
AMC Security and Privacy Conference: Daily Track Report



Presentation Transcript


  1. AMC Security and Privacy Conference: Daily Track Report
     For the Futures Track
     Track Co-chairs:
     Mariann Yeager, myeager@truarx.com, 703-519-0817
     John Parmigiani, jparmigiani@quickcompliance.net, 410-750-2497

  2. Sessions Being Reported On:
     • Future of the Common Rule and Its Effect on Privacy and Security
     • International Security & Privacy
     • RHIOs – New Security and Privacy Issues

  3. Key Points: Future Uses of Encryption
     • Difficulty harmonizing the Privacy Rule and the Common Rule, even after 2 years
     • Compliance obligations are linked – HIPAA, Common Rule, AAHRPP
     • Conflict arises because the Privacy Rule is permissive in areas where the Common Rule isn’t (e.g. de-identification, IRB approval of authorization, recruitment strategies or monitoring)
     • Future of guidance – further harmonization of HIPAA and the Common Rule
     • Issues still under discussion: data repositories/tissue banks and future unspecified research, compound authorizations, genetic samples, recruitment strategies (e.g. telephone screening tools, researchers outside the CE that contact patients, etc.)

  4. Key Instant Poll Results
     • Polled item/responses:
        • 3 participants sat on IRBs (out of 18 total)
        • IRBs will not approve informed consent and HIPAA authorizations that are inconsistent on the future use issue – if known
        • About ½ of the participants said that their IRBs review authorizations – even though IRBs are not required to do so under HIPAA
        • Most institutions are making use of verbal authorizations (per guidance)
     • Key observation:
        • IRBs may not deeply investigate the finer points of these issues, but exercise their best judgment for the moment

  5. Follow ups
     • Need for additional harmonization between Common Rule and HIPAA
     • Need for ongoing discussion and education regarding these issues

  6. Key Points: International Security & Privacy
     • International data protection controls are more stringent than in the US
     • International principles are similar: notice, individual choice and consent, participant access to data, security and organizational accountability
     • Additional levels of accountability in other countries:
        • Data processing authority – regional centralized authorities that manage study data
        • Data Controller – regulated entity that is subject to the local law where it is located
     • Desire for a harmonized legal framework (particularly in Europe)
     • International Conference on Harmonization (ICH) of Technical Requirements for Regulation of Human Use
     • Safe harbors to allow the US to participate in international research

  7. Follow ups
     • More study on:
        • Issues surrounding privacy and security related to international research are complex
        • Future implications of interoperable EHR and data that will be more accessible outside the institution and potentially internationally
        • International threats to local vulnerabilities with resulting risk to healthcare infrastructure

  8. Key Points: RHIOs: New Security and Privacy Issues
     • Central goal is to give providers better information for treatment purposes at the point of care
     • RHIOs are real – 25 “fully operational” (up from 9 in 2004)
     • 59% of “advanced stage respondents” – privacy policies go beyond HIPAA requirements
     • RHIOs have greater risk than the organizations – bigger and more attractive target
     • Many legal issues and complexities – type of CE, liability, plethora of other laws/regs, contracts, data ownership, intellectual property, etc.
     • Varying privacy and security issues based upon model – repository, peer-to-peer, etc.

  9. Follow ups
     • Have further discussion regarding governance structure, entity type, etc.
     • Need to fully understand risks that RHIOs undertake – risk assessment tool/model
     • More education / dialogue needed around these issues
