27 % feel that website tracking is helpful 54% have provided personal information to use a Web site. 48% have bought online using a credit card 55 % have sought health information 43 % have sought financial information 36 % went to support-group sites or medical information sites 27 % say they will never divulge personal information online The PEW Internet and American Life Project, 2000

21 Medical Record Privacy Concerns
78% of Doctors withhold information from patient record due to privacy concerns 87% of Doctors reported having had a patient request to withhold information from their records Association of American Physicians and Surgeons

22 Regulatory Environments
Federal State International Governing Agencies Industry self regulation Consumer Expectations Court of Public Opinion Sectoral Laws Unleveled playing field “Safe Harbor” HHS, FTC, FDA, SEC… Hi Ethics, OPA

23 Fair Information Practices
1965 House of Representatives Subcommittee 1973 HEW “The Code of Fair Information Practice Principles” 1974 Federal Privacy Act Notice (awareness) Choice Access Security Data Integrity 1998 FTC de facto standards for privacy protection on the Internet

24 Important Regulations
COPPA-Children’s Online Privacy Protection Act of 1998 FTC HIPAA-Health Insurance Portability and Accountability Act of 1996 Gramm-Leach-Bliley Act (GLBA)

25 FTC Children Online Survey
March, 1998 212 Commercial children web sites 89% collected personal information 24% posted privacy policies 10% provided comprehensive privacy policy 1% required parental consent

26 Children’s Online Privacy Protection Act of 1998
Child-Individual under age 13 Collection-Includes direct or passive…”actual knowledge” Release of Personal Information-”sharing, selling, renting, or any other means of providing personal information to any third party.” Provide Notice Inform Parents Obtain Parental Consent Allow Review Establishes Rules

27 Children’s Online Privacy Protection Act of 1998
Collected Online “Personally Identifiable Information” Name Physical Address address or online contact information Telephone number Social Security number Persistent identifier (cookie,etc.) Information concerning a child …

28 Purpose of Administrative Simplification Privacy Regulations
Protect and enhance consumer rights: access to their information controlling inappropriate use Improve quality by restoring trust 3. Improve efficiency and effectiveness by creating national framework for health privacy protection

29 HIPAA Components Electronic Transaction (65 FR 50312) Aug 17, 2000
Privacy (65 FR 82462) Dec 28, 2000 Unique identifier for Employers (63 FR 25272) May 7, 1998 Unique identifier for Providers (63 FR 32784) Jun 16, 1998 Security (63 FR 43242) Aug 12, 1998 Unique identifier for health plans ????? Standards for Claims attachments ????? Standards for COB ?????

30 HIPAA Privacy History Aug. 21, 1996 HIPAA, Public Law 104-109
Aug. 21, Congressional Deadline Oct. 29, HHS Draft Issued Nov. 3, FR 59918 Feb.17, End comment Period Dec. 20, HHS Final Privacy Rule Dec. 28, FR 82462 Feb.26, Compliance Date (2004 smaller plans)

31 HIPAA Privacy Overview
Establishes a set of basic national privacy standards Sets a floor for privacy ground rules Seeks to balance need of individual with needs of society “Privacy is a fundamental right”

32 Components of Final Privacy Rule
Consumer control over Health Information Boundaries on Medical Record Use and Release Ensure Security of Personal Health Information Establish Accountability for Medical Record Use and Release Balance Public Responsibility with Privacy Protections Special Protection for Psychotherapy Notes

33 Consumer Control over Health Information
Patient Education on privacy protections Ensuring patient access to their medical records Receiving patient consent before information released Ensuring consent is not coerced Providing recourse if privacy protections are violated

34 Boundaries on Medical Record Use and Release
Ensuring health information is not used for non-health purposes Providing minimum amount of information necessary Ensuring informed and voluntary consent

35 Establish Accountability For Medical Record Use and Release
Civil Penalties Federal criminal penalties

36 Balancing Public Responsibility with Privacy Protections
Provides guidelines allowing disclosure: Oversight of health care system-quality assurance Public health Research-IRB Judicial and administrative proceedings Limited law enforcement Emergency circumstances For deceased identification or cause of death For facility patient directories National defense and security

37 Changes from Proposed Regulation
Provide coverage to all individually identifiable health information held by a covered entity Requires consent for routine use and disclosure - Health providers obtain general consent for treatment, payment and health care operations accompanied with detailed notice Allows disclosure of full medical record for treatment Protects against unauthorized use of medical records for employment purposes

38 Changes from Proposed Regulation
Enforcement – OCR “Business associate” Clearinghouses are not subject to certain requirements in the rule when acting as business associates of other covered entities. Minors-federal privacy right attached to consent for treatment right Marketing and fund raising use of information

39 Covered Information In final rule, scope of protection extended to all individually identifiable health information in any form, electronic or non-electronic, held or transmitted by a covered entity.

