Office of Statewide Health Planning and Development. Initial Statement Of Reasons

Similar documents
NOTICE OF PROPOSED CHANGES TO PLUMBING STANDARDS OF THE DIVISION OF THE STATE ARCHITECT ACCESS COMPLIANCE (DSA-AC)

S.129. An act relating to containing health care costs by decreasing variability in health care spending and utilization

Copyright Telerad Tech RADSpa. HIPAA Compliance

Spreed Keeps Online Meetings Secure. Online meeting controls and security mechanism.

Online Bill Payment and Presentment Quick Start Guide. By Paul A. Murphy Author of Banking Online for Dummies

Securing the Cloud Infrastructure

sections 201 and 206 of the Public Health Law and sections 363-a and 365-a(2) of the Social

SchoolFront.com Privacy & Security

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Program, you consent to the data practices described in this Privacy Policy.

ESSB H AMD TO APP COMM AMD (H /13) 388 By Representative Taylor FAILED 04/12/2013

WISHIN Pulse Statement on Privacy, Security and HIPAA Compliance

CHAPTER Section 34 of P.L.1970, c.226 (C.24:21-34) is amended to read as follows:

FINAL STATEMENT OF REASONS FOR THE AMENDMENT OF RULES UNDER THE CORPORATE SECURITIES LAW OF 1968

(1) regulate the storage, retention, transmission, and security measures for credit card, debit card, and other payment-related data;

Public Act No

NURSING HOME PENALTY CASH FUND

Privacy Legislation and Industry Security Standards

INSTITUTE FOR SAFE MEDICATION PRACTICES CANADA

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

Minnesota Board of Behavioral Health and Therapy

BACKGROUND CHECKS FOR STUDENT CLINICAL PLACEMENT

Information Security Awareness Training Gramm-Leach-Bliley Act (GLB Act)

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

118 MISSISSIPPI HEALTHCARE DATA REGISTRY SYSTEM REPORTING REQUIREMENTS AND PROCEDURES

Privacy Law Basics and Best Practices

My Docs Online HIPAA Compliance

Online Bill Payment and Presentment Quick Start Guide

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

ARTICLE 11. STATE ENVIRONMENTAL POLICY

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

Department of Behavioral Healthcare, Developmental Disabilities and Hospitals

A Bill Regular Session, 2015 SENATE BILL 133

Secure Client Guide

Website Privacy & Security Policy

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

REGULATORY IMPACT STATEMENT and COST-BENEFIT ANALYSIS PART 1: INTRODUCTION

DOCUMENT RETENTION STRATEGIES FOR HEALTHCARE ORGANIZATIONS

BlueYield, Inc. Vehicle Loan Application Disclosures

Chief Clerk of the Assembly. Secretary of the Senate. Private Secretary of the Governor

SENATE BILL No Introduced by Senator Ducheny. February 25, 2009

New California Legislation Mandates Paid Sick Days for Employees.

Federal Trade Commission Privacy Impact Assessment

STATE OF CALIFORNIA DEPARTMENT OF INSURANCE 300 Capitol Mall, 17 th Floor Sacramento, CA 95814

Understanding Digital Certificates and Secure Sockets Layer (SSL)

State of California Health and Human Services Agency Department of Health Care Services

PLLC NOTICE OF PRIVACY PRACTICES

Frequently Asked Questions About MyBrowardHealth

Regulatory Analysis Form (1) Agency

Management and Storage of Sensitive Information UH Information Security Team (InfoSec)

REGULATORY IMPACT STATEMENT and COST-BENEFIT ANALYSIS PART 1: INTRODUCTION

STATE OF NORTH CAROLINA DEPARTMENT OF TRANSPORTATION DIVISION OF MOTOR VEHICLES

Secretary Sibelius and Assistant Secretary of Aging Kathy Greenlee.

