Healthcare Privacy: The Perspective of a Privacy Advocate

Slides:

Advertisements

Similar presentations

Opportunities & Dangers: Consumers and Electronic Health Records Paul Feldman, Health Privacy Project Deven McGraw, National Partnership for Women & Families.

Advertisements

Privacy: Who Owns What and Who Gets Access? Allen Fremont, M.D., Ph.D. RAND Corporation Annual Meeting of AcademyHealth Sunday, June, 25 th 2006 Seattle,

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.

INTERNATIONAL UNION FOR CONSERVATION OF NATURE. 2 Implemented in 12 countries of Africa, Asia, Latin America and the Middle East, through IUCN regional.

Legal Framework for Information Sharing in Organ Donation and Transplantation Alexandra K. Glazier, Esq. VP & General Counsel New England Organ Bank.

Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21,

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.

Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.

Confidentiality, Ethics, Privacy, and Access REPORT FROM CONFIDENTIALITY, ETHICS, PRIVACY AND ACCESS Group B.

Health Information Security & Privacy February 9, 2014 ONC Policy HIT Policy Committee Privacy and Security Workgroup Denise Anthony Sociology and ISTS.

Credit Reporting: What’s the role for the state? Fredes Montes Financial Infrastructure The World Bank.

Strand 1 Social and ethical significance. Reliability and Integrity Reliability ◦Refers the operation of hardware, the design of software, the accuracy.

Developing Privacy and Security Standards Allen Briskin Allen Briskin

© CSR Asia 2010 ISO Richard Welford CSR Asia

P3P: Platform for Privacy Preferences Charlin Lu Sensitive Information in a Wired World November 11, 2003.

Session 3 - Plenary on implementing Principle 1 on an Explicit Policy on Regulatory Quality, Principle 3 on Regulatory Oversight, and Principle 6 on Reviewing.

Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.

“Privacy Implications of RFID Technology in Health Care Settings” Marc Rotenberg President EPIC Dept. of Health & Human Services Washington, DC 11 January.

Banks and the Privacy of Medical Information 8 th National HIPAA Summit March 8, 2004 Joy Pritts, JD Health Policy Institute Georgetown University

Tackling the Policy Challenges of Health Information Exchange Carol Diamond, MD, MPH Managing Director, Markle Foundation.

Navigating Privacy and Security Issues for HIE: A Consumer Perspective Deven McGraw Chief Operating Officer National Partnership for Women & Families

ISO Richard Welford CSR Asia © CSR Asia 2011.

1 Health Information Security and Privacy Collaboration (HISPC) National Conference HISPC Contributions to Massachusetts HIE Privacy and Security Progress:

Privacy and Security Tiger Team Recommendations Adopted by The Health IT Policy Committee Relevant to Consumer Empowerment May 24, 2013.

Can We Have EHRs and Privacy Too? Dr. Alan F. Westin Professor of Public Law and Government Emeritus, Columbia University; Principal, Privacy Consulting.

Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.

1 Healthcare Privacy and Security: Concepts and Challenges Dixie B. Baker, Ph.D. Chair, HIMSS Privacy and Security Advocacy Task Force.

Update on Federal HIT Legislation Kirsten Beronio Mental Health America.

State Alliance for e-Health Conference Meeting January 26, 2007.

HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.

Europe's work in progress: quality of mHealth Pēteris Zilgalvis, J.D., Head of Unit, Health and Well-Being, DG CONNECT Voka Health Community 29 September.

HIT Policy Committee Privacy & Security Workgroup Update Deven McGraw Center for Democracy & Technology Rachel Block Office of Health Information Technology.

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

Organizational and Legal Issues -- Developing organization and governance models for HIE Day 2 -Track 5 – SECOND SESSION – PRIVACY AND SECURITY CONNECTING.

The Paradox in HIPAA Deven McGraw, JD, MPH, LLM Partner Manatt, Phelps & Phillips, LLP December 8, 2014.

HIT Policy Committee Information Exchange Workgroup NwHIN Conditions for Trusted Exchange Request For Information (RFI) May 18,

Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.

Malcolm Crompton APEC Information Privacy Framework: review, impact, & progress APEC Symposium on Information Privacy Protection in E Government & E Commerce.

HIT Policy Committee Privacy and Security Tiger Team Deven McGraw, Chair Paul Egerman, Co-Chair October 20,

Unit 7 Seminar.  According to Sanderson (2009), the problems with the current paper-based health record system have been well documented. The author.

HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.

Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.

Overview of ONC Report to Congress on Health Information Blocking Presented to the Health IT Policy Committee, Task Force on Clinical, Technical, Organizational,

HIT Policy Committee Meeting Nationwide Health Information Network Governance June 25, 2010 Mary Jo Deering, PhD ONC, Office of Policy and Planning NHIN.

APEC Privacy Framework “The lack of consumer trust and confidence in the privacy and security of online transactions and information networks is one element.

Challenges in Promoting RCR: Reflections from a Public Funder´s Perspective Secretariat on Responsible Conduct of Research [Canadian Institutes of Health.

Office of the Secretary Office for Civil Rights (OCR) Enforcement and Policy Challenges in Health Information Privacy Linda Sanches HIPAA Summit Special.

