HIPAA Qs Portal Notes


Feb. 2, 2017: From OCR: A new workshop and HHS announces a civil money penalty against a hospital

Next week in San Diego, OCR will present at a workshop on privacy and security for health tech entrepreneurs, sponsored by the California Health Care Foundation. Registration is open. Also, HHS has announced a civil money penalty against a hospital for, among other failures, not properly encrypting patient information on mobile devices, and for multiple breaches. The announcement is below.

First, the workshop: http://bit.ly/2jDDa2y

Health Data Innovator Privacy and Security Workshop

When:
Wednesday, February 08 2017
11:30 AM - 3:00 PM
Where:
Biocom
10996 Torreyana Road, Suite 200
San Diego, CA 92121
Registration Deadline:
Tuesday, February 07 2017
12:00 PM

Have you heard of HIPAA, but are not sure how it applies to your work? Are you interested in reducing your data security and privacy risks? On Wednesday, February 8th, in the Biocom Boardroom, Biocom will host a data privacy and security workshop for Bio and Health Tech entrepreneurs and their collaborators. The workshop is supported by the California Health Care Foundation and facilitated by AcademyHealth.

What to Expect

With a focus on use cases, guidance, and practical takeaways, the workshop will outline your responsibilities and help you navigate the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA), including other federal and California privacy and security laws.

In addition, the workshop will review core principles and the key steps required to build a privacy and cybersecurity program for your product(s).

Workshop presenters include:

  • Linda Sanches, Senior Advisor, Health Information Technology and Privacy Policy, at the U.S. Department of Health and Human Services (HHS) Office for Civil Rights
  • Jodi Daniel, Partner, Crowell & Moring, LLP, and the former Director of the Office of Policy in the Office of the National Coordinator for Health Information Technology (ONC)

The workshop begins with a networking lunch, where you can connect with other colleagues interested in risk assessment and compliance issues. Space is limited.

Who Will You Meet at the Workshop?

Attendees of the workshop include new market entrants and application developers, investors, and others seeking to learn more about health data privacy and security.

February 1, 2017: Lack of timely action risks security and costs money

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty against Children’s Medical Center of Dallas (Children’s) based on its impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule. OCR issued a Notice of Proposed Determination in accordance with 45 CFR 160.420, which included instructions for how Children’s could file a request for a hearing. Children’s did not request a hearing. Accordingly, OCR issued a Notice of Final Determination and Children’s has paid the full civil money penalty of $3.2 million. Children’s is a pediatric hospital in Dallas, Texas, and is part of Children’s Health, the seventh largest pediatric health care provider in the nation.

On January 18, 2010, Children’s filed a breach report with OCR indicating the loss of an unencrypted, non-password-protected BlackBerry device at the Dallas/Fort Worth International Airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals. On July 5, 2013, Children’s filed a separate HIPAA Breach Notification Report with OCR, reporting the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. Children’s reported that the device contained the ePHI of 2,462 individuals. Although Children’s implemented some physical safeguards for the laptop storage area (e.g., badge access and a security camera at one of the entrances), it also provided access to the area to workforce members who were not authorized to access ePHI.

OCR’s investigation revealed Children’s noncompliance with the HIPAA Rules, specifically a failure to implement risk management plans, contrary to prior external recommendations to do so, and a failure to deploy encryption or an equivalent alternative measure on all of its laptops, workstations, mobile devices and removable storage media until April 9, 2013. Despite Children’s knowledge of the risk of maintaining unencrypted ePHI on its devices as far back as 2007, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.

The Notice of Proposed Determination and Notice of Final Determination may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/Childrens

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html

Follow OCR on Twitter at http://twitter.com/HHSOCR


Jan. 24, 2017: Linda Sanches of OCR to speak at the first Digital Diabetes Congress in San Francisco in March

Linda Sanches of OCR will be speaking about HIPAA privacy & integration of patient information collected through mobile tools and applications into EHRs at the first Digital Diabetes Congress, to be held March 7-8, 2017 in San Francisco (https://www.diabetestechnology.org/ddc/).

From the website: “The meeting will cover areas for mobile communication tools and applications used for diabetes. We will emphasize ways to overcome regulatory, design, clinical, research, and financial barriers, so that useful applications can be created for improved outcomes.”


Jan. 17, 2017: January 2017 Cyber Awareness Newsletter Posted

OCR has posted its January 2017 cyber awareness newsletter about HIPAA Security Rule requirements for audit controls. You can find it posted here: https://www.hhs.gov/sites/default/files/january-2017-cyber-newsletter.pdf.


