Scary Acronyms –
A Review of Regulatory and Legal
Issues Core to Health IT
Deven McGraw, JD, MPH, LLM
Director, Health Privacy Project
September 29, 2013
Health Privacy Project at CDT
• Privacy = enabler to flows of data that have the potential to improve individual, public and population health
• Aim is to build public trust in these data flows, through balanced & workable protections, as they are essential to patient engagement, health reform and building a “learning health care system.”
• In other words, let’s make the acronyms not so scary
Acronyms to Know
• HIPAA
• HITECH
• FTC
• FDA
• And a few more for good measure: ECPA, SCA, FCC, and CMIA (California)
HIPAA
• Health Insurance Portability and Accountability Act
• Establishes privacy and security requirements for identifiable health information (otherwise known as “protected health information” or PHI) collected, used and disclosed by “covered entities” and their “business associates”
• Does not cover all health data
• You do not trigger HIPAA coverage merely by accepting PHI from a covered entity or business associate.
HIPAA
• Covered entities: providers, health plans, health care clearinghouses
  - All defined in the regulations (45 Code of Federal Regulations (CFR) 160.103; the Privacy and Security Rules themselves are in 45 CFR Part 164)
• Business associate: an entity that “creates, receives, maintains or transmits” PHI in fulfilling certain functions or activities on behalf of a covered entity (45 CFR 160.103).
• Recent final regulations clarified who is (and who is not) a business associate – cloud storage providers are; “mere conduits” are not. Covered entities must have BAAs (business associate agreements) in place with their business associates.
• See CDT FAQ for more info: https://www.cdt.org/files/pdfs/FAQ-HIPAAandCloud.pdf
HIPAA
• If you are covered by HIPAA:
  - Privacy Rule sets forth rules regarding access, use and disclosure of PHI (paper & electronic); Security Rule sets forth detailed safeguards regarding electronic PHI (doesn’t apply to paper)
• Privacy Rule:
  - Permits some routine uses and disclosures without the need to obtain patient consent; the related Breach Notification Rule requires notification in the event of a breach of unsecured PHI
  - Requires patient authorization for other uses & disclosures
• Security Rule:
  - Establishes administrative, physical, technical and organizational safeguards
  - Some are required, others are “addressable” implementation specs (addressable does not mean optional: the entity must implement the spec where reasonable and appropriate, or document why not and implement an equivalent alternative measure where reasonable)
HITECH
• Health Information Technology for Economic and Clinical Health Act of 2009 (part of the American Recovery and Reinvestment Act (ARRA))
• Authorized Medicare and Medicaid incentive payments for the adoption and “meaningful use” of Certified EHR Technology (CEHRT) by certain groups of providers and hospitals
• Also included changes to the HIPAA Privacy, Security and Enforcement Rules (recently finalized in the “Omnibus Rule”)
• Program began (Stage 1) in 2011; meaningful use objectives more robust in Stage 2 (begins for early adopters in 2014)
HITECH Opportunities
• Helping providers and hospitals meet meaningful use “objectives” and quality metrics
  - Must use CEHRT (new certification requirements go into effect in 2014)
  - Must use required standards
• In Stage 2, meaningful users must make available – and get a percentage of their patients to use – portals enabling patients to view, download and transmit their health information
• The new HIPAA Omnibus Rule also clarified patients’ right to electronic copies of their health information
Omnibus Rule “Wins” for Patients
• Ordinarily, the Security Rule applies to all transmissions of ePHI; this has been an obstacle to the use of some digital technology to communicate with patients
• BUT the recent Omnibus Rule suggests a patient can choose to receive communications (to the patient) in a form/format that works for them, even if it is not secure
  - Provider must provide a “light” warning (this is unsecure – are you sure?)
• Arguably also relevant to other communications (not just requests for copies of records)
Omnibus Rule “Wins” for Patients
• Patients also have the right to have information directly transmitted to the recipient of their choice.
  - Choice must be “clear, conspicuous and specific;” per the regulation, the request need only be in writing and signed (can be electronic), and “clearly identify the designated person and where to send a copy of the [PHI]”
  - Covered entities must implement “reasonable safeguards” to protect information that is disclosed pursuant to this provision. (Question: not clear if a patient can specify unsecure e-mail for information transmitted to a third party at the patient’s request)
FTC
• Federal Trade Commission
• Under the Federal Trade Commission Act (FTCA), has the power to take action against unfair and deceptive trade practices by entities in commerce (not nonprofits)
• Also enforces breach notification requirements for “personal health records” (and entities that offer services through PHRs) enacted under HITECH
  - Breach standard – acquisition of identifiable information without the individual’s authorization.
• Deceptive = breaking commitments to consumers re: data privacy. Unfair = ?
FTC and Privacy
• FTC final report (March 2012 – http://www.ftc.gov/opa/2012/03/privacyframework.shtm)
  - Articulated privacy framework based on fair information practices; contextual approach to consent
  - Called on Congress to enact baseline privacy legislation
