Monday, April 9, 2012

Acronyms of Change, Part 9 (HISP)

An acronym we haven't seen a lot of to date but of which we will learn much in 2012 is the HISP, or Health Information Service Provider. For some important background, let me refer you back to Part 4 of this Acronyms of Change series, since HISPs are surfacing predominantly in the discussion of ONC Direct (the Direct Project). ONC Direct has become the official transmission protocol for protected health information (PHI) passed from one healthcare entity to another. ONC Direct will make use either of a single HISP or of two HISPs (a HISP-to-HISP exchange) if PHI is being shared between providers who use different networks.

Before continuing, I'd like to contextualize the HISP discussion. Why is it important or relevant for you as an eye care provider? You may recall my earlier statement that 2011 was the year of the EHR and that 2012 would be the year of the HIE. HIEs are where you'll encounter HISPs. 


Remember, your state HIE is something you need to be learning about and seeking to get involved in now. So, assuming you have a certified EHR and may even have attested to Meaningful Use, you'll want to begin receiving patient CCDs from other providers. (Electronic delivery of this health information may save you up to 10 minutes per exam.) Sending and receiving CCDs is a big part of what the health care reform game is all about - this exemplifies both portability and interoperability. However, you can't simply call up other local providers and ask them to send over a CCD. That worked with fax and email but those communications methods are no longer acceptable. The CCD must be sent and received via encrypted protocols that assure the security of your patient's health information. (As noted above, the P in PHI stands for "protected", not personal or patient, although both those descriptors are also true and applicable.)

As you learn more about your state Health Information Exchange, you'll uncover a whole new network of regulations and protocols akin to what we've all gone through thus far to achieve certification and meaningful use attestation. Since the HIE is all about exchanging health information, you'd expect - and indeed find - an approved encrypted transmission protocol. That's ONC Direct. And that's what HISPs must use. Correspondingly, you will need to enter into an agreement with a Health Information Service Provider in order to be part of your state HIE. (Not to fear, this agreement will be similar to the Business Associate Agreement that you're now familiar with. Your patients routinely sign your HIPAA statement of privacy practices and you do likewise with associated businesses, such as your software vendor, who may see your patient database. In fact, it'll probably be your software vendor who chooses your HISP on account of the connectivity required to enable the communications.)

Here's some reassurance about the security of your patients' protected health information. HISPs must observe the following "Trust and Privacy Considerations":

  • The sender has assurance that the receiver is who the receiver purports to be
  • The receiver has the same level of assurance in the sender
  • Both have assurance that the content will not be modified in transit
  • Exposure to personally identifiable information (PII) or protected health information (PHI) is under the complete control of sender and receiver

These preconditions are assured through the use of secure protocols in which messages are signed with the sender's private key and encrypted with the receiver's public key. Because of this:

  • The sender ensures that only the intended receiver can view the content (through use of the receiver's private key to decrypt the data)
  • The receiver ensures that the content is as was sent by the sender (through the use of the sender's signature)
  • Both parties ensure that they trust the identity assurance and other certificate issuance policies of the sender and receiver's certification authority.
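
The sign-then-encrypt exchange described above, as an added example that is not part of the original post. It uses the openssl command line to produce S/MIME messages (the format Direct uses); the three parties, the self-signed certificates standing in for CA-issued ones, the placeholder CCD text and the function names are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example with constructed data: S/MIME sign-then-encrypt via the openssl CLI.
# Self-signed certificates stand in for ones issued by a trusted certification authority.

outcome() {  # outcome LABEL CMD...: print LABEL=accepted or LABEL=rejected
  label=$1; shift
  if "$@" >/dev/null 2>&1; then echo "$label=accepted"; else echo "$label=rejected"; fi
}

direct_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    for who in sender receiver stranger; do      # hypothetical parties
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$who.example" \
        -keyout "$who.key" -out "$who.crt" 2>/dev/null || exit 1
    done
    printf 'Constructed CCD placeholder, no real PHI\n' > ccd.txt

    # Sender: sign with the sender's private key, then encrypt to the receiver's public key.
    openssl smime -sign -text -in ccd.txt -signer sender.crt -inkey sender.key \
      -out signed.msg 2>/dev/null || exit 1
    openssl smime -encrypt -aes256 -in signed.msg -out wire.msg receiver.crt \
      2>/dev/null || exit 1

    # Receiver: decrypt with the receiver's private key, then check the sender's signature.
    outcome receiver_decrypt openssl smime -decrypt -in wire.msg \
      -recip receiver.crt -inkey receiver.key -out dec.msg
    outcome sender_verified openssl smime -verify -text -in dec.msg \
      -CAfile sender.crt -out out.txt
    # A third party holding the ciphertext has no matching private key.
    outcome stranger_decrypt openssl smime -decrypt -in wire.msg \
      -recip stranger.crt -inkey stranger.key -out x.msg
    # A signer that does not chain to the receiver's trust anchor is refused.
    outcome untrusted_anchor openssl smime -verify -text -in dec.msg \
      -CAfile stranger.crt -out x.txt
    # Content altered after signing no longer matches the signature.
    sed 's/placeholder/PLACEHOLDER/' dec.msg > tampered.msg
    outcome modified_content openssl smime -verify -text -in tampered.msg \
      -CAfile sender.crt -out x.txt
  )
  rc=$?; rm -rf "$d"; return $rc
}

direct_demo
```

The first two lines of output are the normal exchange; the last three are the failure cases that correspond to the confidentiality, identity and integrity assurances in the list above.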

Last word. These acronyms and entities get admittedly dizzying. Our intent in exposing it all for you is not to heap up your responsibilities or add to your to-do list. Our hope is simply to bring some level of understanding and familiarity that lets you proceed well guided through the maze.

Alistair Jackson, M.Ed.