40 What is Medical Record?
No accepted standard definition

41 What is Health Information?
The Health Insurance Portability and Accountability Act of Aug, HR 3103, PL ‘‘(4) HEALTH INFORMATION.—The term ‘health information’ means any information, whether oral or recorded in any form or medium, that— ‘‘(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and ‘‘(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”

42 What is a Personal (Consumer) Health Record?
ASTM Subcommittee Consumer Health Record The Personal Health Record is an online, location-independent application where an individual can store and manage her own health information and/or the health information of her care dependents in a private, secure and confidential environment.

43 “Individually Identifiable Health Information”
HIPAA, 1996 ‘‘(6) INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.— The term ‘individually identifiable health information’ means any information, including demographic information collected from an individual, that— ‘‘(A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and ‘‘(B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and— ‘‘(i) identifies the individual; or ‘‘(ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. Sec. 1171, No. 6, pg. 89

44 Designated Record Set Certain records maintained by or for a covered entity that are always part of a covered entity’s designated record sets and to include other records that are used to make decisions about individuals. The means of retrieval of a record is not a defining criterion.

45 Creation of De-identified Information
(d) permits a covered entity to use protected information to create de-identified information, whether or not the de-identified information is to be used by the covered entity. It is not subject to privacy rules unless re-identified.

46 Data Aggregation Term defined to permit business associate to combine protected health information for creation of data for analyses that relate to health care operations of the respective covered entities.

47 Aggregate Data vs. Personally Identifiable Information
“Who owns the data?” “Who has a right to the data?”

48 Indirect treatment relationship
Relationship between healthcare provider and individual in which provider delivers health care to the individual based on the orders of another health care provider and the health care services, products, diagnosis, or results are typically furnished to the patient through another provider, rather than directly.

49 Consent Covered health care providers who have a direct treatment relationship with an individual are required to obtain a general consent from the individual in order to use or disclose the protected health information for treatment, payment and health care operations. Providers may condition treatment on patient’s providing consent. For psychotherapy notes, for most purposes, an individual’s authorization is required.

50 Authorization Required for all disclosures and uses not expressly exempted in the regulation. Cannot condition services or payment on receipt of authorization

51 Marketing (authorization required)
Communication about a product or service a purpose of which is to encourage recipients to purchase or use the product or service Three exceptions: -Marketing the organization -Part treatment or health of individual -In the course of managing the treatment of individual or directing to recommending other treatments, etc.

52 Employers Not covered entities under the privacy regulation
Are subject to federal disability nondiscrimination laws ADA, 42 U.S.C or more employees Governs transmission to covered entity Can use medical information for insurance purposes

53 Clinical Laboratories CLIA, 42 U.S.C. 263a and reg 42 CFR part 493
Require clinical labs to disclose test results/reports only to authorized persons as defined by State Law. Federal law defines it as the person who orders the test. Under this law, a clinical lab may be prohibited from providing the individual who is the subject of the test result access to this information. Under HIPAA, then the lab is exempted from reporting the result to the patient. If the clinical lab operates in a state in which the term authorized person is defined to include the individual, then the lab would have to provide the individual with these rights. Similarly, research labs that do not report patient specific results for diagnosis prevention or treatment are exempted from providing patient access under HIPAA.

54 Disclosure Authorization
If a federal law requires a covered entity to disclose a specific type of information, the covered entity would not need an authorization. The covered entity must determine if the disclosure is mandatory rather than merely permissible.

55 EU Safe Harbor “We believe they are essentially consistent and that an organization complying with our privacy regulation can fairly and correctly self-certify that it complies with the Principles.” Questions regarding compliance and interpretation will be decided based on U.S. Law

56 EU Data Exportation Members can only export data if the destination country “ensures an adequate level of protection” for such data, or if some exception applies to the particular transfer

57 Safe Harbor Privacy Principles
Approved by EU Member States May 31, 2000 Intended solely for use by US organizations receiving personal data from EU for the purpose of qualifying for the safe harbor and the presumption of “adequacy” it creates. If an organization joins a self regulatory privacy program that adheres to the Principles, it qualifies for the safe harbor.