  - Praised ongoing efforts on Do-Not-Track and endorsed industry codes of conduct
  - Endorsed role for U.S. in achieving harmonization of U.S.-global data privacy policies
• Workshop on “Internet of Things” on November 19. One focus is connected self/health: http://www.ftc.gov/opa/2013/04/internetthings.shtm
Additional Resources re: Privacy
• CDT and Future of Privacy Forum Best Practices for Mobile App Developers: https://www.cdt.org/files/pdfs/Best-Practices-Mobile-App-Developers.pdf
• Markle Common Framework for Networked Personal Health Information (for connecting consumers): http://www.markle.org/health/markle-common-framework/connecting-consumers
FDA
• Food and Drug Administration
• Authorized by Congress to regulate medical devices
• Software that acts as a device is subject to medical device regulation
• Degree of regulation depends on the risk classification for the device (ranging from general controls in Class I; general + special controls in Class II; to premarket approval in Class III).
• Relevant to manufacturers of software that qualifies as a medical device.
FDA Regulation of Apps, EHRs
• FDA takes the position that EHRs and other medical software applications (apps) are medical devices, subject to FDA regulatory authority
• Issued & sought public comment on initial draft guidance for “mobile medical apps” (July 2011)
  - Seeking to regulate apps that more clearly perform the role of a medical device; does not include apps designed to be used for general health & wellness (like a fitness tracking app)
  - Distinction not that clear in the draft guidance
FDA Regulation of Apps Controversial
• Guidance generated some controversy.
• Congress (in the FDA Safety and Innovation Act of 2012) called for a federal advisory committee to examine the issue and make recommendations
• Health IT Policy Committee recently recommended a risk-based framework for regulating medical software (http://www.healthit.gov/FACAS/sites/faca/files/FDASIARecommendationsDraft030913_v2.pdf) (finalized in early September 2013, although initial recommendations were vetted in August 2013)
Final Guidance Issued 9/23
• http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf
• FDA is focusing only on apps that are medical devices and “whose functionality could pose a risk to a patient’s safety if the mobile app were not to function as intended.”
  - Focus is on how the app is intended to be used
  - Will look at all evidence on intended use
  - Platform agnostic
• Guidance does not establish “legally enforceable responsibilities” but instead describes FDA’s current thinking on a topic.
Final Guidance Issued 9/23
• More clarity on where FDA will focus oversight.
• FDA’s focus is on safety, not privacy
• Medical apps that:
  - Are extensions of one or more medical devices (such as those that display device data);
  - Transform a mobile platform into a regulated device; or
  - Perform “patient-specific” analysis or provide “patient-specific” diagnosis or treatment recommendations
  will be subject to device regulation.
Final Guidance Issued 9/23
• Guidance also lists types of apps for which FDA intends to exercise “enforcement discretion” (no enforcement at this time):
  - Apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in a daily environment.
  - Apps that provide patients with simple tools to organize and track their health information.
  - Mobile apps that provide easy access to information on a patient’s health conditions or treatments.
  - Apps specifically marketed to help patients document, show or communicate to providers potential medical conditions.
  - Apps that perform simple calculations routinely used in clinical practice.
  - Apps that enable individuals to interact with PHR or EHR systems.
• More examples provided in guidance.
ECPA (specifically, SCA)
• Electronic Communications Privacy Act, specifically the provisions of the Stored Communications Act.
• Prohibits entities providing electronic communication services or remote computing services to the public from divulging the contents of any communications carried or stored by the service, absent consent or another statutory exception.
• Remote computing service is defined as providing the public with storage or processing services by means of an electronic communications system.
ECPA/SCA limits
• Protections can be waived by consent – consent provided by agreeing to terms of service may be adequate.
• Protections apply only if the provider of the storage/processing services is not authorized to access the contents of the communications for purposes of providing any other services
  - So if information is analyzed for purposes of targeting advertisements, or performing analytics, that service may fall outside of ECPA’s coverage.
FCC
• Federal Communications Commission
• Rules apply to communications carriers (for example, telephone, wireless and cable service providers) and prohibit the sharing of certain information about their customers
• http://transition.fcc.gov/cgb/consumerfacts/protectingprivacy.pdf
CMIA
• State laws may also be a concern!
• For example, the Confidentiality of Medical Information Act, the primary health information privacy law in California
• Initially, like HIPAA, covered medical professionals and facilities – but the legislature has recently expanded coverage
  - First expanded to cover “any business organized for the primary purpose of maintaining medical information” in order to make it available to an individual or a health care provider.
  - This year expanded further to cover software and medical apps (AB 658 was signed by the Governor earlier this month).
Not too scary at all!
Questions?
Deven McGraw
202-637-9800 x115
deven@cdt.org
www.cdt.org/healthprivacy

