“Privacy and Security: Lessons from Non-Health Sectors” Professor Peter P. Swire Moritz College of Law The Ohio State University HIPAA Summit March 29,

Slides:



Advertisements
Similar presentations
Privacy and the Internet Professor Peter P. Swire Ohio State University National Press Foundation February 14, 2001.
Advertisements

The Chief Privacy Officer for the U.S. Government Professor Peter P. Swire Ohio State University Visiting, George Washington University Privacy Officers.
Data Breach as a Critical Infrastructure & Computer Security Issue Peter P. Swire Professor, The Ohio State University Senior Fellow, Center for American.
The Role of the Federal Government in Privacy Policy Professor Peter P. Swire The Ohio State University Center for American Progress The Privacy Symposium,
No Cop on the Beat: Underenforcement in E-Commerce and Cybercrime Peter P. Swire Ohio State University & Center for American Progress Fordham CLIP Information.
Trustwrap: The Importance of Legal Rules to E-Commerce and Internet Privacy Professor Peter P. Swire Moritz College of Law The Ohio State University Enforcing.
Privacy and Security: Lessons from Non-Health Sectors Professor Peter P. Swire Moritz College of Law The Ohio State University HIPAA Summit December 12,
Mental Health Issues & Information Sharing Professor Peter P. Swire The Ohio State University NAAG Task Force on School Safety July 5, 2007.
Reflections on the White House Privacy Office Peter P. Swire Ohio State University Center for American Progress N.C. State Privacy Day January 29, 2008.
The Strategy of Using Security to Protect Privacy Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner.
Opportunities & Dangers: Consumers and Electronic Health Records Paul Feldman, Health Privacy Project Deven McGraw, National Partnership for Women & Families.
Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
March 29, 2012 Improving Health Outcomes for Children in Foster Care: the Role of Electronic Information Exchange.
Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21,
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
Are you ready for HIPPO??? Welcome to HIPAA
1 WHAT IT MEANS FOR YOU? April Health Access is the leading voice for health care consumers in California. Founded in 1987, Health Access is the.
Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.
Can the US Meet International Privacy Standards in an Era of Personal Health Records, Consumer Scores and Watch Lists? UNSW's Cyberspace Law and Policy.
“Mortgages, Privacy, and Deidentified Data” Professor Peter Swire Ohio State University Center for American Progress Consumer Financial Protection Bureau.
Peter Swire Computing Community Consortium/CRA Workshop On Privacy By Design Berkeley February 6, 2015 Privacy by Design: More than Compliance with the.
Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.
Navigating Privacy and Security Issues for HIE: A Consumer Perspective Deven McGraw Chief Operating Officer National Partnership for Women & Families
Health Information Technology Nationwide Activities and Issues Roy H. Wyman, Jr. May 7, 2009.
HIPAA PRIVACY AND SECURITY AWARENESS.
Key Issues For Your Remaining HIPAA Compliance Time – The Health Plan Perspective Kimberly GrayKirk J. Nahra Chief Privacy OfficerWiley Rein & Fielding.
1 Health Information Security and Privacy Collaboration (HISPC) National Conference HISPC Contributions to Massachusetts HIE Privacy and Security Progress:
“How Broader Privacy Policy Issues Impact Healthcare” Professor Peter P. Swire Moritz College of Law The Ohio State University HIT Summit September 26,
How Can We Deal with Risks from the Internet: Why Privacy Legislation Is Hot Right Now Professor Peter Swire Ohio State University/Center for American.
Can We Have EHRs and Privacy Too? Dr. Alan F. Westin Professor of Public Law and Government Emeritus, Columbia University; Principal, Privacy Consulting.
