COMMENTARY
Uber enters healthcare market, engages Clearwater Compliance to address HIPAA compliance risks
The well-known ride-sharing platform Uber joined the healthcare sector in February of this year when it rolled out Uber Health. Uber Health is a new service designed to address transportation problems that hinder patient access to care.
According to the American Hospital Association (AHA), a lack of transportation restricts access to medical care for 3.6 million people in the United States each year [1]. Uber Health is Uber’s answer to this problem. The Uber Health initiative allows healthcare delivery organizations (HDOs) to partner with Uber to provide transportation for patients who need rides to or from healthcare services.
Early in Uber Health’s development process, Uber recognized that working with HDOs and their patients would require a more robust approach to cybersecurity than that required for working with the average Uber client. In order to work with HDOs, Uber also needed to be able to assure potential partners that its new service would be compliant with the Health Insurance Portability and Accountability Act (HIPAA).
By working with healthcare organizations to provide services to patients, Uber Health has placed itself in the role of a “business associate.” Business associates who create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity (e.g., a hospital, a physicians group, or healthcare system) must ensure the privacy and security of PHI. A data breach has the potential to compromise patient safety, as well as incur enforcement fines and penalties from the U.S. Department of Health and Human Services (HHS) and Office for Civil Rights (OCR).
To mitigate this risk, Uber proactively engaged the services of Clearwater Compliance. Clearwater Compliance specializes in helping organizations analyze and mitigate HIPAA compliance and cybersecurity risk.
Clearwater Compliance performed a comprehensive compliance and cyber risk analysis for Uber Health last June. The analysis involved identifying every information asset subject to HIPAA regulation; identifying the threats and vulnerabilities associated with each asset; and specifying the likelihood and impact of each threat to develop a risk rating for each risk.
Clearwater’s analysis also included a review of the technical, physical, and administrative controls related to Uber Health’s new application and technology. With guidance from Clearwater Compliance, Uber Health used the results of the risk analysis to put policies, procedures, and processes in place to protect the privacy and security of patient health data.
Uber now has the safeguards in place to sign a Business Associate Agreement (BAA) with partner organizations, verifying Uber Health’s commitment to protecting PHI.
REFERENCE
1. American Hospital Association, “Social Determinants of Health Series: Transportation and the Role of Hospitals.” Retrieved from https://www.aha.org//ahahret-guides/2017-11-15-social-determinants-health-series-transportation-and-role-hospitals
CYBERSECURITY
One in five health employees willing to sell confidential data to unauthorized parties
Nearly one in five health employees (18%) said they would be willing to sell confidential data to unauthorized parties, according to a survey from Accenture.
The survey, of 912 employees of provider and payer organizations in the United States and Canada, found that the 18% of respondents willing to sell confidential data to unauthorized parties would do so for as little as between $500 and $1,000. In addition, respondents from provider organizations were significantly more likely than those in payer organizations to say they would sell confidential data (21% vs. 12%).
This includes selling login credentials, installing tracking software, and downloading data to a portable drive, among other actions.
The survey also found that health employees’ willingness to sell confidential data is not just hypothetical: Roughly one-quarter (24%) of the respondents said they know of someone in their organization who has sold their credentials or access to an unauthorized outsider. These actions contribute to the vast impact of cybercrime, which health organizations spent an estimated US$12.5 million each, on average, addressing in 2017.
“Health organizations are in the throes of a cyber war that is being undermined by their own workforce,” said John Schoew, who leads Accenture’s Health & Public Service Security practice in North America. “With sensitive data a part of the job for millions of health workers, organizations must foster a cyber culture that addresses these deeply rooted issues so that employees become part of the fight, not a weak link.”
While nearly all (99%) of the respondents said they feel responsible for the security of data, their behavior suggests that organizations cannot rely solely on employees to safeguard data, as evidenced by the 21% who said they keep their user name and password written down next to their computer. Ironically, nearly all (97%) of the respondents said they understand their organization’s explanation of data security and privacy.
In addition, while nearly 9 in 10 (88%) respondents said that their organization provides security training—with such training mostly mandatory—the findings suggest that training is not an absolute deterrent. Of those who receive security training, 17% said they still write down their user names and passwords, and 19% said they would be willing to sell confidential data. Surprisingly, those numbers increase for those who receive frequent training: Of the employees who receive quarterly training, 24% said they write down their user names and passwords and 28% said they are willing to sell confidential data. This suggests that it’s the quality, not the frequency or quantity, of training that matters.
