Hypothetical Case Study Health Care Privacy Exploring Issues Commonly Confronted by Privacy Officers Harvard University August 22, 2007 Dan Steinberg, JD, CIPP Booz Allen Hamilton (703) 377-1261 steinberg_daniel@bah.com Becky Williams, RN, JD Davis Wright Tremaine LLP (206) 757-8171 beckywilliams@dwt.com Booz Allen Hamilton Standard Colors Colors should be used in the color pairs whenever possible. Do not mix and match colors, use pairs together as shown. Black, White and Gray can be used with any of the other colors. Purple Pantone 2765 R 12 G 4 B 79 Green Pantone 357 R 15 G 67 B 24 Blue Pantone 2 88 R 11 G 31 B 101 Pantone Cool Gray 6 R 158 G 158 B 158 Davis Wright Tremaine LLP Black Red Pantone 485 R 252 G 5 B 14 Yellow Pantone 3965 R 232 G 244 B 4 Aqua Pantone 319 R 126 G 204 B 189 White

The Privacy Symposium’s Overall Goals. Identify current challenges in the field of health care privacy Identify and discuss best practices Define the responsibilities of a privacy officer Identify participants’ areas of interest and expertise

The events you are about to discuss take pace at Daviswright Hospital in the State of Boozylvania. A 500 bed teaching hospital Included in the provider network of the three major managed care companies (MCOs) that operate in the state of Boozylvania Affiliated with Boozylvania State University Medical School (Booz U. Med.) In 2006, made a large investment in an information management system that includes a system for maintaining electronic health records (EHRs) Employs a chief of IT operations and in-house counsel, but no privacy officer Divides privacy responsibilities among IT staff and legal staff You are general counsel and the chief compliance officer for Daviswright Hospital You also serve on its Institutional Review Board (IRB)

Case 1: When my CEO smiles at me, I go to a RHIO! Daviswright’s CEO tells you, “We’re joining the Boozylvania Regional Health Information Organization (RHIO)!” “We’re going to need to use the RHIO’s identity management system.” The RHIO won’t have special treatment for: Psychiatric records Substance abuse records AIDS/HIV “We’ll need to reformat all patients’ records. Let’s outsource the data transfer and reformatting responsibilities overseas.” “This should be straightforward, don’t you think?”

Case 2: “Sure I respect patient privacy Case 2: “Sure I respect patient privacy. But these people aren’t patients, they’re human subjects!” A call from a public health researcher from Boozylvania University is referred to you The proposed study concerns the connection between being the victim of violent crime and future ER visits and chronic illnesses Requires access to all patient records to formulate the project Once constructed, will need access to all EHRs, including histories that detail whether treatment was occasioned by a violent crime Will need some information about the subjects (neighborhood, treatment dates) Will not need patients’ names or other contact information Research will be conducted in conjunction with other researchers at institutions in different states The researcher intends to use an external institution's IRB as the IRB of record What concerns do you have? Who needs to be consulted?

Case 3: “If famous people wanted privacy, why did they become famous?” US Senator and former world ping pong champion Luke Beckenforth is admitted to Daviswright Hospital Internet rumors of suicide Actual chief complaint: impacted bowel Beckenforth has been highly medicated and sedated for over a day Over 300 calls have come into the hospital from: Concerned constituents Journalists Beckenforth’s staff Beckenforth’s estranged wife Hilda Senate colleagues concerned that he will be unavailable for upcoming critical floor votes What information, if any, should be released to each of these callers?

Case 4: This information is available on a “really-really-want-to-know” basis only. No exceptions. You request an audit of access to Beckenforth’s EHR Over 80% of staff with access to the EHR have accessed Beckenforth’s record You ask three staffers why they did so: One responds: “Given the high profile of this patient, I need to be ready to meet any of his needs.” The staffer is a nurse in the same department as the Senator but who has not yet been on a shift with the Senator Another person, a lab technician, says she was concerned about the Senator because she “admires and respects him” The last person admits that a reporter paid him to leak information What should you do now?

Case 5: Whether you blame genetics or environment, it’s best not to have stupid parents. Daviswright houses a genetic counseling service Genetic testing is performed under contract at Booz U. facilities Results are transmitted back to Daviswright Hospital All test results to the subject are delivered at a face-to-face appointment One genetic counselor, Sara Toanin, has lost her personal laptop She used to review records at home via open wireless Internet access points Her laptop contained over 300 patient records, including EHRs indicating records of genetic predispositions to cancer, carriers of genetic illnesses, and others What are your concerns? What are your next steps, now and in the future?

Contact Information Rebecca L. Williams, RN, JD Partner; Co-Chair of Health Information Technology/HIPAA Practice Davis Wright Tremaine LLP (206) 757-8171 beckywilliams@dwt.com Daniel Steinberg, JD, CIPP Associate Booz Allen Hamilton (703) 377-1261 steinberg_daniel@bah.com