Developing Privacy and Security Standards
Allen Briskin

Presentation transcript:


Davis Wright Tremaine LLP

Overview
- What is HIE?
- Legal baselines
  - HIPAA
  - State laws
  - California HISPC findings
- Privacy and security principles
- How Can Lawyers Fit Into Privacy/Security Rulemaking?

What is HIE?
- Common notion: moving data, context and knowledge on an individual’s health from application to application, repository to repository, without loss of meaning
  - Requires everyone to be fully equipped to give and receive in context
- Consider: health information access as an alternative
  - Perhaps the most significant benefit from having access to a patient’s health records is the integrated workflow and compilation of information in meaningful ways to improve diagnosis and treatment decisions
  - What’s needed for access:
    - Data use / data sharing agreement
    - Restricted (1-patient) quarantined portal viewer and a secure method of access to the viewer
    - Common method for user authentication and authorization across entity boundaries
- HIE is going to take many forms in response to market demand

Legal Baseline: HIPAA Privacy
- It’s not really about privacy, it’s about facilitating disclosure
- Patient consent not required for payment, treatment, health care operations
- Notice of Privacy Practices
  - The kitchen sink of policies
  - Like drinking from a fire hose

Legal Baseline: HIPAA Security
- The Privacy Rule sets the standards for who may have access to PHI
- The Security Rule sets the standards for ensuring that only those who should have access to ePHI will actually have access
- The security requirements were designed to be technology neutral and scalable

Legal Baseline: State Laws
- HISPC project discloses a crazy-quilt of state laws
- Sensitive information
  - HIV/AIDS
  - Mental health
  - Substance abuse
  - Genetic testing
- “My own private HIPAA”

Legal Baseline: California Laws
Highlights of the California March 30, 2007 Report:
- Stakeholders have varying perceptions about the degree to which privacy laws are enforced
  - A potential deterrent to exchange
  - Detracts from the credibility of HIE
- Privacy is at risk because there are no common standards for users accessing data and for non-covered entities under HIPAA

Legal Baseline: California Laws (continued)
- Privacy rules governing some public health issues are incomplete and unclear
- It is not feasible for one person to understand the complexity resulting from the convergence of laws that affect privacy and security
- The complex interaction of federal and State laws, and differences in stakeholders’ level of knowledge and interpretation, results in restrictive sharing of information

Legal Baseline: California Laws (continued)
- The Problem: multiple interpretations and applications of laws governing privacy and security result in different approaches to HIE
- Solutions:
  - Establish a legal committee to include all stakeholders and their legal counsel
  - The legal committee would recommend solutions to CPSAB concerning the legal issues among federal and state laws and state law pre-emption
  - Compile an index of applicable laws
  - Analyze potential impacts of applying standards to all HIE participants or to all individually identifiable health information, regardless of location
- Barriers include “inability to agree on core principles, goals or laws”

Privacy and Security Principles (Thanks to Connecting for Health)
- Openness and Transparency: There should be a general policy of openness about developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, the purpose of its use, who can access and use it, and where it resides
- Purpose Specification and Minimization: The purposes for which personal data are collected should be specified at the time of collection, and the subsequent use should be limited to those purposes or others that are specified on each occasion of change of purpose
- Collection Limitation: Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means and, where possible, with the knowledge or consent of the data subject

Privacy and Security Principles (continued)
- Use Limitation: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified
- Individual Participation and Control: Individuals should control access to their personal information
  - Individuals should be able to obtain from each entity that controls personal health data information about whether or not the entity has data relating to them
  - Individuals should have the right to:
    - Have personal data relating to them communicated within a reasonable time (at an affordable charge, if any), and in a form that is readily understandable;
    - Be given reasons if a request (as described above) is denied, and be able to challenge such denial; and
    - Challenge data relating to them and have it rectified, completed, or amended

Privacy and Security Principles (continued)
- Data Integrity and Quality: All personal data collected should be relevant to the purposes for which they are used and should be accurate, complete, and current
- Security Safeguards and Controls: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure
- Accountability and Oversight: Entities in control of personal health data must be held accountable for implementing these information practices
- Remedies: Legal and financial remedies must exist to address any security breaches or privacy violations

Privacy Meets Security
- Privacy rules protect the individual’s interest in maintaining the confidentiality of, and directing the use and disclosure of, his/her personal health information
- Security rules are there to ensure that only those who should have access to personal health information will have access

How Can Lawyers Fit Into Privacy/Security Rulemaking?
- Goal: reconciling the legal baselines and the principles, and removing roadblocks, to create a socially accepted, legally sound set of rules
- Why do we need lawyers?
  - IT professionals generally do not know what lawyers do
  - The laws and regs are the specifications for life and, since they are written down, they should be easy to figure out
  - Tell me what’s really important?

Case Study – Common Framework for HIE – Model Agreement
- We were hired by Connecting for Health to prepare the model
- We consulted with the client to get direction on relevant precedent and the general scope of the project
- We prepared a draft based on legal principles and precedent
- We highlighted the legal issues and provided alternatives
- We vetted the document with a small group and revised it to reflect their input
- The policy subcommittee then vetted it with a large group
- We made revisions
- The policy subcommittee finalized it

How Can Lawyers Fit Into Privacy/Security Rulemaking? (continued)
- It is difficult and unproductive to address legal issues in a vacuum
- It is not necessary to address all potential legal issues “just in case”
- There needs to be a nexus between the expected policy deliverables and the legal advice
- Lawyers should highlight the legal issues and provide alternatives
- Lawyers should assist in the initial drafting
- The policymaking body should then vet the proposals
- Lawyers provide advice
- The policymaking body then decides what to go with

This is a publication of the Health Information Technology Group of Davis Wright Tremaine LLP with a purpose to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice, as legal counsel may only be given in response to inquiries regarding particular situations. Copyright 2008, Davis Wright Tremaine LLP (reprints with attribution permitted)

Questions?