Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems Meade Morgan and Xen Santas Informatics Team Surveillance and Infrastructure.
Confidentiality and Security Issues in ART & MTCT Clinical Monitoring Systems
Meade Morgan and Xen Santas
Informatics Team, Surveillance and Infrastructure Development, Global AIDS Program, CDC
31 March 2004, WHO, Geneva

Definition of Terms
Confidentiality – Assuring that medical information will be used only for appropriate care and treatment of individuals and populations.
Security – The protections (policy, physical, and where appropriate, electronic) which assure that no breaches in the confidentiality of medical information will occur.

The Current Situation
Local health facilities
– Staff responsible for medical care may lack sufficient training in or understanding of the importance of maintaining confidentiality or security of medical records;
– Physical protections around records systems may be inadequate or unaffordable
    Log books are often readily accessible by unauthorized staff
    Multiple copies of potentially sensitive information exist throughout larger facilities
– Cultural norms may not sufficiently discourage inappropriate disclosure of information

The Current Situation
National programs
– Statistical data abstracted for program monitoring and improvement may contain information that inadvertently identifies individuals. This can be directly, e.g., through disclosure of patient identifiers (name, address, identification numbers such as SSN), or indirectly, by allowing for cross matching with other available data sets which contain identifiers.
– Medical data need to be shared across institutions when patients move from one provider to another, but this increases the risk of inappropriate disclosure.

Developing Recommendations
Review existing guidelines, models, tools
Define specific data/program needs
– what’s useful to share across programs, facilities, levels
– what degree of detail produces unique identifiers
Determine reasonable risk
– Likelihood of disclosure
– Likelihood of harm from disclosure
Balance competing requirements
Action steps
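The indirect-identification risk on the "National programs" slide and the question above of what degree of detail produces unique identifiers can be checked mechanically. The script below is an added example, not code from the presentation or from CDC/WHO: it applies a k-anonymity style test to constructed sample records (no names or IDs, only date of birth, sex, facility and ART start date) and shows how coarsening those fields removes records that are the only one of their kind. The district rule and the clinic-to-district mapping are hypothetical.

```python
"""Added example (not from the presentation): a k-anonymity style check for
whether records abstracted for monitoring still single out individuals.
Sample rows are constructed; they carry no names or IDs, yet a unique
combination of quasi-identifiers can be cross-matched with a clinic register."""
from collections import Counter

# Constructed sample: fields a monitoring system might abstract from an ART register.
RECORDS = [
    ("1979-03-14", "F", "Clinic A", "2003-11-02"),
    ("1977-08-21", "F", "Clinic A", "2003-12-09"),
    ("1981-07-22", "F", "Clinic A", "2004-01-12"),
    ("1975-01-30", "M", "Clinic A", "2003-12-15"),
    ("1983-09-05", "F", "Clinic B", "2004-01-20"),
    ("1984-02-17", "F", "Clinic B", "2004-02-11"),
    ("1972-05-18", "M", "Clinic B", "2003-11-30"),
    ("1974-12-01", "M", "Clinic B", "2003-10-27"),
]
FIELDS = ("dob", "sex", "facility", "art_start")

def decade(d): return d[:3] + "0s"        # 1979-03-14 -> 1970s
def year(d): return d[:4]                 # 2003-11-02 -> 2003
def district(_f): return "District 1"     # hypothetical: both clinics sit in one district

# Each release level coarsens some quasi-identifiers; fields without a rule stay as-is.
LEVELS = {
    "raw": {},
    "banded": {"dob": decade, "art_start": year},
    "district": {"dob": decade, "art_start": year, "facility": district},
}

def generalise(record, rules):
    """Apply one level's coarsening rules to a single record."""
    return tuple(rules.get(f, lambda v: v)(v) for f, v in zip(FIELDS, record))

def equivalence_classes(records, rules):
    """Count how many records share each generalised quasi-identifier combination."""
    return Counter(generalise(r, rules) for r in records)

def unique_count(records, level):
    """Records that are alone in their class (k = 1): linkable by cross-matching."""
    classes = equivalence_classes(records, LEVELS[level])
    return sum(1 for n in classes.values() if n == 1)

def min_k(records, level):
    """Smallest class size; the release is k-anonymous for this k."""
    return min(equivalence_classes(records, LEVELS[level]).values())

if __name__ == "__main__":
    for level in LEVELS:
        print(f"{level:9s} unique={unique_count(RECORDS, level)} min_k={min_k(RECORDS, level)}")
```

At the raw level every record is unique; banding dates still leaves two singletons, and only the district level reaches k = 2, which is the kind of threshold a program would fix before releasing data outside the secured area.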

Existing Guidelines
WHO guidelines?
Other diseases (TB?)
European standards?
– Human Rights Act of 1998
U.S. standards
– Public Health Act
– HIPAA (1996, Privacy rule published 2003)
– Security and Confidentiality Guidelines for HIV/AIDS Surveillance (1998)
Numerous electronic security standards (e.g., NIST, Carnegie Mellon)
– Need to pick the proper ones, but they do exist
– Many commercial solutions for electronic security exist (some at little or no cost)

Health Insurance Portability and Accountability Act
Are there relevant lessons from the U.S.?
In the U.S., HIPAA mandates strict rules on medical records
– (Electronic) information may only be shared with formal patient consent
There are two exceptions
– Public health needs
– Law enforcement/national security

Health Insurance Portability and Accountability Act
Organized around 4 overlapping categories:
Administrative procedures
Physical safeguards
Protection for data at rest
Protection for data in transit
Under the HIPAA Security Rule, health care providers are required to:
– “Ensure the confidentiality, integrity, and availability of … health information the … entity creates, receives, maintains, or transmits.”
– “Protect against any reasonably anticipated threats …”
– “Protect against any reasonably anticipated uses …”
– “Ensure compliance … by its workforce”

Excerpts from the U.S. Public Health Service Act, Section 308d (paraphrased)
“information in the system that would identify an individual is collected with a guarantee that it will be held in strict confidence.”
“information reported for statistical purposes will be sent without identifiers that might either directly or indirectly identify individuals”

U.S. Security and Confidentiality Guidelines for HIV/AIDS Surveillance
Consist of 35 requirements programs must meet (via self-certification) as a condition of continued funding
Includes various examples of how each requirement is being met by specific programs
Group neatly into three categories:
– Policy
– Physical
– Electronic

U.S. Security and Confidentiality Guidelines for HIV/AIDS Surveillance
Examples:
– Standard operational policies and procedures must be in writing.
– Information must be accessible only by individuals requiring that information for patient care, reporting, or program management
– Information must be kept inside a locked room
– Rooms must not be easily accessible by window
– Copies of information must be housed inside locked file cabinets
– Information must be de-identified if taken out of the secured area for the purpose of data analysis.
– Electronic databases must have appropriate security (password protection, encryption, etc.)

Four Models
Open Model
– Access to all systems is initially available; access to confidential or sensitive information is prohibited on a case-by-case basis
Closed Model
– Access to all systems is initially prohibited; permission to access information must be granted as requested and authorized
Broken Model
– Access to all systems is available even though prohibited
No Model

Information Needs for Public Health
Traditional surveillance
Improving program delivery – monitoring and evaluation
Resistance monitoring

Striking a Balance
Information must be accessible to provide appropriate care
Information must be protected to prevent harm to the patient

Practical Considerations
Clear understanding by health workers on what information must be kept confidential
– Written policies
– Training
– Evaluation
Clear understanding on security procedures
– Written policies
– Training
– Evaluation

Practical Considerations (continued)
Agreements on reporting requirements to the district, provincial, national, and international levels
– Current WHO indicators are at the aggregate level only and pose virtually no risk to confidentiality
– Systems (paper and electronic) that support sharing of clinical records across sites may pose a risk
    Includes systems where patients carry paper records
    Electronic databases represent an added risk

Possible Next Steps
How critical is the need to develop guidance?
Who are the relevant stakeholders?
Best methods for building consensus?
Time frame?
PEPFAR has made funding available to support activity in this area.