SlideShare a Scribd company logo
1 of 24
Scary Acronyms –
A Review of Regulatory and Legal
Issues Core to Health IT
Deven McGraw, JD, MPH, LLM
Director, Health Privacy Project
September 29, 2013
Health Privacy Project at CDT
 Privacy = enabler to flows of data that have the
potential to improve individual, public and population
health
 Aim is to build public trust in these data flows, through
balanced & workable protections, as they are essential
to patient engagement, health reform and building a
“learning health care system.”
 In other words, let’s make the acronyms not so scary
Acronyms to Know
 HIPAA
 HITECH
 FTC
 FDA
 And a few more for good measure: ECPA, SCA, and
FCC, CMIA (California)
HIPAA
 Health Insurance Portability and Accountability Act
 Establishes privacy and security requirements for
identifiable health information (otherwise known as
“protected health information” or PHI) collected, used and
disclosed by “covered entities” and their “business
associates”
 Does not cover all heath data
 You do not trigger HIPAA coverage merely by accepting PHI
from a covered entity or business associate.
HIPAA
 Covered entities: providers, health plans, health care
clearinghouses
 All defined in the regulations (45 Code of Federal Regulations (CFR)
Part 164)
 Business associate: an entity that “creates, receives,
maintains or transmits” PHI in fulfilling certain functions or
activities on behalf of a covered entity. (45 CFR 160.103).
 Recent final regulations clarified who is (and who is not) a
business associate – cloud storage providers are; “mere
conduits” are not. Entities must have BAAs (business
associate agreements).
 See CDT FAQ for more info: https://www.cdt.org/files/pdfs/FAQ-HIPAAandCloud.pdf
HIPAA
 If you are covered by HIPAA:
 Privacy Rule sets forth rules regarding access, use and disclosure
of PHI (paper & electronic); Security Rule sets forth detailed
safeguards regarding electronic PHI (doesn’t apply to paper)
 Privacy Rule:
 Permits some routine uses and disclosures without the need to
obtain patient consent; requires notification in event of breach
 Requires patient authorization for other uses & disclosures
 Security Rule
 Establishes administrative, physical, technical and organizational
safeguards
 Some are required, others are “addressable” implementation specs
HITECH
 Health Information Technology for Economic and Clinical
Health Act of 2009 (part of the American Recovery and
Reinvestment Act (ARRA))
 Authorized tax incentives for purchase and “meaningful use”
of Certified EHR Technology (CEHRT) by certain groups of
providers and hospitals
 Also included changes to HIPAA Privacy Rules (recently
finalized in the “Omnibus Rule”)
 Program began (Stage 1) in 2011; meaningful use objectives
more robust in Stage 2 (begins for early adopters in 2014)
HITECH Opportunities
 Helping providers and hospitals meet meaningful use
“objectives” and quality metrics
 Must use CEHRT (new certification requirements go into
effect in 2014)
 Must use required standards
 In Stage 2, meaningful users must make available – and get
a percentage of their patients to use – portals enabling
patients to view, download and transmit their health
information
 HIPAA new Omnibus Rule also clarified patient’s right to
electronic copies of their health information
Omnibus Rule “Wins” for Patients
 Ordinarily, Security Rule applies to all transmissions of ePHI;
this has been an obstacle to use of some digital technology
to communicate with patients
 BUT recent omnibus rule suggests patient can choose to
receive communications (to the patient) in a form/format
that works for them, even if they are not secure
 Provider must provide “light” warning (this is unsecure
– are you sure?)
 Arguably also relevant to other communications (not just
requests for copies of records)
Omnibus Rule “Wins” for Patients
 Patients also have the right to have information directly
transmitted to the recipient of their choice.
 Choice must be “clear, conspicuous and specific;” per
regulation, just be in writing and signed (can be electronic),
and “clearly identify the designated person and where to
send a copy of the [PHI]”
 Covered entities must implement “reasonable safeguards”
to protect information that is disclosed pursuant to this
provision. (Question: not clear if patient can specify
unsecure e-mail for information transmitted to a 3d party at
the patient’s request)
FTC
 Federal Trade Commission
 Under the Federal Trade Commission Act (FTCA), have the
power to take action against unfair and deceptive trade
practices by entities in commerce (not nonprofits)
 Also enforce breach notification requirements for “personal
health records” (and entities that offer services through
PHRs) enacted under HITECH
 Breach standard – acquisition of identifiable information without
the individual’s authorization.
 Deceptive = breaking commitments to consumers re: data
privacy. Unfair = ?
FTC and Privacy
 FTC final report (March 2012-
http://www.ftc.gov/opa/2012/03/privacyframework.shtm)
 Articulated privacy framework based on fair information
practices; contextual approach to consent
 Called on Congress to enact baseline privacy legislation
 Praised ongoing efforts on Do-Not-Track and endorsed
industry codes of conduct
 Endorsed role for U.S. in achieving harmonization of
U.S.-global data privacy policies
 Workshop on “Internet of Things” on November 19. One
focus is connected self/health
