Concerns of a Privacy Advocate – and How to Respond

Slides:

Advertisements

Similar presentations

HEALTH I.T. and PRIVACY Breaking the gridlock Breaking the gridl ck.

Advertisements

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.

“Reaching across Arizona to provide comprehensive quality health care for those in need” Our first care is your health care Arizona Health Care Cost Containment.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA What’s New? What Is HIPAA Health Insurance Portability and Accountability Act of 1996 Health Insurance Portability and Accountability Act.

Westbrook Technologies from Document Management’s Role in HIPAA.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.

Massachusetts privacy law and your business  Jonathan Gossels, President, SystemExperts Corporation  Moderator: Illena Armstrong  Actual Topic: Intersecting.

Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.

Health Insurance Portability & Accountability Act (HIPAA)

1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.

March 19, 2009 Changes to HIPAA Privacy and Security Requirements Joel T. Kopperud Scott A. Sinder Rhonda M. Bolton.

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

2 HIPAA, HITECH, and Medical Records. Learning Outcomes When you finish this chapter, you will be able to: 2.1Discuss the importance of medical records.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

Banks and the Privacy of Medical Information 8 th National HIPAA Summit March 8, 2004 Joy Pritts, JD Health Policy Institute Georgetown University

Navigating Privacy and Security Issues for HIE: A Consumer Perspective Deven McGraw Chief Operating Officer National Partnership for Women & Families

HIPAA PRIVACY AND SECURITY AWARENESS.

California :: Delaware :: Florida :: New Jersey :: New York :: Pennsylvania :: Virginia :: Washington, D.C. :: 1 NEW OBLIGATIONS.

Can We Have EHRs and Privacy Too? Dr. Alan F. Westin Professor of Public Law and Government Emeritus, Columbia University; Principal, Privacy Consulting.

1 Healthcare Privacy and Security: Concepts and Challenges Dixie B. Baker, Ph.D. Chair, HIMSS Privacy and Security Advocacy Task Force.

Update on Federal HIT Legislation Kirsten Beronio Mental Health America.

Nationwide Health Information Network: Conditions for Trusted Exchange Request For Information (RFI) Steven Posnack, MHS, MS, CISSP Director, Federal Policy.

HITECH Act and HIPAA: Important Compliance Update Susan E. Ziel Gerald “Jud” DeLoss.

HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.

Privacy and Security Risks to Rural Hospitals John Hoyt, Partner December 6, 2013.

HIT Policy Committee Privacy & Security Workgroup Update Deven McGraw Center for Democracy & Technology Rachel Block Office of Health Information Technology.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

The Paradox in HIPAA Deven McGraw, JD, MPH, LLM Partner Manatt, Phelps & Phillips, LLP December 8, 2014.

Imagine a health system that focuses on health, not just health care. Imagine a sustainable health system with one goal: to improve the lives of the people.

Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.

HealthBridge is one of the nation’s largest and most successful health information exchange organizations. Tri-State REC: Privacy and Security Issues for.

ONC’s Proposed Strategy on Governance for the Nationwide Health Information Network Following Public Comments on RFI HIT Standards Committee Meeting September.

Copyright ©2014 by Saunders, an imprint of Elsevier Inc. All rights reserved 1 Chapter 02 Compliance, Privacy, Fraud, and Abuse in Insurance Billing Insurance.

HITECH and HIPAA Presented by Rhonda Anderson, RHIA Anderson Health Information Systems, Inc

Snowe Amendment to the Wired Act William F. Pewen, Ph.D., M.P.H. Office of Senator Olympia J. Snowe, ME (202)

Health Big Data Discussion Privacy and Security Workgroup Deven McGraw, Chair Stanley Crosley, Co-chair June 8, 2015.

Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights.

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

1 Overview of HIT Policy Committee’s Privacy Hearing Jodi Daniel, JD, MPH Director, Office of Policy and Research Office of the National Coordinator for.

Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.

HIPAA Training Workshop #1 Council of Community Clinics – San Diego February 7, 2003 by Kaye L. Rankin Rankin Healthcare Consultants, Inc.

1 Changes to Privacy Regulations under ARRA May 4, 2009 Melissa Goldstein, J.D. The George Washington University School of Public Health and Health Services.

Top 10 Series Changes to HIPAA Devon Bernard AOPA Reimbursement Services Coordinator.

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education September 2014.

HIT Policy Committee Privacy & Security Workgroup Update Deven McGraw Center for Democracy & Technology Rachel Block Office of Health Information Technology.

AND CE-Prof, Inc. January 28, 2011 The Greater Chicago Dental Academy 1 Copyright CE-Prof, Inc

 Health Insurance and Accountability Act Cornelius Villalon Jr.

The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law

HIPAA TRIVIA Do you know HIPAA?. HIPAA was created by?  The Affordable Care Act  Health Insurance companies  United States Congress  United States.

Office of the Secretary Office for Civil Rights (OCR) Enforcement and Policy Challenges in Health Information Privacy Linda Sanches HIPAA Summit Special.