Privacy and Security Laws for Health Care Organizations Presented by Robert J. Scott Scott & Scott, LLP
Update on Federal HIT Legislation Kirsten Beronio Mental Health America.
Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.
WEDI ICD-10 Update National Committee on Vital and Health Statistics Subcommittee on Standards June 10, 2014 Jim Daley, Chairman, WEDI Director, IT Risk.
HIT Policy Committee Privacy & Security Workgroup Update Deven McGraw Center for Democracy & Technology Rachel Block Office of Health Information Technology.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
Where Did HIPAA Come From? “HIPAA Then and Now” Peter Swire Georgia Tech Scheller College of Business Alston & Bird LLP IAPP-Las Vegas 2015.
The Fifth National HIPAA Summit – October 30, 2002 What to Do Now: Operational Implementation of HIPAA Privacy and Security Training Presented by: Steven.
PricewaterhouseCoopers 1 Administrative Simplification: Privacy Audioconference April 14, 2003 William R. Braithwaite, MD, PhD “Doctor HIPAA” HIPAA Today.
HIPAA THE PRIVACY RULE. 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti- depressant medications.
Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.
EHealth Progress Across the States in 2007 Results of a Survey of State Officials AcademyHealth National Health Policy Conference State Health Research.
Student Financial Assistance. Session 55-2 Session 55 Internet Privacy Laws.
Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.
Overview of ONC Report to Congress on Health Information Blocking Presented to the Health IT Policy Committee, Task Force on Clinical, Technical, Organizational,
Systems, Data and HIPAA from a Medicaid Perspective Rick Friedman, Director Division of State Systems Center for Medicare and Medicaid US Dept Health &
API Task Force Josh Mandel, Co-Chair Meg Marshall, Co-Chair December 4, 2015.
Consumer and Provider Education and Engagement Breakout Session Betsy Abramson, Wisconsin Coalition Against Domestic Violence Alison Bergum, UW Population.
1 Administrative Simplification: The Last Word National HIPAA Summit 8 Baltimore, MD March 9, 2004 William R. Braithwaite, MD, PhD “Doctor HIPAA”
Preparing to Implement HITECH A New Report from the State Alliance For E-Health Ree Sailors Kentucky e-Health Summit September 16, 2009.
AND CE-Prof, Inc. January 28, 2011 The Greater Chicago Dental Academy 1 Copyright CE-Prof, Inc
The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law
Office of the Secretary Office for Civil Rights (OCR) Enforcement and Policy Challenges in Health Information Privacy Linda Sanches HIPAA Summit Special.
“Privacy and Security: Lessons from Non-Health Sectors” Professor Peter P. Swire Moritz College of Law The Ohio State University HIT Symposium at MIT July.
CIS 170 MART Teaching Effectively/cis170mart.com FOR MORE CLASSES VISIT HCA 497 MART Inspiring Minds/hca497mart.com FOR MORE CLASSES.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill/Irwin Chapter 6 The Privacy and Security of Electronic Health Information.
School of Health Sciences Unit 4 Legal Aspects of Health Information and Health Care Statistics HI 135 Instructor: Alisa Hayes, MSA, RHIA, CCRC.
HCA 497 MART Experience Tradition /hca497mart.com FOR MORE CLASSES VISIT
Health Insurance Portability and Accountability Act of 1996
“Privacy and Security: Lessons from Non-Health Sectors”
SHARING CLINICAL DATA: Legal and Privacy Issues
Concerns of a Privacy Advocate – and How to Respond
Healthcare Privacy: The Perspective of a Privacy Advocate
manatt | phelps | phillips
Enforcement and Policy Challenges in Health Information Privacy
THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,
Objectives Describe the purposes of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 Explore how the HITECH Act.
Managing Privacy Risk in Your Commercial Practices
Presentation transcript:

