Emerging Privacy and Security Issues for Healthcare. Professor Peter P. Swire, The Ohio State University and Center for American Progress. Sentrigo Webinar, July 16, 2008.

Emerging Privacy and Security Issues for Healthcare Professor Peter P. Swire The Ohio State University Center for American Progress Sentrigo Webinar July 16, 2008

Overview
- My background
- Enforcement for medical privacy & security
- Trends after 2008
- The increased importance of data breach legislation
- Celebrity records & protecting against insiders
- EHRs, PHRs, and distributed computing for health care
- Theme: the growing importance of audit & control

I. My Background
Currently:
- Professor of Law, Ohio State University
- Senior Fellow, Center for American Progress
- I live in the DC area
- Privacy Year in Review, distributed to all members of the International Association of Privacy Professionals
- Information Privacy, the official book for the Certified Information Privacy Professional

Chief Counselor for Privacy
- Office of Management & Budget, 1999 to early 2001
- White House coordinator for the 1999 proposed and 2000 final HIPAA medical privacy rule
  - Fall 1999: proposed rule
  - 53,000 public comments
  - December 2000: final rule
  - 2002: revised final rule
  - 2003: compliance went into effect

Chief Counselor for Privacy (continued)
Many other privacy topics (can be raised in the question period, if there is interest):
- GLB financial privacy law & rule
- Chair, White House Working Group on how to update wiretap & surveillance laws
- U.S. government's own compliance with privacy laws
- Encryption policy
- Computer security & privacy (FIDNet)

Health Care since 2001
- Advisory board for Sentrigo, health care & database protection
- HIPAA implementation, with Morrison & Foerster, LLP
- Markle Connecting for Health advisor
- Frequent speaker & author on computer security & medical privacy

I. Enforcement
- A slow start to HIPAA privacy and security enforcement
- Explicit HHS announcement in the first year that the goal was corrective action rather than punishment
- "One free violation": the HHS regulation says no civil monetary penalties for a first violation
- Criminal statute narrowly interpreted: only the institution, not the individual

Shift in Enforcement?
- Stronger enforcement statements from HHS: "you've had time to comply"
- Stricter corrective action: 18% of complaints now result in changes to policies and procedures
- Criminal enforcement: a new interpretation says employees can be prosecuted
- State suits that treat HIPAA as the minimum standard of care

The Numbers on Enforcement
- 36,000 complaints since
- complaints in May,
- 9,548 complaints led to investigation
- 6,392 of those led to corrective action
- 435 cases referred to the Dept. of Justice for criminal investigation
- General trend: enforcers expect more than they used to

Most Common Investigations
- Impermissible uses and disclosures of protected health information (PHI)
- Lack of safeguards of PHI
- Lack of patient access to their PHI
- Uses or disclosures of more than the minimum necessary PHI
- Lack of, or invalid, authorizations for uses and disclosures of PHI

Poll: Has an institution you have worked with had privacy or security complaints to HHS under HIPAA?
1. Yes, 2 or more
2. Yes, 1 that I know of
3. None
4. Don't know

What Could Change in 2009?
Because of press & Hill concern about the lack of enforcement, some possibilities:
- Civil monetary penalties imposed more quickly
- More criminal enforcement
- Greater staff/budget for enforcement
- Increased audits, as CMS has begun under the HIPAA Security Rule (hired PwC)

II. State Data Breach Laws
- California data breach law in 2003
- Focus was on identity theft, such as loss of a Social Security number or bank account number
- Medical breaches usually not covered, except for loss of SSNs
- Notice to individuals whose data was compromised

Data Breach Laws Spread
- Today, over 40 states have data breach laws
- Push for a federal law, but stalled
- ChoicePoint, Veterans Administration, and other large breaches listed at
- Over 233 million notices sent

Medical Data Breach
- New trigger for data breach notification
- California strikes again, effective Jan.
- Notification required for unauthorized access to unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses
- Also for health insurance information

What Does That Mean to You?
- Minnesota & Rhode Island now have a medical records trigger
- The trend quite possibly will continue
- A 2006 survey by Phoenix Health Systems showed that 39 percent of health care providers and 33 percent of insurers reported security incidents in the previous six months
- Many health care organizations could face costly breach & notice requirements

III. A Special Form of Breach
"UCLA fires workers for snooping in Spears files"
"It's very disappointing," says the hospital's human resources director.
L.A. Times, March 16, 2008

Farrah Fawcett
"UCLA staffer passed Farrah Fawcett's medical records to National Enquirer"
April 2, 2008

Meanwhile, in New Jersey …
"Turns out a lot more people than George Clooney and his girlfriend were hurt by the Hollywood hunk's motorcycle accident last month."
N.Y. Daily News, Oct. 10, 2007

The Clooney Files As many as 40 doctors and other employees at the Palisades Medical Center in North Bergen, N.J., got suspensions for allegedly leaking confidential medical information about the couple

Worse Than Just Losing Your Job Lawanda Jackson indicted for criminal HIPAA violations, for allegedly receiving $4600 from the National Enquirer for 33 disclosures in ; checks were written to her husband

Poll: Has an institution you have worked with had disclosures of records about a well-known individual?
1. Yes, 2 or more
2. Yes, 1 that I know of
3. Don't know
4. None (and I'm glad we don't treat movie stars)

IV. Importance of Audit/Control
Let's examine the topics thus far:
- HIPAA enforcement climbing, perhaps rapidly
- Medical data breach laws emerging
- Celebrity records creating a big stir
Common theme: the importance of having better control over your organization's medical records database

Insider Abuse
- Computer security experts generally say that a large majority of incidents come from insiders, not outside hackers
- The challenge: how to detect, deter, and punish unauthorized insider access to records
- The central importance of audit and controls over access/egress for databases

Advantages of Database Control
- For celebrity records: send the clear message that violations will become known and traceable to the individual
- For data breaches:
  - Ensure good practices to reduce the likelihood of breaches
  - Pinpoint the extent of a breach, so notices go to the 100 affected persons, and not the 1,000 or 10,000 who might otherwise have to receive notice
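The two previous slides argue for audit and control over the records database without showing what the audit trail has to answer. The following is an added example, written for this page and not taken from the slides, from Sentrigo, or from any EHR product. It assumes a minimal access log plus a table of documented treatment relationships and a watch list of records under heightened review (all three tables and every sample row are constructed for the example). It implements the two questions the slides raise: which staff read a patient's record with no treatment relationship (insider snooping, watch-listed records such as a celebrity's surfaced first), and exactly which patients a compromised account touched in a time window (so the notification population is the people actually affected, not the whole patient table).

```python
"""Audit-log review for an EHR records database (added example, constructed data).

Schema, table names and sample rows are assumptions made for this example;
they are not the schema of any real system.
"""
import sqlite3

SCHEMA = """
CREATE TABLE access_log (
    ts         TEXT NOT NULL,   -- ISO-8601 UTC; sorts lexicographically
    user_id    TEXT NOT NULL,
    patient_id TEXT NOT NULL,
    action     TEXT NOT NULL    -- 'read' | 'write' | 'export'
);
CREATE TABLE care_team (         -- documented treatment relationships
    user_id    TEXT NOT NULL,
    patient_id TEXT NOT NULL,
    PRIMARY KEY (user_id, patient_id)
);
CREATE TABLE watchlist (         -- records under heightened review
    patient_id TEXT PRIMARY KEY,
    reason     TEXT NOT NULL
);
"""

# Constructed sample data. P-1001 is the watch-listed (high-profile) record.
ACCESS_LOG = [
    ("2008-03-01T09:00:00Z", "dr_smith", "P-1001", "read"),    # on care team
    ("2008-03-01T09:05:00Z", "dr_smith", "P-1001", "write"),
    ("2008-03-01T13:12:00Z", "clerk_22", "P-1001", "read"),    # no relationship
    ("2008-03-01T13:13:00Z", "clerk_22", "P-1001", "read"),
    ("2008-03-01T13:20:00Z", "clerk_22", "P-1002", "read"),    # no relationship
    ("2008-03-02T08:00:00Z", "nurse_07", "P-1003", "read"),    # on care team
    ("2008-03-02T08:30:00Z", "nurse_07", "P-1004", "read"),    # on care team
    ("2008-03-02T22:41:00Z", "nurse_07", "P-1005", "export"),  # no relationship
    ("2008-03-03T10:00:00Z", "clerk_22", "P-1003", "read"),    # no relationship
]
CARE_TEAM = [("dr_smith", "P-1001"), ("nurse_07", "P-1003"), ("nurse_07", "P-1004")]
WATCHLIST = [("P-1001", "high-profile patient")]


def load_sample_db():
    """In-memory SQLite database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO access_log VALUES (?,?,?,?)", ACCESS_LOG)
    conn.executemany("INSERT INTO care_team VALUES (?,?)", CARE_TEAM)
    conn.executemany("INSERT INTO watchlist VALUES (?,?)", WATCHLIST)
    return conn


def accesses_without_relationship(conn, watchlist_only=False):
    """Snooping detection: every (user, patient) pair that appears in the log
    but has no care_team row, as (user_id, patient_id, event_count, on_watchlist).

    Anti-join on care_team; watch-listed records sort first, then by volume."""
    sql = """
    SELECT a.user_id, a.patient_id, COUNT(*) AS n,
           w.patient_id IS NOT NULL AS on_watchlist
    FROM access_log a
    LEFT JOIN care_team c ON c.user_id = a.user_id AND c.patient_id = a.patient_id
    LEFT JOIN watchlist w ON w.patient_id = a.patient_id
    WHERE c.user_id IS NULL
    """
    if watchlist_only:
        sql += " AND w.patient_id IS NOT NULL"
    sql += " GROUP BY a.user_id, a.patient_id ORDER BY on_watchlist DESC, n DESC, a.user_id, a.patient_id"
    return [(u, p, n, bool(w)) for u, p, n, w in conn.execute(sql)]


def breach_scope(conn, user_id, start, end):
    """Breach scoping: distinct patients whose records `user_id` touched in
    [start, end]. This list is the notification population."""
    rows = conn.execute(
        """SELECT DISTINCT patient_id FROM access_log
           WHERE user_id = ? AND ts BETWEEN ? AND ? ORDER BY patient_id""",
        (user_id, start, end),
    )
    return [r[0] for r in rows]


def total_patients(conn):
    """Size of the population that would be notified without an audit trail."""
    return conn.execute("SELECT COUNT(DISTINCT patient_id) FROM access_log").fetchone()[0]


if __name__ == "__main__":
    db = load_sample_db()
    print("Accesses with no treatment relationship (watch-listed first):")
    for user, patient, count, vip in accesses_without_relationship(db):
        print(f"  {user:10s} {patient}  events={count}  watchlist={vip}")
    affected = breach_scope(db, "clerk_22", "2008-03-01T00:00:00Z", "2008-03-01T23:59:59Z")
    print(f"clerk_22 on 2008-03-01 touched {len(affected)} of {total_patients(db)} patients: {affected}")
```

The anti-join is the whole detection: a care-team (or similar relationship) table is what turns a raw access log into something that can distinguish a treating clinician from a curious clerk, and it is also the evidence that makes a violation "traceable to the individual". The scoping query only works if the log records every read and is protected from the accounts it monitors; an access log a DBA can edit scopes nothing.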

V. EHRs & the Future
- Focus thus far has been on the single institution
- Electronic health records & the shift to RHIOs (regional health information organizations)
- With information sharing comes information risk
- How to assure control over data you are responsible for?
- Existing audit/control systems will not be adequate for the multi-institution near future

Electronic Health Records
- Markle Connecting for Health
- Common Framework for Initiating Private and Secure Health Information Sharing
- Toolkit for implementing effective privacy and security in information sharing
- Audit/database control an essential element

The Near Future of EHRs
- Both political parties are stressing electronic health records
- "Paper kills"
- No one wants to be on the side of paper in a future that requires electronic records
- How well does your organization control:
  - its own records (core database)?
  - how records are shared with multiple other organizations?

Conclusion
- HIPAA enforcement
- Medical data breaches
- Celebrity records & publicity about your organization
- EHRs and the information-sharing future
For these reasons, audit & control must be a much more prominent feature of medical records management.

Contact Information
Professor Peter Swire
Moritzlaw.osu.edu