http://www.ftc.gov/opa/2013/04/internetthings.shtm
Additional Resources re: Privacy
 CDT and Future of Privacy Forum Best Practices for Mobile
App Developers: https://www.cdt.org/files/pdfs/Best-
Practices-Mobile-App-Developers.pdf
 Markle Common Framework for Networked Personal
Health Information (for connecting consumers):
http://www.markle.org/health/markle-common-
framework/connecting-consumers
FDA
 Food and Drug Administration
 Authorized by Congress to regulate medical devices
 Software that acts as a device is subject to medical device
regulation
 Degree of regulation depends on the risk classification for
the device (ranging from general controls in Class I;
general + special controls in Class II; to premarket
approval in Class III).
 Relevant to manufacturers of software that qualifies as a
medical device.
FDA Regulation of Apps, EHRs
 FDA takes the position that EHRs and other
medical software applications (apps) are medical
devices, subject to FDA regulatory authority
 Issued & sought public comment on initial draft
guidance for “mobile medical apps” (July 2011)
 Seeking to regulate apps that more clearly perform the role of a
medical device; does not include apps designed to be used for
general health & wellness (like a fitness tracking app)
 Distinction not that clear in the draft guidance
FDA Regulation of Apps Controversial
 Guidance generated some controversy.
 Congress (in the FDA Safety and Innovation Act of 2012)
called for federal advisory committee to examine issue,
make recommendations
 Health IT Policy Committee recently recommended a risk-
based framework for regulating medical software
(http://www.healthit.gov/FACAS/sites/faca/files/FDASIARecomm
endationsDraft030913_v2.pdf) (finalized in early September
2013, although initial recommendations were vetted in August
2013)
Final Guidance Issued 9/23
 http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandG
uidance/GuidanceDocuments/UCM263366.pdf
 FDA is focusing only on apps that are medical devices and
“whose functionality could pose a risk to a patient’s safety
if the mobile app were not to function as intended.”
 Focus is on how app is intended to be used
 Will look at all evidence on intended use
 Platform agnostic
 Guidance does not establish “legally enforceable
responsibilities” but instead describes FDA’s current
thinking on a topic.
Final Guidance Issued 9/23
 More clarity on where FDA will focus oversight.
 FDA’s focus is on safety, not privacy
 Medical apps that:
 Are extensions of one or more medical devices (such as those that
display device data);
 Transform a mobile platform into a regulated device; or
 Perform “patient-specific” analysis or provide “patient-specific”
diagnosis or treatment recommendations
Will be subject to device regulation.
Final Guidance Issued 9/23
 Guidance also lists types of apps for which FDA intends to
exercise “enforcement discretion” (no enforcement at this
time):
 Apps that provide or facilitate supplemental clinical care, by coaching or
prompting, to help patients manage their health in a daily environment.
 Apps that provide patients with simple tools to organize and track their health
information.
 Mobile apps that provide easy access to information on a patient’s health
conditions or treatments
 Apps specifically marketed to help patients document, show or communicate to
providers potential medical conditions.
 Apps that perform simple calculations routinely used in clinical practice.
 Apps that enable individuals to interact with PHR or EHR systems.
 More examples provided in guidance.
ECPA (specifically, SCA)
 Electronic Communications Privacy Act, specifically the
provisions of the Stored Communications Act.
 Prohibits entities providing electronic communication
services or remote computing services to the public from
divulging the contents of any communications carried or
stored by the service, absent consent.
 Remote computing services is defined as providing the
public with storage or processing services by means of an
electronic communications system.
ECPA/SCA limits
 Protections can be waived by consent – consent provided
by agreeing to terms of service may be adequate.
 Protections apply only if the provider of the
storage/processing services is not authorized to access the
contents of the communications for purposes of providing
any other services
 So if information analyzed for purposes of targeting
advertisements, or performing analytics, that service may fall
outside of ECPA’s coverage.
FCC
 Federal Communications Commission
 Rules apply to communications carriers (for example,
telephones, wireless devices, cable subscribers) and
prohibit the sharing of certain information about
customers
 http://transition.fcc.gov/cgb/consumerfacts/protectingpri
vacy.pdf
CMIA
 State laws may also be a concern!
 For example, the Confidentiality of Medical Information Act,
the primary health information privacy law in California
 Initially like HIPAA covered medical professionals and
facilities – but legislature has recently expanded coverage
 First expanded to cover “any business organized for the
primary purpose of maintaining medical information” in
order to make it available to an individual or a health care
provider.
 This year expanded further to cover software and medical
apps (AB 658 was signed by the Governor earlier this
month).
Not too scary at all!
Questions?
Deven McGraw
202-637-9800 x115
deven@cdt.org
www.cdt.org/healthprivacy