“Privacy and Security: Lessons from Non-Health Sectors” Professor Peter P. Swire Moritz College of Law The Ohio State University HIPAA Summit March 29, 2007

Overview  My background  Importance of privacy & security to deployment of health IT  Two key issues, informed by non-health experiences: Preemption Preemption Enforcement Enforcement  Explain the consumer, industry, & political perspectives on these issues  Conclusion: the choice we face

Swire Background  Now law professor, based in D.C. Active in many privacy & security activities Active in many privacy & security activities Senior Fellow, Center for American Progress Senior Fellow, Center for American Progress  Chief Counselor for Privacy, U.S. Office of Management & Budget U.S. Office of Management & Budget WH coordinator, HIPAA privacy rule WH coordinator, HIPAA privacy rule Financial, Internet, government agency privacy Financial, Internet, government agency privacy National security & FISA National security & FISA Computer security Computer security

Background  Health care since 2001: Written on health privacy & security topics, at Written on health privacy & security topics, at Consulted on HIPAA implementation Consulted on HIPAA implementation Markle, Connecting for Health Markle, Connecting for Health Deidentification White Paper Deidentification White Paper

One Current Healthcare Activity  Advisor to new company, product this spring  Hedgehog - Database Security from Sentrigo  Addresses a major gap – protecting against insider misuse/access to databases  A next logical security step: Protect against database breaches caused by insiders – free download, pay for enhanced Protect against database breaches caused by insiders – free download, pay for enhanced Logical next step in HIPAA security Logical next step in HIPAA security Assures partners, such as in NHIN, of internal safeguards Assures partners, such as in NHIN, of internal safeguards

Privacy, Security & the NHIN  As public policy matter, crucial to get the benefits of data flows (electronic health records) while minimizing the risks (privacy and security)  As political matter, privacy and security are the greatest obstacles to adoption Focus group – the emergency room while out of town as the only scenario that got substantial majority to favor EHRs Focus group – the emergency room while out of town as the only scenario that got substantial majority to favor EHRs Many individuals see risks > rewards of EHRs Many individuals see risks > rewards of EHRs

Implications of Public Concern  All those who support EHRs must have good answers to the privacy and security questions that will be posed at every step  “Trust us” not likely to be a winning strategy The need for demonstrable, effective protections The need for demonstrable, effective protections The system must be strong enough to survive the inevitable data breaches & resultant bad publicity The system must be strong enough to survive the inevitable data breaches & resultant bad publicity

Preemption  Industry perspective: Benefits of data sharing high – “paper kills” Benefits of data sharing high – “paper kills” Shift to electronic clinical records is inevitable; that shift has occurred in other sectors Shift to electronic clinical records is inevitable; that shift has occurred in other sectors Can only run a national system if have a national set of rules Can only run a national system if have a national set of rules Preemption is essential – a “no brainer” Preemption is essential – a “no brainer”

Preemption: Consumer View Janlori Goldman, Health Privacy Project Janlori Goldman, Health Privacy Project A lot of state privacy laws A lot of state privacy laws HIVHIV Other STDsOther STDs Mental health (beyond psychotherapy notes)Mental health (beyond psychotherapy notes) Substance abuse & alcoholSubstance abuse & alcohol Reproductive & contraceptive care (where states vary widely in policy)Reproductive & contraceptive care (where states vary widely in policy) Public health & other state agenciesPublic health & other state agencies HIPAA simply doesn’t have provisions for these topics – if preempt, then big drop in privacy protection HIPAA simply doesn’t have provisions for these topics – if preempt, then big drop in privacy protection

Consumers & Preemption  Link of reporting and privacy HIV and other public health reporting based on privacy promises HIV and other public health reporting based on privacy promises So, objections if do reporting w/out privacy So, objections if do reporting w/out privacy  Concrete problems of multi-state? Many RHIOs have only one or a few states Many RHIOs have only one or a few states Build out from there Build out from there State laws both as “burdens” (industry) and “protections” (consumers) State laws both as “burdens” (industry) and “protections” (consumers)

Preemption & Politics  Consumer and privacy advocates see states as the engine for innovation  Current example: data breach California went first, and now Congress is trying to catch up with a uniform standard California went first, and now Congress is trying to catch up with a uniform standard  Basic political dynamic – industry gets preemption in exchange for raising standards nationally

Preemption in Other Sectors  Gramm-Leach-Bliley: no preemption But, Fair Credit 2003 does some of that But, Fair Credit 2003 does some of that  Wiretap (ECPA): no preemption  Data breach: proposed preemption  FTC unfair/deceptive enforcement: no preemption  CAN-SPAM: significant preemption  Conclusion -- variation

Key Issues in Preemption  Scope of preemption matters & can vary  One policy baseline: scope of preemption matches the scope of the federal regime If the scope is for networked health IT, then preemption about that, not entire health system If the scope is for networked health IT, then preemption about that, not entire health system  Preserve state tort and contract law?  Preserve state unfair & deceptive enforcement?  Grandfather existing state laws? Some of them?