Public Health IT Privacy, Confidentiality and Security of Public Health Information This material (Comp13_Unit2) was developed Columbia University, funded.

HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule Melinda Hatton -- Oct. 31, 2002.

HIPAA THE PRIVACY RULE Reviewed December 2012.

Privacy & Information Security Basics

HIPAA CONFIDENTIALITY

Disability Services Agencies Briefing On HIPAA

American Health Information Management Association

Healthcare Privacy: The Perspective of a Privacy Advocate

Policies for Information Sharing

manatt | phelps | phillips

National Congress on Health Care Compliance

Introduction to Health Privacy

Enforcement and Policy Challenges in Health Information Privacy

THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,

Objectives Describe the purposes of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 Explore how the HITECH Act.

Non-HIPAA Governmental Regulation of Healthcare Privacy and Security

Presentation transcript:

Concerns of a Privacy Advocate – and How to Respond Deven McGraw

The Health Privacy Project at CDT Health IT and electronic health information exchange are the engines of health reform & have tremendous potential to improve health care quality, reduce costs, and empower consumers. Some progress has been made on resolving the privacy and security issues raised by e-health – but gaps remain and implementation challenges loom. Project’s aim: Develop and promote workable privacy and security policy solutions for personal health information.

People want Health IT - but also have significant privacy concerns Survey data shows the public wants electronic access to their personal health information. But a majority - 67% - also have significant concerns about the privacy of their medical records (California Healthcare Foundation 2005; more recent AHRQ focus groups confirm).

Consequences of Failing to Act Protecting privacy is important Prevents harm Good health care depends on accurate and reliable information Without privacy protections, people will engage in “privacy-protective behaviors” to avoid having their information used inappropriately. 1 in 6 adults withhold information from providers due to privacy concerns. (Harris Interactive 2007) Persons in poor health, and racial and ethnic minorities, report even higher levels of concern and are more likely to engage in privacy-protective behaviors. (CHF 2005)

Health IT Can Protect Privacy - But Also Magnifies Risk Technology can enhance protections for health data (for example, encryption; role-based access; identity proofing & authentication) But moving & storing health information in electronic form - in the absence of strong privacy and security safeguards - magnifies the risks. Recent thefts of laptops, inadvertent posting of data on the Internet, “snooping” Cumulative effect of these reports deepens consumer distrust

A Comprehensive Approach is Needed Privacy and security protections are not the obstacle - enhanced privacy and security can be an enabler to health IT. A comprehensive privacy and security framework is needed to facilitate health IT and health information exchange. Fair information practices – strong data stewardship model Sound network design Accountability/Oversight

“Next Generation” of Health Privacy Build on HIPAA for traditional health care entities (ARRA took first steps here) Establish new protections to address concerns raised by access to information outside of the health care system Hold all who handle health data accountable for complying with baseline protections

ARRA (Title XIII- HITECH) Broke the privacy “logjam” Most significant change to the healthcare privacy and security environment since the original HIPAA privacy rule Not a change to everything about HIPAA – but some significant changes that will need to be addressed by many entities handling health care information Most provisions require further regulatory clarification

Provisions of HITECH/ARRA Filled a number of gaps in HIPAA “Business associates” now directly accountable for complying with most (but not all) HIPAA privacy and security regs (and HIEs/RHIOs are considered to be BAs) Breach notification provisions go into effect on September 23, 2009; exception for data that is encrypted Strengthened right for patients to receive an accounting of disclosures from their record Patients who pay out of pocket can request that data not be sent to their health plan Prohibition on sales of protected health information Strengthened rules re: use of data for marketing Patient right to receive electronic copy from electronic health/medical record

Filling gaps in HIPAA (cont.) Stronger enforcement State AGs now authorized to enforce Civil monetary penalties increased HHS required to impose penalties in cases of willful neglect HHS required to do privacy and security audits

Still Work to be Done Personal Health Records Currently not covered by HIPAA if offered by Microsoft, Google, Dossia, WebMD & others (except if HIPAA business associate provisions apply) ARRA established breach notification requirements, strengthened right to receive electronic copy of data HHS (working with FTC) to provide recommendations to Congress by 2/2010 on privacy & security protections

Work to be Done (cont.) - PHRs Need consistent regulation – but HIPAA as currently structured is not the answer Treatment, payment & operations exception makes little sense for PHRs, which should be consumer controlled Reliance on authorization for marketing & business uses provides weak protection Markle Common Framework for Networked Personal Health Information provides good model FTC should play a role in regulating PHRs

Work to be Done (cont.) Successful implementation of new rules Addressing downstream or “secondary” uses of data by trading partners Tight implementation of new marketing provisions Addressing “identifiability” of data through minimum necessary guidance and better de-identification policy – plus strict penalties for re-identification Sound policies to govern (and build trust in) exchange through networks

For privacy to enable health IT, we need to “enable” privacy deven@cdt.org