Jan. 9, 2017: From OCR: Privacy Policy Snapshot Challenge Webinar

The Office of the National Coordinator for Health IT (ONC) announced the Privacy Policy Snapshot Challenge to design its Model Privacy Notice (MPN) at the Connected Health Conference last month. Later this week ONC is hosting an informational webinar. OCR worked with ONC to develop the content of the model notice.

The Privacy Policy Snapshot Challenge calls upon developers, designers, health data privacy experts, and creative, out-of-the-box thinkers to use ONC’s Model Privacy Notice template to create an online tool that can generate a user-friendly “snapshot” of a product’s privacy practices. ONC will award a total of $35,000 in prizes through this challenge. Enter your submissions now! The deadline for submission is April 10, 2017 with winners expected to be announced in mid-2017. For more information, view the Federal Register Notice.

Webinar Date & Time: Thursday, January 12, 2017 at 2:00pm – 3:00pm ET

Register for the webinar.


Dec. 14, 2016: From OCR: NEW: Privacy Policy Snapshot Challenge

The HHS Office of the National Coordinator for Health IT (ONC) announced the Privacy Policy Snapshot Challenge. The Privacy Policy Snapshot Challenge calls upon developers, designers, health data privacy experts, and creative, out-of-the-box thinkers to use ONC’s Model Privacy Notice template to create an online tool that can generate a user-friendly “snapshot” of a product’s privacy practices. ONC will award a total of $35,000 in prizes through this challenge. Enter your submissions now! The deadline for submission is April 10, 2017 with winners expected to be announced in mid-2017. For more information, view the Federal Register Notice.

Continue the discussion by joining ONC’s Office of the Chief Privacy Officer at the Privacy Policy Snapshot Challenge webinar. The webinar will answer your questions and provide information about the challenge and ONC’s Model Privacy Notice initiative. Date & Time: Thursday, January 12, 2017 at 2:00pm – 3:00pm ET. Register for the webinar.


Oct. 18, 2016: From OCR - New Helpful Links, Notes and Answered Questions Page

Last week, we announced some new guidance on the site, including a new cloud computing guidance doc, which can be accessed from the OCR developer portal landing page as well as from OCR’s website.

This week, we'd like to announce a few more updates:

  • We've added some more Helpful Links on the Helpful Links page, and we've also reorganized them.
  • We've added a Notes page. It's a one-stop shop for all the messages we've sent from this community. If you missed one or misplaced one, don't worry; you can always get the info from the Notes page.
  • We've also added an Answered Qs page where you can easily find the answers to archived questions.

As always, keep coming back to the community to share new questions and comment on existing questions. Thanks!


Oct. 11, 2016: From OCR - New Cloud Computing Guidance Up!

We are excited to announce an important new resource for the health tech industry: Guidance on HIPAA and Cloud Computing. Developers and other users of this portal have raised many questions about how HIPAA applies to business relationships in the rapidly evolving health IT community. With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with the HIPAA Rules. In response, OCR has issued this new guidance to assist organizations, including cloud service providers (CSPs), in understanding their HIPAA obligations. The guidance presents key questions and answers to assist HIPAA-regulated CSPs and their customers in understanding their responsibilities under the HIPAA Rules when they create, receive, maintain or transmit electronic protected health information using cloud products and services. The questions addressed should look familiar to portal users, as the guidance drew upon your questions and comments. You can find the guidance on the OCR developer portal landing page as well as on OCR’s website.

Safeguarding Health Information: Building Assurance through HIPAA Security

The National Institute for Standards and Technology (NIST) and OCR are pleased to co-host the 9th annual conference, Safeguarding Health Information: Building Assurance through HIPAA Security, on October 19-20, 2016 at the Capital Hilton, Washington, D.C. Registration for this event is now open: https://www2.nist.gov/news-events/events/2016/10/safeguarding-health-information-building-assurance-through-hipaa-security. The conference will highlight the present state of healthcare cybersecurity, and practical strategies, tips and techniques for implementing the HIPAA Security Rule.

Ransomware

Malicious cyber-attacks on electronic health information systems, such as through ransomware, compromise the integrity and availability of data, and are one of the biggest current threats to health information privacy. OCR has issued HIPAA guidance to help health care entities better understand and respond to the threat of ransomware.

The Crosswalk

In February 2016, OCR issued a crosswalk between the HIPAA Security Rule and the NIST National Cybersecurity Framework, which NIST developed in 2014. This tool helps HIPAA covered entities and business associates manage and reduce cyber risks.

