Future of Healthcare Privacy and Security: Planning for What is Coming Next
William R. “Bill” Braithwaite, MD, PhD, FACMI
Chief Medical Officer
Anakam Inc.
September 18, 2009

Title: This is a Test; Author: Juan Cole; Created Date: 9/14/2009 9:00:07 AM



© 2009 Anakam® Inc. Anakam® Proprietary Information – Multiple Patents Pending


Future for Healthcare

Goal: High quality, cost-effective healthcare.
Means: Clinician/Patient interaction with Clinical Decision Support System (CDSS).
Requires: EHR (with CDSS and HIE) and:
  Interoperability with sources of clinical data and sources of computable rules for best clinical practices.
  Incentives to incorporate into healthcare practice.
  Investigations of systemic failures to allow building systems that detect and prevent errors through feedback at the point of decision making.
  Trust through agreement on standards for interoperable security and privacy (including patient consent).


Most Common Privacy Complaints

The compliance issues investigated by OCR:
  Impermissible use or disclosure of an individual’s identifiable health information.
  Lack of adequate safeguards to protect identifiable health information.
  Refusal or failure to provide the individual with access to or a copy of his/her records.
  Disclosure of more information than is minimally necessary to satisfy a request for information.
  Failure to have the individual’s valid authorization for a disclosure that requires one.


New Privacy Issues

HSA: Banks handling PHI to pay medical expenses.

PHR: Non-Covered Entities handling PHI.

HIE:
  Consent granularity may need to be more than opt-in/opt-out.
  Patient record matching without SSN.

New On-line Services:
  BA chain to off-shore services.
  Marketing banners and pop-ups.

New Law:
  Federal v. State law.
  Regulations.

Rise in Identity Theft: Including Medical Identity Theft.


Most Common Security Complaints

Unauthorized access to EPHI (90%).
  Employees or relatives accessing EPHI.

Loss or theft of devices containing EPHI (10%).
  Small volume of complaints; large volume of records.

Insufficient access controls for systems containing EPHI.
  Shared passwords.
  Lack of encryption.


New Security Risks

Portable devices are being stolen more frequently.
  Portable media must be encrypted.
  Consider “lo-jack” features.

Health information is now a target for identity theft.
  Security must be a dynamic program responding constantly to new risks.

Single factor authentication is inadequate for remote access to sensitive information.

Second factor authentication is now a requirement under CMS guidance and OMB Memoranda.

Challenges:
  Risk of breach increases as amount of information increases.
  HIE aggregates data and risk from many sources.
  Managing new risks, controlling costs, minimizing disruption to habitual workflows, minimizing user time and hassle, meaningful training, …


The American Recovery and Reinvestment Act of 2009 (ARRA)

ARRA signed into Law in February 2009.
Title 13: Health Information Technology for Economic and Clinical Health Act (HITECH).
  Subtitle D: Privacy (Privacy Rule and Security Rule).

Substantive Modifications to the HIPAA Privacy and Security Rules


HITECH Requirements

ONC to update the Federal Health IT Strategic Plan to include specific objectives, milestones, and metrics with respect to:

  Incorporation of privacy and security protections for electronic health information exchange.
  Security methods to ensure appropriate authorization and electronic authentication, and specifying technologies or methodologies for rendering health information unusable, unreadable, or indecipherable.

Secretary shall appoint a Chief Privacy Officer of ONC.
  However, HHS has designated OCR to be in charge of both Security and Privacy Enforcement.


Restrictions, Minimum Necessary

Covered entity must comply with individual’s request for restriction if disclosure:

  (1) is to health plan for payment or health care operations, and
  (2) pertains to item/service for which provider was paid in full “out-of-pocket.”
Effective Date: 2/2010

Covered entity must limit PHI, to extent practicable, to limited data set, or, if necessary, to minimum necessary.

HHS to issue guidance on what constitutes minimum necessary.

Effective Date: 2/2010 but sunsets after guidance issued.


Accounting

Covered entity must include in an accounting any disclosures made through an electronic health record (EHR) for treatment, payment, and health care operations for the three years prior.

HHS to issue regulations on what information shall be collected about such disclosures no later than 6 months after Secretary adopts standards on accounting for TPO disclosures (standards due by 12/2009).

Effective Date: Depends on CE’s adoption of EHR


Sale of Records, Access

Covered entity may not directly or indirectly receive any remuneration in exchange for PHI, unless the individual signed an authorization.

Exceptions for public health, research, treatment, sale of business, business associate activities, individual access, and others as determined by Secretary.

Effective Date: Regulations required within 18 months after enactment; provisions apply 6 months later.

If covered entity uses an EHR, individual has a right to a copy of his PHI in electronic format transmitted to a designated entity.

Effective Date: 2/2010


Marketing, Fundraising

Places additional restrictions on covered entity making certain communications about products or services, where entity receives payment in exchange for communication.

Covered entity’s fundraising communications must provide clear opportunity for individual to opt out of future communications.

Effective Date: 2/2010


Education on Health Information Privacy

OCR Health Information Education Initiative.
Secretary to appoint Regional Office Privacy Advisors.

