Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Microsoft Corporation Confidential and Privileged.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Microsoft Corporation Confidential and Privileged."— Presentation transcript:

1 1 Microsoft Corporation Confidential and Privileged

2 PRIVACY REGULATION IN HEALTHCARE: WHAT WORKS, WHAT DOESN’T AND WHY

3 3 Microsoft Corporation Confidential and Privileged Privacy and security

4 Security 4

5 SECURITY ISSUES Medical ID Theft/Fraud (Brittany Spears) Outsourcing Data Breach Public Exposure

6 SECRUITY Current Protections: California AB 1298: requires companies with medical information to take steps to protect it Federal Protections: Federal Data Breach Legislation; The Trust Act (HR 5442); Health Information Privacy and Security Act (S 1814)

7 SECURITY CALIFORNIA AB 1298 State law requirements on protecting privacy/data breach expanded to include medical and health information. Covers any business that maintains medical information – specifically the data breach notification requirements apply to all entities, not just health care providers. Audit, Security Measures, Encryption, Training, Breach Response

8 SECURITY TRUST ACT, HR 5442 Requirement to establish “appropriate administrative, organizational, technical, and physical safeguards and procedures to ensure the privacy, confidentiality, security, accuracy, and integrity of personal health information” that is held or used.

9 TRUST ACT HHS to develop model guidelines for safeguards and procedures on “individual authentication, access controls, audit trails, encryption or any additional security methodology or technology other than encryption which renders data in electronic form unreadable or indecipherable, physical security, protection from remote access points and protections of external electronic communications, periodic security assessments….etc.”

10 Privacy 10

11 DATA PROTECTION ISSUES Data Use: Marketing (By who? For what?) Discrimination: Insurance; Workplace; Benefits Public Exposure Government Access

12 REGULATORY LIMBO Health Insurance Portability and Accountability Act (HIPAA) does not apply to EHR’s/PHR’s. HIPAA allows health-care providers to share your data to treat you. But, HIPAA also allows information to be shared with “business associates” – and you may not be able to say “no.” HHS – no national strategy that addresses privacy and security of medical health records.

13 PROPOSED RULES Trust Act/Health Information Privacy and Security Act Call for: Privacy Rights Includes: Consent, Notice, Access/Correction, Inspect/Copy, Breach Notification, Audit, Security

14 WHY IS THIS IMPORTANT TO GET RIGHT? Public trust is needed for adoption of HIT. 58% concerned that existing regulatory framework does not provide adequate protections. “Despite public interest (in PHR’s), security was a major consumer concern that would hinder public participation in the medium.”

15 FOCUS: NEED FOR A POLICY FRAMEWORK Authentication Access/Authorization Security Use/Disclosure Policies Secondary Use Deidentification Research/Public Health

16 Microsoft HealthVault Design Fundamentals 16 Microsoft Corporation Confidential and Privileged PRIVACYSECURITYINDUSTRY STANDARDS-BASED ECOSYSTEM Health is one of the most personal, private and emotional aspect of people’s lives. Privacy is a critical means toward improving medical outcomes, on and offline. People who know they can trust the health care system and health information technology are more likely to seek treatment and in turn, live healthier lives. The consumer is in “complete control” over their data We are the ‘trustee’ creating an environment for them to receive and store and share their information, as they see fit. We do not use the data in Microsoft® HealthVault™ for search or ads or anything – without the opt-in consent of the consumer. Complete consumer control is central to Microsoft® HealthVault™: Individuals decide who can read, write, or modify their records. The data within an individual's Microsoft® HealthVault™ remains hers and hers alone. Only when she agrees can anyone else have access to these records. This strict control model promotes widespread adoption by encouraging confidence that the system maintains privacy and confidentiality, empowering individuals to benefit from the value of their own health care information. As support: Microsoft has established stringent privacy guidelines for Microsoft® HealthVault™ and its partners – designed in consultation with consumer privacy advocates – so that consumers can be confident their personal health information will not be used for any purposes without their knowledge and consent, except where required by law. Microsoft® HealthVault™ was built from the ground up with security as one of our fundamental principles Microsoft will hold itself and its partners to the highest standards of security to safeguard consumer health information from theft, loss, or damage. We have fully leveraged the Microsoft Secure Development Lifecycle in the development of the product, and have had extensive security validation from internal and external parties, including “penetration testing” by white hat hackers. Microsoft® HealthVault™ allows users to assign and manage access rights not just for other people, but for applications they use as well. Combined with data encryption and other security measures built into Microsoft® HealthVault™, these access rules ensure that the user is always in complete control of exactly what happens with their personal information. Microsoft has a long-standing reputation around and commitment to interoperability; Microsoft supports access to our technologies and compatible designs so we can connect people and data We are enabling an ecosystem – based on existing industry standards – of applications and devices to simplify and organize consumer health Microsoft® HealthVault™ has been built as a platform that enables participation by all members of the Healthcare Ecosystem. Anyone willing to comply with consumer expectations around privacy and security can establish a relationship with consumers through the Microsoft® HealthVault™ experience. We expect and encourage cooperation and competition amongst our partners to deliver the best value to consumers. Microsoft® HealthVault™ uses XML-based data structures that have been built to be trivially transformable between all relevant standards in the industry, ensuring inbound and outbound interoperability with existing and future healthcare systems. Microsoft® HealthVault™ data types permit varied levels of internal structure, so that no important data is lost in these translations. The Microsoft® HealthVault™ API is accessible from any modern programming environment, including but not limited to Microsoft.NET, Win32, Java, PHP and more. The HealthVault ecosystem has been designed with three core fundamentals in mind: Privacy and Security, which are critical to building customer trust; and Interoperability, which is critical to gaining industry trust.

