“Emerging Privacy and Security Issues for Healthcare”

Professor Peter P. Swire

The Ohio State University

Center for American Progress

Sentrigo Webinar

July 16, 2008

Overview
  • My background
  • Enforcement for medical privacy & security
    • Trends after 2008
  • The increased importance of data breach legislation
    • Celebrity records & protecting against insiders
  • EHRs, PHRs, and distributed computing for health care
  • Theme – growing importance of audit & control
I. My Background
  • Currently:
    • Professor of Law, Ohio State University
    • Senior Fellow, Center for American Progress
      • I live in the DC area
    • “Privacy Year in Review” distributed to all members of International Association of Privacy Professionals
    • “Information Privacy” – official book for Certified Information Privacy Professional
    • www.peterswire.net
Chief Counselor for Privacy
  • Office of Management & Budget, 1999 to early 2001
  • White House coordinator for 1999 proposed & 2000 final HIPAA medical privacy rule
    • Fall, 1999 – proposed rule
    • 53,000 public comments
    • December, 2000 – final rule
    • 2002 – revised final rule
    • 2003 – compliance went into effect
Chief Counselor for Privacy
  • Many other privacy topics (can be raised in question period, if there is interest)
    • GLB financial privacy law & rule
    • Chair, White House Working Group on how to update wiretap & surveillance laws
    • U.S. government’s own compliance with privacy laws
    • Encryption policy
    • Computer security & privacy (FIDNet)
Health Care since 2001
  • Advisory board for Sentrigo, health care & database protection
  • HIPAA implementation, with Morrison & Foerster, LLP
  • Markle Connecting for Health advisor
  • Frequent speaker & author on computer security & medical privacy
I. Enforcement
  • A slow start to HIPAA privacy and security enforcement
    • Explicit HHS announcement in first year that the goal was “corrective action” rather than punishment
    • “One free violation” – HHS regulation says no civil monetary penalties for first violation
    • Criminal statute narrowly interpreted – only the institution & not the individual
Shift in Enforcement?
  • Stronger enforcement statements from HHS – “you’ve had time to comply”
  • Stricter corrective action – 18% of complaints now result in changes to policies and procedures
  • Criminal enforcement – new interpretation says employees can be prosecuted
  • State suits that treat HIPAA as minimum standard of care
The Numbers on Enforcement
  • 36,000 complaints since 2003
  • 844 complaints in May, 2008
  • 9,548 complaints led to investigation
  • 6,392 of those led to corrective action
  • 435 cases referred to Dept. of Justice for criminal investigation
  • General trend – enforcers expect more than they used to
Most Common Investigations
  • Impermissible uses and disclosures of protected health information (PHI);
  • Lack of safeguards of PHI;
  • Lack of patient access to their PHI;
  • Uses or disclosures of more than the Minimum Necessary PHI; and
  • Lack of or invalid authorizations for uses and disclosures of protected health information.
Poll: Has an institution you have worked with had privacy or security complaints to HHS under HIPAA?

1. Yes, 2 or more

2. Yes, 1 that I know of

3. None

4. Don’t know

What Could Change in 2009?
  • Because of press & Hill concern about lack of enforcement, some possibilities:
    • Civil monetary penalties more quickly
    • More criminal enforcement
    • Greater staff/budget for enforcement
    • Increased audits, as CMS has begun under the HIPAA security rule (hired PWC)
II. State Data Breach Laws
  • California data breach law in 2003
  • Focus was on identity theft, such as loss of Social Security number or bank account number
  • Medical breaches usually not covered, except for loss of SSNs
  • Notice to individuals whose data was compromised
Data Breach Laws Spread
  • Today, over 40 states have data breach laws
  • Push for federal law, but stalled
  • ChoicePoint, Veterans’ Administration, and other large breaches listed at www.privacyrights.org
  • Over 233 million notices sent 2005-2008
Medical Data Breach
  • New “trigger” for data breach notification
  • California strikes again, effective Jan. 2008
  • Notification required if unauthorized access to unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses
  • Also for health insurance information
What Does That Mean to You?
  • Minnesota & Rhode Island now have medical records trigger
  • Trend quite possibly will continue
  • A survey in 2006 by Phoenix Health Systems showed that 39 percent of health care providers and 33 percent of insurers reported security incidents in the previous six months
  • Many health care organizations could face costly breach & notice requirements
III. A Special Form of Breach

UCLA fires workers for snooping in Spears files

‘It’s very disappointing,’ says hospital’s human resources director

L.A. Times, March 16, 2008

Farrah Fawcett

UCLA staffer passed Farrah Fawcett’s medical records to National Enquirer

April 2, 2008

Meanwhile, in New Jersey …
  • “Turns out a lot more people than George Clooney and his girlfriend were hurt by the Hollywood hunk's motorcycle accident last month.”
  • N.Y. Daily News, Oct. 10, 2007
The Clooney Files

“As many as 40 doctors and other employees at the Palisades Medical Center in North Bergen, N.J., got suspensions for allegedly leaking confidential medical information about the couple”

Worse Than Just Losing Your Job

Lawanda Jackson indicted for criminal HIPAA violations, for allegedly receiving $4600 from the National Enquirer for 33 disclosures in 2006-07; checks were written to her husband

Poll: Has an institution you have worked with had disclosures of records about a well-known individual?

1. Yes, 2 or more

2. Yes, 1 that I know of

3. Don’t know

4. None (and I’m glad we don’t treat movie stars)

IV. Importance of Audit/Control
  • Let’s examine topics thus far:
    • HIPAA enforcement climbing, perhaps rapidly
    • Medical data breach laws emerging
    • Celebrity records creating a big stir
  • Common theme:
    • The importance of having better control over your organization’s medical records database
Insider Abuse
  • Computer security experts generally say that a large majority of incidents come from insiders, not outside hackers
  • The challenge: how to detect, deter, and punish unauthorized insider access to records
  • The central importance of audit and controls over access/egress for databases
Advantages of Database Control
  • For celebrity records, send the clear message that violations will become known and traceable to the individual
  • For data breaches
    • Ensure good practices to reduce likelihood of breaches
    • Pinpoint the extent of breach, so notices go to the 100 affected persons, and not the 1,000 or 10,000 who might otherwise have to receive notice
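The two uses of database audit/control described on the last two slides (attributing every access to a named individual and flagging access to a sensitive record by someone with no treatment relationship; enumerating exactly which patients a misused account touched so notices go only to them), as an added worked example that is not part of the original talk. The log format, user names, patient IDs and care-team table are all constructed for the example.

```python
from datetime import datetime

# Constructed sample audit rows, one per record access: time, user, patient, action
AUDIT_LOG = """\
2008-07-16T09:12:03 user=dr_lee patient=p1001 action=read
2008-07-16T09:15:41 user=nurse_kim patient=p1001 action=update
2008-07-16T11:02:17 user=clerk_ray patient=p2002 action=read
2008-07-16T11:03:05 user=clerk_ray patient=p2003 action=read
2008-07-16T11:04:55 user=clerk_ray patient=p2002 action=export
2008-07-16T14:30:00 user=dr_lee patient=p2002 action=read
2008-07-17T08:00:12 user=clerk_ray patient=p3003 action=read
""".splitlines()

# Constructed: users with a treatment or billing relationship to each patient
CARE_TEAM = {
    "p1001": {"dr_lee", "nurse_kim"},
    "p2002": {"dr_lee"},        # flagged record; only dr_lee is on the care team
    "p2003": {"clerk_ray"},
    "p3003": {"nurse_kim"},
}
SENSITIVE = {"p2002"}  # records flagged for extra scrutiny (e.g. a public figure)


def parse(line):
    """Turn one audit line into a dict with a real timestamp."""
    ts, *fields = line.split()
    row = dict(f.split("=", 1) for f in fields)
    row["ts"] = datetime.fromisoformat(ts)
    return row


def unauthorized_accesses(lines, care_team=CARE_TEAM):
    """Every access by a user with no relationship to the patient, attributed to
    that named user. The last field marks flagged records so they are reviewed first."""
    hits = []
    for row in map(parse, lines):
        if row["user"] not in care_team.get(row["patient"], set()):
            hits.append((row["user"], row["patient"], row["action"],
                         row["patient"] in SENSITIVE))
    return hits


def affected_patients(lines, user, start, end):
    """Patients whose records `user` touched between the ISO timestamps start and
    end: the notice list once that account is known to be misused or compromised."""
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return sorted({r["patient"] for r in map(parse, lines)
                   if r["user"] == user and lo <= r["ts"] <= hi})
```

Run against a real system, the care-team table would come from the scheduling or billing system rather than a literal, and the export action on a flagged record is the kind of event worth alerting on immediately rather than at the next review.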
V. EHRs & the Future
  • Focus thus far has been on the single institution
  • Electronic health records & the shift to RHIOs (regional health information organizations)
  • With information sharing comes information risk
  • How to assure control over data you are responsible for?
  • Existing audit/control systems will not be adequate for the multi-institution near future
Electronic Health Records
  • Markle Connecting for Health
  • www.markle.org
  • “Common Framework for Initiating Private and Secure Health Information Sharing”
    • Toolkit for implementing effective privacy and security in information sharing
    • Audit/database control an essential element
The Near Future of EHRs
  • Both political parties are stressing electronic health records
    • “Paper kills”
    • No one wants to be on the side of paper in a future that requires electronic records
  • How well does your organization control
    • Its own records (core database)
    • How records are shared with multiple other organizations?
Conclusion
  • HIPAA enforcement
  • Medical data breaches
  • Celebrity records & publicity about your organization
  • EHRs and the information-sharing future
  • For these reasons, audit & control must be a much more prominent feature of medical records management
Contact Information
  • Professor Peter Swire
  • www.peterswire.net
  • www.americanprogress.org
  • Moritzlaw.osu.edu