HIPAA Privacy and Security and Research

Transcription

1 ICTS Brown Bag Seminar Successful Completion: Participants must complete an evaluation form to receive a certificate of completion Contact Hours: 1 contact hours is available to those who meet the successful completion requirements Sponsorship & Commercial Support: This activity has received no sponsorship or commercial support Conflict of Interest: No conflicts of interest were identified Non-Endorsement: Accreditation approval refers only to MONAs continuing education activities and does not imply MONA or ANCC Commission on Accreditation endorsement of any commercial products Off Label Use: There will be no discussion of uses of products other than what is approved by the FDA. Expiration: Contact Hours expire on November 17, 2013 HIPAA Privacy and Security and Research 1

2 RIPPED FROM THE HEADLINES! UCLA Health Systems Settles Potential HIPAA Privacy and Security Violations $865,000 fine Corrective Action Plan Related to inappropriate medical record access Massachusetts General Hospital $1 million fines Corrective Action Plan Related to loss of PHI of 192 patients How does HIPAA impact YOU? Understand exposure to PHI Appropriate Access is granted Protect PHI Transport of PHI Understand how you can share PHI Report any suspected problems where you are working 2

3 PENDING LEGISLATION Pending Legislation Senate S3742: Data Security & Breach Notification Act: S1490: Personal Data Privacy & Security Act: S3789: Social Security Number Protection Act House of Representatives HR5108: Cyber Privacy Law HR3306: Social Security Number Privacy & Identity Theft Protection Act 3

4 HIPAA & Research What s New? Advanced Notice of Proposed Rulemaking Potential Changes to Accounting Rules More HITECH Consents for research Data Breaches Encryption Policy Common Rule: ANPRM Potential Privacy Changes Human Subjects Research Protections: Enhancing Protections ti for Research Subjects and Reducing Burden, Delay, and Ambiguity for Investigators, published July 26, 2011 Jointly issued by the Office of the Secretary, HHS, and FDA Only a proposal at this time If changes accepted, implementation still a year or more away 4

5 ANPRM Potential Privacy Changes Aligning standards on what constitutes individually identifiable information, limited data sets, and de-identified data with HIPAA Biospecimens may be determined to be individually identifiable information due to advances in genomics Establishing data security, information protection, and data breach notification standards similar to HIPAA Eliminating IRB responsibility to determine adequate provisions to protect privacy of subjects and confidentiality of data. HITECH: Accounting for Disclosures HIPAA Privacy Rule Accounting for Disclosures Under the Health Information Technology for Economic and Clinical Health Act; Proposed Rule, published May 31, 2011 contains provisions that, if enacted, will: Eliminate accountings for research disclosures Require access reports for electronic designated record sets, including access for research purposes, which would: Go back 3 years Include the following information: Date and time of access Name of person or in unavailable, entity making access Description of information access, if available Description of action by user, if available 5

6 HITECH (cont.) Proposal to amend (b)(3)(i) and (iii) to allow a covered entity to combine conditioned and unconditioned research components, such as a treatment-related study and tissue banking. Request for comments on whether to permit an authorization to be not research-study specific, i.e., combine current and future research BREACH NOTIFICATION 6

7 Data Breaches Research data subject to Breach Notification rule Research data may also include state regulated personally identifiable information (PII) and be subject to state data breach notification as well WUSM has a cyber-risk risk policy in place with Beasley in the event we have a breach of data State laws California was 1 st state to create data breach law in 2003 In less than 5 years, 44 additional states adopt breach laws Currently only Alabama, Kentucky, Mississippi, New Mexico and South Dakota do not have statutes specifically addressing data security incidents 7

8 Breach HITECH Definitions Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information. For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual. Breach Excludes Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part. 8

9 Breach Excludes Any inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same CE or business associate, or organized health care arrangement in which the covered entity participates, and the information received is not further used or disclosed in a manner not permitted under Subpart E of this part. Breach Excludes A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information. 9

10 Encryption Only safe harbor under both federal and state Breach Notification laws Encryption is the process of rendering data unusable, unreadable, or indecipherable to unauthorized individuals through the use of technology. Encryption Policy Covers data at rest and data in motion Requires all hard drives that store PHI to be encrypted. All mobile devices (e.g., laptops, smart phones, ipads, flash drives) that are used to transport or store PHI must be encrypted. attachments containing PHI must be encrypted. 10

11 ISSUES AND TRENDS Local Issues Unsecured and/or Loss of ephi Misplaced Flash Drives Lost and/or Stolen Devices Unmarked box of PHI for shredding thrown away by housekeeping Unauthorized Access of ephi Using clinical systems for personal use versus business need PHI mistakenly posted on Facebook Unauthorized Disclosure of PHI Discussion of patient s history in public area in front of other patients This is just from January 2, 2012 to today 11

12 OCR Enforcement Activities Added auditing staff Training for States Attorneys General in April 2011 Audits began 11/ CE s will be audited within the next 12 months Upcoming Audits KPMG will perform approximately 150 audits Have started pilot audits (20) to develop an audit protocol First proactive compliance effort under the Privacy Rule Largest proactive compliance effort under the Security Rule Ends December 31, 2012 Mostly CE s of varying size/scope General compliance (rather than specific issues) 12

13 IRB Trends Information Security IRB will ask for a security review in these situations Requesting Social Security Number Storing ephi on workstations, ti laptops or mobile media Transmitting ephi Skype or Text Messages Surveys (SurveyMonkey, Survey Gizmo) Collect or store information on non-wash U system Social Media (Facebook) Use of Social Security Number External National Death Index CDC NDI Social Security Administration i ti Online Death Index Portal National Center for Health Statistics NDI Vendor Care Evolution Internal Use transplant patient s SSN to get information from Surgical Pathology. 13

14 Data Sets Identifiable Medical Information with any of the following patient name, date of birth, dates of service, MRN, Invoice numbers, SSN, address, address, facial photos or other identifying photos or numbers Limited Medical Information can include date of birth, dates of service and/or zipcode De-Identified All identifiers removed Storing ephi Workstations/Servers in Labs Laptops USB Flash and Mass Storage Drives Smart Phones Cameras, Video Recorders and Voice Recorders ipads TIP #1: If only using de-identified data note that in bold on your study submission TIP #2: If ephi is in password protected office document or stored on a WUSM Approved encrypted device note that in the security/privacy section 14

15 Skype or Text Messages Approved Reminders to take medications Custom Droid Survey that t stores no information on phone for Bi-Polar Patients Denied Asked about sex habits or specific health questions Transmitting ephi WUSTL Dropbox Password protect and encrypt attachments in s Multi-Center Trials specific instructions 15

16 External Systems Surveys SurveyMonkey, Survey Gizmo (approved if ask no identifying questions) Public Sites Healthmunk, SparkPeople (Nutrition and Healthy Habits) Sponsored Pfizer Social Media Facebook Informational only Hide Friends and who likes site Review of Security and Privacy Controls Contact Information Mike Caputo Kevin Hardcastle Sondra Hornsey Report Incidents to Security Questions to Privacy Questions to 16

17 Questions? 17