“Emerging Privacy and Security Issues for Healthcare”


Presentation Transcript


  1. “Emerging Privacy and Security Issues for Healthcare” Professor Peter P. Swire The Ohio State University Center for American Progress Sentrigo Webinar July 16, 2008

  2. Overview • My background • Enforcement for medical privacy & security • Trends after 2008 • The increased importance of data breach legislation • Celebrity records & protecting against insiders • EHRs, PHRs, and distributed computing for health care • Theme – growing importance of audit & control

  3. I. My Background • Currently: • Professor of Law, Ohio State University • Senior Fellow, Center for American Progress • I live in the DC area • “Privacy Year in Review” distributed to all members of International Association of Privacy Professionals • “Information Privacy” – official book for Certified Information Privacy Professional • www.peterswire.net

  4. Chief Counselor for Privacy • Office of Management & Budget, 1999 to early 2001 • White House coordinator for 1999 proposed & 2000 final HIPAA medical privacy rule • Fall, 1999 – proposed rule • 53,000 public comments • December, 2000 – final rule • 2002 – revised final rule • 2003 – compliance went into effect

  5. Chief Counselor for Privacy • Many other privacy topics (can be raised in question period, if there is interest) • GLB financial privacy law & rule • Chair, White House Working Group on how to update wiretap & surveillance laws • U.S. government’s own compliance with privacy laws • Encryption policy • Computer security & privacy (FIDNet)

  6. Health Care since 2001 • Advisory board for Sentrigo, health care & database protection • HIPAA implementation, with Morrison & Foerster, LLP • Markle Connecting for Health advisor • Frequent speaker & author on computer security & medical privacy

  7. I. Enforcement • A slow start to HIPAA privacy and security enforcement • Explicit HHS announcement in first year that the goal was “corrective action” rather than punishment • “One free violation” – HHS regulation says no civil monetary penalties for first violation • Criminal statute narrowly interpreted – only the institution & not the individual

  8. Shift in Enforcement? • Stronger enforcement statements from HHS – “you’ve had time to comply” • Stricter corrective action – 18% of complaints result now in changes in policies and procedures • Criminal enforcement – new interpretation says employees can be prosecuted • State suits that treat HIPAA as minimum standard of care

  9. The Numbers on Enforcement • 36,000 complaints since 2003 • 844 complaints in May, 2008 • 9,548 complaints led to investigation • 6,392 of those led to corrective action • 435 cases referred to Dept. of Justice for criminal investigation • General trend – enforcers expect more than they used to

  10. Most Common Investigations • Impermissible uses and disclosures of protected health information (PHI); • Lack of safeguards of PHI; • Lack of patient access to their PHI; • Uses or disclosures of more than the Minimum Necessary PHI; and • Lack of or invalid authorizations for uses and disclosures of protected health information.

  11. Poll: Has an institution you have worked with had privacy or security complaints to HHS under HIPAA? 1. Yes, 2 or more 2. Yes, 1 that I know of 3. None 4. Don’t know

  12. What Could Change in 2009? • Because of press & Hill concern about lack of enforcement, some possibilities: • Civil monetary penalties more quickly • More criminal enforcement • Greater staff/budget for enforcement • Increased audits, as CMS has begun under the HIPAA security rule (hired PWC)

  13. II. State Data Breach Laws • California data breach law in 2003 • Focus was on identity theft, such as loss of Social Security number or bank account number • Medical breaches usually not covered, except for loss of SSNs • Notice to individuals whose data was compromised

  14. Data Breach Laws Spread • Today, over 40 states have data breach laws • Push for federal law, but stalled • ChoicePoint, Veterans’ Administration, and other large breaches listed at www.privacyrights.org • Over 233 million notices sent 2005-2008

  15. Medical Data Breach • New “trigger” for data breach notification • California strikes again, effective Jan. 2008 • Notification required if unauthorized access to unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses • Also for health insurance information

  16. What Does That Mean to You? • Minnesota & Rhode Island now have medical records trigger • Trend quite possibly will continue • A survey in 2006 by Phoenix Health Systems showed that 39 percent of health care providers and 33 percent of insurers reported security incidents in the previous six months • Many health care organizations could face costly breach & notice requirements

  17. III. A Special Form of Breach UCLA fires workers for snooping in Spears files ‘It’s very disappointing,’ says hospital’s human resources director L.A. Times, March 16, 2008

  18. Farrah Fawcett UCLA staffer passed Farrah Fawcett’s medical records to National Enquirer April 2, 2008

  19. Meanwhile, in New Jersey … • “Turns out a lot more people than George Clooney and his girlfriend were hurt by the Hollywood hunk's motorcycle accident last month.” • N.Y. Daily News, Oct. 10, 2007

  20. The Clooney Files “As many as 40 doctors and other employees at the Palisades Medical Center in North Bergen, N.J., got suspensions for allegedly leaking confidential medical information about the couple”

  21. Worse Than Just Losing Your Job Lawanda Jackson indicted for criminal HIPAA violations, for allegedly receiving $4600 from the National Enquirer for 33 disclosures in 2006-07; checks were written to her husband

  22. Poll: Has an institution you have worked with had disclosures of records about a well-known individual? 1. Yes, 2 or more 2. Yes, 1 that I know of 3. Don’t know 4. None (and I’m glad we don’t treat movie stars)

  23. IV. Importance of Audit/Control • Let’s examine topics thus far: • HIPAA enforcement climbing, perhaps rapidly • Medical data breach laws emerging • Celebrity records creating a big stir • Common theme: • The importance of having better control over your organization’s medical records database

  24. Insider Abuse • Computer security experts generally say that a large majority of incidents come from insiders, not outside hackers • The challenge: how to detect, deter, and punish unauthorized insider access to records • The central importance of audit and controls over access/egress for databases

  25. Advantages of Database Control • For celebrity records, send the clear message that violations will become known and traceable to the individual • For data breaches • Ensure good practices to reduce the likelihood of breaches • Pinpoint the extent of a breach, so notices go to the 100 affected persons, and not the 1,000 or 10,000 who might otherwise have to receive notice
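An added example of what the audit analysis behind slides 24 and 25 looks like in practice; it is not code from the slides or from any product mentioned in them. It assumes a hypothetical `record_access` audit table (one row per read of a patient record, as a database activity monitor or application audit hook would write) and a `care_team` table listing which staff currently treat which patient; the staff accounts, patient IDs, timestamps and reasons are all constructed. The three queries map to the points on the slides: reads with no care relationship and no recorded justification (the snooping case), one record read by unusually many distinct accounts in a single day (the celebrity pattern), and the set of patients one account touched in a time window (the question of whether 100 or 10,000 people must be notified).

```python
"""Audit-trail analytics for insider access to medical records.

Added example, not code from the slides or from any product mentioned in
them. Assumes a hypothetical `record_access` audit table (one row per
read of a patient record) and a `care_team` table recording which staff
member is treating which patient. All rows below are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE record_access (
    ts         TEXT NOT NULL,   -- ISO-8601 time of the read
    user_id    TEXT NOT NULL,   -- authenticated staff account
    patient_id TEXT NOT NULL,   -- record that was read
    reason     TEXT             -- justification entered by the user, if any
);
CREATE TABLE care_team (
    user_id    TEXT NOT NULL,
    patient_id TEXT NOT NULL    -- user is currently treating this patient
);
"""

# Constructed sample data: accounts, patient IDs and times are invented.
CARE_TEAM = [
    ("dr_a", "P100"), ("nurse_b", "P100"), ("dr_a", "P200"), ("dr_c", "P300"),
]
ACCESS_LOG = [
    ("2008-03-01T09:00:00", "dr_a",    "P100", None),   # treating clinician
    ("2008-03-01T09:05:00", "nurse_b", "P100", None),   # treating nurse
    ("2008-03-01T10:00:00", "dr_a",    "P200", None),
    ("2008-03-02T08:00:00", "dr_c",    "P300", None),   # treating clinician
    ("2008-03-02T08:30:00", "clerk_x", "P300", None),   # no care relationship
    ("2008-03-02T08:31:00", "clerk_x", "P300", None),
    ("2008-03-02T08:40:00", "tech_y",  "P300", None),
    ("2008-03-02T09:10:00", "admin_z", "P300", None),
    ("2008-03-02T09:15:00", "nurse_b", "P300", None),   # on P100's team, not P300's
    ("2008-03-02T11:00:00", "dr_e",    "P400", "ED consult requested by attending"),
    ("2008-03-03T14:00:00", "clerk_x", "P500", None),
    ("2008-03-03T14:02:00", "clerk_x", "P600", None),
]


def load_db(access_rows=ACCESS_LOG, care_rows=CARE_TEAM):
    """Build an in-memory audit database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO care_team VALUES (?, ?)", care_rows)
    conn.executemany("INSERT INTO record_access VALUES (?, ?, ?, ?)", access_rows)
    conn.commit()
    return conn


def unjustified_reads(conn):
    """Reads by staff with no care relationship and no recorded reason.

    Returns (user_id, patient_id, read_count), most reads first. A read that
    carries a reason (break-the-glass) is excluded here so it can go to a
    separate review queue rather than being mixed with plain snooping.
    """
    sql = """
    SELECT a.user_id, a.patient_id, COUNT(*) AS n
    FROM record_access a
    LEFT JOIN care_team c
           ON c.user_id = a.user_id AND c.patient_id = a.patient_id
    WHERE c.user_id IS NULL AND a.reason IS NULL
    GROUP BY a.user_id, a.patient_id
    ORDER BY n DESC, a.user_id, a.patient_id
    """
    return conn.execute(sql).fetchall()


def mass_access(conn, min_users=3):
    """Patients whose record was read by >= min_users distinct accounts in one day.

    This is the pattern of a newsworthy patient drawing curious staff; it
    catches snooping even when each account reads the record only once.
    """
    sql = """
    SELECT patient_id, substr(ts, 1, 10) AS day, COUNT(DISTINCT user_id) AS n
    FROM record_access
    GROUP BY patient_id, substr(ts, 1, 10)
    HAVING COUNT(DISTINCT user_id) >= ?
    ORDER BY n DESC, patient_id
    """
    return conn.execute(sql, (min_users,)).fetchall()


def breach_scope(conn, user_id, start, end):
    """Distinct patients an account touched between start and end (inclusive).

    This is what lets a breach notice go to the patients actually exposed
    instead of to every patient in the database.
    """
    sql = """
    SELECT DISTINCT patient_id FROM record_access
    WHERE user_id = ? AND ts BETWEEN ? AND ?
    ORDER BY patient_id
    """
    return [row[0] for row in conn.execute(sql, (user_id, start, end))]


if __name__ == "__main__":
    db = load_db()
    print("unjustified reads:", unjustified_reads(db))
    print("mass access:", mass_access(db))
    print("clerk_x scope:", breach_scope(db, "clerk_x",
                                          "2008-03-01T00:00:00", "2008-03-03T23:59:59"))
```

Two caveats a practitioner would add before relying on queries like these: the care relationship is time-bounded in a real EHR, so the join should also check that the treatment period covers the read; and the audit table is only evidence if it is append-only and written to a store the audited accounts cannot modify, otherwise the insider who leaked the record can also erase the trail.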

  26. V. EHRs & the Future • Focus thus far has been on the single institution • Electronic health records & the shift to RHIOs (regional health information organizations) • With information sharing comes information risk • How do you assure control over the data you are responsible for? • Existing audit/control systems will not be adequate for the multi-institution near future

  27. Electronic Health Records • Markle Connecting for Health • www.markle.org • “Common Framework for Initiating Private and Secure Health Information Sharing” • Toolkit for implementing effective privacy and security in information sharing • Audit/database control an essential element

  28. The Near Future of EHRs • Both political parties are stressing electronic health records • “Paper kills” • No one wants to be on the side of paper in a future that requires electronic records • How well does your organization control • Its own records (core database) • How records are shared with multiple other organizations?

  29. Conclusion • HIPAA enforcement • Medical data breaches • Celebrity records & publicity about your organization • EHRs and the information-sharing future • For these reasons, audit & control must be a much more prominent feature of medical records management

  30. Contact Information • Professor Peter Swire • www.peterswire.net • www.americanprogress.org • Moritzlaw.osu.edu