Más contenido relacionado

La actualidad más candente

RapidValue White Paper on Regulations and compliance for enterprise mHealth a...
RapidValue White Paper on Regulations and compliance for enterprise mHealth a...RapidValue White Paper on Regulations and compliance for enterprise mHealth a...
RapidValue White Paper on Regulations and compliance for enterprise mHealth a...Nageena Vijayan
 
Health delivery information system [HDIS] MVP
Health delivery information system [HDIS] MVPHealth delivery information system [HDIS] MVP
Health delivery information system [HDIS] MVPACCESS Health Digital
 
Research Paper - Elizabeth Cartwright; Undergrad, Policy
Research Paper - Elizabeth Cartwright; Undergrad, PolicyResearch Paper - Elizabeth Cartwright; Undergrad, Policy
Research Paper - Elizabeth Cartwright; Undergrad, PolicyElizabeth Cartwright
 
Mobile Medical Apps and FDA Regulatory Approach
Mobile Medical Apps and FDA Regulatory ApproachMobile Medical Apps and FDA Regulatory Approach
Mobile Medical Apps and FDA Regulatory ApproachAkshay Anand
 
Hipaa101 updated
Hipaa101 updatedHipaa101 updated
Hipaa101 updatedkkurapat
 
IRDAI - NHA Joint Working Group: Sub Group on IT
IRDAI - NHA Joint Working Group: Sub Group on ITIRDAI - NHA Joint Working Group: Sub Group on IT
IRDAI - NHA Joint Working Group: Sub Group on ITPankaj Gupta
 
Lm3s Medical Summary
Lm3s  Medical Summary Lm3s  Medical Summary
Lm3s Medical Summary claymalloy
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationHai Nguyen
 
HIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis SpencerHIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis Spencershay1234
 
Duff-Phelps Healthcare IT Insights
Duff-Phelps Healthcare IT InsightsDuff-Phelps Healthcare IT Insights
Duff-Phelps Healthcare IT Insightseynonglyn
 
Electronic renal dialysis patient management network - vision document
Electronic renal dialysis patient management network - vision documentElectronic renal dialysis patient management network - vision document
Electronic renal dialysis patient management network - vision documentsruthisagili
 
The Fundamentals ofHIT
The Fundamentals ofHITThe Fundamentals ofHIT
The Fundamentals ofHITslvhit
 

La actualidad más candente (17)

RapidValue White Paper on Regulations and compliance for enterprise mHealth a...
RapidValue White Paper on Regulations and compliance for enterprise mHealth a...RapidValue White Paper on Regulations and compliance for enterprise mHealth a...
RapidValue White Paper on Regulations and compliance for enterprise mHealth a...
 
