Presentation is loading. Please wait.

Presentation is loading. Please wait.

Policies for Information Sharing

Published by Modified over 5 years ago

Similar presentations

Presentation on theme: "Policies for Information Sharing"— Presentation transcript:

1 Policies for Information Sharing
HIT SYMPOSIUM AT MIT July 18, 2006 Marcy Wilder Hogan & Hartson LLP When you introduce yourself, please explain your relationship to Connecting for Health.

2 Overview of Connecting for Health Architecture
A sub-network organization (SNO) brings together a number of providers and other health information sources They are linked together by contract Agree to follow common policies and procedures

3 Connecting for Health: Privacy Principles
Openness and Transparency Purpose Specification and Minimization Collection Limitation Use Limitation Individual Participation and Control Data Integrity and Quality Security Safeguards and Controls Accountability and Oversight Remedies These principles are derived from fair information practices in the US and other countries that apply to information use generally, not just in a health context. We think the privacy of health information is particularly important because if it’s lost, you can’t reclaim it. Leaks of financial info can be remedied through payment, but lost privacy of health info could result in discrimination, embarrassment, or worse. Openness and Transparency – Patients should know what information about them exists, who uses it, what it’s used for, and where it’s kept. Purpose Specification and Minimization– When you collect personal information, tell patients specifically why. Collection Limitation – Collect the minimum amount of information needed, and do it in a legal way, keeping the patient informed. Use Limitation – Don’t use data for something other than the purpose specified. Individual Participation and Control -- Patients should be able to see the information about them and challenge its correctness. In response to such a challenge, data should be fixed, completed, or amended. Data Integrity and Quality -- Data needs to be accurate, complete, and current. Security Safeguards and Controls -- Use reasonable safeguards against loss, unauthorized access, destruction, use, modification, or disclosure of information. Accountability and Oversight -- Anyone who holds personal health information must be held accountable for following these information practices. Remedies -- Legal and financial remedies should exist to address security breaches or privacy violations.

4 The Privacy Principles are Interdependent
Openness Purpose Specification Remedies Accountability Collection Limitation Security Refer to “P1: The Architecture for Privacy in a Networked Health Information Environment” for a full discussion of the privacy principles and their implementation in a networked health information environment. Data Integrity Use Limitation Individual Participation and Control

5 Model Privacy Policies and Procedures
To be used in conjunction with the Model Contract for Health Information Exchange Establish baseline privacy protections – participants can follow more protective practices Based on HIPAA, although some policies offer greater privacy protections Rooted in nine privacy principles Should be customized to reflect participants’ circumstances and state laws The Model Privacy Policies and Procedures were developed to be used in conjunction with the Model Contract for Health Information Exchange. They are intended as a starting off point for an organization’s internal policies for health information exchange and give guidance for both participants in health information exchange networks and the networks themselves.. The model policies, of course, will need to be customized to reflect an organization’s circumstances and any applicable state laws. Refer to “P2: Model Privacy Policies and Procedures” for a full discussion of the Common Framework model privacy policies and procedures for implementing private and secure health information exchange.

6 Common Framework Policy Topics Addressed
Notification and consent Uses and disclosures of health information Patient access to their own information Breaches of confidential information

7 Sample Policy Documents
Sample policy language CFH Recommended policy This slide illustrates how the policy documents work together with the Model Contract. On the left is sample policy language (in this case, from “P8: Breaches of Confidential Health Information”). On the right is a page from the Model Contract discussing relevant alternative contractual provisions. From P8 – Breaches, p. 4 From M2 – Model Contract, p. 10

8 Notification and Consent
Inclusion of a person’s demographic information and the location of her medical records in the RLS raises privacy issues and issues regarding personal choice What should an institution participating in the RLS be required to do to inform patients and give them the ability to decide not to be listed in the RLS index? See “P2: Model Privacy Procedures for Health Information Exchange,” SNO Policies 200 and 300, and “P3: Notification and Consent When Using a Record Locator Service” for a full discussion on Notification and Consent and Individual Participation and Control of Information Posted to the RLS.

9 Notification and Consent
Easy to fall into trap of opt-in/opt-out debate, but question is really about enabling individual choice See “P2: Model Privacy Procedures for Health Information Exchange,” SNO Policies 200 and 300, and “P3: Notification and Consent When Using a Record Locator Service” for a full discussion on Notification and Consent and Individual Participation and Control of Information Posted to the RLS.