58 U.S. “Safe Harbor Principles”
Notice Informed Consent Choice “Opt-out” Sensitive “Opt-in” Onward Transfer Third Parties Security Protection “Reasonable” Data Integrity Accurate, current Access Unconditional v Reasonable Enforcement Recourse & Penalty

59 Notice “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY” Covered entities must describe all uses and disclosures of protected health information they are permitted or required to make without authorization including those uses and disclosures under consent requirements.

60 Notice Additionally, covered entities have to disclose those activities for which they may want to contact the individual:
-providing appointment reminders
-describing/recommending treatments
-providing health benefit information
-soliciting funds
Direct treatment providers must provide notice at time of first service delivery either in person or electronically. Under final rule, a covered entity that maintains a web site describing the services and benefits it offers must make its privacy notice prominently available through the site. Individual has right to request paper notice.

61 Patients/consumers are not covered entities and therefore HIPAA does not offer privacy protection to the individually identifiable health information they maintain/hold about themselves or their family.

62 Gramm-Leach-Bliley (S.900)
-Deregulation of Financial Service Organizations -Act pertains to “Customers’ nonpublic personal information.”

63 Gramm-Leach-Bliley (S.900)
-Accurately, clearly and conspicuously disclose to consumers, at the time relationship is established and not less than annually after that, the organizations’ privacy policy for disclosing customers’ non-public information
-Provide the Consumer the right to “opt out” of disclosures of their nonpublic personal information to non-affiliated third parties (limited exceptions…)
-Establish appropriate security and confidentiality measures for customer records and information

64 Medical Financial Privacy Protection Act (H.R. 4585)
Representative Leach Chairman, House Banking and Financial Services Committee Goal: Prevent financial institutions from sharing medical financial information without an individual’s consent and prohibit the use of medical information in making credit decisions. The bill requires a specific and separate consent for mental health information, HIV information, genetic information and abortion information.

65 Medical Financial Privacy Protection Act (H.R. 4585)
General Rules for Use of IIHI Representative Leach Chairman, House Banking and Financial Services Committee -“Opt-in” Consent for health information -Prohibit disclosure of Information about IIHI -Personal Spending Habits -Notice and Consent for Aggregate data disclosure to third party -Exempt use for customer service -Prohibit re-disclosure and re-use by third parties -Prohibit requesting of health information from a third party to make a loan or credit decision

66 The Prime Directive The actions of an eHealth or eCare Web site do not allow an individual to be identified with their unique health characteristics without the individual’s opt-in authorization.

67 Evolving Issues Data Interchange Messaging Email
Ubiquitous Wireless Connectivity Decision Making Support Data Interpretation Closing the Loop to Physician Desktop Consumer Claims-Processing Support

68 Data Interchange
RELEASES AUTHORIZATIONS For release of personally identifiable information, the user must explicitly authorize such release. The authorization must state: Purpose for release Information to be shared Who information shared with Duration of authorization Provide user opportunity to revoke authorization at any time

69 Tailored Communication
Deliver personalized content, tailored advertising, relevant information Personal Health Manager Home Page Tailored Secure instant messaging Targeted ecommerce Access and pre-qualification to appropriate clinical trials case study as illustration [visual: Diabetic surfs the web looking for information and resources to help him manage his condition. Visits many eHealth sites, but they don’t ask any questions, offer only general information, or information of dubious value. Visits WellMed, takes HQ, takes AdvancedHQ for diabetes. Upon completing AdvancedHQ, receives personalized information and options for managing condition. Conclusion: WellMed engages users in a dialogue and delivers personalized, condition-specific information tailored to their particular needs.] Problem: Content of the electronic message may allow an individual to be associated with their unique health characteristics and thus their privacy violated.