Health information exchange (HIE)
Health information exchange (HIE)Health information exchange (HIE)
Health information exchange (HIE)
 
HIPAA TITLE II (2)
HIPAA TITLE II (2)HIPAA TITLE II (2)
HIPAA TITLE II (2)
 
Health delivery information system [HDIS] MVP
Health delivery information system [HDIS] MVPHealth delivery information system [HDIS] MVP
Health delivery information system [HDIS] MVP
 
Research Paper - Elizabeth Cartwright; Undergrad, Policy
Research Paper - Elizabeth Cartwright; Undergrad, PolicyResearch Paper - Elizabeth Cartwright; Undergrad, Policy
Research Paper - Elizabeth Cartwright; Undergrad, Policy
 
Mobile Medical Apps and FDA Regulatory Approach
Mobile Medical Apps and FDA Regulatory ApproachMobile Medical Apps and FDA Regulatory Approach
Mobile Medical Apps and FDA Regulatory Approach
 
Hipaa101 updated
Hipaa101 updatedHipaa101 updated
Hipaa101 updated
 
IRDAI - NHA Joint Working Group: Sub Group on IT
IRDAI - NHA Joint Working Group: Sub Group on ITIRDAI - NHA Joint Working Group: Sub Group on IT
IRDAI - NHA Joint Working Group: Sub Group on IT
 
Lm3s Medical Summary
Lm3s  Medical Summary Lm3s  Medical Summary
Lm3s Medical Summary
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
HIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis SpencerHIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis Spencer
 
Duff-Phelps Healthcare IT Insights
Duff-Phelps Healthcare IT InsightsDuff-Phelps Healthcare IT Insights
Duff-Phelps Healthcare IT Insights
 
Electronic renal dialysis patient management network - vision document
Electronic renal dialysis patient management network - vision documentElectronic renal dialysis patient management network - vision document
Electronic renal dialysis patient management network - vision document
 
The Fundamentals ofHIT
The Fundamentals ofHITThe Fundamentals ofHIT
The Fundamentals ofHIT
 
Hipaa
HipaaHipaa
Hipaa
 
Pro medoss
Pro medoss Pro medoss
Pro medoss
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA Compliance
 

Similar a Scary acronyms

Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA TrainingJonathan Montes
 
What explains why certain services were covered and others were not .docx
 What explains why certain services were covered and others were not .docx What explains why certain services were covered and others were not .docx
What explains why certain services were covered and others were not .docxajoy21
 
mHealth Israel_Digital Health Regulation and the FDA
mHealth Israel_Digital Health Regulation and the FDAmHealth Israel_Digital Health Regulation and the FDA
mHealth Israel_Digital Health Regulation and the FDALevi Shapiro
 
free mHealth Checklist
free mHealth Checklistfree mHealth Checklist
free mHealth ChecklistDemet G. Sag
 
Responding To The Opportunity
Responding To The OpportunityResponding To The Opportunity
Responding To The Opportunityguest7042c6
 
HIPAA and RHIOs
HIPAA and RHIOsHIPAA and RHIOs
HIPAA and RHIOsnobumoto
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookElizabeth Dimit
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...susmitaghosh93
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfmohammedfootwear
 
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...Quinnipiac University
 
The Move to Mobile
The Move to MobileThe Move to Mobile
The Move to MobileDale Cooke
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentialityjessie66
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associatesgppcpa
 
21st Century Act and its Impact on Healthcare IT
21st Century Act and its Impact on Healthcare IT21st Century Act and its Impact on Healthcare IT
21st Century Act and its Impact on Healthcare ITCitiusTech
 
Economic Stimulus Package V4
Economic Stimulus Package V4Economic Stimulus Package V4
Economic Stimulus Package V4bakerdb
 

Similar a Scary acronyms (20)

Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA Training
 
What explains why certain services were covered and others were not .docx
 What explains why certain services were covered and others were not .docx What explains why certain services were covered and others were not .docx
What explains why certain services were covered and others were not .docx
 
mHealth Israel_Digital Health Regulation and the FDA
mHealth Israel_Digital Health Regulation and the FDAmHealth Israel_Digital Health Regulation and the FDA
mHealth Israel_Digital Health Regulation and the FDA
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
free mHealth Checklist
free mHealth Checklistfree mHealth Checklist
free mHealth Checklist
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2
 