More Related Content

What's hot

RapidValue White Paper on Regulations and compliance for enterprise mHealth a...
RapidValue White Paper on Regulations and compliance for enterprise mHealth a...RapidValue White Paper on Regulations and compliance for enterprise mHealth a...
RapidValue White Paper on Regulations and compliance for enterprise mHealth a...Nageena Vijayan
 
Health delivery information system [HDIS] MVP
Health delivery information system [HDIS] MVPHealth delivery information system [HDIS] MVP
Health delivery information system [HDIS] MVPACCESS Health Digital
 
Research Paper - Elizabeth Cartwright; Undergrad, Policy
Research Paper - Elizabeth Cartwright; Undergrad, PolicyResearch Paper - Elizabeth Cartwright; Undergrad, Policy
Research Paper - Elizabeth Cartwright; Undergrad, PolicyElizabeth Cartwright
 
Mobile Medical Apps and FDA Regulatory Approach
Mobile Medical Apps and FDA Regulatory ApproachMobile Medical Apps and FDA Regulatory Approach
Mobile Medical Apps and FDA Regulatory ApproachAkshay Anand
 
Hipaa101 updated
Hipaa101 updatedHipaa101 updated
Hipaa101 updatedkkurapat
 
IRDAI - NHA Joint Working Group: Sub Group on IT
IRDAI - NHA Joint Working Group: Sub Group on ITIRDAI - NHA Joint Working Group: Sub Group on IT
IRDAI - NHA Joint Working Group: Sub Group on ITPankaj Gupta
 
Lm3s Medical Summary
Lm3s  Medical Summary Lm3s  Medical Summary
Lm3s Medical Summary claymalloy
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationHai Nguyen
 
HIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis SpencerHIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis Spencershay1234
 
Duff-Phelps Healthcare IT Insights
Duff-Phelps Healthcare IT InsightsDuff-Phelps Healthcare IT Insights
Duff-Phelps Healthcare IT Insightseynonglyn
 
Electronic renal dialysis patient management network - vision document
Electronic renal dialysis patient management network - vision documentElectronic renal dialysis patient management network - vision document
Electronic renal dialysis patient management network - vision documentsruthisagili
 
The Fundamentals ofHIT
The Fundamentals ofHITThe Fundamentals ofHIT
The Fundamentals ofHITslvhit
 

What's hot (17)

RapidValue White Paper on Regulations and compliance for enterprise mHealth a...
RapidValue White Paper on Regulations and compliance for enterprise mHealth a...RapidValue White Paper on Regulations and compliance for enterprise mHealth a...
RapidValue White Paper on Regulations and compliance for enterprise mHealth a...
 