Doctors put patients in charge with Apple’s Health Records feature
Apple posted a feature article March 30 about how U.S. doctors are putting their patients in charge with Apple’s Health App Records feature.
Apple begins with Dr. Harrington. When Dr. Robert Harrington, cardiologist and Chairman of the Department of Medicine at Stanford, sees patients, they frequently pass him stacks of printed medical records and spreadsheets, hand-drawn charts or their smartphone with notes and photos. Occasionally, they’ll enter his office with grocery bags full of medications to walk him through the details of their care.
“People hand you all sorts of things these days,” he says, “and more data is almost never bad, but when they show up with paper, how do you summate that?” He’s hired a skilled team to take on the task of pulling it all together.
On March 30, patients of NYU Langone Health, Stanford Medicine and nearly 40 other health systems representing hundreds of hospitals and clinics had the capability to view their medical records right from their iPhone. The updated Health Records section within the Health app helps consumers see medical information from various institutions organized into one view and receive notifications when their data is updated. This information can help patients better understand their health history, have informed conversations with physicians and family members, and make future decisions. Health Records data is encrypted and protected with the user’s iPhone passcode.
As a self-proclaimed “data guy,” Dr. Harrington says “any time you can put information in patients’ and doctors’ hands and allow there to be more informed decision making, that is the best of all.” In a world where patients have more technological access to data than ever, a platform like Health Records is, in his words, “an important maneuver for patient empowerment and the way the world needs to be.”
The new Health Records feature was previously available to patients who joined the Apple Beta Software Program. As of March 30, patients from nearly 40 health institutions can view their medical records simply by updating the iOS software on their iPhone.
MOBILE COMMUNICATIONS
Study: Hospital IT smartphone investments are driving clinical transformation
Spyglass Consulting Group released its most recent healthcare study, Trends in Clinical Communications and Collaboration 2018. The study shows that 90% of hospitals surveyed are making significant enterprise-wide investments in smartphones and secure mobile communications platforms to drive clinical transformation and address the mission- and patient-critical communications requirements of clinical and non-clinical mobile workers within the hospital and across the care continuum.
Hospitals surveyed have identified common communications challenges experienced by mobile clinical workers that include:
- Communications overload. Clinicians are overwhelmed by the overhead paging system, incoming voice and text communications, and a continuous stream of device alarms, which is creating alarm fatigue and leaving them little time for direct patient care.
- Lack of standardized processes. Clinicians are resistant to utilizing standardized communications processes and tools, especially during transitions, which can introduce medical errors into the care process.
- Dissatisfaction with existing communications tools. Clinicians are dissatisfied with the antiquated communication options provided by hospital IT including overhead paging, landline phones, pagers, and proprietary VoIP handsets. EHR-based messaging tools are poorly designed and not well integrated with their workflow.
With the transition toward patient-centered care models and value-based purchasing, hospitals surveyed are evaluating next-generation communications platforms and upgrading their technical infrastructure to help achieve the Triple Aim framework by reducing healthcare costs, improving care quality and outcomes, and increasing patient and staff satisfaction.
Next-generation communications platforms are providing:
- Cross platform support, enabling clinicians to use different mobile devices and/or web-based interfaces to support anytime, anywhere communications
- Unified communications, enabling clinicians to use different communication modalities including Voice over IP, secure text messaging, and videoconferencing
- Enterprise-wide directories integrated with the on-call scheduling system and care assignments database, enabling clinicians to connect with team members
- Event-driven communications, enabling clinicians to receive critical notifications from hospital legacy systems providing actionable content to close the communications loop
- Analytics and reporting tools, enabling hospital IT to measure communications tools usage and effectiveness to drive clinical workflow improvements
Additional Highlights of the Trends in Clinical Communications & Collaboration Report:
- Developed comprehensive mobile strategies. 73% of hospitals surveyed have developed or were developing mobile strategies to address the communications, collaboration, and computing requirements of clinical professionals and other mobile workers across medical departments, standalone hospitals, and ambulatory environments.
- Identified compelling return on investments. 48% of hospitals surveyed have identified or were identifying compelling ROI models to justify mobile investments that provide quantifiable metrics to demonstrate cost reductions, outcome improvements, and staff/patient satisfaction.
- Leveraged middleware to support event-driven notifications. 68% of hospitals surveyed are using middleware to collect, monitor and manage data, alerts and alarms generated from hospital legacy systems, including nurse call, biomedical devices, EHR, pharmacy, and laboratory.