Responding To The Opportunity
Responding To The OpportunityResponding To The Opportunity
Responding To The Opportunity
 
HIPAA and RHIOs
HIPAA and RHIOsHIPAA and RHIOs
HIPAA and RHIOs
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule Playbook
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
 
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
 
Hitech Act
Hitech ActHitech Act
Hitech Act
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
 
The Move to Mobile
The Move to MobileThe Move to Mobile
The Move to Mobile
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentiality
 
HIPAA Tittle II
HIPAA Tittle IIHIPAA Tittle II
HIPAA Tittle II
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
 
21st Century Act and its Impact on Healthcare IT
21st Century Act and its Impact on Healthcare IT21st Century Act and its Impact on Healthcare IT
21st Century Act and its Impact on Healthcare IT
 
Economic Stimulus Package V4
Economic Stimulus Package V4Economic Stimulus Package V4
Economic Stimulus Package V4
 

Último

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 

Último (20)

[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 

Scary acronyms

• 1. Scary Acronyms – A Review of Regulatory and Legal Issues Core to Health IT
  Deven McGraw, JD, MPH, LLM, Director, Health Privacy Project. September 29, 2013.

• 2. Health Privacy Project at CDT
  - Privacy = enabler of flows of data that have the potential to improve individual, public and population health
  - Aim is to build public trust in these data flows, through balanced and workable protections, as they are essential to patient engagement, health reform and building a "learning health care system."
  - In other words, let's make the acronyms not so scary

• 3. Acronyms to Know
  - HIPAA
  - HITECH
  - FTC
  - FDA
  - And a few more for good measure: ECPA, SCA, FCC, and CMIA (California)

• 4. HIPAA
  - Health Insurance Portability and Accountability Act
  - Establishes privacy and security requirements for identifiable health information (otherwise known as "protected health information" or PHI) collected, used and disclosed by "covered entities" and their "business associates"
  - Does not cover all health data
  - You do not trigger HIPAA coverage merely by accepting PHI from a covered entity or business associate.

• 5. HIPAA
  - Covered entities: providers, health plans, health care clearinghouses
    - All defined in the regulations (definitions are at 45 CFR 160.103; the Privacy and Security Rules themselves are in 45 CFR Part 164)
  - Business associate: an entity that "creates, receives, maintains or transmits" PHI in fulfilling certain functions or activities on behalf of a covered entity (45 CFR 160.103).
  - Recent final regulations clarified who is (and who is not) a business associate: cloud storage providers are; "mere conduits" are not. Covered entities must have BAAs (business associate agreements) with their business associates, and under the Omnibus Rule business associates need them with their subcontractors as well.
  - See CDT FAQ for more info: https://www.cdt.org/files/pdfs/FAQ-HIPAAandCloud.pdf

• 6. HIPAA
  - If you are covered by HIPAA:
    - Privacy Rule sets forth rules regarding access, use and disclosure of PHI (paper and electronic); Security Rule sets forth detailed safeguards regarding electronic PHI (doesn't apply to paper)
  - Privacy Rule:
    - Permits some routine uses and disclosures (treatment, payment and health care operations) without the need to obtain patient consent; the companion Breach Notification Rule (45 CFR 164, Subpart D) requires notification in the event of a breach
    - Requires patient authorization for other uses and disclosures
  - Security Rule:
    - Establishes administrative, physical, technical and organizational safeguards
    - Some implementation specifications are "required," others are "addressable." Addressable does not mean optional: the entity must implement the specification, implement an equivalent alternative, or document why neither is reasonable and appropriate (45 CFR 164.306(d)).
• 7. HITECH
  - Health Information Technology for Economic and Clinical Health Act of 2009 (part of the American Recovery and Reinvestment Act (ARRA))
  - Authorized incentive payments (through Medicare and Medicaid) for the adoption and "meaningful use" of Certified EHR Technology (CEHRT) by certain groups of providers and hospitals
  - Also included changes to the HIPAA Privacy Rule (recently finalized in the "Omnibus Rule")
  - Program began (Stage 1) in 2011; meaningful use objectives are more robust in Stage 2 (begins for early adopters in 2014)

