Quiz the Regulator
Linda Sanches, MPH Senior Advisor for HIT and Privacy Policy
Agenda: Today’s Topics
• What is OCR and what do we do
• Enforcement activities
• HIT policy
• Resources
• Questions
AMC 2
OCR Roles and Oversight
• OCR ensures that people have equal access to and the opportunity to participate in and receive services from all HHS funded programs without facing unlawful discrimination. Civil rights laws prohibit discrimination on the basis of race, color, national origin, disability, gender, and religion.
• Ensures that the privacy and security of people’s health information is protected; OCR is HHS’s enforcement agency for the HIPAA Privacy, Security, and Breach Notification Rules.
• Enforces the confidentiality provisions of the Patient Safety Rule, which protect identifiable information used to analyze patient safety events and improve patient safety.
• Investigates complaints, conducts compliance reviews, develops policy, promulgates regulations, and provides technical assistance and education to ensure understanding of and compliance with these laws.
OCR RULEMAKING
• What’s Done:
– Omnibus Final Rule
• HITECH provisions on Enforcement penalties & Breach Notification
• GINA provisions
• Other rule changes
– National Instant Criminal Background Check System (NICS) NPRM
– CLIA Final Rules
• Access to test results directly from labs
• What’s to Come:
– From HITECH
• Accounting of Disclosures
• Methods for sharing penalty amounts with harmed individuals
– NICS Final Rule
OCR GUIDANCE
What’s Done:
• Omnibus Final Rule
– De-identification
– Combined Regulation Text
– Sample BA provisions
– Refill Reminder
– Factsheets on Student immunizations and Decedents
• Guide to Law Enforcement Permitted Mental Health Disclosures
• HIPAA in Emergency Situations
• HIPAA and Same-Sex Marriage
• Letters from the Director
– Dear Provider – duty to warn, serious and imminent threats
– Right to access – updated for e-access requirements
Other Guidance
• Guide to Privacy & Security of ePHI with ONC
• Security Rule guidance updates
• Model Notice of Privacy Practices – handout and online versions
What’s to Come:
• Omnibus Final Rule
– Breach Safe Harbor Update
– Breach Risk Assessment Tool
– Minimum Necessary
– More on Marketing
– More Factsheets on other provisions
• Cloud guidance
BUSINESS ASSOCIATES
REMINDER of Changes to the Rules:
• Security Rule: BAs (and subcontractors) now directly liable
• Privacy Rule: BAs (and subcontractors) now directly liable for:
– impermissible uses and disclosures;
– non-compliance with their BA Agreements; and
– certain individual rights
BREACH NOTIFICATION RULE
A breach for HIPAA purposes:
• Impermissible use or disclosure
• Of unsecured PHI
Unsecured PHI: not encrypted and not destroyed
Breach Presumed UNLESS:
• “LoProCo:” The CE or BA can demonstrate that there is a low probability that the PHI has been compromised, based on:
– The nature and extent of the PHI involved (including the types of identifiers and the likelihood of re-identification);
– The unauthorized person who used the PHI or to whom the disclosure was made;
– Whether the PHI was actually acquired or viewed; and
– The extent to which the risk to the PHI has been mitigated.
Focus on risk to the data, instead of risk of harm to the individual.
The Risk Assessment must be documented.
• Notification by BA to CE
• Notification by CE to:
– Individual
– HHS
– Media (500+)
• All 500+ breaches must be reported without unreasonable delay but no later than 60 days
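As an added illustration (not OCR’s own tooling and not code from the presentation), the breach determination and notification chain on these slides written as an incident-triage function: unsecured PHI plus an impermissible use or disclosure is a presumed breach unless a documented LoProCo assessment covering all four factors rebuts it, and a breach then triggers BA-to-CE, CE-to-individual and CE-to-HHS notices, with the media notice and the 60-day outer limit attached to 500+ breaches. The field names, the assessment dictionary layout and the choice to compute the deadline only for 500+ breaches (the only deadline the slides state) are this example’s assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

LARGE_BREACH_THRESHOLD = 500     # "500+" breaches on the slides
REPORTING_DEADLINE_DAYS = 60     # "no later than 60 days" (slides)
LOPROCO_FACTORS = (              # the four factors named on the slide
    "nature_and_extent_of_phi", "unauthorized_recipient",
    "actually_acquired_or_viewed", "risk_mitigated")

@dataclass
class Incident:                  # field layout is this example's assumption
    impermissible_use_or_disclosure: bool
    encrypted: bool              # PHI rendered unusable by encryption
    destroyed: bool              # PHI rendered unusable by destruction
    affected_individuals: int
    discovered: date
    reported_by_business_associate: bool = False
    loproco_assessment: Optional[dict] = None   # None = not documented

def is_unsecured(inc: Incident) -> bool:
    """Unsecured PHI is PHI that is neither encrypted nor destroyed."""
    return not (inc.encrypted or inc.destroyed)

def loproco_rebutted(inc: Incident) -> bool:
    """Rebutted only by a documented assessment with a finding for every
    factor that concludes there is a low probability of compromise."""
    a = inc.loproco_assessment
    if a is None or any(not a.get(f) for f in LOPROCO_FACTORS):
        return False
    return a.get("conclusion_low_probability") is True

def is_breach(inc: Incident) -> bool:
    """Impermissible use/disclosure of unsecured PHI is a presumed breach."""
    if not (inc.impermissible_use_or_disclosure and is_unsecured(inc)):
        return False
    return not loproco_rebutted(inc)

def required_notifications(inc: Incident) -> dict:
    """Notification chain: BA -> CE (when a BA reports), CE -> individuals
    and HHS, plus CE -> media and the 60-day limit for 500+ individuals."""
    if not is_breach(inc):
        return {"breach": False, "notify": [], "deadline": None}
    notify = ["BA -> CE"] if inc.reported_by_business_associate else []
    notify += ["CE -> individuals", "CE -> HHS"]
    deadline = None
    if inc.affected_individuals >= LARGE_BREACH_THRESHOLD:
        notify.append("CE -> media")
        deadline = inc.discovered + timedelta(days=REPORTING_DEADLINE_DAYS)
    return {"breach": True, "notify": notify, "deadline": deadline}
```

An encrypted lost laptop therefore never reaches the notification branch, while an undocumented or incomplete assessment leaves the presumption of breach standing.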
500+ Breaches by Type of Breach (as of 5/31/2015)
• Theft: 49%
• Loss: 9%
• Unauthorized Access/Disclosure: 20%
• Hacking/IT: 9%
• Improper Disposal: 4%
• Other: 8%
• Unknown: 1%
500+ Breaches by Location (as of 5/31/2015)
• Paper Records: 22%
• Desktop Computer: 12%
• Laptop: 20%
• Portable Electronic Device: 11%
• Network Server: 13%
• (label not recoverable from the chart): 7%
• EMR: 4%
• Other: 11%
BREACH HIGHLIGHTS
September 2009 through May 31, 2015
• Approximately 1,240 reports involving a breach of PHI affecting 500 or more individuals
– Theft and Loss are 58% of large breaches
– Laptops and other portable storage devices account for 31% of large breaches
– Paper records are 22% of large breaches
• Approximately 173,000+ reports of breaches of PHI affecting fewer than 500 individuals
LESSONS LEARNED
Appropriate Safeguards Prevent Breaches
• Evaluate the risk to ePHI when at rest on removable media, mobile devices and computer hard drives
• Take reasonable and appropriate measures to safeguard ePHI
– Store all ePHI on a network rather than on individual devices
– Encrypt data stored on portable/movable devices & media
– Employ a remote device wipe to remove data when a device is lost or stolen
– Consider appropriate data backup
– Train workforce members on how to effectively safeguard data and report security incidents in a timely manner
COMPLAINTS RECEIVED
RECENT ENFORCEMENT ACTIONS
• Cornell
• Anchorage
• Parkview
• NYP/Columbia
• Concentra
• QCA
• Skagit County
• Adult & Pediatric Dermatology, P.C.
Lessons Learned:
• CEs and BAs must undertake a careful risk analysis to understand the threats and vulnerabilities to individuals’ data, and have appropriate safeguards in place to protect this information.
• Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers’ health data over the Internet.
• Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements.
AUDIT PILOT FINDINGS AND OBSERVATIONS
• Security accounted for 60% of the findings and observations, although it was only 28% of the potential total.
• Providers had a greater proportion of findings & observations (65%) than reflected by their proportion of the total set (53%).
• Smaller entities struggle with all three areas.
AUDIT PHASE 2 APPROACH
• Primarily internally staffed
• Selected entities will receive notification and data requests
• Entities will be asked to identify their business associates and provide their current contact information
• Expect to select business associate audit subjects for first wave from among the BAs identified by covered entities
• Desk audits of selected provisions
• Comprehensive on-site audits as resources allow
• Watch our web site
HIPAA and HIT Policy: New Tech
• HIPAA supports the development of new technologies and delivery models that are transforming patient care.
• Blue Button, Direct: New technologies enable patients to exercise their rights under HIPAA. Patients may access key treatment information quickly, easily and securely.
• Many new types of organizations and entities may capture, use and share data about an individual’s health.
Internet of Things (IoT)
• Data has expanded beyond traditional medical records to encompass genomic, lifestyle, financial, environmental and other information. Much of this health data exists outside HIPAA privacy protections.
• Precision Medicine Initiative, Big Data, Non-CE options
• OCR works closely with ONC, CMS, FTC, FDA
• We all need to identify and address gaps in privacy and security protections for individual health data in consumer-directed health products and services.
Health IT
• The pace of health IT innovation is rapid; with the benefits come new privacy and security challenges.
• External bad actors...
– Hacking and IT incidents in the health care industry are on the rise, and have the potential to affect millions of individuals at a time.
– Theft, particularly of laptops and other mobile devices, is still our most frequently cited cause of a breach.
– Attackers take advantage of longstanding challenges: insufficient risk analyses, lost paper records and unencrypted devices, lax or nonexistent policies and safeguards for information, lack of workforce training and/or failures to ensure employees are following established policies…
Supporting a Learning Health System: Actions
• Foster patient and provider trust in the privacy and integrity of health records and the health care system.
• Addressing and assuring strong privacy and security is essential to support new technologies to improve the delivery of health care and health outcomes.
• OCR tools to advance these important goals:
– strong enforcement to hold CEs and BAs accountable for HIPAA compliance;
– development of balanced policies that take into consideration the many interests at stake;
– effective outreach to ensure consumers are aware of their rights & protections; and
– guidance & technical assistance for the regulated entities so they have the tools they need to comply with the law.
Developers of mHealth and HIT: Guidance Focus
• What privacy and security standards protect data they collect about the health of individuals?
– Who are their clients?
– What services do they provide?
– What information?
• Creating a portal to enable developers & other stakeholders to communicate directly with us about issues, to inform our guidance work
mHealth Developers: at this point, the key message is… the same as for other stakeholders!
• A thorough and up-to-date risk analysis is critical to your security considerations.
• Know the vulnerabilities inherent in the use of your technology, and manage them.
• It is easier to build security protections and privacy functionality in during the design phase than to attempt to jam them in later.
New Guidance: BUSINESS ASSOCIATES
The HIPAA Omnibus Rule: https://www.youtube.com/watch?v=mX-QL9PoePU
PUBLIC OUTREACH INITIATIVES
Consumer Awareness: Your New Rights Under HIPAA - Consumers
https://www.youtube.com/watch?v=3-wV23_E4eQ
Over 262,000 views since September 4, 2013
MOBILE DEVICES
http://www.healthit.gov/mobiledevices
NOTICE OF PRIVACY PRACTICES
http://www.hhs.gov/ocr/privacy/hipaa/modelnotices.html
PUBLIC OUTREACH INITIATIVES
Medscape Resource Center: http://www.medscape.org/sites/advances/patients-rights
What’s Coming from OCR
Expect
• Rulemaking
• Policy guidance
• Portal for health app and IT developers
• Enforcement
• Audit
Quiz Questions?