1 HIPAA’s Impact on Depository Financial Institutions 2 nd National Medical Banking Institute Rick Morrison, CEO Remettra, Inc.

HIPAA Privacy Rule Positive Changes Affecting Hospitals’ Implementation of the Rule Melinda Hatton -- Oct. 31, 2002.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)

HIPAA Administrative Simplification

Research Ethics Matthew Billington

Overview of the Connecting for Health Common Framework Resources

Ethical questions on the use of big data in official statistics

Pragmatic RCTs and the Learning Healthcare System

American Health Information Management Association

Data Access and Stewardship

Concerns of a Privacy Advocate – and How to Respond

Policies for Information Sharing

Paul T. Smith, Esq. Partner, Davis Wright Tremaine LLP

Drew Hunt Network Security Analyst Valley Medical Center

National Congress on Health Care Compliance

Introduction to Health Privacy

Enforcement and Policy Challenges in Health Information Privacy

Role of Patients in Getting Communities Connected

THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,

Managing Privacy Risk in Your Commercial Practices

Non-HIPAA Governmental Regulation of Healthcare Privacy and Security

HIPAA Privacy and Security Update - 5 Years After Implementation

Presentation transcript:

Healthcare Privacy: The Perspective of a Privacy Advocate Deven McGraw

The Health Privacy Project at CDT Health IT and electronic health information exchange have tremendous potential to improve health care quality, reduce costs, and empower consumers. But little progress has been made on resolving the privacy and security issues raised by e-health. Project’s aim: Develop and promote workable privacy and security policy solutions for personal health information.

People want Health IT - but also have significant privacy concerns Survey data shows the public wants electronic access to their personal health information. But a majority - 67% - also have significant concerns about the privacy of their medical records (California Healthcare Foundation 2005).

Consequences of Failing to Act Good health care depends on accurate and reliable information. Without privacy protections, people will engage in “privacy-protective behaviors” to avoid having their information used inappropriately. 1 in 6 adults withhold information from providers due to privacy concerns. (Harris Interactive 2007) Persons in poor health, and racial and ethnic minorities, report even higher levels of concern and are more likely to engage in privacy-protective behaviors. (CHF 2005)

Health IT Can Protect Privacy - But Also Magnifies Risk Tools of technology can better protect privacy But moving health information into electronic form - in the absence of strong privacy and security safeguards - magnifies the risks. Recent thefts of laptops, inadvertent posting of data on the Internet Cumulative effect of these reports deepens consumer distrust

A Comprehensive Approach is Needed Privacy and security protections are not the obstacle - enhanced privacy and security is an enabler to health IT. A comprehensive privacy and security framework is needed to facilitate the adoption of health IT and health information exchange. Rules should be tailored to different contexts.

What Does a Comprehensive Framework Look Like? Includes core privacy principles, incorporates trusted network design characteristics, and establishes oversight and accountability mechanisms. (Markle Foundation) The framework should also cover generally accepted fair information practices that have been used to shape policies governing uses of PHI in a variety of contexts. No single formulation - but Markle’s Common Framework provides a good model.

Common Framework Principles Openness and transparency Purpose specification and minimization Collection limitation Use limitation Individual participation and control Data integrity and quality Security safeguards and controls Accountability and Oversight Remedies

Role of HIPAA in New Environment HIPAA Privacy and Security Rules reflect elements of this framework and provide important protections governing access, use and disclosure of PHI by health system entities. But the regulations are insufficient to cover the new and rapidly evolving e-health environment - particularly the migration of health information out of the health care system. Effective enforcement is also lacking.

What About Patient Consent Individual control is an important component of fair information practices - but it is just one component. In the context of PHRs and accounts in health record banks, consumer control is the model - and the rules that govern these tools should enforce that principle. Will that become the prevailing model of health information exchange?

Patient Consent (cont.) For records held by health system entities, providing greater authorization rights is not the best way to protect privacy and security. Data stewardship responsibility should primarily vest with the entity holding the data. Places most of the burden of privacy protection on the individual at a time when they are least able to make complicated decisions about the use of their data. Research shows that patients do not read consent forms - and if they do read them, they frequently do not understand them and inherently believe they protect privacy even in cases where the opposite is true.

Consent (cont.) Blanket authorizations or easy “check the box” electronic forms in particular can easily become shields for inappropriate uses. Relying on consent relieves entities of the burden of adopting strong privacy and security policies and practices. There is a role for consent - and we want consumers to be paying attention in those moments (no “consent fatigue”).

Consent (cont.) The adoption of a comprehensive privacy and security framework that places clear limits on the access, use and disclosure of identifiable health information - with aggressive enforcement - will better protect privacy in e-health systems. But health systems should be engineered to honor (and appropriately manage) patient consent where such consent is legally required or voluntarily sought. Is there room for a hybrid approach?

Consent (cont.) We need to consider the appropriate role for consent - particularly with respect to information that is particularly sensitive and stigmatizing. HHS should follow-up on NCVHS recommendations concerning the right to restrict information in sensitive categories. Consider work already being done in state and regional health information exchanges.

For privacy to enable health IT, we need to “enable” privacy deven@cdt.org