By Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President, Privacy, Compliance and HIM Policy, MRO
Twitter: @MROCorp
Healthcare provider organizations are responsible for the privacy and security of their patients’ information. HIPAA codified this requirement for covered entities, including specific guidelines for protecting sensitive patient information such as behavioral and substance abuse records.
Health Information (HI) professionals are well aware of HIPAA’s patient privacy rules, regulations, and best practices for compliance. However, they must also consider sensitive patient data that flows outside of HIPAA: information shared by patients with outside third parties such as mobile applications and social media platforms.
In the wake of the Supreme Court’s decision to overturn Roe v. Wade, there is renewed national attention on safeguarding patient information, especially sensitive reproductive patient information and women’s health data not covered by HIPAA. Delaware and New Jersey have already passed reproductive health privacy laws while California and Colorado have pending legislation.
On June 29, the HHS Office for Civil Rights (OCR) issued new guidance related to reproductive privacy rights. On July 8, the White House followed with an executive order to strengthen the protection of reproductive health privacy and bolster patient-provider confidentiality. And several senators are pushing for HIPAA privacy rules to do more for reproductive health privacy.
Given this new guidance, now is the time for HI professionals to hold internal discussions, revisit policies, refresh education, and build checklists to ensure the privacy of sensitive patient data related to reproductive health. Here are four steps to take now.
Expand the Reach of Privacy Education and Awareness
According to a recent survey published by the American Medical Association and conducted by the Savvy Cooperative, patients and providers are advocating for stronger patient privacy regulation beyond HIPAA. Of the patients surveyed, 92 percent believe that companies should not be able to buy health data, and 94 percent want companies that interact with health data to be legally accountable. Patients were particularly concerned with “social media sites, big tech companies, and prospective employers having access to private information,” according to the survey.
Many of the nation’s largest social media and information technology companies have already posted statements regarding their willingness to protect patients’ reproductive health data. On July 7, Google announced additional steps to protect user privacy around health issues and location data. Flo, a period tracking app, will add an anonymous mode so users can opt to remain private.
HI professionals also play an active role in targeting reproductive health privacy gaps through expansion of privacy awareness and education for patients, patient families, and other consumers. Consider the following tactics to discuss with your organization:
- Launch a patient education campaign including the use of data from wearable devices.
- Add this topic to interoperability and information blocking work group agendas.
- Meet with compliance, privacy, and security teams to enhance policies and procedures, and refresh internal training programs.
Segment Reproductive Health Data
Most healthcare provider organizations have already segmented drug, alcohol, and behavioral health records within their EHRs and other systems. This step may become necessary to ensure reproductive health privacy. However, records must not be so strictly segmented that clinically significant information is not readily available to support patient care.
Here are several internal discussions for HI professionals to initiate now:
- Meet with gynecology and obstetrics service line clinicians along with CDI teams to fully understand how reproductive documentation is captured and woven into practice and enterprise EHRs.
- Engage medical staff and compliance, privacy, and security teams to hear their concerns related to segmenting reproductive health data within the EHR.
- Work with IT departments to tag each data element and document related to reproductive health contained within EHRs and other systems.
Refresh Release of Information Policies and Procedures
In addition to segmenting reproductive health data, HI professionals should reevaluate their release of information (ROI) process to see whether reproductive health documents can be suppressed and, if so, under what situations it is legal to do so. If data is released inappropriately, there may be potential for it to be weaponized against both the patient and the provider.
Another consideration for the ROI process is how to redact reproductive data from a patient’s record should the medical record be legally requested or disclosed. How would redaction occur? Who would be responsible? Now that records are digitized, we can no longer simply “black out” specific information within a release. When legally authorized, reproductive data may need to be segmented and removed from the flow of information sharing and data exchange.
Finally, ROI workflows may require a new step in the process to ensure reproductive information is removed prior to release, to the extent legally permitted. There will be instances when reproductive health information cannot be redacted or removed, such as when the whole record is requested to be released by the patient, or under a subpoena or court order.
Build a Checklist to Mitigate Risk
This article is just the beginning of best practices regarding reproductive health privacy. The next step is to build a complete checklist to thoroughly prepare and protect your organization. Relevant considerations for examining legal and compliance risk should be included.
Any organization with operations that touch on reproductive health services in any way should keep abreast of state, federal, and privacy rules as they emerge. Risk mitigation will be paramount as new guidance is introduced and approved. A leading legal firm in healthcare, McDermott Will & Emery, recently produced a thorough checklist that serves as an important reference and resource.
Also continue to follow AHIOS and AHIMA as both organizations will monitor the situation and provide important guidance for HI professionals.
The views and opinions expressed in this article are those of Rita Bowen and do not necessarily reflect or represent the views, opinions, or policies of MRO Corporation.