WILLIAM HERSH, MD OREGON HEALTH & SCIENCE UNIVERSITY Privacy, Confidentiality, and Security: Basic Concepts Content licensed under Creative Commons Attribution-Share.

Slides:



Advertisements
Similar presentations
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
Advertisements

Independent Contractor Orientation HIPAA What Is HIPAA? Health Insurance Portability and Accountability Act of 1996 The Health Insurance Portability.
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA Health Insurance Portability and Accountability Act.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
Are you ready for HIPPO??? Welcome to HIPAA
Professional Nursing Services.  Privacy and Security Training explains:  The requirements of the federal HIPAA/HITEC regulations, state privacy laws.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
Privacy, Security, Confidentiality, and Legal Issues
Health information security & compliance
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
Security Controls – What Works
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
HIPAA What’s Said Here – Stays Here…. WHAT IS HIPAA  Health Insurance Portability and Accountability Act  Purpose is to protect clients (patients)
ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.
New Data Regulation Law 201 CMR TJX Video.
Columbia University Medical Center Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy & Information Security Training 2009.
HIPAA PRIVACY AND SECURITY AWARENESS.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems Meade Morgan and Xen Santas Informatics Team Surveillance and Infrastructure.
Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Privacy, Confidentiality, Security, and Integrity of Electronic Data
Patient Data Security and Privacy Lecture # 7 PHCL 498 Amar Hijazi, Majed Alameel, Mona AlMehaid.
HIPAA Michigan Cancer Registrars Association 2005 Annual Educational Conference Sandy Routhier.
© 2009 The McGraw-Hill Companies, Inc. All rights reserved. 1 McGraw-Hill Chapter 2 The HIPAA Privacy Standards HIPAA for Allied Health Careers.
LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Ch 8 Privacy Law and HIPAA.
Privacy, Confidentiality, and Security Unit 8: Professional Values and Medical Ethics Lecture 2 This material was developed by Oregon Health & Science.
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
Privacy, Confidentiality, and Security Unit 8: Professional Values and Medical Ethics Lecture 1 This material was developed by Oregon Health & Science.
Patient Confidentiality and Electronic Medical Records Ann J. Olsen, MBA, MA Information Security Officer and Director, Information Management Planning.
HIPAA THE PRIVACY RULE. 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti- depressant medications.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Privacy, Confidentiality, and Security Component 2/Unit 8c.
Working with HIT Systems
HIPAA Health Insurance Portability and Accountability Act of 1996.
Chap1: Is there a Security Problem in Computing?.
Privacy, Confidentiality, and Security Component 2/Unit 8b.
Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.
Objectives  Legislation:  Understand that implementation of legislation will impact on procedures within an organisation.  Describe.
Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy.
HIPAA Training. What information is considered PHI (Protected Health Information)  Dates- Birthdays, Dates of Admission and Discharge, Date of Death.
The Medical College of Georgia HIPAA Privacy Rule Orientation.
COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill/Irwin Chapter 6 The Privacy and Security of Electronic Health Information.
Audit Trail LIS 4776 Advanced Health Informatics Week 14
HIPAA PRIVACY & SECURITY TRAINING
Understanding HIPAA Dr. Jennifer Lu.
HIPAA PRIVACY AWARENESS, COMPLIANCE and ENFORCEMENT
Disability Services Agencies Briefing On HIPAA
Health Care: Privacy in a Digital Age
The Health Insurance Portability and Accountability Act
HIPAA & PHI TRAINING & AWARENESS
PLANNING A SECURE BASELINE INSTALLATION
HIPAA Privacy and Security Update - 5 Years After Implementation
Introduction to the PACS Security
The Health Insurance Portability and Accountability Act
Presentation transcript:

WILLIAM HERSH, MD OREGON HEALTH & SCIENCE UNIVERSITY Privacy, Confidentiality, and Security: Basic Concepts Content licensed under Creative Commons Attribution-Share Alike 3.0 Unported

Privacy, confidentiality, and security Definitions Concerns  Privacy  Security Tools for protecting health information Approaches to protecting health information

Definitions Privacy – right to keep things to yourself Confidentiality – right to keep things about you from being disclosed to others Security – protection of your personal information Individually Identifiable Health Information (IIHI) – any data that can be correlated with an individual Personal health information – IIHI as defined by HIPAA Privacy Rule Consent – (in context of privacy) written or verbal permission to allow use of your IIHI

Concerns about privacy Personal privacy vs. common good Continued disclosures Concerns of public De-identified data

Personal privacy vs. the common good There is a spectrum of views  One end holds that while personal privacy is important, there are some instances when the common good of society outweighs it, such as in biosurveillance (Gostin, 2002; Hodge, 1999)  The other end holds that personal privacy trumps all other concerns (Privacy Rights Clearinghouse, 2009; see also Deborah Peel, MD and  Concerns expressed in ACLU video (ACLU, 2004)  More balanced views? – CHCF, 2008; ACP, 2009 Where do your views fit?

