Protecting Patient Privacy during COVID-19

With the rapid spread of COVID-19 across the country, and increasing numbers of infected patients at hospitals, compliance and privacy teams are taking extra precautions to protect sensitive patient information. Here are some tips to ensure your organization is protecting patient privacy during the COVID-19 outbreak:

1. Stay up-to-date on all announcements from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). While the rules and regulations under the HIPAA Privacy Rule remain in force and enforceable, the OCR has released several waivers for the disclosure of Protected Health Information (PHI) during the COVID-19 crisis. These include Enforcement Discretion for community-based testing sites, business associates, and telehealth services. These announcements are critical for compliance and privacy teams to ensure they are staying compliant during this time. It is important to continually check the OCR website for any new information; visit the OCR website here.

Maize also has a page of these resources for quick access; find it here.

2. Daily tracking of COVID-19 patients. It is important to monitor accesses for all COVID-19 patients on a daily basis to ensure inappropriate accesses are found and mitigated in a timely manner.

3. Notify all employees to stay vigilant. During this pandemic, there has been an increase in cyberattacks on healthcare organizations. It is important for compliance and privacy teams to inform all employees of these risks and to communicate procedures for reporting suspicious activity. Scams have included calls from people claiming to work for the OCR in order to bait healthcare employees into divulging PHI, as well as phishing and malware emails.

Protecting patient information is always important, but during a pandemic, the significance of compliance and privacy teams within healthcare organizations becomes heightened. We hope these tips will help, and we thank you and all the employees at your organization for the work you have been doing to help during this time.

COVID-19 Resources

Maize Analytics wants to ensure that you have all the resources you need to help stay up-to-date on compliance and privacy news during the COVID-19 pandemic. We thank you and all the healthcare workers in your organization for all the work you do to protect and save lives.

The Health and Human Services (HHS) Office for Civil Rights (OCR) COVID-19 page includes announcements, notifications, guidance and more. Visit their page.

For all news releases from the HHS OCR, visit their Official News page.

To join the OCR Privacy Email List for direct updates, register here.

HealthIT.gov has compiled various resources from the HHS and CDC related to COVID-19 for the health IT community and healthcare providers. Visit their resource page.

ICD Codes for COVID-19

The Centers for Disease Control and Prevention (CDC) has released 2 documents with ICD-10-CM coding guidelines for encounters related to COVID-19.

HHS OCR HIPAA Privacy Bulletin: February 3, 2020
The HHS OCR issued this bulletin for guidance on how patient information can be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation.

COVID-19 & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency
In March 2020, the Secretary of HHS, Alex Azar, exercised his authority to waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the Privacy Rule.

Telehealth Enforcement Discretion Announcement
To help medical providers serve patients during COVID-19, the OCR announced it will waive potential penalties for HIPAA violations against providers serving patients using everyday communication technologies.

HHS OCR Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19
HHS OCR announced that it will not impose penalties against covered entities or their business associates for uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 public health emergency.

COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities
To help protect first responders and prevent further spread of the COVID-19 virus, the OCR released guidance on sharing PHI of individuals infected or exposed to COVID-19 with first responders.

HIPAA Enforcement Discretion Regarding COVID-19 Community Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency
On April 9, 2020, the OCR issued a Notification of Enforcement Discretion announcing that it will not impose penalties against covered entities or business associates for violations of HIPAA in the operation of a COVID-19 community-based testing site (CBTS) during this public health emergency.

Maize Analytics Operations Director Published Part II of Thesis: Security and Privacy of the Integrated Clinical Environment

Maize Analytics’ Operations Director, Jason Williams, MSIT, JD, LLM, CIPP/US, recently published the second article of his three-part thesis series: Security and Privacy of the Integrated Clinical Environment in the Journal of Health Care Finance.

Following Part I of his thesis series, which was a discussion of interoperability and the integrated clinical environment (ICE), Part II reviews the concept of privacy engineering and the various frameworks and methodologies from the National Institute of Standards and Technology (NIST).

Read the full article for an overview of privacy engineering and of how the NIST tools can be used to manage privacy and security in an interoperable ICE throughout an enterprise. Stay tuned for Part III to see how to integrate these frameworks and methodologies into an enterprise architecture, so that an organization deploying an interoperable ICE meets its obligation to protect the privacy and security of a patient’s health information.1

Read Part II

1. Security and Privacy of the Integrated Clinical Environment Part II at 16, https://www.healthfinancejournal.com/~junland/index.php/johcf/article/view/207

Read Part I

Maize Analytics Operations Director Publishes Thesis: Security and Privacy of the Integrated Clinical Environment Part I

Maize Analytics’ Operations Director, Jason Williams, MSIT, JD, LLM, CIPP/US, recently published the first article of his three-part thesis series: Security and Privacy of the Integrated Clinical Environment in the Journal of Health Care Finance.

Part I of this thesis series reviews the basic concepts of interoperability and the integrated clinical environment (ICE), the legal and regulatory framework impacting an interoperable ICE, and an overview of the risks associated with the deployment of an interoperable ICE.

Read the full article for an introduction to the basic concepts of the integrated clinical environment and the challenges it presents. Part II will discuss how privacy and security risks can be addressed through the NIST Privacy Framework and privacy engineering concepts.

Read Part I

What’s ahead for AI and Machine Learning in healthcare?

In 2019, we saw increased interest and adoption of machine learning (ML) and artificial intelligence (AI) technology in healthcare. Organizations have been piloting solutions that range from helping diagnose patients, to ensuring the privacy of their data. While the industry is beginning to see some benefits from these tools, many end-users are starting to ask important questions like: how does the tool work, or where are my data stored?

Similarly, in the last year, we have also seen organizations increasingly send and store their data at third-party vendors instead of on-premises. The combination of these two trends has raised concerns about data protection and the vendor’s appropriate use of data.

These conversations are driving the three biggest topics in 2020 for machine learning and AI in healthcare: accountability, interpretability, and transparency.

Accountability of machine learning systems allows organizations to trust that the system is doing the task it was designed for, track which data sets were used to train the algorithms, and identify data quality issues. In the hospital setting these ML systems direct care decisions, so care must be taken to detect bias or other data issues.

Interpretability in machine learning ensures that organizations can understand why a system makes a decision. For example, if a system predicts patient discharge, it is important to understand which features led to its decision. Interpretability is essential to build trust in machine learning systems, especially in the complex environments of clinical care.

Transparency of data usage in machine learning systems allows organizations to know where their data are stored, how their data are used in machine learning models, and if their data are combined with other data sets. Currently, once data are sent to a third-party vendor, healthcare organizations do not have visibility into what is done with the data. Better transparency ensures that healthcare data is protected and used only as intended.

The adoption of machine learning solutions in healthcare will continue in 2020, along with new policy guidelines for AI/ML in healthcare. In April 2019, the FDA released a discussion paper titled Proposed Regulatory Framework for Modification to Artificial Intelligence/Machine Learning (AI/ML) – Based Software as Medical Device (SaMD)1, which identifies the tension between AI/ML software and regulatory agencies. AI/ML software continually learns, evolves, and improves at a rapid pace, while regulatory agencies seek to control the environment and understand the implications of the technology before it impacts patient care.

The FDA’s discussion paper indicates a shift in the regulatory framework is coming. Accountability, interpretability, and transparency will be at the focal point of the discussion to ensure that these technologies can be utilized to improve patient care, while understanding the risks to healthcare organizations and patient data.

1. Dept. of Health & Human Servs., U.S. Food & Drug Admin., Proposed Regulatory Framework for Modification to Artificial Intelligence/Machine Learning (AI/ML) – Based Software as Medical Device (SaMD), Discussion Paper and Request for Feedback (Apr. 2019), https://www.fda.gov/media/122535/download.

Maize Analytics Team Gains Insight at SciPy 2019

Last week, two software engineers from the Maize team attended the 2019 SciPy conference in Austin, Texas. This was the 18th annual conference, where over 800 participants from industry, academia, and government came together to showcase their latest projects, learn from skilled users and developers, and collaborate on code development. Our team was able to meet with peers who also use machine learning and data mining in their research. Talks and discussions focused on better, faster, and more accurate ways of classifying, predicting, and displaying large datasets. Our team came back with some great insights, and we’re excited to incorporate these state-of-the-art methods into our tool, keeping us at the forefront of the smart auditing field.

Maize Analytics continues to grow with the help of local technical vocational school

Maize Analytics is a Nashville-based software company that has continued to grow over the last few years, especially in its technology-focused areas. When searching for candidates, Maize has looked to Nashville Software School (NSS), a Tennessee non-profit coding boot camp with the mission of “expanding the technology workforce in middle Tennessee by providing access to a career in technology through training, mentorship, and hands-on learning.” Maize has hired 4 NSS students to date, with skills including Python, SQL, and JavaScript.

As Nashville grows and becomes a larger hub for businesses, the need for technology talent has increased. NSS has helped fill this void by training over 220 students in the last year, each entering the workforce with solid technical abilities, exposure to software development or data science practices, and a drive to enter the local technology community.

Maize is proud to work with NSS to support their mission and help place graduates in technology roles. As the company continues to grow, we are always looking for capable candidates to join the team. If building tools to protect data sounds interesting to you, send your resume to info@maizeanalytics.com.

Maize Now Available on Azure Marketplace

Maize Analytics’ Patient Privacy Monitoring tool is now available in the Azure Marketplace to allow for a seamless user management and sign on experience. This integration of the Maize tool and Azure Active Directory (Azure AD) allows Maize customers to grant and control access to their privacy monitoring tool through their Azure AD account. Maize believes this integration will help customers get up and running more efficiently while leveraging the same security controls Azure AD users are familiar with.

To configure this integration you will need an Azure AD subscription as well as a subscription to the Maize Analytics tool.

For more information, read the integration tutorial here.

Hospitals Spend More After Data Breach, but there is a Fix.

Two recently published reports discuss the high costs healthcare organizations incur due to a data breach. The Department of Health and Human Services estimates that it takes a breached organization a full year to recover. From fines and lawsuits to rebuilding the hospital’s image, it is hours of work at a high cost. Both studies, however, found that there is a way to mitigate these costs and resolve the issue before it starts: better data security and privacy controls.

In July 2018, the Ponemon Institute published a report analyzing the costs of data breaches that occurred in the 12 months preceding the report. The Institute found three things: (i) faster identification of a data breach reduced costs, (ii) hackers and criminal insiders caused the most data breaches (48%), and (iii) the loss of customers had significant financial consequences for the organization.

Moreover, after breaches, organizations can lose customers, which hurts their bottom line. The average cost of organizations losing less than one percent of their customers was $2.8 million; however, the average cost increased to $6 million if the organization lost four percent or more of their customers due to a data breach. The average organizational cost for a data breach in the United States was $7.91 million. The healthcare industry had the highest rate of customer churn (6.7%) associated with a data breach, while the average customer churn rate associated with a breach was 3.4%.

The cost of remediating a breach is also high with the U.S. having the highest notification costs associated with breaches at $740,000. Heavily regulated industries such as healthcare have the highest costs associated with data breaches. The per capita cost for each record breached in the healthcare sector was $408. The healthcare sector also had the highest average time to contain a breach at 100 days and the second highest average time to identify a breach, at 255 days.

Part of the costs of managing a breach include marketing and advertising. In a recent report from the American Journal of Managed Care, it was found that hospitals spend 64% more annually on advertising after a data breach over the following two years. This increase is due to the cost that comes with repairing the hospital’s image and trying to minimize patient loss to competitors.

A common theme from both reports is that the deployment of additional and more advanced security controls can mitigate breach costs. The Ponemon Institute stated that the “deployment of an artificial intelligence platform as part of a security automation solution” influenced the cost of a data breach. The Institute found that “deployment of an AI platform saved $8 per compromised record.” Similarly, the American Journal of Managed Care researchers wrote that “advertising costs subsequent to a breach are another cost to the healthcare system that could be avoided with better data security.”

The Ponemon Institute also found that the faster a breach is identified, the lower its cost. Companies that identified a breach in less than 100 days saved more than $1 million compared to companies that took over 100 days. The best way to mitigate the costs of a breach is to have the proper policies and solutions in place to identify a data breach early. Quick identification could save millions of dollars as a hospital works to rebuild its business and image following a breach.

Sources:

Ponemon Institute. (2018, July). 2018 Cost of a Data Breach Study: Global Overview. Retrieved from https://www.ibm.com/security/data-breach

Ponemon Institute, 2018, pp. 9-10

Ponemon Institute, 2018, p. 15

Ponemon Institute, 2018, p. 25

Ponemon Institute, 2018, p. 27

Ponemon Institute, 2018, p. 18

Ponemon Institute, 2018, p. 35

Health IT Security. (2019, January). Hospitals Spend 64% More on Advertising After a Data Breach. https://healthitsecurity.com/news/hospitals-spend-64-more-on-advertising-after-a-data-breach

Ponemon Institute, 2018, p. 22

Ponemon Institute, 2018, p. 9

The National Institute of Standards and Technology Privacy Framework

The National Institute of Standards and Technology (NIST) has released a request for information for the NIST Privacy Framework: An Enterprise Risk Management Tool (“Privacy Framework”).1 The purpose of the Privacy Framework is to improve the management of privacy risk, which is a major gap across healthcare organizations today.

A good privacy risk framework should “factor the extent to which the system and processes are vulnerable to problematic data actions as well as the likelihood of a problematic data action,”2 and adverse events. Moreover, the framework should take into account that organizations work with limited resources. Because of that resource limitation, “an important function of a risk assessment is to prioritize risk to enable determination about the appropriate response. Risk can be managed, but it cannot be eliminated.”3

NIST recognizes that a good cybersecurity program can help protect ePHI and manage some privacy risks; however, privacy risk also emerges from the ways an organization collects, stores, shares, and uses ePHI.4 The Privacy Framework is intended to “provide a prioritized, flexible, risk-based, outcome-based, and cost-effective approach that can be compatible with existing legal and regulatory regimes in order to be the most useful to organizations and enable widespread adoption.”5

The NIST lists the following as the minimum attributes required for the Privacy Framework to be effective:

  1. Consensus-driven and developed and updated through an open, transparent process.
  2. Common and accessible language.
  3. Adaptable to many different organizations, technologies, lifecycle phases, sectors, and uses.
  4. Risk-based, outcome-based, voluntary, and non-prescriptive.
  5. Readily usable as part of any enterprise’s broader risk management strategy and process.
  6. Compatible with or may be paired with other privacy approaches.
  7. A living document.6

The request for information contains 26 specific requests grouped into the following 3 categories:

  1. Organizational Considerations: What are the greatest challenges in improving the organization’s privacy protections, how the organization assesses privacy risks, what an outcome-based approach would look like, and should the Privacy Framework mandate the use of specific standards, methodologies, tools, guidelines, or principles.7
  2. Structuring the Privacy Framework: Whether aspects of the NIST Cybersecurity Framework could be a model for the Privacy Framework and what organizational structure is preferred for the Framework such as lifecycle, FIPPs, or the NIST privacy engineering objectives.8
  3. Specific Privacy Practices: De-identification; enabling users to have a reliable understanding of how information is being collected, stored, used, and shared; enabling user preferences; setting default privacy configurations; use of cryptographic technology to achieve privacy outcomes; data management, including: tracking permissions, metadata, machine readability, data correction and deletion; and usable design or requirements.9

At Maize, we believe these types of frameworks are extremely important. The request for information regarding the Privacy Framework strongly suggests NIST intends to develop a framework focusing on a risk-based approach that can be widely adopted by organizations regardless of their business objectives or industry.

If you want to get involved: comments regarding the Privacy Framework must be received by December 31, 2018. Written comments may be submitted by mail to:

Kate MacFarland

National Institute of Standards and Technology

100 Bureau Drive, Stop 200

Gaithersburg, MD 20899

Electronic submissions may be sent to privacyframework@nist.gov in any of the following formats: HTML, ASCII, Word, RTF, or PDF. The request for information can be found here.

Sources:

1 U.S. Dept. of Commerce, Nat. Inst. of Std. & Tech., Developing a Privacy Framework, 83 F.R. 56824 (Nov. 14, 2018), https://www.federalregister.gov/documents/2018/11/14/2018-24714/developing-a-privacy-framework.

2 U.S. Dept. of Commerce, Nat. Inst. of Std. & Tech., NISTIR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems 21-22 (Jan. 2017), https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf

3 NIST, NISTIR 8062 at 22.

4 NIST, Privacy Framework at 56824

5 NIST, Privacy Framework at 56824

6 NIST, Privacy Framework at 56825

7 NIST, Privacy Framework at 56826

8 NIST, Privacy Framework at 56826

9 NIST, Privacy Framework at 56826

Creating a Culture of Compliance in Healthcare Organizations through Collaboration

Privacy officials are responsible for adjudicating potential privacy violations in healthcare organizations. In the news of late, we have heard of cases of unauthorized access to patient data. Although what is considered unauthorized access can take many forms, some examples include snooping on a family member’s medical record or looking at another employee’s chart. Traditionally, healthcare organizations have relied on manual processes to determine if a suspicious or questionable access is a violation. These manual processes require a privacy official to examine long lists of access events and interview employees in order to make a final determination regarding authorization.

Over the last couple of years, The University of Kansas Health System (“UKHS”) has leveraged Maize Analytics’ machine learning auditing system to automate the manual processes surrounding access and authorization, supporting its compliance efforts and protecting patient data. The auditing system allows privacy officials to focus on high-risk behavior while reducing false-positive alerts. The system learns to recognize when access is necessary based on clinical context (e.g., an appointment, medication order, etc.), identifies and ranks suspicious record accesses that lack a clinical or operational justification, and flags those accesses for review.
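The two monitoring ideas on this page, the daily review of accesses to COVID-19 patients from the tips above and the clinical-context justification check described here, can be illustrated with a small rule-based audit. The code below is an added example and is not Maize Analytics’ auditing system or UKHS’s process; it stands in for the learned ranking with fixed rules. The audit log, the watchlist of patient identifiers and the appointment/medication-order events are all constructed placeholders, and the 24-hour window, the business-hours range and the scoring weights are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample audit data (placeholder users and patient ids, not real records).
# Columns: timestamp,user,patient,action
ACCESS_LOG = """\
2020-04-10T08:05:00,nurse01,P1001,view_chart
2020-04-10T08:40:00,nurse01,P1002,view_chart
2020-04-10T09:15:00,clerk07,P1001,view_chart
2020-04-10T21:30:00,dr_lee,P1003,view_labs
2020-04-10T22:10:00,clerk07,P1003,view_chart
2020-04-11T07:00:00,nurse01,P1001,update_vitals
"""

# Constructed daily watchlist: identifiers of patients currently flagged as COVID-19 cases.
COVID_WATCHLIST = {"P1001", "P1003"}

# Constructed clinical-context events (the "appointment, medication order" signals).
# Columns: timestamp,user,patient,kind
CONTEXT_EVENTS = """\
2020-04-10T07:30:00,nurse01,P1001,appointment
2020-04-10T20:45:00,dr_lee,P1003,medication_order
"""


def parse_events(text):
    """Parse the 4-column CSV text above into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, last = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "detail": last})
    return events


def find_context(access, contexts, window):
    """Return the nearest clinical-context event for the same user and patient
    within +/- window of the access, or None if nothing justifies it."""
    best = None
    for ev in contexts:
        if ev["user"] != access["user"] or ev["patient"] != access["patient"]:
            continue
        gap = abs(ev["ts"] - access["ts"])
        if gap <= window and (best is None or gap < best[0]):
            best = (gap, ev)
    return best[1] if best else None


def audit_day(access_text, context_text, watchlist, day, window_hours=24,
              business_hours=(7, 19)):
    """Daily review: every access to a watchlist patient on `day` (YYYY-MM-DD) that has
    no appointment or order linking that user to that patient within the window is
    flagged and scored (assumed weights). Higher score means review first."""
    accesses = parse_events(access_text)
    contexts = parse_events(context_text)
    window = timedelta(hours=window_hours)
    patients_with_any_context = {c["patient"] for c in contexts}
    flagged = []
    for a in accesses:
        if a["ts"].date().isoformat() != day or a["patient"] not in watchlist:
            continue
        if find_context(a, contexts, window) is not None:
            continue  # justified by clinical context; not surfaced to the privacy team
        score = 2
        reasons = ["no appointment/order for this user and patient within %dh" % window_hours]
        if a["patient"] not in patients_with_any_context:
            score += 1
            reasons.append("no clinical context for this patient from any user")
        hour = a["ts"].hour
        if hour < business_hours[0] or hour >= business_hours[1]:
            score += 1
            reasons.append("off-hours access")
        flagged.append({"ts": a["ts"].isoformat(), "user": a["user"], "patient": a["patient"],
                        "action": a["detail"], "score": score, "reasons": reasons})
    # Highest score first; ties in time order so reviewers work a stable queue.
    flagged.sort(key=lambda f: (-f["score"], f["ts"]))
    return flagged


if __name__ == "__main__":
    for item in audit_day(ACCESS_LOG, CONTEXT_EVENTS, COVID_WATCHLIST, "2020-04-10"):
        print(item["score"], item["ts"], item["user"], item["patient"], "; ".join(item["reasons"]))
```

On the constructed data, the two nurse and physician accesses are covered by their own appointment and medication order and drop out, while both clerk accesses are queued, the off-hours one first; the next day’s vitals update is still within the window of the previous day’s appointment and is not flagged. Each flagged item carries the reasons it was surfaced, which is the information a reviewer (or the assigned manager in the collaborative process described below) needs to confirm or clear it.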

Once a potential unauthorized record entry has been identified, the privacy team investigates the access. Instead of completing the review in isolation, the privacy official uses Maize’s collaborative reviewer system to help streamline the process. For each suspicious access, the privacy official assigns the user’s manager (or other relevant personnel) to the investigation. The manager then provides input on the employee’s involvement with the patient’s care (e.g., was the employee floating on a floor to provide clinical support). To date, over 150 managers have participated as a reviewer of an investigation, allowing the privacy office to more efficiently work through cases and attain relevant information more quickly than before.

The deployment of the auditing system and the collaborative privacy process is helping UKHS to ensure its culture of compliance. UKHS employees, like most healthcare institution employees, are continuously trained and educated regarding HIPAA compliance and UKHS’s policies and procedures related to HIPAA. A part of UKHS’s thorough compliance training includes making employees aware that their accesses are being monitored, which UKHS believes is helping to deter non-compliant behavior. Since the system has been deployed, UKHS has been more efficient in monitoring and investigating possible unauthorized medical record access and has been able to achieve and confirm its goals related to HIPAA compliance. Moreover, because privacy responsibilities are now shared visibly across the organization, privacy processes are increasingly becoming a visible component of day-to-day operations in addition to scheduled mandatory and annual compliance training.

Ensuring the privacy of patient data is one of UKHS’s paramount responsibilities. In collaboration with Maize Analytics, the University of Kansas Health System is working to deploy effective tools and successful processes to protect the privacy of patients entrusted to its care.