Health information exchange (HIE)
Health information exchange (HIE)Health information exchange (HIE)
Health information exchange (HIE)
 
HIPAA TITLE II (2)
HIPAA TITLE II (2)HIPAA TITLE II (2)
HIPAA TITLE II (2)
 
Health delivery information system [HDIS] MVP
Health delivery information system [HDIS] MVPHealth delivery information system [HDIS] MVP
Health delivery information system [HDIS] MVP
 
Research Paper - Elizabeth Cartwright; Undergrad, Policy
Research Paper - Elizabeth Cartwright; Undergrad, PolicyResearch Paper - Elizabeth Cartwright; Undergrad, Policy
Research Paper - Elizabeth Cartwright; Undergrad, Policy
 
Mobile Medical Apps and FDA Regulatory Approach
Mobile Medical Apps and FDA Regulatory ApproachMobile Medical Apps and FDA Regulatory Approach
Mobile Medical Apps and FDA Regulatory Approach
 
Hipaa101 updated
Hipaa101 updatedHipaa101 updated
Hipaa101 updated
 
IRDAI - NHA Joint Working Group: Sub Group on IT
IRDAI - NHA Joint Working Group: Sub Group on ITIRDAI - NHA Joint Working Group: Sub Group on IT
IRDAI - NHA Joint Working Group: Sub Group on IT
 
Lm3s Medical Summary
Lm3s  Medical Summary Lm3s  Medical Summary
Lm3s Medical Summary
 
N ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authenticationN ye c-rfp-two-factor-authentication
N ye c-rfp-two-factor-authentication
 
HIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis SpencerHIPPA---Chantel Artis Spencer
HIPPA---Chantel Artis Spencer
 
Duff-Phelps Healthcare IT Insights
Duff-Phelps Healthcare IT InsightsDuff-Phelps Healthcare IT Insights
Duff-Phelps Healthcare IT Insights
 
Electronic renal dialysis patient management network - vision document
Electronic renal dialysis patient management network - vision documentElectronic renal dialysis patient management network - vision document
Electronic renal dialysis patient management network - vision document
 
The Fundamentals ofHIT
The Fundamentals ofHITThe Fundamentals ofHIT
The Fundamentals ofHIT
 
Hipaa
HipaaHipaa
Hipaa
 
Pro medoss
Pro medoss Pro medoss
Pro medoss
 
HIPAA Compliance
HIPAA ComplianceHIPAA Compliance
HIPAA Compliance
 

Similar to Scary acronyms

Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA TrainingJonathan Montes
 
What explains why certain services were covered and others were not .docx
 What explains why certain services were covered and others were not .docx What explains why certain services were covered and others were not .docx
What explains why certain services were covered and others were not .docxajoy21
 
mHealth Israel_Digital Health Regulation and the FDA
mHealth Israel_Digital Health Regulation and the FDAmHealth Israel_Digital Health Regulation and the FDA
mHealth Israel_Digital Health Regulation and the FDALevi Shapiro
 
free mHealth Checklist
free mHealth Checklistfree mHealth Checklist
free mHealth ChecklistDemet G. Sag
 
Responding To The Opportunity
Responding To The OpportunityResponding To The Opportunity
Responding To The Opportunityguest7042c6
 
HIPAA and RHIOs
HIPAA and RHIOsHIPAA and RHIOs
HIPAA and RHIOsnobumoto
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookElizabeth Dimit
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...susmitaghosh93
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfmohammedfootwear
 
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...Quinnipiac University
 
The Move to Mobile
The Move to MobileThe Move to Mobile
The Move to MobileDale Cooke
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentialityjessie66
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associatesgppcpa
 
21st Century Act and its Impact on Healthcare IT
21st Century Act and its Impact on Healthcare IT21st Century Act and its Impact on Healthcare IT
21st Century Act and its Impact on Healthcare ITCitiusTech
 
