Future of Healthcare Privacy and Security:
Planning for What is Coming Next
William R. “Bill” Braithwaite, MD, PhD, FACMI, Chief Medical Officer
Anakam Inc., September 18, 2009
© 2009 Anakam® Inc.Anakam® Proprietary Information – Multiple Patents Pending
Future for Healthcare
Goal: High quality, cost-effective healthcare.
Means: Clinician/Patient interaction with Clinical Decision Support System (CDSS).
Requires: EHR (with CDSS and HIE) and:
Interoperability with sources of clinical data and sources of computable rules for best clinical practices.
Incentives to incorporate into healthcare practice.
Investigations of systemic failures to allow building systems that detect and prevent errors through feedback at the point of decision making.
Trust through agreement on standards for interoperable security and privacy (including patient consent).
Most Common Privacy Complaints
The compliance issues investigated by OCR:
Impermissible use or disclosure of an individual’s identifiable health information.
Lack of adequate safeguards to protect identifiable health information.
Refusal or failure to provide the individual with access to or a copy of his/her records.
Disclosure of more information than is minimally necessary to satisfy a request for information.
Failure to have the individual’s valid authorization for a disclosure that requires one.
New Privacy Issues
HSA: Banks handling PHI to pay medical expenses.
PHR: Non-covered entities handling PHI.
HIE: Consent granularity may need to be more than opt-in/opt-out. Patient record matching without SSN.
New on-line services: BA chain to off-shore services. Marketing banners and pop-ups.
New law: Federal v. State law. Regulations.
Rise in identity theft, including medical identity theft.
Most Common Security Complaints
Unauthorized access to EPHI (90%). Employees or relatives accessing EPHI.
Loss or theft of devices containing EPHI (10%). Small volume of complaints; large volume of records.
Insufficient access controls for systems containing EPHI.
Shared passwords.
Lack of encryption.
New Security Risks
Portable devices are being stolen more frequently. Portable media must be encrypted. Consider “lo-jack” features.
Health information is now a target for identity theft. Security must be a dynamic program responding constantly to new risks.
Single factor authentication is inadequate for remote access to sensitive information.
Second factor authentication is now a requirement under CMS guidance and OMB Memoranda.
Challenges:
Risk of breach increases as amount of information increases.
HIE aggregates data and risk from many sources.
Managing new risks, controlling costs, minimizing disruption to habitual workflows, minimizing user time and hassle, meaningful training, …
The American Recovery and Reinvestment Act of 2009 (ARRA)
ARRA signed into law in February 2009.
Title 13: Health Information Technology for Economic and Clinical Health Act (HITECH).
Subtitle D: Privacy (Privacy Rule and Security Rule).
Substantive Modifications to the HIPAA Privacy and Security Rules
HITECH Requirements
ONC to update the Federal Health IT Strategic Plan to include specific objectives, milestones, and metrics with respect to:
Incorporation of privacy and security protections for electronic health information exchange.
Security methods to ensure appropriate authorization and electronic authentication, and specifying technologies or methodologies for rendering health information unusable, unreadable, or indecipherable.
Secretary shall appoint a Chief Privacy Officer of ONC. However, HHS has designated OCR to be in charge of both Security and Privacy Enforcement.
Restrictions, Minimum Necessary
Covered entity must comply with individual’s request for restriction if disclosure:
(1) is to health plan for payment or health care operations and (2) pertains to item/service for which provider was paid in full “out-of-pocket.”
Effective Date: 2/2010
Covered entity must limit PHI, to extent practicable, to limited data set, or, if necessary, to minimum necessary.
HHS to issue guidance on what constitutes minimum necessary.
Effective Date: 2/2010 but sunsets after guidance issued.
Accounting
Covered entity must include in an accounting any disclosures made through an electronic health record (EHR) for treatment, payment, and health care operations for the three years prior.
HHS to issue regulations on what information shall be collected about such disclosures no later than 6 months after Secretary adopts standards on accounting for TPO disclosures (standards due by 12/2009).
Effective Date: Depends on CE’s adoption of EHR
Sale of Records, Access
Covered entity may not directly or indirectly receive any remuneration in exchange for PHI, unless the individual signed an authorization.
Exceptions for public health, research, treatment, sale of business, business associate activities, individual access, and others as determined by Secretary.
Effective Date: Regulations required within 18 months after enactment; provisions apply 6 months later.
If covered entity uses an EHR, individual has a right to a copy of his PHI in electronic format transmitted to a designated entity.
Effective Date: 2/2010
Marketing, Fundraising
Places additional restrictions on covered entity making certain communications about products or services, where entity receives payment in exchange for communication.
Covered entity’s fundraising communications must provide clear opportunity for individual to opt out of future communications.
Effective Date: 2/2010
Education on Health Information Privacy
OCR Health Information Education Initiative. Secretary to appoint Regional Office Privacy Advisors.
OCR shall develop and maintain a multi-faceted national education initiative to enhance public transparency regarding the uses of PHI:
Programs to educate individuals re uses of PHI.
Effects of uses & individual rights re uses.
Variety of languages, clear & understandable manner.