10 Notification and Consent: recommendations
Subcommittee recommendations are more protective of privacy than HIPAA – HIPAA is a floor but not always sufficient in this environment Patient must be given notice that institution participates in RLS and provided opportunity to remove information from index Revision of HIPAA Notice of Privacy Practices should reflect participation in RLS See “P2: Model Privacy Procedures for Health Information Exchange,” SNO Policies 200 and 300, and “P3: Notification and Consent When Using a Record Locator Service” for a full discussion on Notification and Consent and Individual Participation and Control of Information Posted to the RLS. The Subcommittee’s recommendations exceed HIPAA’s requirements by requiring an institution to disclose information related to the SNO and RLS and allowing individuals to decide whether or not to have information included in RLS An institution should revise its Notice of Privacy Practices to inform individuals about what information may be available through the SNO and RLS, who can access it, and that they may have information about them removed from the RLS An entity cannot withhold coverage or care on the basis of the individual’s choice Other Subcommittee recommendations: Information on patients of participating institutions should be included in the RLS on day one (patient names, demographics, and institution names) in order to maximize startup speed of system The ability for an Initial Inquiry Audit should be developed wherein a patient receives a notice from the SNO when his/her record has been looked up for the first time Patient access to RLS record should be enabled when technology allows secure patient authentication

11 Notification and Consent
Recommendations strike balance between burden on SNO participants, individual patient choice and control, and maximizing the benefits of a networked health information environment Encourages participation in system by engendering patient trust Separation of clinical record from locations included in the RLS add layer of privacy protection

12 Uses and Disclosures of Health Information
Networked health information environments include higher volumes of easily collected and shared health data – thereby increasing privacy risks Issues raised include proper purpose specification, collection, and use of health information

13 Uses and Disclosures of Health Information
HIPAA is a floor but not always sufficient in this environment Focus should be on proper and improper uses of health information – not on who is allowed to participate in any particular SNO

14 Uses and Disclosures of Health Information: recommendations
Integrate HIPAA permissible purpose and minimization premises Uses for treatment, payment and operations are permissible Uses for law enforcement, disaster relief, research, and public health are generally permissible Marketing and discrimination not permissible See “P2: Model Privacy Procedures for Health Information Exchange,” SNO Policy 400 for a full discussion on Uses and Disclosures of Health Information

15 Uses and Disclosures of Health Information
Recommendations require monitoring of access to health information and an ability to determine and record who has accessed health information and when. These provisions exceed those required by HIPAA.

16 Patient Access Patients have a vital interest in accessing sensitive information about their own health care Enables informed choices about who should get such information, under what circumstances Facilitates awareness of errors that the records my contain Ability to effectively access personal health information could be significantly enhanced with the use of new technologies See “P6: Patient Access to Their Own health Information” for a full discussion of issues regarding patient access in health information exchange networks.

17 Patient Access How can we facilitate patients’ access to their own health information in health information exchange networks? Involves issues of openness and transparency and individual control of health information See “P6: Patient Access to Their Own health Information” for a full discussion of issues regarding patient access in health information exchange networks.

18 Patient Access HIPAA – the baseline
Right to See, Copy, and Amend own health information Accounting for Disclosures Covered entities required to follow both Privacy Rule and related state laws Allows stronger privacy safeguards at state level

19 Patient Access As a matter of principle, patients should be able to access the RLS. Access will empower patients to be more informed and active in their care However, significant privacy and security concerns exist regarding giving patients direct access at this stage Ensuring that information is not accessed by unauthorized individuals is central to establishing privacy and security, but developing a reliable and convenient method of authentication even beyond the issue of patient access remains a significant obstacle in the field of health information exchange.

20 Patient Access: recommendations
Patient access to the information in the RLS Each SNO should have a formal process through which information in the RLS can be requested by a patient or on a patient’s behalf Participants and SNOs shall consider and work towards providing patients direct, secure access to the information about them in the RLS See “P6: Patient Access to Their Own health Information” for a full discussion of issues regarding patient access in health information exchange networks.

21 Patient Access Recommendations strike balance between current security and authentication challenges and principle that patients should have same access to their own information as health care providers do RLS could ultimately empower patients to access a reliable list of where their personal health information is stored

22 Breaches of Confidential Health Information
Networked health information environments include higher volumes of easily collected and shared health data – thereby increasing privacy risks Security experts assure us that breaches will occur in even the most secure environments

23 Breaches of Confidential Health Information
What policies should a SNO have regarding breaches of confidentiality of patient data? Involves issues of purpose specification, collection, and use of health information, accountability, and remedies Who should be notified of breaches, and when? Is breach a reason for a participant to withdraw from the SNO? Should special rules for indemnification apply in the case of a breach? See “P8: Breaches of Confidential Health Information” for a full discussion of breaches of confidential health informaiton in health information exchange networks.

24 Breaches of Confidential Health Information: recommendations
SNO should comply with HIPAA Security Rule. SNO Participants should comply with applicable federal, state, and local laws Responsibility of Participants to train personnel and enforce institutional confidentiality policies and disciplinary procedures See “P8: Breaches of Confidential Health Information” for a full discussion of breaches of confidential health informaiton in health information exchange networks.

25 Breaches of Confidential Health Information: recommendations
SNO must report any breaches and/or security incidents. SNO Participants must inform SNO of serious breaches of confidentiality Participants and SNOs should work towards system that ensures affected patients are notified in the event of a breach See “P8: Breaches of Confidential Health Information” for a full discussion of breach in health information exchange networks. Additional Subcommittee recommendations: SNO contract could include provision allowing Participant withdrawal from SNO in case of serious breach of patient data SNO contract could include indemnification provisions pertaining to breach of confidentiality of protected health information

26 Breaches of Confidential Health Information: recommendations
SNO contract could include provision allowing participant withdrawal from SNO in case of serious breach of patient data SNO contract could include indemnification provisions pertaining to breach of confidentiality of protected health information

27 Breaches of Confidential Health Information
Recommendations strike balance between levels of institutional and SNO responsibility for breaches and goal of notifying patients in the event of a breach Model language for SNO policies regarding breach is provided

28 Thank You MARCY WILDER Hogan & Hartson LLP

Download ppt "Policies for Information Sharing"

Similar presentations

Overview of the Connecting for Health Common Framework Privacy and Confidentiality Workshop eHealth Initiative and Vanderbilt Center for Better Health.

Overview of the Connecting for Health Common Framework Privacy and Confidentiality Workshop eHealth Initiative and Vanderbilt Center for Better Health.
Criteria For Approval 45 CFR 46.111 25 CFR 56.111 Minimized risks Reasonable risk/benefit ratio Equitable subject selection Informed consent process Informed.

Criteria For Approval 45 CFR CFR Minimized risks Reasonable risk/benefit ratio Equitable subject selection Informed consent process Informed.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
Identity Management In A Federated Environment Identity Protection and Management Conference Presented by Samuel P. Jenkins, Director Defense Privacy and.

Identity Management In A Federated Environment Identity Protection and Management Conference Presented by Samuel P. Jenkins, Director Defense Privacy and.
Developing Privacy and Security Standards Allen Briskin Allen Briskin

Developing Privacy and Security Standards Allen Briskin Allen Briskin
Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA 2014. The policy advocacy and regulatory work of the GSMA Mobile Money team.

Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA The policy advocacy and regulatory work of the GSMA Mobile Money team.
Informed Consent and HIPAA Tim Noe Coordinating Center.

Informed Consent and HIPAA Tim Noe Coordinating Center.
Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.

Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.
Tackling the Policy Challenges of Health Information Exchange Carol Diamond, MD, MPH Managing Director, Markle Foundation.

Tackling the Policy Challenges of Health Information Exchange Carol Diamond, MD, MPH Managing Director, Markle Foundation.
Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.

Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.
Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick.

Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick.
HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA PRIVACY AND SECURITY AWARENESS.
Privacy and Security of Protected Health Information NorthPoint Health & Wellness Center 2011.

Privacy and Security of Protected Health Information NorthPoint Health & Wellness Center 2011.
Dealing with Business Associates Business Associates Business Associates are persons or organizations that on behalf of a covered entity: –Perform any.

Dealing with Business Associates Business Associates Business Associates are persons or organizations that on behalf of a covered entity: –Perform any.
Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.

Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Ch 8 Privacy Law and HIPAA.

© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Ch 8 Privacy Law and HIPAA.

Similar presentations

Ads by Google