Economic Stimulus Package V4
Economic Stimulus Package V4Economic Stimulus Package V4
Economic Stimulus Package V4bakerdb
 

Similar to Scary acronyms (20)

Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA Training
 
What explains why certain services were covered and others were not .docx
 What explains why certain services were covered and others were not .docx What explains why certain services were covered and others were not .docx
What explains why certain services were covered and others were not .docx
 
mHealth Israel_Digital Health Regulation and the FDA
mHealth Israel_Digital Health Regulation and the FDAmHealth Israel_Digital Health Regulation and the FDA
mHealth Israel_Digital Health Regulation and the FDA
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
free mHealth Checklist
free mHealth Checklistfree mHealth Checklist
free mHealth Checklist
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2
 
Responding To The Opportunity
Responding To The OpportunityResponding To The Opportunity
Responding To The Opportunity
 
HIPAA and RHIOs
HIPAA and RHIOsHIPAA and RHIOs
HIPAA and RHIOs
 
HIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule PlaybookHIPAA Final Omnibus Rule Playbook
HIPAA Final Omnibus Rule Playbook
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
 
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
HIPAA's Title II- Administrative Simplification Rules: The Three Basic Rules ...
 
Hitech Act
Hitech ActHitech Act
Hitech Act
 
HIPAA Complaince
HIPAA ComplainceHIPAA Complaince
HIPAA Complaince
 
The Move to Mobile
The Move to MobileThe Move to Mobile
The Move to Mobile
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentiality
 
HIPAA Tittle II
HIPAA Tittle IIHIPAA Tittle II
HIPAA Tittle II
 
Dental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business AssociatesDental Compliance for Dentists and Business Associates
Dental Compliance for Dentists and Business Associates
 
21st Century Act and its Impact on Healthcare IT
21st Century Act and its Impact on Healthcare IT21st Century Act and its Impact on Healthcare IT
21st Century Act and its Impact on Healthcare IT
 
Economic Stimulus Package V4
Economic Stimulus Package V4Economic Stimulus Package V4
Economic Stimulus Package V4
 

