CS342/MED253 Building for Digital Health
Lecture 1B: What makes health apps different?
Oliver Aalami, Mike Hittle
Fall 2019
https://cs342.stanford.edu
cs342-aut1920.slack.com
Welcome!
Submit your project preferences by tomorrow Sep 27
Deliverables
● Download & Setup Xcode 10.3 on your machine. If you are new to iOS, follow the Build a Basic UI tutorial.
● Submit a screenshot of your running project via Canvas by our next class (Oct 1st).
● Send us your GitHub username: [link in website]
Overview for today
● What is HIPAA?
● What is a Covered Entity?
● What is a Business Associate?
● What is PHI?
● What is HIPAA Security Rule?
● What is “Consent” in healthcare?
● Consequences of a HIPAA Violation or Breach
● What is a DRA?
● Navigating privacy and compliance at Stanford
● 2 Case Studies - StrokeCoach (non-PHI) and STREAM (PHI)
What is HIPAA?
● Health Insurance Portability and Accountability Act (1996, President Bill Clinton)
○ Modernize the flow of health information and stipulate how individually identifiable health information maintained by the healthcare and insurance industries must be protected
● HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information): the first national standard for the protection of certain health information
● Issued by the U.S. Department of Health and Human Services (HHS)
● Under HHS, the Office for Civil Rights (OCR) is responsible for implementing and enforcing the law
● Covered Entities and their Business Associates are subject to this rule (next slide)
● The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral = Protected Health Information (PHI)
● No restrictions on use or disclosure of de-identified health information
What is a Covered Entity?
● Health Plans, Healthcare Clearinghouses, Healthcare Providers & Healthcare Services who electronically transmit any health information in connection with transactions for which HHS has adopted standards
● Researchers are covered entities if they are also healthcare providers who electronically transmit health information in connection with any transaction for which HHS has adopted a standard
What is a Business Associate?
● A person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information
● Examples: Google Cloud Services, Microsoft Azure, AWS
What is a Business Associate Agreement (BAA)?
● A covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates
● Example: Stanford has a BAA with Google Cloud Platform (GCP). Note that a BAA covers only the services named in it; using a cloud product the BAA does not list for PHI is not covered.
What is Protected Health Information (PHI)?
● 18 identifiers. These are the “Safe Harbor” identifiers listed in 45 CFR 164.514(b)(2); health information from which all 18 have been removed (and which the covered entity has no actual knowledge could re-identify someone) counts as de-identified:
○ Names
○ All geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code and equivalent geocodes), except the first three digits of a ZIP code when the ZIP3 area holds more than 20,000 people
○ All elements of dates (except year) directly related to an individual (birth, admission, discharge, death), and all ages over 89 (which may be aggregated into a single “90 or older” category)
○ Telephone numbers
○ Fax numbers
○ Email addresses
○ Social Security numbers
○ Medical record numbers
○ Health plan beneficiary numbers
○ Account numbers
○ Certificate/license numbers
○ Vehicle identifiers and serial numbers, including license plates
○ Device identifiers and serial numbers
○ Web URLs
○ IP addresses
○ Biometric identifiers, including finger and voice prints
○ Full-face photographs and comparable images
○ Any other unique identifying number, characteristic, or code
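The de-identification rule above is mechanical enough to put into code. The following is an added example (not code from the lecture or from Stanford) of Safe Harbor de-identification applied to one patient record: it generalizes ZIP codes to three digits (or to 000 for the sparsely populated ZIP3 areas), reduces dates to the year, collapses ages over 89 into a “90+” bucket and also removes the birth year that would otherwise reveal such an age, removes the direct identifiers, and drops any field it does not recognise rather than passing it through. The field names, the sample record and the restricted-ZIP3 list (taken from HHS guidance based on the 2000 census; verify against current guidance) are assumptions for this example.

```python
"""Safe Harbor de-identification of a patient record (added example)."""
import re
from datetime import date

# ZIP3 areas whose population was under 20,000 in the 2000 census; HHS
# guidance replaces these prefixes with 000.  Assumed from that guidance;
# check the current HHS list before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Assumed field names.  Identifiers are removed outright, dates are reduced
# to the year, clinical fields pass through, anything else is dropped.
IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}
CLINICAL_FIELDS = {"diagnosis", "systolic_bp", "state"}  # state is allowed


def generalize_zip(zip_code):
    """First three digits of a 5- or 9-digit ZIP, 000 for a restricted
    ZIP3 area, None for anything that does not parse as a ZIP."""
    digits = re.sub(r"\D", "", str(zip_code or ""))
    if len(digits) not in (5, 9):
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def year_of(iso_date):
    """Reduce an ISO-8601 date string to its year; None if unparsable."""
    try:
        return date.fromisoformat(str(iso_date)).year
    except (TypeError, ValueError):
        return None


def age_on(dob, as_of):
    """Whole years between an ISO date of birth and an ISO reference date."""
    born, ref = date.fromisoformat(dob), date.fromisoformat(as_of)
    years = ref.year - born.year
    if (ref.month, ref.day) < (born.month, born.day):
        years -= 1
    return years


def deidentify(record, as_of):
    """Return (deidentified_record, dropped_unknown_fields).

    as_of is the ISO date used to compute age, so results are deterministic.
    """
    out, dropped = {}, []
    for key, value in record.items():
        if key in IDENTIFIER_FIELDS:
            continue                          # direct identifier: remove
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key + "_year"] = year_of(value)
        elif key in CLINICAL_FIELDS:
            out[key] = value
        else:
            dropped.append(key)               # unknown field: never pass through
    if record.get("dob"):
        age = age_on(record["dob"], as_of)
        if age > 89:
            # Ages over 89 collapse into one bucket, and the birth year
            # alone would reveal the age, so it is removed as well.
            out["age"] = "90+"
            out["dob_year"] = None
        else:
            out["age"] = age
    return out, dropped


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Example", "mrn": "000123", "dob": "1928-03-15",
    "zip": "03601-1234", "state": "NH", "admit_date": "2019-09-20",
    "diagnosis": "I63.9", "systolic_bp": 142, "favorite_color": "blue",
}

if __name__ == "__main__":
    cleaned, dropped = deidentify(SAMPLE, as_of="2019-09-26")
    print(cleaned)
    print("dropped unknown fields:", dropped)
```

The allowlist design is deliberate: a record field the code has never seen is far more likely to be a free-text note or a custom identifier (the 18th category) than harmless clinical data, so it is reported and dropped instead of forwarded. Safe Harbor also requires that you have no actual knowledge the remaining data could identify someone, which no script can check for you.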
What does HIPAA Security Rule require?
● 2-factor authentication
● Encryption at rest
● Encryption in flight
These three bullets are a practical engineering baseline rather than the rule’s literal wording: in 45 CFR 164.312, person or entity authentication is a required standard but no factor count is named, and encryption at rest and in transit are “addressable” specifications, meaning you implement them or document why an equivalent alternative is reasonable. Expect a DRA reviewer to ask for all three.
What is “Consent” in healthcare?
● Signed document obtained by a covered entity for uses and disclosures of protected health information for treatment, payment, health care operations or research
© 2016 Stanford Byers Center for Biodesign
What are the consequences of a HIPAA violation or data breach?
Disclaimer - this is not a “scared straight” campaign.
Consequences for HIPAA Breach: 2018 - $28,686,400
Source: https://compliancy-group.com/hipaa-fines-directory-year/
Consequences for HIPAA Breach: 2017 - $20,393,200
Source: https://compliancy-group.com/hipaa-fines-directory-year/
Consequences for HIPAA Breach
Source: https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the#h-95
Penalties are particularly damaging for small players (i.e. your lab). Fine for 320 patients (your study) = 76 million (Anthem)
Consequences for HIPAA Breach
But wait….. What about Tort liability?
Tort = personal injury litigation etc.
HIPAA does NOT preempt Tort liability.
Meet Andrew N. Friedman
Source: https://www.cohenmilstein.com/professional/andrew-n-friedman
Consequences for HIPAA Breach
This suit only included 19 million people out of 78 million people affected. More to come!
Source: https://www.cohenmilstein.com/professional/andrew-n-friedman
You Don’t Really Want To Meet Andrew N. Friedman
Source: https://www.cohenmilstein.com/professional/andrew-n-friedman
How does Stanford deal with this risk?
1. Data Risk Assessment (DRA)
2. Individual Training and Compliance
1. Data Risk Assessment (DRA)
What is a DRA?
• Collaboration between the Information Security Office (ISO) and the University Privacy Office (UPO) - unsung heroes
• Usually involves a lawyer
• Usually involves an engineer or other tech expertise
• Required by the IRB
• More people requiring care and fewer people paying into system
• Thorough review of the data you collect and methods of storage and transfer
• Data flow diagram
• Form, documentation submission
• Interview/Meeting(s)
• Takes 2 weeks to ∞
Critical DRA Elements
• Pre-Screening Questionnaire
  • https://stanford.service-now.com/it_services?id=sc_cat_item&sys_id=a899efaf13ec3a00d3b6b3b12244b062
• Data Risk Assessment Intake Form
  • https://redcap.stanford.edu/webauth/surveys/?s=7CYLWCYK8D
• Data Flow Diagram
  • Example: https://www.lucidchart.com/documents/edit/2fde1140-2e81-4e90-b302-4a7de8dd4c65?shared=true&
• Data Classification
  • https://uit.stanford.edu/guide/riskclassifications
Data Flow Diagram
Data Risk Classification
Source: https://uit.stanford.edu/guide/riskclassifications
Case Studies - Two Apps - PHI vs non-PHI
Source: https://uit.stanford.edu/guide/riskclassifications
StrokeCoach Data Flow - non-PHI
DRA Time: 1 month
Stream Data Flow - PHI
DRA Time: 3.5 months
2. Individual Training and Compliance
Required Trainings
• STARS - HIPAA Certification
  • Open up Axess -> Click on “STARS” -> Search “HIPAA”
  • Select the Web module
  • Complete the PRIV-2019-WEB Module (120 min)
  • Once completed, move on to the CLIN-2019-WEB Module (120 min)
• CITI Human Subjects Research Training
  • Go to: https://www.citiprogram.org/members/index.cfm?pageID=50
  • Complete the Group 7 - Basic Course
Required Compliance
• SOM - Attestation and Device Enrollment
• Encrypt all devices with SWDE
  • https://uit.stanford.edu/guide/encrypt/config
• Revising your Attestation for already registered devices
  • https://amie.stanford.edu/attestation
  • Indicate that the device will be used for High-Risk data
  • Follow instructions / steps - not always the easiest
• Add new devices
  • https://mydevices.stanford.edu/group/mydevices
  • Indicate devices will be used for High-Risk data
Stanford Byers Center for Biodesign, 318 Campus Drive, E100, Stanford, CA 94305