Privacy policy. 1. Collecting Information We may collect Personal Data about you from a number of sources, including the following:

Approval and Promulgation of Implementation Plans; State of. Kansas; Infrastructure SIP Requirements for the 2008 Ozone

Three attacks in SSL protocol and their solutions

Compliance with False Claims Act

WEBSITE PRIVACY POLICY. Last modified 10/20/11

Cisco SSL Encryption Utility

NOTICES OF PROPOSED RULEMAKING

Title 56 Insurance Chapter 2 Insurance Companies Part 1 General Requirements for Doing Business. Tenn. Code Ann (2014)

PCI DSS COMPLIANCE DATA

How Regulations Affect Coding and Documentation

Community-Wide EHR Data and Patient Referrals A Legal Perspective

Health Claims Data Collection, Processing & Public Transparency

SENATE ENROLLED ACT No. 157

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Secur User Guide

Legislative Policy: Health Insurance M-56 1 of 5. Purpose

REPORTING REQUIREMENTS

Protecting Client Data and Maintaining Compliance in an Emerging SaaS World Eight Critical Questions to Consider with SaaS Vendors

Chief Privacy Officer Christian Brothers Services 1205 Windham Parkway Romeoville, IL

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

Internet File Management & HIPAA A Practical Approach towards Responding to the Privacy Regulation of the Act

Privacy Policy Version 1.0, 1 st of May 2016

Senate Bill No. 962 CHAPTER 517

Janet LaBreck U. S. Department of Education 400 Maryland Avenue SW Room 5086 Potomac Center Plaza (PCP) Washington, D.C

South Dakota Parental Rights and Procedural Safeguards

THE FAIR CREDIT REPORTING ACT RECENT (AND PENDING) DEVELOPMENTS. By Kevin G. Fitzgerald 1 FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003

Assembly Bill No. 5 CHAPTER 5

Accreditation of General Hospitals and Diagnostic and Treatment Centers

HOUSE OF REPRESENTATIVES

Arizona Medical Information Exchange Proof Of Concept. Privacy & Security Policy Manual version 1.0

Notice of Intent Office of Technology Services. OTS Consolidation (LAC 4: XV. 101, 301, 303, 501, 503, 701)

SECTION 1: INTRODUCTION

State of California Health and Human Services Agency California Department of Public Health AFL REVISION NOTICE

WEIGHTS AND MEASURES AND PETROLEUM PRODUCTS JANUARY 2015

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

STATE OF CALIFORNIA DEPARTMENT OF INDUSTRIAL RELATIONS Division of Workers Compensation NOTICE OF PROPOSED RULEMAKING

Quality & Compliance Challenges

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA initially went into effect April 14, HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.

Secure User Guide

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

Background Information

General Policies and Procedures; Refund claim procedures Proposed Amendment: N.J.A.C. 18:2-5.8

CMP3002 Advanced Web Technology

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Network Security and Data Privacy Insurance for Physician Groups

Transcription:

State of California Health and Human Services Agency Edmund G. Brown Jr., Governor Office of Statewide Health Planning and Development Initial Statement Of Reasons Title 22, California Code of Regulations Sections 97177.15 and 97244 Background Information Hospitals and freestanding ambulatory surgery clinics licensed by the California Department of Public Health are required by law to file certain patient-level information with the Office at specified intervals. Health and Safety Code section 128735, subdivision (g), requires that each hospital file a Hospital Discharge Abstract Data Record for each patient discharged from the hospital. Health and Safety Code section 128736 requires that each hospital file an Emergency Care Data Record for each patient encounter in a hospital emergency department, and Health and Safety Code section 128737 requires that each general acute hospital and licensed freestanding ambulatory surgery center file an Ambulatory Surgery Data Record for each patient encounter during which at least one ambulatory surgery procedure is performed. These three programs are often referred to as the patient data programs. In addition, Health and Safety Code section 128745, subdivision (c), requires that each hospital at which Coronary Artery Bypass Graft (CABG) surgery is performed file a patient data record for each patient on whom CABG surgery is performed. This specific program is referred to as the California CABG Outcomes Reporting Program (CCORP), as the data are used to produce reports on outcomes of care. Each of the patient data records reported to the Office in these four programs includes a set of data elements that are specified in statute and/or regulation. The data records include individually identifiable medical information. The patient records are submitted to the Office electronically. The patient data programs use the MIRCal system for online reporting (22 CCR 97212) and the CABG program uses the CORC system for online reporting (22 CCR 97170). The Office many years ago also adopted regulations that specify the method of electronic data submission