Recently uploaded

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 

Recently uploaded (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 

Scary acronyms

  • 1. Scary Acronyms – A Review of Regulatory and Legal Issues Core to Health IT Deven McGraw, JD, MPH, LLM Director, Health Privacy Project September 29, 2013
  • 2. Health Privacy Project at CDT  Privacy = enabler to flows of data that have the potential to improve individual, public and population health  Aim is to build public trust in these data flows, through balanced & workable protections, as they are essential to patient engagement, health reform and building a “learning health care system.”  In other words, let’s make the acronyms not so scary
  • 3. Acronyms to Know  HIPAA  HITECH  FTC  FDA  And a few more for good measure: ECPA, SCA, and FCC, CMIA (California)
  • 4. HIPAA  Health Insurance Portability and Accountability Act  Establishes privacy and security requirements for identifiable health information (otherwise known as “protected health information” or PHI) collected, used and disclosed by “covered entities” and their “business associates”  Does not cover all heath data  You do not trigger HIPAA coverage merely by accepting PHI from a covered entity or business associate.
  • 5. HIPAA  Covered entities: providers, health plans, health care clearinghouses  All defined in the regulations (45 Code of Federal Regulations (CFR) Part 164)  Business associate: an entity that “creates, receives, maintains or transmits” PHI in fulfilling certain functions or activities on behalf of a covered entity. (45 CFR 160.103).  Recent final regulations clarified who is (and who is not) a business associate – cloud storage providers are; “mere conduits” are not. Entities must have BAAs (business associate agreements).  See CDT FAQ for more info: https://www.cdt.org/files/pdfs/FAQ-HIPAAandCloud.pdf
  • 6. HIPAA  If you are covered by HIPAA:  Privacy Rule sets forth rules regarding access, use and disclosure of PHI (paper & electronic); Security Rule sets forth detailed safeguards regarding electronic PHI (doesn’t apply to paper)  Privacy Rule:  Permits some routine uses and disclosures without the need to obtain patient consent; requires notification in event of breach  Requires patient authorization for other uses & disclosures  Security Rule  Establishes administrative, physical, technical and organizational safeguards  Some are required, others are “addressable” implementation specs
  • 7. HITECH  Health Information Technology for Economic and Clinical Health Act of 2009 (part of the American Recovery and Reinvestment Act (ARRA))  Authorized tax incentives for purchase and “meaningful use” of Certified EHR Technology (CEHRT) by certain groups of providers and hospitals  Also included changes to HIPAA Privacy Rules (recently finalized in the “Omnibus Rule”)  Program began (Stage 1) in 2011; meaningful use objectives more robust in Stage 2 (begins for early adopters in 2014)
  • 8. HITECH Opportunities  Helping providers and hospitals meet meaningful use “objectives” and quality metrics  Must use CEHRT (new certification requirements go into effect in 2014)  Must use required standards  In Stage 2, meaningful users must make available – and get a percentage of their patients to use – portals enabling patients to view, download and transmit their health information  HIPAA new Omnibus Rule also clarified patient’s right to electronic copies of their health information
  • 9. Omnibus Rule “Wins” for Patients  Ordinarily, Security Rule applies to all transmissions of ePHI; this has been an obstacle to use of some digital technology to communicate with patients  BUT recent omnibus rule suggests patient can choose to receive communications (to the patient) in a form/format that works for them, even if they are not secure  Provider must provide “light” warning (this is unsecure – are you sure?)  Arguably also relevant to other communications (not just requests for copies of records)
  • 10. Omnibus Rule “Wins” for Patients  Patients also have the right to have information directly transmitted to the recipient of their choice.  Choice must be “clear, conspicuous and specific;” per regulation, just be in writing and signed (can be electronic), and “clearly identify the designated person and where to send a copy of the [PHI]”  Covered entities must implement “reasonable safeguards” to protect information that is disclosed pursuant to this provision. (Question: not clear if patient can specify unsecure e-mail for information transmitted to a 3d party at the patient’s request)
  • 11. FTC  Federal Trade Commission  Under the Federal Trade Commission Act (FTCA), have the power to take action against unfair and deceptive trade practices by entities in commerce (not nonprofits)  Also enforce breach notification requirements for “personal health records” (and entities that offer services through PHRs) enacted under HITECH  Breach standard – acquisition of identifiable information without the individual’s authorization.  Deceptive = breaking commitments to consumers re: data privacy. Unfair = ?
  • 12. FTC and Privacy  FTC final report (March 2012- http://www.ftc.gov/opa/2012/03/privacyframework.shtm)  Articulated privacy framework based on fair information practices; contextual approach to consent  Called on Congress to enact baseline privacy legislation  Praised ongoing efforts on Do-Not-Track and endorsed industry codes of conduct  Endorsed role for U.S. in achieving harmonization of U.S.-global data privacy policies  Workshop on “Internet of Things” on November 19. One focus is connected self/health http://www.ftc.gov/opa/2013/04/internetthings.shtm
  • 13. Additional Resources re: Privacy  CDT and Future of Privacy Forum Best Practices for Mobile App Developers: https://www.cdt.org/files/pdfs/Best- Practices-Mobile-App-Developers.pdf  Markle Common Framework for Networked Personal Health Information (for connecting consumers): http://www.markle.org/health/markle-common- framework/connecting-consumers
