Developing Privacy and Security Standards, Allen Briskin (presentation transcript)

1 Developing Privacy and Security Standards
Allen Briskin
allenbriskin@dwt.com

2 Davis Wright Tremaine LLP
Overview
What is HIE?
Legal baselines
  HIPAA
  State laws
  California HISPC findings
Privacy and security principles
How Can Lawyers Fit Into Privacy/Security Rulemaking?

3 What is HIE?
Common notion: Moving data, context and knowledge on an individual’s health from application to application, repository to repository without loss of meaning
  Requires everyone to be fully equipped to give and receive in context
Consider: health information access as an alternative
  Perhaps the most significant benefit from having access to a patient’s health records is the integrated workflow and compilation of information in meaningful ways to improve diagnosis and treatment decisions
  What’s needed for access:
    Data use / data sharing agreement
    Restricted (1-patient) quarantined portal viewer and secure method of access to the viewer
    Common method for user authentication and authorization across entity boundaries
HIE is going to take many forms in response to market demand

4 Legal Baseline: HIPAA Privacy
It’s not really about privacy, it’s about facilitating disclosure
Patient consent not required for payment, treatment, health operations
Notice of Privacy Practices
  The kitchen sink of policies
  Like drinking from a fire hose

5 Legal Baseline: HIPAA Security
The Privacy Rule sets the standards for who may have access to PHI
The Security Rule sets the standards for ensuring that only those who should have access to ePHI will actually have access
The security requirements were designed to be technology neutral and scalable

6 Legal Baseline: State laws
HISPC project discloses a crazy-quilt of state laws
Sensitive information
  HIV/AIDS
  Mental health
  Substance abuse
  Genetic testing
“my own private HIPAA”

7 Legal Baseline: California Laws
Highlights of California March 30, 2007 Report
Stakeholders have varying perceptions about the degree to which privacy laws are enforced
  A potential deterrent to exchange
  Detracts from credibility of HIE
Privacy is at risk because there are no common standards for users accessing data and non-covered entities under HIPAA

8 Legal Baseline: California Laws
Privacy rules governing some public health issues are incomplete and unclear
It is not feasible for one person to understand the complexity resulting from the convergence of laws that affect privacy and security
The complex interaction of federal and State laws and differences in stakeholders’ level of knowledge and interpretation results in restrictive sharing of information

9 Legal Baseline: California Laws
The Problem: multiple interpretations and applications of laws governing privacy and security result in different approaches to HIE
Solutions:
  Establish a legal committee to include all stakeholders and their legal counsel
  The legal committee would recommend solutions to CPSAB concerning the legal issues among federal and state laws and state law pre-emption
  Compile an index of applicable laws
  Analyze potential impacts of applying standards to all HIE participants or to all individually identifiable health information, regardless of location
Barriers include “inability to agree on core principles, goals or laws”

10 Privacy and Security Principles (Thanks to Connecting for Health)
Openness and Transparency
  There should be a general policy of openness about developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, the purpose of its use, who can access and use it, and where it resides
Purpose Specification and Minimization
  The purposes for which personal data are collected should be specified at the time of collection, and the subsequent use should be limited to those purposes or others that are specified on each occasion of change of purpose
Collection Limitation
  Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means and, where possible, with the knowledge or consent of the data subject

11 Privacy and Security Principles (Thanks to Connecting for Health)
Use Limitation
  Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified
Individual Participation and Control
  Individuals should control access to their personal information:
    Individuals should be able to obtain from each entity that controls personal health data information about whether or not the entity has data relating to them
    Individuals should have the right to:
      Have personal data relating to them communicated within a reasonable time (at an affordable charge, if any), and in a form that is readily understandable;
      Be given reasons if a request (as described above) is denied, and to be able to challenge such denial; and
      Challenge data relating to them and have it rectified, completed, or amended

12 Privacy and Security Principles (Thanks to Connecting for Health)
Data Integrity and Quality
  All personal data collected should be relevant to the purposes for which they are used and should be accurate, complete, and current
Security Safeguards and Controls
  Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure
Accountability and Oversight
  Entities in control of personal health data must be held accountable for implementing these information practices
Remedies
  Legal and financial remedies must exist to address any security breaches or privacy violations

13 Privacy Meets Security
Privacy rules protect the individual’s interest in maintaining confidentiality of and directing the use and disclosure of his/her personal health information
Security rules are to ensure only those who should have access to personal health information will have access

14 How Can Lawyers Fit Into Privacy/Security Rulemaking?
Goal: reconciling the legal baselines and the principles and removing roadblocks to create a socially accepted, legally sound set of rules
Why do we need lawyers?
  IT professionals generally do not know what lawyers do
  The laws and regs are the specifications for life and, since they are written down, they should be easy to figure out
  Tell me what’s really important?

15 Case Study – Common Framework for HIE – Model Agreement
We were hired by Connecting for Health to prepare the model
We consulted with the client to get direction on relevant precedent and general scope of the project
We prepared a draft based on legal principles and precedent
We highlighted the legal issues and provided alternatives
We vetted the document with a small group and revised to reflect their input
The policy subcommittee then vetted with a large group
We made revisions
The policy subcommittee finalized it

16 How Can Lawyers Fit Into Privacy/Security Rulemaking?
It is difficult and unproductive to address legal issues in a vacuum
It is not necessary to address all potential legal issues just in case
There needs to be a nexus between the expected policy deliverables and legal advice
Lawyers should highlight the legal issues and provide alternatives
Lawyers should assist in the initial drafting
The policymaking body should then vet the proposals
Lawyers provide advice
The policymaking body then decides what to go with

17 This is a publication of the Health Information Technology Group of Davis Wright Tremaine LLP with a purpose to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.
Copyright 2008, Davis Wright Tremaine LLP (reprints with attribution permitted)

18 Questions?