• 8. HITECH Opportunities
  - Helping providers and hospitals meet meaningful use "objectives" and quality metrics
    - Must use CEHRT (new certification requirements go into effect in 2014)
    - Must use required standards
  - In Stage 2, meaningful users must make available, and get a percentage of their patients to use, portals enabling patients to view, download and transmit their health information
  - HIPAA's new Omnibus Rule also clarified patients' right to electronic copies of their health information

• 9. Omnibus Rule "Wins" for Patients
  - Ordinarily, the Security Rule applies to all transmissions of ePHI; this has been an obstacle to the use of some digital technology to communicate with patients
  - BUT the recent Omnibus Rule suggests a patient can choose to receive communications (to the patient) in a form/format that works for them, even if it is not secure
    - Provider must give a "light" warning (this is unsecure; are you sure?)
  - Arguably also relevant to other communications (not just requests for copies of records)

• 10. Omnibus Rule "Wins" for Patients
  - Patients also have the right to have information directly transmitted to the recipient of their choice.
  - The choice must be "clear, conspicuous and specific"; per the regulation, the request need only be in writing and signed (an electronic signature is fine) and "clearly identify the designated person and where to send a copy of the [PHI]"
  - Covered entities must implement "reasonable safeguards" to protect information disclosed pursuant to this provision. (Open question: it is not clear whether a patient can specify unsecure e-mail for information transmitted to a third party at the patient's request.)
• 11. FTC
  - Federal Trade Commission
  - Under the Federal Trade Commission Act (FTCA), has the power to take action against unfair and deceptive trade practices by entities in commerce (not nonprofits)
  - Also enforces breach notification requirements for "personal health records" (and entities that offer services through PHRs) enacted under HITECH
    - Breach standard: acquisition of identifiable information without the individual's authorization.
  - Deceptive = breaking commitments to consumers re: data privacy. Unfair = ? (The statutory test, 15 U.S.C. § 45(n), is a practice that causes or is likely to cause substantial consumer injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits; how that applies to data-security practices is the open question.)

• 12. FTC and Privacy
  - FTC final report (March 2012: http://www.ftc.gov/opa/2012/03/privacyframework.shtm)
    - Articulated a privacy framework based on fair information practices; contextual approach to consent
    - Called on Congress to enact baseline privacy legislation
    - Praised ongoing efforts on Do-Not-Track and endorsed industry codes of conduct
    - Endorsed a role for the U.S. in achieving harmonization of U.S. and global data privacy policies
  - Workshop on the "Internet of Things" on November 19. One focus is the connected self/health: http://www.ftc.gov/opa/2013/04/internetthings.shtm

• 13. Additional Resources re: Privacy
  - CDT and Future of Privacy Forum Best Practices for Mobile App Developers: https://www.cdt.org/files/pdfs/Best-Practices-Mobile-App-Developers.pdf
  - Markle Common Framework for Networked Personal Health Information (for connecting consumers): http://www.markle.org/health/markle-common-framework/connecting-consumers
• 14. FDA
  - Food and Drug Administration
  - Authorized by Congress to regulate medical devices
  - Software that acts as a device is subject to medical device regulation
  - Degree of regulation depends on the risk classification of the device (ranging from general controls in Class I; general plus special controls in Class II; to premarket approval in Class III).
  - Relevant to manufacturers of software that qualifies as a medical device.

