CS342/MED253 Building for Digital Health
Lecture 1B: What makes health apps different?
Oliver Aalami, Mike Hittle
Fall 2019
https://cs342.stanford.edu
cs342-aut1920.slack.com
Welcome!
Submit your project preferences by tomorrow Sep 27
Deliverables
● Download and set up Xcode 10.3 on your machine. If you are new to iOS, follow the Build a Basic UI tutorial.
● Submit a screenshot of your running project via Canvas by our next class (Oct 1st).
● Send us your GitHub username: [link in website]
Overview for today
● What is HIPAA?
● What is a Covered Entity?
● What is a Business Associate?
● What is PHI?
● What is the HIPAA Security Rule?
● What is “Consent” in healthcare?
● Consequences of a HIPAA Violation or Breach
● What is a DRA?
● Navigating privacy and compliance at Stanford
● 2 Case Studies - StrokeCoach (non-PHI) and STREAM (PHI)
What is HIPAA?
● Health Insurance Portability and Accountability Act (1996, signed by President Bill Clinton)
○ Modernizes the flow of health information and stipulates how individually identifiable health information maintained by the healthcare and insurance industries must be protected
● HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information): the first national standard for the protection of certain health information
● Issued by the U.S. Department of Health and Human Services (HHS)
● Under HHS, the Office for Civil Rights (OCR) is responsible for implementing and enforcing the rule
● Covered Entities and their Business Associates are subject to this rule (next slide)
● The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, paper or oral. This is Protected Health Information (PHI)
● No restrictions on the use or disclosure of de-identified health information
What is a Covered Entity?
● Health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards
● Researchers are covered entities if they are also healthcare providers who electronically transmit health information in connection with any transaction for which HHS has adopted a standard.
What is a Business Associate?
● A person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
● Examples: Google Cloud Platform, Microsoft Azure, AWS
What is a Business Associate Agreement (BAA)?
● A covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates
● Example: Stanford has a BAA with Google Cloud Platform (GCP)
What is Protected Health Information (PHI)?
● Individually identifiable health information. A record counts as identifiable if it carries any of the 18 identifiers enumerated in the Safe Harbor de-identification standard (45 CFR 164.514(b)(2)): names, geographic detail below state level, dates other than year, contact details, SSNs, medical record, health plan and account numbers, certificate and license numbers, vehicle and device identifiers, URLs, IP addresses, biometrics, full-face photos, and any other unique identifying number, characteristic or code
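De-identified data falls outside the Privacy Rule, and the 18 identifiers are the checklist for getting there under the Safe Harbor method. The following Python is an added example, not code from the lecture or from the Stanford projects it describes: it applies the Safe Harbor transformations to one patient record, dropping direct identifiers, reducing dates to their year, bucketing ages over 89, and truncating ZIP codes to three digits (or 000 for sparsely populated prefixes). The field names and the sample record are this example's own conventions, and the restricted ZIP-prefix set is an assumption transcribed from the HHS de-identification guidance that should be re-verified before use.

```python
"""Safe Harbor de-identification of a single patient record (added example)."""
import re
from datetime import date

# Fields treated as direct identifiers and dropped outright.
# ASSUMPTION: these field names are this example's own schema, not a standard.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric_id",
    "photo",
}

# ASSUMPTION: 3-digit ZIP prefixes covering 20,000 or fewer people, which
# Safe Harbor requires be replaced by 000. Transcribed from the census-derived
# list in HHS guidance; re-check against current guidance before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def generalize_zip(zip_code):
    """Keep the first three digits of a ZIP, or return 000 for restricted prefixes."""
    digits = re.sub(r"\D", "", zip_code)
    prefix = digits[:3]
    if len(prefix) < 3 or prefix in RESTRICTED_ZIP3:
        return "000"
    return prefix


def age_on(birth, as_of):
    """Whole years from `birth` to `as_of`; both are ISO YYYY-MM-DD strings."""
    b, a = date.fromisoformat(birth), date.fromisoformat(as_of)
    years = a.year - b.year
    if (a.month, a.day) < (b.month, b.day):
        years -= 1
    return years


def safe_harbor(record, as_of):
    """Return a de-identified copy of `record`.

    Direct identifiers are dropped, ZIPs are generalized, ISO dates are reduced
    to their year, and ages over 89 are reported as "90+" with the birth year
    removed, since a birth year alone would still reveal an age over 89.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, str) and ISO_DATE.match(value):
            out[key] = value[:4]  # year only
        else:
            out[key] = value

    birth = record.get("birth_date")
    if isinstance(birth, str) and ISO_DATE.match(birth):
        age = age_on(birth, as_of)
        if age > 89:
            out["age"] = "90+"
            out.pop("birth_date", None)
        else:
            out["age"] = age
    return out


if __name__ == "__main__":
    # Constructed sample record; every value is fictitious.
    sample = {
        "name": "Jane Doe",
        "mrn": "MRN-000123",
        "email": "jane@example.com",
        "zip": "94305-4125",
        "birth_date": "1950-03-15",
        "admission_date": "2019-09-20",
        "diagnosis": "I63.9",
    }
    print(safe_harbor(sample, as_of="2019-09-26"))
```

Safe Harbor additionally requires that the covered entity has no actual knowledge that the remaining information could identify the individual, and the alternative route is a documented Expert Determination; neither is something code can check for you. Free-text fields are the usual failure mode, since a clinical note can contain any of the 18 identifiers and this record-level pass does not look inside strings.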
What does the HIPAA Security Rule require?
● Administrative, physical and technical safeguards for electronic PHI. For the apps in this course that means, at minimum:
○ 2-factor authentication
○ Encryption at rest
○ Encryption in flight (in transit)
● The rule itself is written in terms of outcomes, not products: it requires person or entity authentication (45 CFR 164.312(d)) but does not name 2-factor authentication, and encryption of stored and transmitted ePHI is an “addressable” implementation specification (164.312(a)(2)(iv), 164.312(e)(2)(ii)), meaning that if you do not encrypt you must document an equivalent alternative
What is “Consent” in healthcare?
● A signed document obtained by a covered entity for uses and disclosures of protected health information for treatment, payment, health care operations or research.
© 2016 Stanford Byers Center for Biodesign
What are the consequences of a HIPAA violation or data breach?
Disclaimer - this is not a “scared straight” campaign.
Consequences for HIPAA Breach
2018 - $28,686,400
Source: https://compliancy-group.com/hipaa-fines-directory-year/
Consequences for HIPAA Breach
2017 - $20,393,200
Source: https://compliancy-group.com/hipaa-fines-directory-year/
Consequences for HIPAA Breach
Source: https://www.federalregister.gov/documents/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the#h-95
Penalties are particularly damaging for small players (i.e. your lab)
Fine for 320 patients (your study) = 76 million (Anthem)
Consequences for HIPAA Breach
But wait….. What about Tort liability?
Tort = personal injury litigation etc.
HIPAA does NOT preempt Tort liability.
Meet Andrew N. Friedman
Source: https://www.cohenmilstein.com/professional/andrew-n-friedman
Consequences for HIPAA Breach
This suit only included 19 million people out of 78 million people affected. More to come!
Source: https://www.cohenmilstein.com/professional/andrew-n-friedman
You Don’t Really Want To Meet Andrew N. Friedman
Source: https://www.cohenmilstein.com/professional/andrew-n-friedman
How does Stanford deal with this risk?
1. Data Risk Assessment (DRA)
2. Individual Training and Compliance
1. Data Risk Assessment (DRA)
What is a DRA?
• Collaboration between the Information Security Office (ISO) and the University Privacy Office (UPO) - unsung heroes
• Usually involves a lawyer
• Usually involves an engineer or other technical expertise
• Required by the IRB
• More people requiring care and fewer people paying into the system
• Thorough review of the data you collect and the methods of storage and transfer
• Data flow diagram
• Form, documentation submission
• Interview/meeting(s)
• Takes 2 weeks to ∞
Critical DRA Elements
• Pre-Screening Questionnaire
  • https://stanford.service-now.com/it_services?id=sc_cat_item&sys_id=a899efaf13ec3a00d3b6b3b12244b062
• Data Risk Assessment Intake Form
  • https://redcap.stanford.edu/webauth/surveys/?s=7CYLWCYK8D
• Data Flow Diagram
  • Example: https://www.lucidchart.com/documents/edit/2fde1140-2e81-4e90-b302-4a7de8dd4c65?shared=true&
• Data Classification
  • https://uit.stanford.edu/guide/riskclassifications
Data Flow Diagram
Data Risk Classification
Source: https://uit.stanford.edu/guide/riskclassifications
Case Studies - Two Apps - PHI vs non-PHI
Source: https://uit.stanford.edu/guide/riskclassifications
StrokeCoach Data Flow - non-PHI
DRA Time: 1 month
Stream Data Flow - PHI
DRA Time: 3.5 months
2. Individual Training and Compliance
Required Trainings
• STARS - HIPAA Certification
  • Open Axess -> click on “STARS” -> search “HIPAA”
  • Select the Web module
  • Complete the PRIV-2019-WEB module (120 min)
  • Once completed, move on to the CLIN-2019-WEB module (120 min)
• CITI Human Subjects Research Training
  • Go to: https://www.citiprogram.org/members/index.cfm?pageID=50
  • Complete the Group 7 - Basic Course
Required Compliance
• SOM - Attestation and Device Enrollment
• Encrypt all devices with SWDE
  • https://uit.stanford.edu/guide/encrypt/config
• Revising your attestation for already registered devices
  • https://amie.stanford.edu/attestation
  • Indicate that the device will be used for High-Risk data
  • Follow the instructions/steps - not always the easiest
• Add new devices
  • https://mydevices.stanford.edu/group/mydevices
  • Indicate that the devices will be used for High-Risk data
Stanford Byers Center for Biodesign318 Campus Drive, E100Stanford, CA 94305