70 and Messaging WellMed’s Philosophy
Push Wellness (Opt-out) Pull Disease (Opt-in) Secure The Unmentionable

71 Creating Dialogue with Patients: Effective and Efficient Communications
33% of Internet health site visitors would switch doctors based on ability to communicate over Internet (CyberDialogue) Estimated that 55-65% of doctors will use Internet in 2000 (up from < 20% in 1997)

72 Physicians Want to Email Patients
How Interested Are You in Being Able to Communicate More With Patients Using ? 40% Express Some Interest in More Patient Contact Not surprisingly, patients even more interested than MDs in communicating via – 41% highly interested, 28% moderately interested and only 32% uninterested. In fact, 14% would even consider switching MDs to gain access to this capability. (may want to use in outlook as actual slide) Right now– physicians who do their patients—10% or less (and 77% answered 0% of patients by ) mean was .4%…whereas with colleagues, mean was 8% 44% of MDs have shifted behavior due to patient web use– may be a data pt or slide– not sure yet Source: Jupiter Analysis; The Cozint Report, (5/00); n=800 (US only)

73 Dr. Doolittle, Online at Least
Harris Interactive, April 03, 2000; Emarketer.com. 89% of US Physicians are Internet users. Average 6 hours/week online. Personal 61%; Patient Clinical %; General Clinical 15%; Administrative 16%. 28% Access information for a FEW patients. 52% Sometimes use computers to receive lab results. 33% Work in practices with their own web site.

74 E/M Codes for email-responses
CPT Pay by Health Plan First Care out of Chicago-TPA

75 Value Add-Health Management
Messaging Functions Appt. Requests Refills Billing Send lab results, etc. Value Add-Health Management Proactive message from Doc to Pt (structured data) Pt to Doc alert about abnormal results

76 Wireless Reminders Supplies health information directly via cellular or digital technology Offers 24-hour access to personal health information without a computer Helps individuals organize and comply with treatment plans including prescription medications, fitness routines and nutrition protocols Personalizes information and content

77 Wireless Statistics Digital cell phone users, put at 32 million in 1999 by Jupiter Communications Smart phones, predicted to be at 800,000 by end of 1999 by Jupiter Communications, but up to 76 million by 2003

78 People Want Wireless Email
75% of wireless usage involves retrieving email (Solomon-Wolff). Almost half of mobile device users want to retrieve email via wireless (Jupiter Communications).

79 Customized Connectivity
Standard technologies will exist over the next 12 months that will make the tracking and monitoring of health issues more invisible and non-intrusive, greatly enhancing your ability to talk to your patients. Your organization stays top of mind in a POSITIVE context, not simply “the group that you call when you’re sick.” They look to your organization for help WHEN THEY ARE WELL. They will open your email and they will go to your site. (Talk to data interchange here.)

80 Hi-Ethics Principles Reliable online information
Responsible online advertising Private and secure personal health information

81 A group of major commercial ehealth sites
Hi-Ethics sites reach more than 30% of Internet audience in general. More than 60 million visitors have visited Hi-Ethics sites. Projected 2000 revenues are 2/3 of total eHealth companies [1]. [1] Includes 22 eHealth companies designated by Wit Capital, January 31, 2000.

82 14 Hi-Ethics Principles 1-3 Privacy and Confidentiality
Advertising and Commerce Quality of Health Information Best Practices for Professionals Disclosure and Feedback

83 Privacy and Confidentiality
Must conform with Fair Information Practices Protection for Health-Related Personal Information “opt in” Privacy in Relationships with Third Parties Provide customers with meaningful choice

84 Advertising and Commerce
Disclosure of Ownership and Sponsorship Identifying Advertising and “Sponsored” Content Promotional Offers, Rebates and Free Items or Services

85 Quality of Health Information
Accuracy and Reliability Editorial Policy Authorship and Accountability and Date Validation for Self-Help Services

86 Best Practices for Healthcare Professionals
Clarity of Relationships Professionalism Qualifications

87 Combination of Law and Industry Self Regulation
Independent Multi Faceted Multi Tiered

88 CAV Program Truste will administer Independent implementation, evaluation and dispute resolution Hi Ethics will maintain the code and interpretation Web site does not need to belong to Hi Ethics to obtain the seal Annual Renewal Feedback and Monitoring

89 Multi Faceted Privacy Audit Financial Audit Security Audit
Professionalism compliance Editorial Policy compliance Advertising Policy compliance Evaluation of third party relationships

90 Multi Tiered 1. Adopt Hi Ethics Principles 2. Perform Self assessment
3. Publicly announce compliance 4. Independent assessment 5. Voluntary participation in “Hi Ethics Seal Program” 6. Join Hi Ethics

91 The key is Setting proper customer expectations
And then delivering on them

92 Care is directed by the provider AND the consumer
Care is directed by the provider AND the consumer. As providers, we put the patient in the driver’s seat, and take our seat as navigator and coach.


