Welcome! [web.stanford.edu] · What is HIPAA Security Rule? What is “Consent” in healthcare?...


Page 1: Welcome! [web.stanford.edu] · What is HIPAA Security Rule? What is “Consent” in healthcare? Consequences of a HIPAA Violation or Breach ... the Office of Civil Rights (OCR)

CS342/MED253 Building for Digital Health

Lecture 1B: What makes health apps different?

Oliver Aalami, Mike Hittle

Fall 2019

https://cs342.stanford.edu

cs342-aut1920.slack.com

Welcome!

Page 2:

Submit your project preferences by tomorrow Sep 27

Page 3:

Deliverables

● Download & set up Xcode 10.3 on your machine. If you are new to iOS, follow the Build a Basic UI tutorial.

● Submit a screenshot of your running project via Canvas by our next class (Oct 1st).

● Send us your GitHub username: [link in website]

Page 4:

Page 5:

Overview for today

● What is HIPAA?
● What is a Covered Entity?
● What is a Business Associate?
● What is PHI?
● What is HIPAA Security Rule?
● What is “Consent” in healthcare?
● Consequences of a HIPAA Violation or Breach
● What is a DRA?
● Navigating privacy and compliance at Stanford
● 2 Case Studies - StrokeCoach (non-PHI) and STREAM (PHI)

Page 6:

What is HIPAA?

● Health Insurance Portability and Accountability Act (1996, President Bill Clinton)
  ○ Modernize the flow of health information and stipulate how Personally Identifiable Information maintained by the healthcare and insurance industries should be protected
● HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information): the first national standard for the protection of certain health information.
● Issued by the U.S. Department of Health and Human Services (HHS)
● Under HHS, the Office of Civil Rights (OCR) is responsible for implementing and enforcing the law
● Covered Entities and their Business Associates are covered under this rule (next slide)
● The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral = Protected Health Information (PHI)
● No restrictions on use or disclosure of De-Identified health information

Page 7:

What is a Covered Entity?

● Health Plans, Healthcare Clearinghouses, Healthcare Providers & Healthcare Services who electronically transmit any health information in connection with transactions for which HHS has adopted standards
● Researchers are covered entities if they are also healthcare providers who electronically transmit health information in connection with any transaction for which HHS has adopted a standard.

Page 8:

What is a Business Associate?

● A person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
● Examples: Google Cloud Services, Microsoft Azure, AWS

What is a Business Associate Agreement (BAA)?

● A covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates
● Example: Stanford has a BAA with Google Cloud Platform (GCP)

Page 9:

What is Protected Health Information (PHI)?

● 18 identifiers

Page 10:

What does HIPAA Security Rule require?

● 2-factor authentication
● Encryption at rest
● Encryption in flight

Page 11:

What is “Consent” in healthcare?

● Signed document obtained by the covered entity for uses and disclosures of protected health information for treatment, payment, health care operations or research.

Page 12:

© 2016 Stanford Byers Center for Biodesign

What are the consequences of a HIPAA violation or data breach?

Disclaimer - this is not a “scared straight” campaign.

Page 13:

Consequences for HIPAA Breach

2018 - $28,686,400

Source: https://compliancy-group.com/hipaa-fines-directory-year/

Page 14:

Consequences for HIPAA Breach

2017 - $20,393,200

Source: https://compliancy-group.com/hipaa-fines-directory-year/

Page 15:

Consequences for HIPAA Breach

Source: https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the#h-95

Penalties are particularly damaging for small players (i.e. your lab)

Fine for 320 patients (your study) = 76 million (Anthem)

Page 16:

Consequences for HIPAA Breach

Page 17:

But wait... What about Tort liability?

Tort = personal injury litigation etc.

HIPAA does NOT preempt Tort liability.

Page 18:

Meet Andrew N. Friedman

Source: https://www.cohenmilstein.com/professional/andrew-n-friedman

Page 19:

Consequences for HIPAA Breach

This suit only included 19 million people out of 78 million people affected. More to come!

Source: https://www.cohenmilstein.com/professional/andrew-n-friedman

Page 20:

You Don’t Really Want To Meet Andrew N. Friedman

Source: https://www.cohenmilstein.com/professional/andrew-n-friedman

Page 21:

How does Stanford deal with this risk?

Page 22:

1. Data Risk Assessment (DRA)

2. Individual Training and Compliance

Page 23:

1. Data Risk Assessment (DRA)

Page 24:

What is a DRA?

• Collaboration between the Information Security Office (ISO) and the University Privacy Office (UPO) - unsung heroes
• Usually involves a lawyer
• Usually involves an engineer or other tech expertise
• Required by the IRB
• More people requiring care and fewer people paying into the system
• Thorough review of the data you collect and methods of storage and transfer
• Data flow diagram
• Form, documentation submission
• Interview/Meeting(s)
• Takes 2 weeks to ∞

Page 25:

Critical DRA Elements

• Pre-Screening Questionnaire: https://stanford.service-now.com/it_services?id=sc_cat_item&sys_id=a899efaf13ec3a00d3b6b3b12244b062
• Data Risk Assessment Intake Form: https://redcap.stanford.edu/webauth/surveys/?s=7CYLWCYK8D
• Data Flow Diagram. Example: https://www.lucidchart.com/documents/edit/2fde1140-2e81-4e90-b302-4a7de8dd4c65?shared=true&
• Data Classification: https://uit.stanford.edu/guide/riskclassifications

Page 26:

Data Flow Diagram


Page 27:

Data Risk Classification

Source: https://uit.stanford.edu/guide/riskclassifications

Page 28:

Case Studies - Two Apps - PHI vs non-PHI

Source: https://uit.stanford.edu/guide/riskclassifications

Page 29:

StrokeCoach Data Flow - non-PHI


DRA Time: 1 month

Page 30:

Stream Data Flow - PHI


DRA Time: 3.5 months

Page 31:

2. Individual Training and Compliance

Page 32:

Required Trainings

• STARS - HIPAA Certification
  • Open up Axess -> Click on “STARS” -> Search “HIPAA”
  • Select the Web module
  • Complete the PRIV-2019-WEB Module (120 min)
  • Once completed, move on to the CLIN-2019-WEB Module (120 min)
• CITI Human Subjects Research Training
  • Go to: https://www.citiprogram.org/members/index.cfm?pageID=50
  • Complete the Group 7 - Basic Course

Page 33:

Required Compliance

• SOM - Attestation and Device Enrollment
  • Encrypt all devices with SWDE: https://uit.stanford.edu/guide/encrypt/config
  • Revising your Attestation for already registered devices: https://amie.stanford.edu/attestation
    • Indicate that the device will be used for High-Risk data
    • Follow instructions / steps - not always the easiest
  • Add new devices: https://mydevices.stanford.edu/group/mydevices
    • Indicate devices will be used for High-Risk data

Page 35:

Stanford Byers Center for Biodesign
318 Campus Drive, E100
Stanford, CA 94305