Privacy, Confidentiality, and Security Component 2/Unit 8b.


Privacy, Confidentiality, and Security Component 2/Unit 8b

Privacy, confidentiality, and security
Definitions
Concerns
  – Privacy
  – Security
Tools for protecting health information
HIPAA
  – Privacy Rule
  – Security Rule
  – Additions in HITECH
  – Implications
Health IT Workforce Curriculum Version 1.0/Fall Component 2/Unit 8b

Definitions
Privacy – right to keep things to yourself
Confidentiality – right to keep things about you from being disclosed to others
Security – protection of your personal information
Individually identifiable health information (IIHI) – any data that can be correlated with an individual
Personal health information – IIHI as defined by HIPAA Privacy Rule
Consent – (in context of privacy) written or verbal permission to allow use of your IIHI

Concerns about privacy
Personal privacy vs. common good
Continued disclosures
Concerns of public
De-identified data

Personal privacy vs. the common good
There is a spectrum of views
  – One end holds that while personal privacy is important, there are some instances when the common good of society outweighs it, such as in biosurveillance (Gostin, 2002; Hodge, 1999)
  – The other end holds that personal privacy trumps all other concerns (Privacy Rights Clearinghouse, 2009; see also Deborah Peel, MD, and concerns expressed in ACLU video (ACLU, 2004))
  – More balanced views? CHCF, 2008; ACP, 2009
Where do your views fit?

There continue to be patient information disclosures
Google can pick up not only patient data, but also access points to databases, which may not be well protected (Chin, 2003)
Portland, OR – thieves broke into a car with back-up disks and tapes containing records of 365,000 patients (Rojas-Burke, 2006)
Several episodes from VA, e.g., laptop with data of >1 million veterans, recovered without apparent access (Lee, 2006)
HIMSS Analytics report (2008) found aggregated data in hospitals and healthcare facilities richest source for fraud and abuse; over 1.5 million names exposed in
HITECH now requires notification of breaches of over 500 individuals under HIPAA – breachnotificationrule/postedbreaches.html

Healthcare organizations are not well-prepared for security
Deloitte, 2009
  – Data leakage is a primary threat
  – Identity and access management is a top priority
  – Trend towards outsourcing raises many third-party security concerns
  – Role of Chief Information Security Officer (CISO) has taken on greater significance
  – As security environment becomes more complex and regulation continues to grow, security budgets are not keeping pace
HIMSS, 2009
  – Healthcare organizations not keeping pace with security threats and readiness for them

Technology can worsen the problem
USB (“thumb”) drives run programs when plugged into USB port; can be modified to extract data from computer (Wright, 2007)
Personal health records based on Microsoft Access can easily have encryption compromised (Wright, 2007)
10% of hard drives sold by a second-hand retailer in Canada had remnants of personal health information (El Emam, 2007)

What is the role of governments?
In US, GAO has criticized government inaction for protecting data in its systems and developing policy (Koontz, 2007)
NCVHS recommendations
  – 26 recommendations for policy concerning health privacy for the Nationwide Health Information Network (NHIN) (Cohn, 2006)
  – Further elaborated recommendations for personal control and call for consistent and coherent policy (Cohn, 2008)
Health Information Security and Privacy Collaboration (HISPC) has assessed 42 states and territories, finding diverse approaches and laws, making nationwide approaches difficult (HHS, 2010)

Role of governments (cont.)
Nationwide Privacy and Security Framework (2008) based on principles
  – Individual access
  – Correction
  – Openness and transparency
  – Individual choice
  – Collection, use, and disclosure limitation
  – Data quality and integrity
  – Safeguards
  – Accountability
Not surprisingly, some believed it did not go far enough (Conn, 2008)
Further work has laid out approach to identifying stakeholders and eliciting consumer preferences for access and exchange of personal health data (HHS, 2009)

What do other governments do?
European Commission Directive 95/46/EC (EC, 2007)
  – Stringent rules allow data processing only with consent or in highly specific circumstances (legal obligation, public necessity)
  – Countries that implement Directive 95/46/EC provide examples for how “consent” for use of information on Nationwide Health Information Network (NHIN) may proceed in US (Pritts, 2007)

Related issues for medical privacy
Who “owns” medical information?
  – Easier to answer with paper systems, but growing view is that patients own it, which has economic implications (Hall, 2009; Rodwin, 2009)
“Compelled” disclosures (Rothstein, 2006)
  – We are often compelled to disclose information for reasons other than clinical care
The ultimate “personal identifier” may be one’s genome (McGuire, 2006)
  – Even “de-identified” data may compromise privacy (Malin, 2005)
  – Genome of family members can identify siblings (Cassa, 2008)
  – Data from genome-wide association studies can reveal individual-level information (Lumley, 2010)

The public is concerned
Harris Interactive, 2005
  – Split between saying benefits outweigh risks of EHRs (48%) vs. risks outweigh benefits (47%)
  – 70% somewhat or very concerned that sensitive health information might be leaked due to inappropriate security
  – 82% desire tools to track their own information and assert privacy rights from start
CHCF, 2005
  – 67% somewhat or very concerned about privacy of their medical records
  – 52% somewhat or very concerned that their employers might misuse their medical information
  – Consumers generally unfamiliar with HIPAA

AHIMA Health Information Bill of Rights (AHIMA, 2009)
The right to access your health information free of charge
The right to access your health information during the course of treatment
The right to expect that your health information is accurate and as complete as possible
The right for you or your personal representative(s) to know who provides, accesses, and updates your health information, except as precluded by law or regulation
The right to expect healthcare professionals and others with lawful access to your health information to be held accountable for violations of all privacy and security laws, policies, and procedures, including the sharing of user IDs and passwords
The right to expect equivalent health information privacy and security protections to be available to all healthcare consumers regardless of state or geographic boundaries or the location (jurisdiction) of where the treatment occurs
The right to the opportunity for private legal recourse in the event of a breach of one’s health information that causes harm
See also: HealthDataRights.org

So maybe “de-identified” data is more secure? Not necessarily
Sweeney, 1997; Sweeney, 2002
  – 87% of US population uniquely identified by five-digit zip code, gender, and date of birth
  – Identified William Weld, governor of Massachusetts, in health insurance database for state employees by purchasing the voter registration list for Cambridge, MA for $20 and linking zip code, gender, and date of birth to the “de-identified” medical database
Genomic data can aid re-identification in clinical research studies (Malin, 2005; Lumley, 2010)
Social security numbers can be predicted from public data (Acquisti, 2009)

How Governor Weld was re-identified
[Figure: two overlapping record types. Medical data: Ethnicity, Visit date, Diagnosis, Procedure, Medication, Charge. Fields shared by both and used for the linkage: Zip, Date of birth, Gender. Voter list: Name, Address, Date registered, Party affiliation, Date last voted.]
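The Weld linkage works only because the shared fields (zip, date of birth, gender) were unique per row in the released file. As an added example that is not part of the original slides, the Python below runs the release-time check a data steward would apply before publishing such an extract: measure k-anonymity over those quasi-identifiers on a constructed sample, then generalize ZIP to three digits and date of birth to year and re-check. All data, names and thresholds are constructed for illustration.

```python
from collections import Counter

# Quasi-identifiers: the fields the "de-identified" medical file shared with
# the public voter roll in the Weld case (ZIP code, date of birth, gender).
QUASI_IDS = ("zip", "dob", "gender")

# Constructed sample extract (not real data): names stripped, quasi-identifiers
# and one clinical field kept, as a naive "de-identification" would do.
MEDICAL_RELEASE = [
    {"zip": "02138", "dob": "1945-07-31", "gender": "M", "diagnosis": "hypertension"},
    {"zip": "02139", "dob": "1945-01-12", "gender": "M", "diagnosis": "gout"},
    {"zip": "02138", "dob": "1961-03-02", "gender": "F", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1961-03-02", "gender": "F", "diagnosis": "migraine"},
    {"zip": "02139", "dob": "1961-11-15", "gender": "F", "diagnosis": "diabetes"},
    {"zip": "02138", "dob": "1961-05-20", "gender": "F", "diagnosis": "anemia"},
]

def quasi_key(row, fields=QUASI_IDS):
    """Tuple of quasi-identifier values an outside list could be joined on."""
    return tuple(row[f] for f in fields)

def k_anonymity(rows, fields=QUASI_IDS):
    """Size of the smallest group of rows sharing identical quasi-identifiers.
    k == 1 means some row is unique on those fields and so maps to exactly one
    entry in any public list (e.g. a voter roll) carrying the same fields."""
    counts = Counter(quasi_key(r, fields) for r in rows)
    return min(counts.values()) if counts else 0

def unique_rows(rows, fields=QUASI_IDS):
    """Rows whose quasi-identifier combination occurs only once in the release."""
    counts = Counter(quasi_key(r, fields) for r in rows)
    return [r for r in rows if counts[quasi_key(r, fields)] == 1]

def generalize(row):
    """Coarsen quasi-identifiers to a 3-digit ZIP prefix and birth year only;
    gender is kept. (HIPAA's Safe Harbor list likewise drops full dates and
    ZIP digits beyond the first three.)"""
    coarse = dict(row)
    coarse["zip"] = row["zip"][:3] + "**"
    coarse["dob"] = row["dob"][:4]
    return coarse

def safe_to_release(rows, k=2):
    """Generalize, then confirm every row shares its values with k-1 others."""
    generalized = [generalize(r) for r in rows]
    return k_anonymity(generalized) >= k, generalized

if __name__ == "__main__":
    print("raw k:", k_anonymity(MEDICAL_RELEASE),
          "unique rows:", len(unique_rows(MEDICAL_RELEASE)))   # raw k: 1 unique rows: 6
    ok, coarse = safe_to_release(MEDICAL_RELEASE)
    print("generalized k:", k_anonymity(coarse), "release ok:", ok)  # generalized k: 2 release ok: True
```

On the raw extract every row is unique on the three fields, which is the Weld situation; after generalization the smallest group has two members, so no single row can be matched to one voter-roll entry.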

Concerns about security
Many points of leakage
A problem for paper too
Consequences of poor security
Medical identity theft

Flow of information in healthcare – many points to “leak”
[Figure (Rindfleisch, 1997): Direct patient care – Provider, Clinic, Hospital. Support activity – Payors, Quality reviews, Administration. “Social” uses – Insurance eligibility, Public health, Medical research. Commercial uses – Marketing, Managed care, Drug usage.]

Security for paper records is a significant problem as well
Difficult to audit trail of paper chart
Fax machines are easily accessible
Records frequently copied for many reasons
  – New providers, insurance purposes
Records abstracted for variety of purposes
  – Research
  – Quality assurance
  – Insurance fraud → Health Information Bureau (Rothfeder, 1992)

Potential consequences of poor security
Rindfleisch, 1997
  – Patients avoid healthcare
  – Patients lie
  – Providers avoid entering sensitive data
  – Providers devise work-arounds
CHCF, 2005
  – 13% of consumers admit to engaging in “privacy-protective” behaviors that might put health at risk, such as
      Asking doctor to lie about diagnosis
      Paying for a test because they did not want to submit a claim
      Avoiding seeing their regular doctor

Medical identity theft
A growing concern, emanating from general identity theft; defined as use of IIHI for obtaining access to property or services (AHIMA, 2008)
  – Victims are not only individuals but also health providers and plans, as well as society at large
  – Value of medical identity information is much higher than that of a Social Security number alone
HHS report outlines approaches to prevention, detection, and remediation (2009)