17 Microsoft core privacy principles & HealthVault 17 Microsoft Corporation Confidential and Privileged Core Privacy Principle (1) Consumer Health Privacy Commitment Accountability We expect to be held accountable for proper handling of personal information we collect, store, or with the individual’s permission, share with our vendors and partners (e.g., those offering applications that are integrated with our consumer health platform). We will take steps to hold our vendors and partners accountable for protecting such information (e.g., by revoking their access if they fail to comply with the requirements included our agreements). We will share our policies and guidelines to make it clear how we help protect individual privacy. NoticeWe will provide privacy disclosures that document, in a straight-forward manner, what personal information is collected, how that information is used, and what controls are available to the individual. Microsoft’s Corporate Privacy Group has outlined 10 company-wide privacy principles. HealthVault delivers against each of those areas while also supporting our own privacy principles

18 Microsoft core privacy principles & HealthVault, cont’d 18 Microsoft Corporation Confidential and Privileged Choice and Consent We will provide individuals with clear choices and control over how we collect, use and share their information. We will obtain the individual’s consent before we share their personal information with vendors, partners or other individuals. Access We will provide mechanisms for individuals to inquire about, review, and update personal information they provide to us. We will allow the use of designated proxies (e.g., family member, caregiver, or guardian) who will have full or partial control of an individual’s records. We will provide mechanisms for individuals to delete their records. Collection We will collect an individual’s personal information only for the purposes to which they consented. Use and Retention We will only use an individual’s personal information for the purposes we disclosed and to which the individual has agreed. We will not retain personal information longer than is necessary to fulfill the purposes for which it was collected or as required by applicable laws or regulations. Unless we receive user consent for a longer time period, we will anonymize search query data after 18 months by removing IP address and other cross-session identifiers. Disclosure or Onward Transfer We will limit our disclosure of personal information to authorized third parties and for those purposes described in our privacy notice. We will implement authentication procedures to limit access to the personal information we store. We will provide individuals with the capability to review information about who has accessed their personal information (e.g., via audit trails) and a mechanism to revoke access. QualityWe will provide individuals with the ability to determine the origin of each piece of their personal information in our records and any changes that have been made to those records.

19 Microsoft core privacy principles & HealthVault, cont’d 19 Microsoft Corporation Confidential and Privileged Enhanced Security We will implement rigorous safeguards to help protect an individual’s personal information against unauthorized access, disclosure, use, destruction or modification. We will maintain public documents that outline the technical design of our security model and will have the design reviewed by industry experts as the security of our platform is constantly enhanced. We will collaborate with industry partners to set best practices and will comply with applicable laws when responding to confirmed security breaches. Monitoring and EnforcementWe will maintain a compliance program with our privacy policies and practices, both internally (e.g., via audits) and with our vendors and partners. We will provide consumers with clear and simple processes to address inquiries, complaints and disputes.

20 20 Microsoft Corporation Confidential and Privileged

Download ppt "1 Microsoft Corporation Confidential and Privileged."

Similar presentations

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.

1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.
Confidentiality and HIPAA

Confidentiality and HIPAA
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Westbrook Technologies from Document Management’s Role in HIPAA.

Westbrook Technologies from Document Management’s Role in HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
6/1/2015MINISTRY OF ENERGY, COMMUNICATIONS AND MULTIMEDIA 1 PRESENTATION OF PERSONAL DATA PROTECTION BILL PRESENTATION OF PERSONAL DATA PROTECTION BILL.

6/1/2015MINISTRY OF ENERGY, COMMUNICATIONS AND MULTIMEDIA 1 PRESENTATION OF PERSONAL DATA PROTECTION BILL PRESENTATION OF PERSONAL DATA PROTECTION BILL.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.

ELECTRONIC MEDICAL RECORDS By Group 5 members: Kinal Patel David A. Ronca Tolulope Oke.

Similar presentations

Ads by Google