OCR shall develop and maintain multi-faceted national education initiative to enhance public transparency regarding the uses of PHI:
  programs to educate individuals re uses of PHI;
  effects of uses & individual rights re uses;
  variety of languages, clear & understandable manner.

Statutory Deadline: 2/2010


Guidance

Section 13402: HHS must issue guidance on “unsecured protected health information.”

Published: 4/17/2009

Section 13424: HHS must issue guidance on de-identification.

Statutory Deadline: 2/2010

Section 13405: HHS must issue guidance on minimum necessary.

Statutory Deadline: 8/2010


Studies and Reports

Annual report on compliance to Senate HELP Committee and House Ways and Means and Energy and Commerce Committees.
HHS and FTC study on privacy and security requirements for entities not covered, and report findings to Senate HELP Committee and House Ways and Means and Energy and Commerce Committees.
HHS study on “psychotherapy notes.”

Statutory Deadline: 2/2010


Security Standards

The HIT Policy Committee shall recommend … named standards, architectures, and software schemes for the authentication and security of PHI.
HIPAA Security Rule shall apply to a business associate of a covered entity in the same manner as it applies to the covered entity.
HIPAA Civil and Criminal Penalties shall apply to a business associate in the same manner as they apply to a covered entity.
Secretary shall annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the HIPAA security standards.


Breach Notification

A CE that discovers a breach shall notify each individual whose unsecured PHI is reasonably believed to have been accessed, acquired, or disclosed.

Final Rule by HHS issued August 2009.

A BA that discovers a breach of unsecured PHI shall notify the CE.

A vendor of personal health records that discovers a breach of unsecured PHR identifiable health information shall notify each individual whose information was acquired by an unauthorized person, and notify the Federal Trade Commission.

Final Rule by FTC issued August 2009.


HIE, eRx, and PHR Services are BAs

New entities are Business Associates:
  Health Information Exchange.
  Regional Health Information Organization.
  ePrescribing Gateway.
  Vendor of personal health record that contracts with a covered entity to allow that covered entity to offer a PHR to patients as part of its EHR.


Improved Enforcement

Secretary shall formally investigate if a preliminary investigation indicates violation is due to willful neglect.

Secretary is required to impose a penalty in such cases.

Tiered penalties increase up to $50,000 (maximum $1,500,000).

Any monetary settlement related to privacy or security shall be transferred to OCR to be used for purposes of enforcement.

An individual who is harmed by an offense may receive a percentage of any civil monetary penalty or monetary settlement.

A State attorney general may bring a civil action in a district court to enjoin further violation or to obtain damages.

The Secretary shall provide for periodic audits to ensure that covered entities and business associates comply with requirements.


Clarification Of Wrongful Disclosures Criminal Penalties

Contrary to DOJ opinion that only covered entities may be prosecuted under HIPAA’s criminal penalties clause, HITECH says –

A person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the individual obtained or disclosed such information without authorization.


Onsite HIPAA Security Compliance Reviews

Compliance reviews have revealed several key areas of vulnerability, including:
  Lack of encryption for portable devices and media.
  Lack of verification of role-based access privileges.

Reviews have resulted in CAPs that include:
  Policies and procedures for remote use/access.
  Designation of internal security audit personnel.


OIG Security Audit Initiative

Objective is to determine if certain covered entities have implemented measures in accordance with provisions of the HIPAA Security Rule.

The OIG review of Piedmont Hospital highlighted issues related to:
  Technical safeguard vulnerabilities for wireless communications.
  Vulnerabilities involving physical access to electronic information systems and the facilities.
  Administrative safeguard vulnerability related to business associate contracts.


Effect on HIPAA transactions

May not transmit to health plan if patient has asked for restriction and paid out-of-pocket.

Must meet encryption standards for data at rest and in motion, or breaches will require notifications of all patients involved.
  Regulation issued by ONC and FTC in August 2009.

Must be accounted for as disclosures for TPO when sent from an EHR.

Clearinghouses (as BAs) must implement HIPAA full Privacy and Security Rules (and penalties).


Federal Agency Interactions with Private Sector

Federal agencies are required to follow all the controls of FISMA, while the private sector largely follows HIPAA.

Differences in practices and policies create a barrier for HIE.

Federal agencies want assurance that information will be protected once outside their control.
  Expect Guidance on what compensating controls are required in addition to basic HIPAA security.
  Expect Federal implementation of security services necessary to provide a voluntary, cost-effective pathway for private entities to meet Guidance requirements.
  Expect requirement to comply with final Guidance as a condition of participation in the NHIN.


Expectations for Future

Privacy and security rules, guidance, and practices will evolve to give individuals more granular control over who can use and disclose their PHI.

Technology to enable more secure access and more granular patient controls will become more available and cost-effective:
  Identity management (Remote ID Proofing and Strong Authentication methods).
  Patient Privacy Directive access controls.

Expect significant Federal Guidance and Requirements to implement reasonable and appropriate protections to keep up with increasing risks.


Questions?

William R. “Bill” Braithwaite, MD, PhD, FACMI Chief Medical Officer

Anakam [email protected]

Large-Scale, Cost-Effective, Authentication and Identity Management Solutions