Executive Order 13636, Improving Critical Infrastructure Cybersecurity, directed NIST to develop a Framework for Improving Critical Infrastructure Cybersecurity and to help organizations in various industries understand, communicate, and manage cybersecurity risks. We worked with the National Institute for Standards and Technology (NIST) and the HHS Office of the National Coordinator for Health Information Technology (ONC) to map the HIPAA Security Rule to the Framework.

In the health care space, HIPAA covered entities and business associates must ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that they create, receive, maintain, or transmit. This includes efforts to understand and address cybersecurity.

The crosswalk is a voluntary tool to assist organizations in assessing and managing security risks, while also assuring critical operations and service delivery.

This crosswalk maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory.

The Crosswalk and links to additional resources may be found on OCR’s website at: www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf.


Oct. 5, 2016: From OCR – Health 2.0; new FAQ about Health IT Business Associates; Upcoming Security Conference

Last week I had the opportunity to attend the 10th Health 2.0 fall conference in Santa Clara, CA. When I was not learning about innovative technology collaborations and considering their potential contributions to individual and community health, I was meeting with technology start-ups, patient advocates and policy makers. I also presented on two panels for the Health Data Innovator Privacy and Security Workshop, offered by AcademyHealth and the California Health Care Foundation. The workshop was designed to help health care entrepreneurs and app developers understand HIPAA regulations and other privacy and security laws and consider strategies for navigating them. AcademyHealth and HHS previously collaborated on the Health Datapalooza 2016 workshop, Privacy and Security 2.0: From Challenge to Enabler—the materials are still posted on their site.

Also last week, OCR posted an FAQ about the obligations of Health IT business associates to make health information available to their health plan and health care provider customers. You may find the new FAQ on OCR’s website at: http://www.hhs.gov/hipaa/for-professionals/faq/.

Finally, register for a new event: the National Institute for Standards and Technology (NIST) and OCR are pleased to co-host the 9th annual conference, Safeguarding Health Information: Building Assurance through HIPAA Security, on October 19-20, 2016 at the Capital Hilton, Washington, D.C. Registration for this event is now open: https://www2.nist.gov/news-events/events/2016/10/safeguarding-health-information-building-assurance-through-hipaa-security. The conference will highlight the present state of healthcare cybersecurity, and practical strategies, tips and techniques for implementing the HIPAA Security Rule.

Follow us on Twitter @HHSOCR.

Linda Sanches
Senior Advisor, Health IT and Privacy Policy
Office for Civil Rights, HHS
http://hipaaqsportal.hhs.gov/


July 20, 2016: HIPAA Developers and Friends: HHS released several items over the last week that may interest you.

Ransomware: To help health care entities and business associates better understand and respond to the threat of ransomware, OCR has released new HIPAA guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats. See http://www.hhs.gov/blog/2016/07/11/your-money-or-your-phi.html and http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.

Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA: Our colleagues at the Office of the National Coordinator for Health IT released a new report that takes a look at the challenges of protecting privacy and security of identifiable health information in some new health IT technologies. As more and more health information is digitized with tools like wearables, fitness trackers and even health social media, the need to make sure identifiable health information is private and secure increases. However, many of these tools didn’t exist when HIPAA was first enacted in 1996. OCR and the FTC worked with ONC to produce the report. See https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/examining-oversight-privacy-security-health-data-collected-entities-not-regulated-hipaa/.

HIPAA Audits: Last week, Phase 2 of the audit program kicked into high gear when OCR issued notice to 167 covered entities that they will be undergoing desk audits. Business associates will be selected and audited later this year. See http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.

$2.7 million settlement for potential HIPAA violations: And, in the category of learn-from-the-experiences-of-others: http://www.hhs.gov/about/news/2016/07/18/widespread-hipaa-vulnerabilities-result-in-settlement-with-oregon-health-science-university.html. In this case, OCR’s investigation uncovered evidence of widespread vulnerabilities within the entity’s HIPAA compliance program, including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement. In addition, the entity did not act in a timely manner to implement measures to reduce documented risks and vulnerabilities to a reasonable and appropriate level. It also lacked policies and procedures to prevent, detect, contain, and correct security violations, and it failed to implement a mechanism to encrypt and decrypt ePHI, or an equivalent alternative measure, for ePHI maintained on its workstations, despite having identified this lack of encryption as a risk. To learn more about how to protect individual health information, take a look at the helpful links page, and https://www.healthit.gov/providers-professionals/ehr-privacy-security.


June 21, 2016: HIPAA Qs Portal Update

Good afternoon to our HIPAA Qs followers.

