"Security and Privacy After September 11: The Healthcare Example Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP April.

Presentation transcript:

"Security and Privacy After September 11: The Healthcare Example"
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster LLP
April 25, 2002

Overview
• Introduction
• Security and Privacy after September 11
  – Can you report a terrorist/patient?
  – More emphasis on security
  – What implication for privacy?
• Proposed Rule Changes & Consumer Groups
  – Some surprises: FDA exception, employer exception, hybrid entity changes

I. Background
• Clinton Administration Chief Counselor for Privacy
• Unusual double major:
  – White House coordinator for HIPAA medical privacy rule,
  – Chair, White House task force on how to update wiretap and surveillance laws for the Internet age

Currently
• Ohio State University College of Law
  – Director D.C. program
• Consultant, Morrison & Foerster, with focus on medical privacy (materials available today)
• Full version of this talk forthcoming, Minnesota Law Review

II. Reporting Suspicious Activity
• Rule issued before Sept. 11. How well does it work today?
• What if a suspected terrorist is in the hospital? Can you report that?
• Example: patient exposed to anthrax, and you suspect person involved in making or distributing spores

When Can You Report?
• National security exception
• Avert serious threats to health or public safety
• Law enforcement rules generally

National Security Exception
• Section 512(k)(2)
• May disclose PHI to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities
• Those activities as defined in law -- what you expect as intelligence

Averting Serious Threats
• Section 512(j) permits voluntary disclosure by a covered entity
• Must be consistent with applicable law and standards of ethical conduct

Averting Serious Threats
• Option 1, can disclose where:
  – Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
  – Is to a person or persons reasonably able to prevent or lessen the threat

Averting Serious Threats
• Option 2, disclosure OK where:
  – Is necessary for law enforcement authorities to identify or apprehend an individual
  – Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim
  – That is, confessions to violent crimes

Averting Serious Threats
• Can't disclose where confession is made as part of therapy for propensity to commit violent conduct
• Conclusion: the rule allows disclosure to avert serious threats, including by terrorists

General Law Enforcement
• Sec. 512(f) generally requires in response to law enforcement official's request
• Covered entity can't volunteer the information, except where required by a reporting law or requested by law enforcement

General Law Enforcement
• Court order, grand jury subpoena, administrative subpoena for full file
• To locate or identify a suspect, fugitive, material witness, or missing person:
  – Name, SSN, limited other information

Summary on law enforcement
• For anthrax suspect:
  – Likely national security
  – May have evidence, in good faith, of imminent threat
  – Can respond to law enforcement requests more broadly
• The rule holds up better than you might have expected to this new challenge
• But, still limits on your disclosure to the police

Security & Privacy Today
• Greater focus on (cyber) security
• Security vs. privacy
• Security and privacy

Greater Focus on Security
• Less tolerance for hackers and other unauthorized use
• Cyber-security and the need to protect critical infrastructures
• Back-up needed in case of cyber-attack, attack on payments system, electricity grid, telephone system, or other systems you need

Security vs. Privacy
• Security sometimes means greater surveillance, information gathering, & information sharing
• Computer trespasser exception in USA Patriot Act
• Report possible terrorists
• Err on the side of public health reporting
• In short, greater disclosures to foster security

Security and Privacy
• Good data handling practices become more important -- good security protects PHI against unauthorized use
• Audit trails, accounting become more obviously desirable -- helps some HIPAA compliance
• Part of system upgrade for security will be system upgrade for other requirements, such as HIPAA privacy

Security, Privacy & Health Care
• Greater law enforcement & anti-terrorism urgency after September 11
• Medical privacy rule already has provisions to respond to September 11:
  – Public health
  – Report terrorists
• Not clear so far that need changes here to HIPAA privacy rule

III. Comments on the Rule
• Public debate to date about:
  – Consent vs. acknowledgment
  – Marketing
• Watch for these issues from consumer side:
  – New public health exception, especially for drug companies
  – New exception for employee records
  – New hybrid entity provision

Public health uses and disclosure
• From 12/2000 rule
  – PHI can be disclosed to a public health authority authorized by law to collect or receive such information
  – PHI can be disclosed where required by the FDA or under other applicable law

Public health changes
• Proposed rule would allow disclosure to:
  – Any person subject to FDA jurisdiction
  – For the purpose of activities related to the quality, safety, or effectiveness of an FDA regulated product or activity
  – No re-use limits on those who receive data
  – Major provision for the drug companies?

Employee Data
• New exclusion from definition of PHI for
  – Employment records held by a covered entity in its role as employer.
  – Limiting language in preamble.
  – But the regulatory text is very broad -- those records are entirely outside of the rule.

Hybrid entities
• Current law:
  – If primarily a covered entity, then all your operations are covered.
• Proposal:
  – Covered entity defines components that are covered
• Example:
  – If no standard transactions, could a hospital web site be outside the rule? Sell all data?

Concluding Thoughts on Security
• Biggest messages today:
• Data handling will have to improve
• Computer security will get more attention and budget
• Critical systems will need to be robust against new threats
• Better data handling, in general, will lead to better privacy compliance, too

How the Proposed Rule Looks to the Consumer Groups
• Consent -- Senator Kennedy hearings
• Marketing -- many activities now excluded from the definition
• FDA exception -- gift to drug companies
• Employee exception -- gift to employers
• Hybrid entities -- invitation to create loopholes and surprise consumers

Finally
• Industry will continue to identify issues where the rule is burdensome or HHS needs to provide clarification
• Consumer groups have their talking points, as well
• Look for continued fireworks

Contact Information
• Professor Peter Swire
• Phone: (301)
• Web:
• Presidential Privacy Archives: