Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Privacy and Security Update - 5 Years After Implementation

Published byῬαμά Γκόφας Modified over 5 years ago

Similar presentations

Presentation on theme: "HIPAA Privacy and Security Update - 5 Years After Implementation"— Presentation transcript:

1 HIPAA Privacy and Security Update - 5 Years After Implementation
William R. “Bill” Braithwaite, MD, PhD Health Information Policy Consulting Washington, DC May 14, 2008

2 Timetables Privacy Security Administrative Simplification - 1994
HIPAA NPRM Final – 2000 Modification NPRM Final Final OCR Enforcement Security Administrative Simplification HIPAA NPRM -1998 Final CMS Enforcement Copyright © 2007

3 Principles of Fair Information Practice
Notice Existence and purpose of record-keeping systems must be known. Choice – information is: Collected only with knowledge and permission of subject. Used only in ways relevant to the purpose for which the data was collected. Disclosed only with permission or overriding legal authority. Access Individual right to see records and assure quality of information. accurate, complete, and timely. Security Reasonable safeguards for confidentiality, integrity, and availability of information. Enforcement Violations result in reasonable penalties and mitigation. Copyright © 2007

4 HIPAA Privacy Rule of Thumb
Don’t surprise the patient with a use or disclosure they don’t expect! (or should know to expect) Tell the patient about all uses and disclosures that are part of normal operations of the healthcare enterprise (TPO). Give the patient the opportunity to object to limited disclosures in common practice for the good of the patient. Follow procedure for a public policy exception. e.g., required reporting of contagious disease. Get explicit permission for anything else. Copyright © 2007

5 Controversial Areas Minimum Necessary Disclosure Log Consent Marketing
Enforcement Copyright © 2007

6 OCR Privacy Enforcement
Year Complaints Resolved after Review Investigated No Violation Found Corrective Action Obtained 2003 3,744 1,169 339 79 260 2004 6,534 3,372 1,392 359 1,033 2005 6,853 3,818 1,803 642 1,161 2006 7,332 4,001 2,466 895 1,571 2007 8,132 4,977 2,199 715 1,484 Totals 32,595 17,337 8,199 2,690 5,509 Copyright © 2007

7 New Privacy Issues HSA PHR HIE On-line services New Law
Banks handling PHI to pay medical expenses PHR Non Covered Entities HIE Consent granularity more than opt-in/opt-out On-line services BA chain to off-shore services Marketing banners and pop-ups New Law Federal v. State law Regulations Copyright © 2007

8 CMS Security Complaints
Total 302 as of March 2008 Open = 73 Closed with Corrective Action = 47 Closed otherwise = 182 Examples: Patient data visible to any user on a provider's appointment scheduling website A pharmacy allowed multiple employees to use a single login ID and password to access systems containing EPHI Copyright © 2007

9 Most Common Security Complaints
Information Access Management Security Awareness and Training Access Control Workstation Use Device and Media Controls Copyright © 2007

10 New Security Risks Portable devices are being stolen
Portable media must be encrypted Consider lo-jack features Single factor authentication is inadequate for remote access to sensitive information Second factor authentication is now a requirement Health information is now a target for identity theft Security must be a dynamic program responding constantly to new risks Copyright © 2007

11 Privacy Conclusions Uses and disclosures come in many flavors.
Different flavors are treated differently by HIPAA based on principles of fair information practice. HIPAA Privacy Rule intent is to protect individual privacy while allowing most current practices to continue with transparency. Most current practices are beneficial but often poorly understood by patients. HIPAA Privacy Rule is clear when applied to covered cases. Complexity of healthcare environment and diversity of desired secondary uses makes it difficult to apply simple rules. Current rule in inadequate to cover new developments in healthcare. Copyright © 2007

12 Security Conclusions Security risks are constantly changing
New and serious risks are being introduced at a very rapid rate; the unprepared are suffering. Security services, tools, and methods are constantly changing. What was impossible or too costly to implement last year is now possible and cost-effective. HIPAA Security Rule is clear. Security must include processes of risk assessment and management, repeated regularly, forever. With appropriate risk assessment, the security rule can cover the new risks without needing to be changed. Copyright © 2007

13 William R. “Bill” Braithwaite, MD, PhD
Thank you! William R. “Bill” Braithwaite, MD, PhD Washington, DC Copyright © 2007

Download ppt "HIPAA Privacy and Security Update - 5 Years After Implementation"

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC 29406 843-576-1426 Health Insurance Portability.

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.

Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA THE PRIVACY RULE Reviewed December 2012 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.

NCVHS: Privacy and Confidentiality Leslie P. Francis, Ph.D., J.D. Distinguished Professor of Law and Philosophy Alfred C. Emery Professor of Law University.
Www.oaic.gov.au Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.

Introduction to the APPs and the OAIC’s regulatory approach Presented by: Este Darin-Cooper Director, Regulation and Strategy May 2015.
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

Similar presentations

Ads by Google