HIPAA and Son of HIPAA - Notes from HealthCamp Boston Unconference

Slide 1: HIPAA and Son of HIPAA: Rain on Your Parade
HealthCamp Boston
David Harlow JD MPH
THE HARLOW GROUP LLC
April 21, 2009

Slide 2: HIPAA and Son of HIPAA Meet Social Media in Health Care
• The promise of interoperable patient-centered health records, and social media . . .
• And the potential collision with “new and improved” HIPAA and related privacy rules in the HITECH Act

Slide 3: HITECH Act rules
• Layered on top of existing HIPAA privacy and security rules we have:
• Security breach notification requirement
  ▫ FTC rule published last week
• Make it indecipherable requirement
  ▫ HHS guidance published last week
    - If it’s indecipherable, release is not a breach
  ▫ Open Q: Is a fingerprint-locked flash drive secure?

Slide 4: PHR privacy regulated by FTC
SEC. 13407. TEMPORARY BREACH NOTIFICATION REQUIREMENT FOR VENDORS OF PERSONAL HEALTH RECORDS AND OTHER NON-HIPAA COVERED ENTITIES.
(a) In General- In accordance with subsection (c), each vendor of personal health records, following the discovery of a breach of security of unsecured PHR identifiable health information that is in a personal health record maintained or offered by such vendor, and each entity described in clause (ii), (iii), or (iv) of section 13424(b)(1)(A),** following the discovery of a breach of security of such information that is obtained through a product or service provided by such entity, shall--
(1) notify each individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of such a breach of security; and
(2) notify the Federal Trade Commission. ....
** (ii) entities that offer products or services through the website of a vendor of personal health records; (iii) entities that are not covered entities and that offer products or services through the websites of covered entities that offer individuals personal health records; (iv) entities that are not covered entities and that access information in a personal health record or send information to a personal health record;

Slide 5: FTC carries a big stick
• If FTC is key enforcement agency, expect a lot of activity and the very heavy enforcement of privacy law (“unfair business practice” enforcer)
• One observer:
  ▫ “The goal is to rein it in … have some modicum of control over the Web 2.0, health IT, PHI mashup craze before it ends in a privacy and security train wreck.”

Slide 6: BAA requirement
SEC. 13408. BUSINESS ASSOCIATE CONTRACTS REQUIRED FOR CERTAIN ENTITIES. Each organization, with respect to a covered entity, that provides data transmission of protected health information to such entity (or its business associate) and that requires access on a routine basis to such protected health information, such as a Health Information Exchange Organization, Regional Health Information Organization, E-prescribing Gateway, or each vendor that contracts with a covered entity to allow that covered entity to offer a personal health record to patients as part of its electronic health record, is required to enter into a [Business Associate Agreement]

Slide 7: Business Associate obligations
• HIPAA compliance policies and procedures
• Subject to audit
• Subject to liability for unauthorized release / security breach
• Increased penalties and enforcement in hands of:
  ▫ HHS
  ▫ FTC
  ▫ State AGs

Slide 8: What does all this have to do with social media?

Slide 9: Social Media meets HIPAA & Son of HIPAA
• What if a patient releases information online (in social media context)?
• What if provider releases?
• BAA required?
• When is consent given, when can it be assumed? Can it ever be assumed? (New, messier rules re: consent)
• If there is a “private” 1-on-1 conversation between a patient & a provider via an online service
  ▫ Is the online service a Business Associate?
  ▫ What are its obligations?
  ▫ What protections should it have in place?

Slide 10: Other Issues

Slide 11: Questions, Approaches, Solutions

Slide 12: Discussion
David Harlow JD MPH
THE HARLOW GROUP LLC
www.harlowgroup.net
www.healthblawg.typepad.com
www.twitter.com/healthblawg
david@harlowgroup.net
617.965.9732