Page 2 using these systems - Title 22, CCR, 97244 for MIRCal and Title 22, CCR, 97177.15 for CORC. Until the emergency regulations went into effect, February 9, 2015, each of these sections specified use of a Microsoft Internet Explorer web browser that supports a secure Internet connection utilizing HTTPS and Secure Socket Layer (SSL) technology, an encryption technology. Problem Statement SSL technology has become outdated and has been found to have security vulnerability. On January 8, 2015, the Office received a notice from the Department of Technology that in order to fully remediate the SSL security vulnerability, OTech would completely disable SSL. All OTech client departments, including the Office, will be required to instead use the replacement encryption technology, Transport Layer Security (TLS), which is now standard. This remediation began February 13, 2015. To deal with the security vulnerability, with the attendant risk to patient privacy, the Office needed to delete the outdated requirements to use SSL. Purpose and Benefits of this Regulatory Action The Health and Safety Code provisions requiring that patient data be reported to the Office also require that the Office protect patients rights of confidentiality. In light of these specific provisions, as well as the California Information Practices Act of 1977 (Civil Code section 1798 et seq.), the Office must at all times insure that the systems used to collect and store confidential patient information are secure consistent with current technological capabilities and healthcare industry practice. The Office is proposing to permanently amend the two regulatory sections that require use of SSL encryption technology in order to avoid mandating use of an outdated technology with security vulnerabilities by facilities that are reporting identifiable patient medical information to the Office. The amended regulations provide greater protection of data confidentiality and patient privacy. Specific Purpose of Each Amendment Section 97177.15: The specific proposed regulatory changes to section 97177.15 will delete the regulatory text containing the browser requirements that include SSL. The

Page 3 regulatory text is also modified to require that a Microsoft supported version of Internet Explorer be used; while older versions of Internet Explorer that are no longer supported by Microsoft may only accept SSL, the supported versions of Internet Explorer will accept TLS. In addition to being dangerously outdated, the references to the browser system requirements including SSL are also unnecessary. The current on-line reporting system - CORC - requires the use of data encryption and can be used with SSL, but can also be used with TLS, the more current standard. Because use of the CORC system for on-line reporting is separately mandated in the regulations, and the system requires data encryption, there is no need to list the encryption requirement in section 97177.15. Section 97244: The specific proposed regulatory changes to section 97244 will delete the regulatory text containing the browser requirements that include SSL. The regulatory text is also modified to require that a Microsoft supported version of Internet Explorer be used; while older versions of Internet Explorer that are no longer supported by Microsoft may only accept SSL, the supported versions of Internet Explorer will accept TLS. In addition to being dangerously outdated, the references to the browser system requirements including SSL are also unnecessary. The current on-line reporting system - MIRCal - requires the use of data encryption and can be used with SSL, but can also be used with TLS, the more current standard. Because use of the MIRCal system for on-line reporting is separately mandated in the regulations, and the system requires data encryption, there is no need to list the encryption requirement in section 97244. Necessity It is necessary to amend both Section 97177.15 and Section 97244, the two regulatory sections that require use of SSL technology, in order to avoid mandating use of an outdated technology with security vulnerabilities by facilities that are reporting identifiable patient medical information to the Office. Approximately 16.6 million patient records are transmitted to the Office over the course of each year. These regulatory changes are necessary to prevent a serious security risk to medical privacy that could impact millions of Californians. Exposure of their personal medical information would cause serious harm to the public health, safety, and general welfare.

Page 4 Economic Impact Assessment Repeal of the mandate to use the outdated SSL encryption technology when filing patient data with the Office is not anticipated to impose any new costs on the reporting facilities. Therefore, the Office concludes that this regulatory action will not affect the following: The creation of jobs within the state The elimination of jobs within the state The creation of new businesses within the state The elimination of existing businesses within the state The expansion of businesses currently doing business in the state The benefit to the public is that patient privacy will be more stringently protected. Technical, Theoretical, and Empirical Study, Reports, or Similar Documents Relied Upon The Office did not rely upon any technical, theoretical, and empirical studies, reports, or similar documents in proposing the amendment of these regulations. Reasonable Alternatives The Office has not identified any alternatives to the proposed regulation that would be less burdensome and equally effective in achieving the purpose of the regulation, and no alternatives have otherwise been identified and brought to the attention of the Office. The Office has not identified any reasonable alternatives to the proposed regulatory action, including alternatives that would lessen any adverse impact on small business. There is no anticipated adverse impact on small business. Evidence Supporting Finding of No Significant Adverse Economic Impact on Business The Office has made an initial determination that permanent adoption of the proposed regulations would not have a significant adverse economic impact on business because it is not anticipated to impose any costs on business. Healthcare facilities today all must have the capacity to transmit identifiable patient health information securely, including the use of encryption technology. SSL is outdated technology, and the industry standard is now TLS. In today s healthcare environment, it can reasonably be

presumed that health facilities that transmit data to the Office have the capacity to submit data using the more current TLS standard. The Office must make sure it does not specifically mandate the use of the less secure technology. Page 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information