Statutory Deadline: 2/2010
Guidance
Section 13402: HHS must issue guidance on “unsecured protected health information.”
Published: 4/17/2009
Section 13424: HHS must issue guidance on de-identification.
Statutory Deadline: 2/2010
Section 13405: HHS must issue guidance on minimum necessary.
Statutory Deadline: 8/2010
Studies and Reports
Annual report on compliance to Senate HELP Committee and House Ways and Means and Energy and Commerce Committees.
HHS and FTC study on privacy and security requirements for entities not covered and report findings to Senate HELP Committee and House Ways and Means and Energy and Commerce Committees.
HHS study on “psychotherapy notes.”
Statutory Deadline: 2/2010
Security Standards
The HIT Policy Committee shall recommend … named standards, architectures, and software schemes for the authentication and security of PHI.
HIPAA Security Rule shall apply to a business associate of a covered entity in the same manner as it applies to the covered entity.
HIPAA Civil and Criminal Penalties shall apply to a business associate in the same manner as they apply to a covered entity.
Secretary shall annually issue guidance on the most effective and appropriate technical safeguards for use in carrying out the HIPAA security standards.
Breach Notification
A CE that discovers a breach shall notify each individual whose unsecured PHI is reasonably believed to have been accessed, acquired, or disclosed.
Final Rule by HHS issued August 2009.
A BA that discovers a breach of unsecured PHI shall notify the CE.
A vendor of personal health records that discovers a breach of unsecured PHR identifiable health information shall notify each individual whose information was acquired by an unauthorized person, and notify the Federal Trade Commission.
Final Rule by FTC issued August 2009.
HIE, eRx, and PHR Services are BAs
New entities are Business Associates:
Health Information Exchange.
Regional Health Information Organization.
ePrescribing Gateway.
Vendor of personal health record that contracts with a covered entity to allow that covered entity to offer a PHR to patients as part of its EHR.
Improved Enforcement
Secretary shall formally investigate if a preliminary investigation indicates violation is due to willful neglect.
Secretary is required to impose a penalty in such cases.
Tiered penalties increase up to $50,000 (maximum $1,500,000).
Any monetary settlement related to privacy or security shall be transferred to OCR to be used for purposes of enforcement.
An individual who is harmed by an offense may receive a percentage of any civil monetary penalty or monetary settlement.
A State attorney general may bring a civil action in a district court to enjoin further violation or to obtain damages.
The Secretary shall provide for periodic audits to ensure that covered entities and business associates comply with requirements.
Clarification Of Wrongful Disclosures Criminal Penalties
Contrary to DOJ opinion that only covered entities may be prosecuted under HIPAA’s criminal penalties clause, HITECH says:
A person (including an employee or other individual) shall be considered to have obtained or disclosed individually identifiable health information in violation of this part if the individual obtained or disclosed such information without authorization.
Onsite HIPAA Security Compliance Reviews
Compliance reviews have revealed several key areas of vulnerability, including:
Lack of encryption for portable devices and media.
Lack of verification of role-based access privileges.
Reviews have resulted in CAPs that include:
Policies and procedures for remote use/access.
Designation of internal security audit personnel.
OIG Security Audit Initiative
Objective is to determine if certain covered entities have implemented measures in accordance with provisions of the HIPAA Security Rule.
The OIG review of Piedmont Hospital highlighted issues related to:
Technical safeguard vulnerabilities for wireless communications.
Vulnerabilities involving physical access to electronic information systems and the facilities.
Administrative safeguard vulnerability related to business associate contracts.
Effect on HIPAA transactions
May not transmit to health plan if patient has asked for restriction and paid out-of-pocket.
Must meet encryption standards for data at rest and in motion, or breaches will require notifications of all patients involved.
Regulation issued by ONC and FTC in August 2009.
Must be accounted for as disclosures for TPO when sent from an EHR.
Clearinghouses (as BAs) must implement HIPAA full Privacy and Security Rules (and penalties).
Federal Agency Interactions with Private Sector
Federal agencies are required to follow all the controls of FISMA, while the private sector largely follows HIPAA.
Differences in practices and policies create a barrier for HIE. Federal agencies want assurance that information will be protected once outside their control.
Expect Guidance on what compensating controls are required in addition to basic HIPAA security.
Expect Federal implementation of security services necessary to provide a voluntary, cost-effective pathway for private entities to meet Guidance requirements.
Expect requirement to comply with final Guidance as a condition of participation in the NHIN.
Expectations for Future
Privacy and security rules, guidance, and practices will evolve to give individuals more granular control over who can use and disclose their PHI.
Technology to enable more secure access and more granular patient controls will become more available and cost-effective:
Identity management (Remote ID Proofing and Strong Authentication methods).
Patient Privacy Directive access controls.
Expect significant Federal Guidance and Requirements to implement reasonable and appropriate protections to keep up with increasing risks.
Questions?
William R. “Bill” Braithwaite, MD, PhD, FACMI Chief Medical Officer
Anakam [email protected]
Large-Scale, Cost-Effective, Authentication and Identity Management Solutions