  • 14. FDA  Food and Drug Administration  Authorized by Congress to regulate medical devices  Software that acts as a device is subject to medical device regulation  Degree of regulation depends on the risk classification for the device (ranging from general controls in Class I; general + special controls in Class II; to premarket approval in Class III).  Relevant to manufacturers of software that qualifies as a medical device.
  • 15. FDA Regulation of Apps, EHRs  FDA takes the position that EHRs and other medical software applications (apps) are medical devices, subject to FDA regulatory authority  Issued & sought public comment on initial draft guidance for “mobile medical apps” (July 2011)  Seeking to regulate apps that more clearly perform the role of a medical device; does not include apps designed to be used for general health & wellness (like a fitness tracking app)  Distinction not that clear in the draft guidance
  • 16. FDA Regulation of Apps Controversial  Guidance generated some controversy.  Congress (in the FDA Safety and Innovation Act of 2012) called for federal advisory committee to examine issue, make recommendations  Health IT Policy Committee recently recommended a risk- based framework for regulating medical software (http://www.healthit.gov/FACAS/sites/faca/files/FDASIARecomm endationsDraft030913_v2.pdf) (finalized in early September 2013, although initial recommendations were vetted in August 2013)
  • 17. Final Guidance Issued 9/23  http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandG uidance/GuidanceDocuments/UCM263366.pdf  FDA is focusing only on apps that are medical devices and “whose functionality could pose a risk to a patient’s safety if the mobile app were not to function as intended.”  Focus is on how app is intended to be used  Will look at all evidence on intended use  Platform agnostic  Guidance does not establish “legally enforceable responsibilities” but instead describes FDA’s current thinking on a topic.
  • 18. Final Guidance Issued 9/23  More clarity on where FDA will focus oversight.  FDA’s focus is on safety, not privacy  Medical apps that:  Are extensions of one or more medical devices (such as those that display device data);  Transform a mobile platform into a regulated device; or  Perform “patient-specific” analysis or provide “patient-specific” diagnosis or treatment recommendations Will be subject to device regulation.
  • 19. Final Guidance Issued 9/23  Guidance also lists types of apps for which FDA intends to exercise “enforcement discretion” (no enforcement at this time):  Apps that provide or facilitate supplemental clinical care, by coaching or prompting, to help patients manage their health in a daily environment.  Apps that provide patients with simple tools to organize and track their health information.  Mobile apps that provide easy access to information on a patient’s health conditions or treatments  Apps specifically marketed to help patients document, show or communicate to providers potential medical conditions.  Apps that perform simple calculations routinely used in clinical practice.  Apps that enable individuals to interact with PHR or EHR systems.  More examples provided in guidance.
  • 20. ECPA (specifically, SCA)  Electronic Communications Privacy Act, specifically the provisions of the Stored Communications Act.  Prohibits entities providing electronic communication services or remote computing services to the public from divulging the contents of any communications carried or stored by the service, absent consent.  Remote computing services is defined as providing the public with storage or processing services by means of an electronic communications system.
  • 21. ECPA/SCA limits  Protections can be waived by consent – consent provided by agreeing to terms of service may be adequate.  Protections apply only if the provider of the storage/processing services is not authorized to access the contents of the communications for purposes of providing any other services  So if information analyzed for purposes of targeting advertisements, or performing analytics, that service may fall outside of ECPA’s coverage.
  • 22. FCC  Federal Communications Commission  Rules apply to communications carriers (for example, telephones, wireless devices, cable subscribers) and prohibit the sharing of certain information about customers  http://transition.fcc.gov/cgb/consumerfacts/protectingpri vacy.pdf
  • 23. CMIA  State laws may also be a concern!  For example, the Confidentiality of Medical Information Act, the primary health information privacy law in California  Initially like HIPAA covered medical professionals and facilities – but legislature has recently expanded coverage  First expanded to cover “any business organized for the primary purpose of maintaining medical information” in order to make it available to an individual or a health care provider.  This year expanded further to cover software and medical apps (AB 658 was signed by the Governor earlier this month).
  • 24. Not too scary at all! Questions? Deven McGraw 202-637-9800 x115 deven@cdt.org www.cdt.org/healthprivacy

Editor's Notes

  1. FDA does not intend to regulate “mobile apps that are solely used to log, record, track, evaluate, or make decisions or suggestions related to developing or maintaining general health and wellness.”  Examples of health and wellness apps are provided in the guidance, and include dietary tracking logs, appointment reminders, dietary suggestions based on a calorie counter, posture suggestions, exercise suggestions, etc. In contrast, a mobile medical app is one that is intended for “curing, treating, seeking treatment for, mitigating, or diagnosing a specific disease, disorder, patient state, or any specific, identifiable health condition.” FDA intends to place most stringent requirements on devices that pose the most risk; general controls only for those that pose minimum risk to morbidity/mortality