IRB Monthly Investigator Meeting
HIPAA OMNIBUS
New HIPAA requirements effective September 23, 2013
Office of HIPAA Compliance April 15, 2014
Omnibus Update
Compliance required by September 23, 2013
• Notice of Privacy Practices
  – New Notice distributed to Practice Managers 10/11/2013
  – http://www.cumc.columbia.edu/hipaa/pdf/Notice_of_Privacy_Practices.pdf
• New Patient Rights
  – Electronic access to medical records
  – Patient out-of-pocket payments / Do not bill health plan
  – Fundraising
  – Breach Notification
  – Authorization for Use of PHI for Sale / Marketing
May 14, 2014 Omnibus HIPAA Update – Office of
Omnibus Update
• Business Associate Agreements
  – New BAA created April 2013
  – Approx. 150 business associates need new BAA by Sept. 23, 2014
  – Must not share data without a BAA in place
  – Must get BAA if non-workforce member will access PHI
  – BAA now required for quality / registries
• Revised policies
  – Fundraising
  – Privacy Program
  – Authorization to Disclose Medical Records
Omnibus Update - Research Authorization
• The Final Rule provisions discussed above have important implications for research:
  – The changes concerning compound authorizations will alleviate administrative burdens on clinical trial subjects and researchers and facilitate harmonization with the Common Rule and global requirements for research documentation.
  – The revised interpretation regarding authorization for future research use will remove barriers on researchers' ability to use data for future research purposes – some of which cannot even be contemplated at the time the data is gathered, but which could hold great promise to advance science and medical care.
  – The declassification as "PHI" of certain information of decedents over time will ease researchers' ability to perform research using such information.
Business Associates
• Claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and pricing.
• Signed agreement required to share information outside CUMC (INCLUDING RESEARCH DATA)
• Must comply with Minimum Necessary
• Must follow terms as established in contract
• Must secure data during transmission
Breach Requirements
• Definition:
  – An impermissible use or disclosure of protected health information that compromises the security or privacy of PHI
  – Now includes limited data sets
  – Requires report to the government
  – Can include substantial fines and penalties
• Examples
  – Theft of laptop
  – Presentation that includes PHI posted on the internet
  – Faxing records to the wrong location
  – Disclosing PHI to sponsor
  – USB lost in the mail
HITECH Act (ARRA)
Breach Notification Rule
• New Federal Breach Notification Law – effective Sept 2009
• Applies to all electronic “unsecured Protected Health Information” – “encryption required”
• Requires immediate (60 days) notification to the Federal Government if more than 500 individuals affected
• Annual notification if fewer than 500 individuals
• Requires notification to patients & appropriate remediation
• May require notification to a major media outlet and listing
Questions
• If a patient (research subject) emails us do we need to respond with an encrypted (#encrypt) email in our reply? Exchange account (Outlook)
• Do our cumc.columbia.edu accounts allow us to email to Gmail accounts or do we always have to do "#encrypt" to ensure delivery?
• Can we access email on a non-encrypted computer (e.g. Home desktop)?
• Can we access other Columbia sites that require UNI logon from non-encrypted computers?
• After the HIPAA training we were asked to attest to not using our UNI as a sign-in for social websites; some non-social websites use an email as the username, e.g. NYP's patient portal. Do we have to remove our columbia.edu emails as user names on all websites or just social ones?
Dear Karen,
On August 1, the CUMC Information Security Office and Office of HIPAA Compliance introduced Sight Training, our new online training system for learning about major changes to HIPAA regulations, updated security requirements, and related Columbia University policies. Sight Training is tailored to address the information security and privacy issues most relevant to our community.
All CUMC faculty, staff, and students are required to complete this training. Sight Training makes the process straightforward and convenient. You may take the courses on any computer; each course should take no more than 30-45 minutes. All courses must be completed by November 1, 2013. You have been assigned the following courses:
• Security Essentials CUMC
• HIPAA Privacy Rules
Please take the time in the next few days to complete this training. It should take no more than 45 minutes.
To access the course(s), go to https://columbia.sighttraining.com/ and log in with your UNI and password.
Failure to complete the training by November 1 may result in:
A) notification of your departmental administrator
B) loss of access to clinical systems, such as CROWN, IDX, and WebCIS; or
Research Reminders
• ENCRYPT EVERYTHING
  – #Encrypt
  – Laptops
  – Desktops
  – Home computers
  – Student devices
  – ANYONE who will have access to your data
Protected Health Information (PHI)
• Protected Health Information is any information that:
  “is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse”; and
  “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual”
All information, whether maintained in electronic, paper or oral format
HIPAA FORMS REVIEWED AND APPROVED IN RASCAL
FORM Label   | FORM TITLE                 | REVIEW / COMMENTS
HIPAA Form A | Authorization for Research | High volume
HIPAA Form B | Waiver of Authorization    | Significant review time required; *usually retrospective
HIPAA Form C | Recruitment Waiver         | Rare; directly approach subject without treatment provider relationship
HIPAA Form D | Preparatory to Research    | Important for NYP data
HIPAA Form E | Decedent Data              | Not needed unless all subjects are deceased
HIPAA Form F | Data Use Agreement         | Significant review time required; CUMC data recipient or disclosing data?
Research HIPAA FAQ
• Waiver of Authorization
  – Only for Columbia data
  – Do not answer N/A
  – Primarily for retrospective data analysis
  – State data collection timeframe
• Data Use Agreements
  – When disclosing data outside of CUMC, must have some form of agreement (DUA, BAA, etc.)
  – When receiving data from another organization, must include their agreement within the protocol
De-identified vs. Coded Data
Coded data
• Contains an assigned code, so even though the information has been stripped of identifiers, the health information can be linked back to the individual by the research team.
De-identified data
• Stripped data with no code.
• It cannot be linked back to the subject.
• A re-identification code can be assigned to a de-identified dataset by a covered entity; however, members of the research team may not have access to the means/method of re-identification.
• If a member of the research team has access to the re-identification key/method, the data is not considered to be de-identified.
18 identifiers as defined by the HIPAA Privacy Rule:
1. Name
2. Geographic Location (including city, state, zip)
3. Elements of Dates
4. Telephone Number
5. Fax Number
6. E-mail Address
7. Social Security Number
8. Medical Record or Prescription Numbers
9. Health Plan Beneficiary Number
10. Account Number
11. Certificate/License Number
12. VIN and Serial Numbers, License Plate Number
13. Device Identifiers, Serial Numbers
14. Web URLs
15. IP Address Numbers
16. Biometric Identifiers (fingerprints)
17. Full Face, Comparable Photo Images
18. Unique Identifying Numbers (e.g. CODED DATA)
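A worked example of the coded vs. de-identified distinction and the 18-identifier list above (added here; not from the slides or any CUMC tool): it drops the identifier fields from a constructed record, reduces dates to the year, scrubs identifiers that hide in free-text notes, and shows that a coded copy differs only by the assigned code whose key must be held away from the research team. Field names, the sample record, and the regular expressions are assumptions; the year-only and over-89 age rules come from the Privacy Rule's Safe Harbor method, which the slide lists but does not spell out.

```python
import re
from datetime import date
# Hypothetical column names for a constructed research extract; each maps onto
# one of the 18 Safe Harbor identifier categories listed above.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "state", "zip", "phone", "fax", "email", "ssn",
    "mrn", "rx_number", "health_plan_id", "account_no", "license_no", "vin",
    "device_serial", "url", "ip", "fingerprint_hash", "photo_ref",
}
# Identifiers also hide in free text (clinical notes); catch the common shapes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}

def generalize_date(d: date, as_of: date) -> str:
    """Safe Harbor: keep only the year; ages over 89 are pooled into '90+'."""
    age = as_of.year - d.year - ((as_of.month, as_of.day) < (d.month, d.day))
    return "90+" if age > 89 else str(d.year)

def deidentify(record: dict, as_of: date) -> dict:
    """Copy of `record` with the identifier categories stripped and no code."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                                  # drop the field outright
        if isinstance(value, date):
            out[key] = generalize_date(value, as_of)  # "Elements of Dates"
        elif isinstance(value, str):
            for label, pat in FREE_TEXT_PATTERNS.items():
                value = pat.sub(f"[{label.upper()} REMOVED]", value)
            out[key] = value
        else:
            out[key] = value
    return out

def code_record(record: dict, study_code: str, as_of: date) -> tuple:
    """Coded data: same scrub plus an assigned code (identifier #18). The key
    entry must stay with the covered entity; if the research team can reach
    it, the dataset is coded, not de-identified."""
    coded = deidentify(record, as_of)
    coded["study_code"] = study_code
    return coded, {study_code: record["mrn"]}

SAMPLE = {  # constructed sample record, not real patient data
    "name": "Jane Example", "mrn": "MRN-0000001", "zip": "10032",
    "dob": date(1920, 6, 15), "visit_date": date(2013, 10, 2), "diagnosis": "I10",
    "note": "Pt called from 212-555-0100; follow-up via jane@example.org"}
```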
HIPAA Privacy Program Elements
http://privacyruleandresearch.nih.gov/
http://www.cumc.columbia.edu/hipaa/
https://secure.cumc.columbia.edu/cumcit/secure/security/
• See website for policies and procedures
• See website for HIPAA forms
• See website for educational material
• All staff are required to complete HIPAA Privacy & IT Security education
• Contact the Privacy Officer for questions or reports: HIPAA@columbia.edu or (212) 305-7315.
• Contact the Information Security Officer for questions about HIPAA Information Security
Karen Pagliaro-Meyer, Privacy Officer, kpagliaro@columbia.edu, HIPAA@columbia.edu, (212) 305-7315