Balancing Patient Privacy with Patient Engagement

Electronic patient engagement has extended healthcare beyond the four walls of the practice. However, state or federal requirements make it paramount that patients have secure access when communicating electronically with their provider, according to David Holtzman.

Holtzman, vice president of compliance strategies at CynergisTek, has spent nearly 15 years in developing, implementing, and evaluating health information privacy and security compliance programs in both government and private sector positions. Prior to joining CynergisTek, he served on the health information privacy team for the Department of Health and Humans Services’ Office for Civil Rights, where he served as the senior advisor for health information technology and the HIPAA Security Rule.

At this year’s Healthcare Information and Management Systems Society (HIMSS) conference in Orlando, Holtzman, and co-presenter Mercy del Rey, who serves as assistant vice president and chief privacy officer for Baptist Health of South Florida will discuss the need for patient protection in technology-driven engagement activity.

Their session, “Balancing Patient Privacy with Patient Engagement Efforts,” is scheduled for Wednesday, February 22 from 11:30 to 12:30.

Holtzman recently discussed the session and key take away points regarding privacy and electronic health records with Physicians Practice.

Q:  What steps should be taken for medical practices to ensure secure electronic patient engagement efforts?

Software applications and technology that enable engagement between patients and healthcare providers should ensure that each individual is assigned a unique access ID, including the physician, the patient, designated workforce members from the physician’s office, and users designated by the patient, such as a parent or guardian. Because of multiple users, many of the systems have an audit function, which allows for the identification of individuals accessing the electronic records. As a further safeguard, firewalls and databases should consistently be reviewed and updated as needed.

Meanwhile, many hospitals and physicians have implemented strict, no-tolerance sanctions for employees who access files inappropriately. These policies and procedures for electronic access should be reviewed and updated as any new legislation can impact their effectiveness.

Q: What role does state and federal law play in balancing patient privacy via electronic engagement?

The Office of the National Coordinator for Health IT and the Office for Civil Rights … offer guidance and advice for healthcare professionals on how to advance and promote the access and sharing of patient information while safeguarding the privacy and security of the data.

Q: How can physician practices help ensure patient privacy when it comes to EHRs?

It is important for physician practices to understand the working of their EHR system to see how current confidential information flows from physician to online patient engagement. For example:

• Who touches the information?

• How is the information crated, modified, process and distributed?

• Are there any gaps between policies and procedures that make the data vulnerable to unauthorized access or hackers?

In addition, physician practices should ensure that utilized EHRs have monitoring and system audit controls. Practices should [also] review policies, training and information system security processes on a regular basis.