Developing Privacy and Security Standards Allen Briskin Allen Briskin

Davis Wright Tremaine LLP Overview What is HIE? Legal baselines HIPAA State laws California HISPC findings Privacy and security principles How Can Lawyers Fit Into Privacy/Security Rulemaking? What is HIE? Legal baselines HIPAA State laws California HISPC findings Privacy and security principles How Can Lawyers Fit Into Privacy/Security Rulemaking?

Davis Wright Tremaine LLP What is HIE? Common notion: Moving data, context and knowledge on an individual’s health from application to application, repository to repository without loss of meaning Requires everyone to be fully equipped to give and receive in context Consider: health information access as an alternative Perhaps the most significant benefit from having access to a patient’s health records is the integrated workflow and compilation of information in meaningful ways to improve diagnosis and treatment decisions What’s needed for access: Data use / data sharing agreement Restricted (1-patient) quarantined portal viewer and secure method of access to the viewer Common method for user authentication and authorization across entity boundaries HIE is going to take many forms in response to market demand Common notion: Moving data, context and knowledge on an individual’s health from application to application, repository to repository without loss of meaning Requires everyone to be fully equipped to give and receive in context Consider: health information access as an alternative Perhaps the most significant benefit from having access to a patient’s health records is the integrated workflow and compilation of information in meaningful ways to improve diagnosis and treatment decisions What’s needed for access: Data use / data sharing agreement Restricted (1-patient) quarantined portal viewer and secure method of access to the viewer Common method for user authentication and authorization across entity boundaries HIE is going to take many forms in response to market demand

Davis Wright Tremaine LLP Legal Baseline: HIPAA Privacy It’s not really about privacy, it’s about facilitating disclosure Patient consent not required for payment, treatment, health operations Notice of Privacy Practices The kitchen sink of policies Like drinking from a fire hose It’s not really about privacy, it’s about facilitating disclosure Patient consent not required for payment, treatment, health operations Notice of Privacy Practices The kitchen sink of policies Like drinking from a fire hose

Davis Wright Tremaine LLP Legal Baseline: HIPAA Security The Privacy Rule sets the standards for who may have access to PHI The Security Rule sets the standards for ensuring that only those who should have access to ePHI will actually have access The security requirements were designed to be technology neutral and scalable The Privacy Rule sets the standards for who may have access to PHI The Security Rule sets the standards for ensuring that only those who should have access to ePHI will actually have access The security requirements were designed to be technology neutral and scalable

Davis Wright Tremaine LLP Legal Baseline: State laws HISPC project discloses a crazy-quilt of state laws Sensitive information HIV/AIDS Mental health Substance abuse Genetic testing “my own private HIPAA” HISPC project discloses a crazy-quilt of state laws Sensitive information HIV/AIDS Mental health Substance abuse Genetic testing “my own private HIPAA”

Davis Wright Tremaine LLP Legal Baseline: California Laws Highlights of California March 30, 2007 Report Stakeholders have varying perceptions about the degree to which privacy laws are enforced A potential deterrent to exchange Detracts from credibility of HIE Privacy is at risk because there are no common standards for users accessing data and non-covered entities under HIPAA Highlights of California March 30, 2007 Report Stakeholders have varying perceptions about the degree to which privacy laws are enforced A potential deterrent to exchange Detracts from credibility of HIE Privacy is at risk because there are no common standards for users accessing data and non-covered entities under HIPAA

Davis Wright Tremaine LLP Legal Baseline: California Laws Privacy rules governing some public health issues are incomplete and unclear It is not feasible for one person to understand the complexity resulting from the convergence of law that affect privacy and security The complex interaction of federal and State laws and differences in stakeholders’ level of knowledge and interpretation results in restrictive sharing of information Privacy rules governing some public health issues are incomplete and unclear It is not feasible for one person to understand the complexity resulting from the convergence of law that affect privacy and security The complex interaction of federal and State laws and differences in stakeholders’ level of knowledge and interpretation results in restrictive sharing of information

Davis Wright Tremaine LLP Legal Baseline: California Laws The Problem: multiple interpretations and applications of laws governing privacy and security result in different approaches to HIE – Solutions: Establish a legal committee to include all stakeholders and their legal counsel The legal committee would recommend solutions to CPSAB concerning the legal issues among federal and state laws and state law pre-emption Compile an index of applicable laws Analyze potential impacts of applying standards to all HIE participants or to all individually identifiable health information, regardless of location Barriers include “inability to agree on core principles, goals or laws” The Problem: multiple interpretations and applications of laws governing privacy and security result in different approaches to HIE – Solutions: Establish a legal committee to include all stakeholders and their legal counsel The legal committee would recommend solutions to CPSAB concerning the legal issues among federal and state laws and state law pre-emption Compile an index of applicable laws Analyze potential impacts of applying standards to all HIE participants or to all individually identifiable health information, regardless of location Barriers include “inability to agree on core principles, goals or laws”

