April 2014
IRB Monthly Investigator Meeting
IRB Monthly Investigator Meeting
HIPAA OMNIBUS: New HIPAA requirements effective September 23, 2013
Office of HIPAA Compliance
April 15, 2014
Omnibus Update
Compliance required by September 23, 2013
Notice of Privacy Practices
  New Notice distributed to Practice Managers 10/11/2013
  http://www.cumc.columbia.edu/hipaa/pdf/notice_of_privacy_practices.pdf
New Patient Rights
  Electronic access to medical records
  Patient out-of-pocket payments / Do not bill health plan
  Fundraising
  Breach Notification
  Authorization for Use of PHI for Sale / Marketing
May 14, 2014 Omnibus HIPAA Update Office of HIPAA Compliance Page 3
Omnibus Update
Business Associate Agreements
  New BAA created April 2013
  Approx. 150 business associates need new BAA by Sept. 23, 2014
  Must not share data without a BAA in place
  Must get BAA if non-workforce member will access PHI
  BAA now required for quality / registries
Revised policies
  Fundraising
  Privacy Program
  Authorization to Disclose Medical Records
Omnibus Update - Research Authorization
The Final Rule provisions discussed above have important implications for research:
The changes concerning compound authorizations will alleviate administrative burdens on clinical trial subjects and researchers and facilitate harmonization with the Common Rule and global requirements for research documentation.
The revised interpretation regarding authorization for future research use will remove barriers on researchers' ability to use data for future research purposes, some of which cannot even be contemplated at the time the data is gathered, but which could hold great promise to advance science and medical care.
The declassification as "PHI" of certain information of decedents over time will ease researchers' ability to perform research using such information.
Business Associates
Claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and pricing.
Signed agreement required to share information outside CUMC (INCLUDING RESEARCH DATA)
Must comply with Minimum Necessary
Must follow terms as established in contract
Must secure data during transmission
Breach Requirements
Definition: An impermissible use or disclosure of protected health information that compromises the security or privacy of PHI
Now includes limited data sets
Requires report to the government
Can include substantial fines and penalties
Examples
  Theft of laptop
  Presentation that includes PHI posted on the internet
  Faxing records to the wrong location
  Disclosing PHI to sponsor
  USB lost in the mail
HITECH Act (ARRA) Breach Notification Rule
New Federal Breach Notification Law, effective Sept 2009
Applies to all electronic unsecured Protected Health Information - encryption required
Requires immediate (60 days) notification to the Federal Government if more than 500 individuals affected
Annual notification if fewer than 500 individuals affected
Requires notification to patients & appropriate remediation
May require notification to a major media outlet and listing on the organization's website
Questions
If a patient (research subject) emails us, do we need to respond with an encrypted (#encrypt) email in our reply?
Exchange account (Outlook)
Do our cumc.columbia.edu accounts allow us to email Gmail accounts, or do we always have to use "#encrypt" to ensure delivery?
Can we access email on a non-encrypted computer (e.g. home desktop)?
Can we access other Columbia sites that require UNI logon from non-encrypted computers?
After the HIPAA training we were asked to attest to not using our UNI as a sign-in for social websites; some non-social websites use an email as the username, e.g. NYP's patient portal. Do we have to remove our columbia.edu emails as user names on all websites or just social ones?
Dear Karen,

On August 1, the CUMC Information Security Office and Office of HIPAA Compliance introduced Sight Training, our new online training system for learning about major changes to HIPAA regulations, updated security requirements, and related Columbia University policies. Sight Training is tailored to address the information security and privacy issues most relevant to our community. All CUMC faculty, staff, and students are required to complete this training.

Sight Training makes the process straightforward and convenient. You may take the courses on any computer; each course should take no more than 30-45 minutes. All courses must be completed by November 1, 2013.

You have been assigned the following courses:
  Security Essentials
  CUMC HIPAA Privacy Rules

Please take the time in the next few days to complete this training. It should take no more than 45 minutes. To access the course(s), go to https://columbia.sighttraining.com/ and log in with your UNI and password.

Failure to complete the training by November 1 may result in:
  A) notification of your departmental administrator
  B) loss of access to clinical systems, such as CROWN, IDX, and WebCIS; or
  C) loss of access to research systems, such as RASCAL
Research Reminders
ENCRYPT EVERYTHING
  #Encrypt
  Laptops
  Desktops
  Home computers
  Student devices
  ANYONE who will have access to your data
Protected Health Information (PHI)
Protected Health Information is any information that:
  is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual
All information, whether maintained in electronic, paper or oral format
HIPAA FORMS REVIEWED AND APPROVED IN RASCAL

FORM Label   | FORM TITLE                 | REVIEW COMMENTS
HIPAA Form A | Authorization for Research | High Volume
HIPAA Form B | Waiver of Authorization    | Significant review time required. *Usually retrospective
HIPAA Form C | Recruitment Waiver         | Rare. Directly approach subject without treatment provider relationship
HIPAA Form D | Preparatory to Research    | Important for NYP Data
HIPAA Form E | Decedent Data              | Not needed unless all subjects are deceased
HIPAA Form F | Data Use Agreement         | Significant review time required. CUMC Data Recipient or Disclosing Data?
HIPAA Form G | De-Identified Data         | De-identified by HIPAA Definition
Research HIPAA FAQ
Waiver of Authorization
  Only for Columbia data
  Do not answer N/A
  Primarily for retrospective data analysis
  State data collection timeframe
Data Use Agreements
  When disclosing data outside of CUMC, must have some form of agreement (DUA, BAA, etc.)
  When receiving data from another organization, must include their agreement within the protocol
De-identified vs. Coded
Coded data
  Data contains an assigned code, so even though the information has been stripped of identifiers, the health information can be linked back to the individual by the research team.
De-identified data
  Stripped data with no code. It cannot be linked back to the subject.
  A re-identification code can be assigned to a de-identified dataset by a covered entity; however, members of the research team may not have access to the means/method of re-identification. If a member of the research team has access to the re-identification key/method, the data is not considered to be de-identified.
18 identifiers as defined by the HIPAA Privacy Rule:
1. Name
2. Geographic Location (including city, state, zip)
3. Elements of Dates
4. Telephone Number
5. Fax Number
6. E-mail Address
7. Social Security Number
8. Medical Record or Prescription Numbers
9. Health Plan Beneficiary Number
10. Account Number
11. Certificate/License Number
12. VIN and Serial Numbers, License Plate Number
13. Device identifiers, serial numbers
14. Web URLs
15. IP Address Numbers
16. Biometric Identifiers (fingerprints)
17. Full face, comparable photo images
18. Unique Identifying numbers (e.g. CODED DATA)
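As an added example (not code from these slides or from the Office of HIPAA Compliance), the script below puts the two preceding slides to work: it scans a set of constructed sample records for the identifier categories that have a recognizable text shape (SSN, e-mail, phone/fax, URL, IP address, dates, MRN, ZIP), then produces a coded copy in which the direct-identifier fields are replaced by a subject code and the originals are kept in a separate key. The regular expressions, the field names, the record layout and the sample data are all assumptions made for illustration; names, biometrics and photographs have no regular text shape and are deliberately not covered.

```python
"""Scan research records for pattern-detectable HIPAA Safe Harbor identifiers,
then produce a coded copy whose re-identification key is held separately.
Added example; not code from the CUMC slides. All records are constructed."""
import re
import secrets
from typing import Callable, Dict, List, Tuple

Record = Dict[str, str]

# Identifier categories from the 18-item list that have a recognizable text
# shape. Names, biometrics and photos have no regular form and need other
# controls (field allow-listing, manual review), so they are not here.
# Patterns are illustrative approximations, not a certified detector.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone/fax": re.compile(r"(?:\(\d{3}\)\s*|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "URL": re.compile(r"\bhttps?://\S+"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b|\b\d{4}-\d{2}-\d{2}\b"),
    "MRN": re.compile(r"\bMRN[ #:]*\d{5,}\b", re.IGNORECASE),
    "ZIP": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

# Assumed field names that carry direct identifiers; removed when data is coded.
DIRECT_IDENTIFIER_FIELDS = ("name", "mrn", "contact", "zip", "visit")

# Constructed sample records (no real patients).
SAMPLE_RECORDS: List[Record] = [
    {"name": "Jane Doe", "mrn": "MRN 7654321",
     "contact": "j.doe@example.com, (212) 555-0143",
     "zip": "10032", "visit": "03/15/2013",
     "note": "Follow-up BP 130/85, A1c 6.9"},
    {"name": "John Roe", "mrn": "MRN 1122334",
     "contact": "212-555-0199",
     "zip": "10027", "visit": "2013-09-23",
     "note": "Portal login from 10.32.4.17"},
]


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return {category: [matched strings]} for every pattern found in text."""
    hits: Dict[str, List[str]] = {}
    for category, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def scan_records(records: List[Record]) -> Dict[int, Dict[str, List[str]]]:
    """Scan every field of every record; the result is keyed by record index."""
    report: Dict[int, Dict[str, List[str]]] = {}
    for idx, rec in enumerate(records):
        rec_hits: Dict[str, List[str]] = {}
        for value in rec.values():
            for category, matches in find_identifiers(str(value)).items():
                rec_hits.setdefault(category, []).extend(matches)
        if rec_hits:
            report[idx] = rec_hits
    return report


def code_dataset(records: List[Record],
                 new_code: Callable[[], str] = lambda: secrets.token_hex(4)
                 ) -> Tuple[List[Record], Dict[str, Record]]:
    """Replace direct-identifier fields with a random subject code.

    Returns (coded_records, key). The key maps code -> removed identifiers.
    While anyone on the research team can reach the key the dataset is
    "coded", not de-identified; the code itself is identifier #18."""
    coded: List[Record] = []
    key: Dict[str, Record] = {}
    for rec in records:
        code = new_code()
        key[code] = {f: rec[f] for f in DIRECT_IDENTIFIER_FIELDS if f in rec}
        stripped = {f: v for f, v in rec.items() if f not in DIRECT_IDENTIFIER_FIELDS}
        coded.append({"subject_code": code, **stripped})
    return coded, key


if __name__ == "__main__":
    print("Before coding:", scan_records(SAMPLE_RECORDS))
    coded, key = code_dataset(SAMPLE_RECORDS)
    # Stripping fields does not clean free text: the IP address in the
    # second note survives, so the coded copy still needs review.
    print("After coding:", scan_records(coded))
    print("Key (store outside the research team's reach):", key)
```

Running the script shows the point of the coded-versus-de-identified slide: after coding, the structured identifier fields are gone, but the free-text note still carries an IP address (identifier 15), and the key that maps codes back to identifiers exists, so the dataset is coded rather than de-identified until the key is held by someone outside the research team and the free text has been cleaned.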
HIPAA Privacy Program Elements
http://privacyruleandresearch.nih.gov/
http://www.cumc.columbia.edu/hipaa/
https://secure.cumc.columbia.edu/cumcit/secure/security/
See website for policies and procedures
See website for HIPAA forms
See website for educational material
All staff are required to complete HIPAA Privacy & IT Security education
Contact the Privacy Officer for questions or reports: HIPAA@columbia.edu or (212) 305-7315
Contact the Information Security Officer for questions about HIPAA Information Security
Karen Pagliaro-Meyer
Privacy Officer
kpagliaro@columbia.edu
HIPAA@columbia.edu
(212) 305-7315