• 15. FDA Regulation of Apps, EHRs
  - FDA takes the position that EHRs and other medical software applications (apps) are medical devices, subject to FDA regulatory authority
  - Issued and sought public comment on initial draft guidance for "mobile medical apps" (July 2011)
  - Seeks to regulate apps that more clearly perform the role of a medical device; does not include apps designed to be used for general health and wellness (like a fitness tracking app)
  - Distinction not that clear in the draft guidance

• 16. FDA Regulation of Apps Controversial
  - Guidance generated some controversy.
  - Congress (in the FDA Safety and Innovation Act of 2012) called for a federal advisory committee to examine the issue and make recommendations
  - Health IT Policy Committee recently recommended a risk-based framework for regulating medical software (http://www.healthit.gov/FACAS/sites/faca/files/FDASIARecommendationsDraft030913_v2.pdf) (finalized in early September 2013, although initial recommendations were vetted in August 2013)

• 17. Final Guidance Issued 9/23
  - http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM263366.pdf
  - FDA is focusing only on apps that are medical devices and "whose functionality could pose a risk to a patient's safety if the mobile app were not to function as intended."
  - Focus is on how the app is intended to be used
    - Will look at all evidence on intended use
    - Platform agnostic
  - Guidance does not establish "legally enforceable responsibilities" but instead describes FDA's current thinking on a topic.

• 18. Final Guidance Issued 9/23
  - More clarity on where FDA will focus oversight.
  - FDA's focus is on safety, not privacy
  - Medical apps that:
    - are extensions of one or more medical devices (such as those that display device data);
    - transform a mobile platform into a regulated device; or
    - perform "patient-specific" analysis or provide "patient-specific" diagnosis or treatment recommendations
    will be subject to device regulation.

• 19. Final Guidance Issued 9/23
  - Guidance also lists types of apps for which FDA intends to exercise "enforcement discretion" (no enforcement at this time):
    - Apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in a daily environment.
    - Apps that provide patients with simple tools to organize and track their health information.
    - Mobile apps that provide easy access to information on a patient's health conditions or treatments.
    - Apps specifically marketed to help patients document, show or communicate to providers potential medical conditions.
    - Apps that perform simple calculations routinely used in clinical practice.
    - Apps that enable individuals to interact with PHR or EHR systems.
  - More examples are provided in the guidance.
• 20. ECPA (specifically, SCA)
  - Electronic Communications Privacy Act, specifically the provisions of the Stored Communications Act.
  - Prohibits entities providing electronic communication services or remote computing services to the public from divulging the contents of any communications carried or stored by the service, absent consent (or another statutory exception).
  - Remote computing service is defined as providing the public with storage or processing services by means of an electronic communications system.

• 21. ECPA/SCA limits
  - Protections can be waived by consent; consent provided by agreeing to terms of service may be adequate.
  - Protections apply only if the provider of the storage/processing services is not authorized to access the contents of the communications for purposes of providing any services other than storage or computer processing
  - So if information is analyzed for purposes of targeting advertisements, or performing analytics, that service may fall outside ECPA's coverage.

• 22. FCC
  - Federal Communications Commission
  - Rules apply to communications carriers (for example, telephone, wireless and cable providers) and prohibit the sharing of certain information about customers (customer proprietary network information, or CPNI)
  - http://transition.fcc.gov/cgb/consumerfacts/protectingprivacy.pdf

• 23. CMIA
  - State laws may also be a concern!
  - For example, the Confidentiality of Medical Information Act, the primary health information privacy law in California
  - Initially, like HIPAA, it covered medical professionals and facilities, but the legislature has recently expanded coverage
    - First expanded to cover "any business organized for the primary purpose of maintaining medical information" in order to make it available to an individual or a health care provider.
    - This year expanded further to cover software and medical apps (AB 658 was signed by the Governor earlier this month).

• 24. Not too scary at all! Questions?
  Deven McGraw, 202-637-9800 x115, deven@cdt.org, www.cdt.org/healthprivacy

Editor's notes

1. FDA does not intend to regulate "mobile apps that are solely used to log, record, track, evaluate, or make decisions or suggestions related to developing or maintaining general health and wellness." Examples of health and wellness apps are provided in the guidance, and include dietary tracking logs, appointment reminders, dietary suggestions based on a calorie counter, posture suggestions, exercise suggestions, etc. In contrast, a mobile medical app is one that is intended for "curing, treating, seeking treatment for, mitigating, or diagnosing a specific disease, disorder, patient state, or any specific, identifiable health condition." FDA intends to place the most stringent requirements on devices that pose the most risk; general controls only for those that pose minimum risk to morbidity/mortality.