Take a look at this blog post by the HHS Chief Privacy Officer, about the new web tool we created in collaboration with our colleagues there and in FDA and FTC. https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/educating-health-app-developers-regulatory-requirements/

When does information received by a covered entity become subject to HIPAA? What about when a physician hears about a celebrity’s health condition from a TV talk show? This was a comment on the question of HIPAA and patient-generated data. OCR responded to this query today.

Last week we answered a question about selling data collected by a consumer-targeted health app. This is the second portal question about de-identification — you can find the other one by searching on the term from the Questions page.

What about text messaging? This topic is the top vote-getter, and we assure you, we noticed. These questions are feeding into the guidance that we are developing on the topic. Meanwhile, please vote on questions so we understand your priorities.


June 14, 2016: A Pro Tip from HIPAA Qs Portal

A few things to share this week: an interesting article about the Portal and a pro tip for users.

We found this article about the guidance on the HIPAA Qs Portal interesting: It calls the OCR health app guidance “the beginning of an evolution” of mobile in health care. Read it here: http://searchhealthit.techtarget.com/feature/Experts-weigh-in-on-HHS-healthcare-app-development-guidance.

Also, a pro tip: With all the new questions coming in, it's hard to keep track of what you've seen and what you haven't. Did you know that you can see a random assortment of them each time you enter the community?

All you have to do is click on the "Random" tab to see a random assortment of questions. This way, you're not always seeing the most recent or most popular questions, enabling you to potentially catch ones you might have missed. http://hipaaqsportal.hhs.gov/.


June 7, 2016: HIPAA Qs Portal Update

Last week we posted answers to five more questions; take a look at the “Answered Questions” section. We also have added new links we think you might want to explore if you are developing tools for consumers and their health information. You can find them on the helpful links page, and below.

  • In January and February, 2016, OCR issued comprehensive guidance on the right of consumers, under the HIPAA Privacy Rule, to access and obtain a copy of their health information, and have it sent to a third party. The guidance explains how that right applies to electronic health information. With the increasing use of and continued advances in health IT, individuals have ever expanding and innovative opportunities to access their health information electronically, more quickly and easily, in real time and on demand. Health app technology companies can build on this guidance to develop consumer facing products that enable consumers to take charge of their health. Health app developers also may offer products to covered providers and health plans that incorporate the required functionality. http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
  • Last Thursday, OCR and the Office of the National Coordinator for Health IT released Your Health Information, Your Rights!, a series of three short, educational videos to help consumers understand their right under HIPAA to access and receive a copy of their health information. The videos cover patient health apps. http://www.hhs.gov/hipaa/for-individuals/guidance-materials-for-consumers/index.html
  • Finally, please come back into the community and take our poll on where we should post our guidance.


May 23, 2016: An Update and a Pro Tip From the HIPAA Qs Portal

Thanks again for all your great input to the HIPAA Questions Portal! We've had quite an uptick in participation over the last couple weeks, with several new questions, comments and responses from OCR. So be sure to log back in and check it out!

On that note, if you'd like to keep up to date with everything going on in this community, click "Subscribe to Campaign" here in the navigation bar. (You'll have to be logged in for it to appear.) This will send you an email notification any time a new question or answer is posted.

Keep those great questions coming!


May 16, 2016

Greetings! Many of you have let us know that you are having trouble accessing the Health App Use Scenarios and HIPAA guidance and we apologize for the broken links and confusion. We have applied new security settings in the community, and these security actions mean that you can no longer access the document directly from your browser. Instead, from your browser navigate to the community URL: http://hipaaqsportal.hhs.gov/. From there or the helpful links page you can click on the button to open the document. You may need to clear your cache so your browser does not automatically redirect to the no-longer-functioning address.


May 9, 2016

First, thanks again for taking the time to join the discussion at hipaaqsportal.hhs.gov. We appreciate your questions and your feedback and are working to respond in a variety of ways. We have commented directly to some questions. Others we used to develop the health app developer use scenarios—which you can read from our home page. Some questions helped us design the new FTC mobile health app tool, which you can reach on the “which federal laws apply to you” button on the links page.

Secondly, we want to announce a few additions to the community that we hope will make your experience more intuitive and rewarding.

New additions:

1) Based on your requests, we've added some new content to the helpful links page. Check it out!

2) Speaking of helpful links, we'll be running a poll over the next month to get your feedback on where you'd like us to house additional information developed on the topic of health apps and health privacy and security. Check back in to give us your opinion!

3) Finally, we've debuted a new section where we'll move all questions that have been answered, titled "Answered Questions." You'll now be able to see the question and OCR's response. You'll then have the opportunity to continue commenting on the question to get further clarification.

Thanks again for your participation, and don't forget to log back in to see, vote and comment on the latest questions and answers, and to add your own!