Davis Wright Tremaine LLP Privacy and Security Principles (Thanks to Connecting for Health) Openness and Transparency There should be a general policy of openness about developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, the purpose of its use, who can access and use it, and where it resides Purpose Specification and Minimization The purposes for which personal data are collected should be specified at the time of collection, and the subsequent use should be limited to those purposes or others that are specified on each occasion of change of purpose Collection Limitation Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means and, where possible, with the knowledge or consent of the data subject Openness and Transparency There should be a general policy of openness about developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, the purpose of its use, who can access and use it, and where it resides Purpose Specification and Minimization The purposes for which personal data are collected should be specified at the time of collection, and the subsequent use should be limited to those purposes or others that are specified on each occasion of change of purpose Collection Limitation Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means and, where possible, with the knowledge or consent of the data subject

Davis Wright Tremaine LLP Privacy and Security Principles (Thanks to Connecting for Health) Use Limitation Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified Individual Participation and Control Individuals should control access to their personal information: Individuals should be able to obtain from each entity that controls personal health data information about whether or not the entity has data relating to them Individuals should have the right to: Have personal data relating to them communicated within a reasonable time (at an affordable charge, if any), and in a form that is readily understandable; Be given reasons if a request (as described above) is denied, and to be able to challenge such denial; and Challenge data relating to them and have it rectified, completed, or amended Use Limitation Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified Individual Participation and Control Individuals should control access to their personal information: Individuals should be able to obtain from each entity that controls personal health data information about whether or not the entity has data relating to them Individuals should have the right to: Have personal data relating to them communicated within a reasonable time (at an affordable charge, if any), and in a form that is readily understandable; Be given reasons if a request (as described above) is denied, and to be able to challenge such denial; and Challenge data relating to them and have it rectified, completed, or amended

Davis Wright Tremaine LLP Privacy and Security Principles (Thanks to Connecting for Health) Data Integrity and Quality All personal data collected should be relevant to the purposes for which they are used and should be accurate, complete, and current Security Safeguards and Controls Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure Accountability and Oversight Entities in control of personal health data must be held accountable for implementing these information practices Remedies Legal and financial remedies must exist to address any security breaches or privacy violations Data Integrity and Quality All personal data collected should be relevant to the purposes for which they are used and should be accurate, complete, and current Security Safeguards and Controls Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure Accountability and Oversight Entities in control of personal health data must be held accountable for implementing these information practices Remedies Legal and financial remedies must exist to address any security breaches or privacy violations

Davis Wright Tremaine LLP Privacy Meets Security Privacy rules protect the individual’s interest in maintaining confidentiality of and directing the use and disclosure of his/her personal health information Security rules are to ensure only those who should have access to personal health information will have access Privacy rules protect the individual’s interest in maintaining confidentiality of and directing the use and disclosure of his/her personal health information Security rules are to ensure only those who should have access to personal health information will have access

Davis Wright Tremaine LLP How Can Lawyers Fit Into Privacy/Security Rulemaking? Goal: reconciling the legal baselines and the principles and removing roadblocks to create a socially accepted, legally sound set of rules Why do we need lawyers? IT professionals generally do not know what lawyers do The laws and regs are the specifications for life and, since they are written down, they should be easy to figure out Tell me what’s really important? Goal: reconciling the legal baselines and the principles and removing roadblocks to create a socially accepted, legally sound set of rules Why do we need lawyers? IT professionals generally do not know what lawyers do The laws and regs are the specifications for life and, since they are written down, they should be easy to figure out Tell me what’s really important?

Davis Wright Tremaine LLP Case Study – Common Framework for HIE – Model Agreement We were hired by Connecting for Health to prepare the model We consulted with the client to get direction on relevant precedent and general scope of the project We prepared a draft based on legal principles and precedent We highlighted the legal issues and provided alternatives We vetted the document with a small group and revised to reflect their input The policy subcommittee then vetted with a large group We made revisions The policy subcommittee finalized it We were hired by Connecting for Health to prepare the model We consulted with the client to get direction on relevant precedent and general scope of the project We prepared a draft based on legal principles and precedent We highlighted the legal issues and provided alternatives We vetted the document with a small group and revised to reflect their input The policy subcommittee then vetted with a large group We made revisions The policy subcommittee finalized it

Davis Wright Tremaine LLP How Can Lawyers Fit Into Privacy/Security Rulemaking? It is difficult and unproductive to address legal issues in a vacuum It is not necessary to address all potential legal issues just in case There needs to be a nexus between the expected policy deliverables and legal advice Lawyers should highlight the legal issues and provide alternatives Lawyers should assist in the initial drafting The policymaking body should then vet the proposals Lawyers provide advice The policymaking body then decides what to go with It is difficult and unproductive to address legal issues in a vacuum It is not necessary to address all potential legal issues just in case There needs to be a nexus between the expected policy deliverables and legal advice Lawyers should highlight the legal issues and provide alternatives Lawyers should assist in the initial drafting The policymaking body should then vet the proposals Lawyers provide advice The policymaking body then decides what to go with

Davis Wright Tremaine LLP This is a publication of the Health Information Technology Group of Davis Wright Tremaine LLP with a purpose to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations. Copyright 2008, Davis Wright Tremaine LLP (reprints with attribution permitted) This is a publication of the Health Information Technology Group of Davis Wright Tremaine LLP with a purpose to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations. Copyright 2008, Davis Wright Tremaine LLP (reprints with attribution permitted)

Davis Wright Tremaine LLP Questions?