There continue to be patient information disclosures Google can pick up not only patient data, but also access points to databases, which may not be well protected (Chin, 2003) Portland, OR – Thieves broke into a car with back-up disks and tapes containing records of 365,000 patients (Rojas-Burke, 2006) Several episodes from VA, e.g., laptop with data of >1 million veterans, recovered without apparent access (Lee, 2006) HITECH now requires notification of breaches of over 500 individuals under HIPAA  breachnotificationrule/postedbreaches.html

Healthcare organizations are not well- prepared for security Deloitte, 2009  Data leakage is a primary threat  Identity and access management is a top priority  Trend towards outsourcing raises many third-party security concerns  Role of Chief Information Security Officer (CISO) has taken on greater significance  As security environment becomes more complex and regulation continues to grow, security budgets not keeping pace HIMSS, 2009  Healthcare organizations not keeping pace with security threats and readiness for them

Technology can worsen the problem USB (“thumb”) drives run programs when plugged into USB port; can be modified to extract data from computer (Wright, 2007) Personal health records based on Microsoft Access can easily have encryption compromised (Wright, 2007) 10% of hard drives sold by a second-hand retailer in Canada had remnants of personal health information (El Emam, 2007)

What is the role of governments? United States: HIPAA (Leyva, 2010)  Privacy Rule defines policies, including “treatment, payment, and operations” (TPO)  Security Rule specifies required protections European Commission Directive 95/46/EC (EC, 2007)  Stringent rules allow data processing only with consent or highly specific circumstances (legal obligation, public necessity)

Related issues for medical privacy Who “owns” medical information?  Easier to answer with paper systems, but growing view is the patients own it, which has economic implications (Hall, 2009; Rodwin, 2009) “Compelled” disclosures (Rothstein, 2006)  We are often compelled to disclose information for non- clinical care reasons The ultimate “personal identifier” may be one’s genome (McGuire, 2006)  Even “de-identified” data may compromise privacy (Malin, 2005)  Genome of family members can identify siblings (Cassa, 2008)  Data from genome-wide association studies can reveal individual level information (Lumley, 2010)

So maybe “de-identified” data is more secure? Not necessarily Sweeney, 1997; Sweeney, 2002  87% of US population uniquely identified by five-digit zip code, gender, and date of birth  Identified William Weld, governor of Massachusetts, in health insurance database for state employees by purchasing voter registration for Cambridge, MA for $20 and linking zip code, gender, and date of birth to “de-identified” medical database Genomic data can aid re-identification in clinical research studies (Malin, 2005; Lumley, 2010) Social security numbers can be predicted from public data (Acquisti, 2009)

How Governor Weld was de-identified Ethnicity Visit date Diagnosis Procedure Medication Charge Zip Date of birth Gender Name Address Date registered Party affiliation Date last voted

Concerns about security Many points of leakage A problem for paper too Consequences of poor security Medical identity theft

Flow of information in healthcare – many points to “leak” Direct patient care Provider Clinic Hospital Support activity Payers Quality reviews Administration “Social” uses Insurance eligibility Public health Medical research Commercial uses Marketing Managed care Drug usage (Rindfleisch, 1997)

Security for paper records is a significant problem as well Difficult to audit trail of paper chart Fax machines are easily accessible Records frequently copied for many reasons  New providers, insurance purposes Records abstracted for variety of purposes  Research  Quality assurance  Insurance fraud → Health Information Bureau (Rothfeder, 1992)

Potential consequences of poor security Rindfleish, 1997  Patients avoid healthcare  Patients lie  Providers avoid entering sensitive data  Providers devise work-arounds CHCF, 2005  13% of consumers admit to engaging in “privacy-protective” behaviors that might put health at risk, such as  Asking doctor to lie about diagnosis  Paying for a test because they did not want to submit a claim  Avoid seeing their regular doctor

Tools for protecting health information IOM report: For the Record (1997) Report commissioned by NLM; informed HIPAA legistation Looked at current practices at six institutions Recommended immediate and future best practices Some content dated, but framework not

Threats to security Insider  Accidental disclosure  Curiosity  Subornation Secondary use settings Outside institution  A lot of press, few examples

Technologies to secure information Deterrents  Alerts  Audit trails System management precautions  Software management  Analysis of vulnerability Obstacles  Authentication  Authorization  Integrity management  Digital signatures  Encryption  Firewalls  Rights management

Encryption Necessary but not sufficient to ensure security Should, however, be used for all communications over public networks, e.g., the Internet Information is scrambled and unscrambled using a key Types: symmetric vs. asymmetric  Asymmetric, aka public key encryption, can be used for digital certificates, electronic signatures, etc.

NRC report best practices Organizational  Confidentiality and security policies and committees  Education and training programs  Sanctions  Patient access to audit trails Technical  Authentication of users  Audit trails  Physical security and disaster recovery  Protection of remote access points and external communications  Software discipline  Ongoing system vulnerability assessment

Authentication and passwords Authentication is process of gaining access to secure computer Usual approach is passwords (“what you know”), but secure systems may add physical entities (“what you have”), e.g.,  Biometric devices – physical characteristic, e.g., thumbprint  Physical devices – smart card or some other physical “key” Ideal password is one you can remember but no one else can guess Typical Internet user interacts with many sites for which he/she must use password  Many clamor for “single sign-on,” especially in healthcare, where users authenticate just once (Pabrai, 2008)

Health information security is probably a trade-off No security - Web pages Total security - CIA, NSA Where is the happy medium for healthcare?

Other issues about privacy and confidentiality to ponder… Who owns health information? How is informed consent implemented? When does public good exceed personal privacy?  e.g., public health, research, law enforcement What conflicts are there with business interests? How do we let individuals “opt out” of health information systems?  What are the costs? When do we override?

The work is provided under the terms of this Creative Commons Public License (“CCPL" or "license"). The work is protected by copyright and/or other applicable law. Any use of the work other than as authorized under this license or copyright law is prohibited.Creative Commons Public License