Summary on Preemption  Strong pressures for preemption in national, networked system  If simply preempt and apply HIPAA, then have a dramatic reduction in privacy & security  This is a major & complicated policy challenge that is not likely to have a simple outcome

Enforcement  The critique here of enforcement: Critique of policies, not of the good faith of the individuals involved Critique of policies, not of the good faith of the individuals involved  The current “no enforcement” system  Key question for the NHIN: Can the current no-enforcement system be a credible basis for EHRs and the NHIN? Can the current no-enforcement system be a credible basis for EHRs and the NHIN?

The No Enforcement System  Imagine some other area of law that you care about – violations are serious.  Batting average: 0 enforcement actions for 25,000 complaints; > 4,100 violations  Enforcement policy: one free violation  Criminal enforcement: DOJ cut back scope of criminal penalties DOJ cut back scope of criminal penalties No prosecution for the > 350 criminal referrals No prosecution for the > 350 criminal referrals Not even referred back to HHS Not even referred back to HHS 4 cases brought by local federal prosecutors 4 cases brought by local federal prosecutors

Effects of No Enforcement  Signals work Surveys already showing lower efforts at HIPAA compliance and lower reported actual compliance by covered entities Surveys already showing lower efforts at HIPAA compliance and lower reported actual compliance by covered entities Contrast internal HIPAA efforts and budget (low enforcement) with compliance efforts on Medicare fraud & abuse (hi enforcement) Contrast internal HIPAA efforts and budget (low enforcement) with compliance efforts on Medicare fraud & abuse (hi enforcement)  Why should Congress and consumer groups trust compliance with HIPAA, much less with new rules for the NHIN?  GAO Report, 2007, on lack of privacy in the NHIN

Other Privacy Enforcement  Fair Credit, stored communications, video rentals, cable TV Federal plus private right of action Federal plus private right of action  Deceptive practices, CAN-SPAM, COPPA, proposed data breach Federal, plus state AG Federal, plus state AG  HIPAA as outlier, with federal-only enforcement If feds don’t do it, then have no enforcement of the HIPAA rules themselves If feds don’t do it, then have no enforcement of the HIPAA rules themselves

What We Have Learned  Within health IT debates, consensus statements often sound like this: Need preemption to do the national network Need preemption to do the national network Should not punish/enforce against covered entities, when they are struggling in good faith to implement new HIPAA mandates Should not punish/enforce against covered entities, when they are struggling in good faith to implement new HIPAA mandates Of course, privacy and security should be part of the NHIN, but likely don’t go beyond HIPAA requirements Of course, privacy and security should be part of the NHIN, but likely don’t go beyond HIPAA requirements

What We Have Learned  That trio of conclusions, based on experience in other sectors, may face serious political obstacles: Preemption is likely to be partial and require new federal standards in some areas Preemption is likely to be partial and require new federal standards in some areas The “no-enforcement system” will be hard to sustain The “no-enforcement system” will be hard to sustain New privacy/security protections quite likely will accompany new NHIN data flows New privacy/security protections quite likely will accompany new NHIN data flows

Conclusion: Your Choice  Option 1: Play Hardball Decide the costs of privacy & security are too high to be built into the NHIN Decide the costs of privacy & security are too high to be built into the NHIN Push a strategy of high preemption and low enforcement Push a strategy of high preemption and low enforcement Grudgingly give only the bare minimum on privacy/security when the political system forces it onto industry Grudgingly give only the bare minimum on privacy/security when the political system forces it onto industry

The Better Choice  Option 2: A NHIN to Be Proud Of Incorporate the key values of state laws – especially for sensitive data – into the NHIN Incorporate the key values of state laws – especially for sensitive data – into the NHIN Support reasonable enforcement, so that bad actors are deterred and good actors within covered entities get support Support reasonable enforcement, so that bad actors are deterred and good actors within covered entities get support Build privacy & security into the fabric of new systems, not just as a patch later Build privacy & security into the fabric of new systems, not just as a patch later Connecting for Health as an exampleConnecting for Health as an example

The Better Choice  With the second option – A NHIN to Be Proud Of – the patients are not treated as the political enemies The risk of political backlash is less The risk of political backlash is less The quality of the NHIN for actual patients is higher The quality of the NHIN for actual patients is higher  That, I think, should be our goal  Thank you

Contact Information  Phone: (240)   Web:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.