Published by Martina Powell. Modified over 9 years ago.
1
Privacy and Security Leaders as Partners in Patient-Centered Care
Presented by Samuel P. Jenkins, FACHE, Director, Defense Privacy Office
The Privacy Symposium – Summer 2007, Cambridge, MA
August 21-24, 2007
2
Agenda
- Military Health System (MHS) Background
- Patient-Centered Privacy and Security Landscape
- The Case for Privacy and Security Leaders as Partners in Patient-Centered Care
3
MHS is a leader in the healthcare industry as a government provider and payor
4
What Makes the Military Health System Unique?

| Characteristics | Description |
| --- | --- |
| Size of staff | Support staff of 132,500+ individuals (more for HIPAA training) |
| Mobile and relocating | Reach a highly mobile workforce with frequent changes in work location |
| Global locations | Serve facilities and beneficiaries stationed in many countries and the battlefield |
| Distinct Branches of Service | Integrate large organizational units with distinct business processes (Army, Navy, Air Force and Coast Guard) |
| Multiple time zones | Conduct business in almost every time zone |
| Diverse patient and employee population | Require knowledge of many diverse cultures |
| Foreign language requirements | Perform work in multiple languages |
5
Patient-Centered Privacy and Security Landscape
6
Privacy and security leaders can be powerful and effective partners in protecting patient data
"While comprehensive data do not exist, available evidence suggests that breaches of sensitive personal information have occurred frequently and under widely varying circumstances.
  – For example, more than 570 data breaches were reported in the news media from January 2005 through December 2006, according to lists maintained by private groups that track reports of breaches. These incidents varied significantly in size and occurred across a wide range of entities, including federal, state, and local government agencies; retailers; financial institutions; colleges and universities; and medical facilities.
  – The extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft."
Source: GAO-07-737, June 4, 2007
7
The potential for identity theft presents a challenge to patient confidence and adoption of EHRs and PHRs
- More dangerous than financial identity theft, medical identity theft may also harm its victims by creating false entries in their health records at hospitals, doctors' offices, pharmacies, and insurance companies
- Rising healthcare costs are driving instances of medical identity theft, in which individuals use the names and medical records of others to obtain healthcare
8
Responding consumers indicate that loss of their personal healthcare information ranks among their top five concerns
*Source: 2007 Survey on Consumer Privacy, June 2007
9
Responding consumers express most concern about potential data loss by healthcare organizations
*Source: 2007 Survey on Consumer Privacy, June 2007
10
The Department of Health and Human Services (HHS) is working to address data protection challenges
11
HHS has engaged a range of U.S. healthcare industry stakeholders to support widespread EHR/PHR adoption
12
The AHIC Confidentiality, Privacy and Security (CPS) Workgroup recommends data protection measures to HHS
- Current working hypothesis under consideration
  – All persons and entities that participate in an electronic health information exchange network, at a local, state, regional or nationwide level, through which individually identifiable electronic health information is stored, compiled, transmitted, or accessed, should be required to meet privacy and security criteria at least equivalent to relevant HIPAA requirements.
- Potential Impacts
  – The working hypothesis, if adopted, would extend the HIPAA regulations and codify requirements to business associates and other non-covered entities.
  – This may impact structure and content of Business Associate Agreements, Data Use Agreements, Memoranda of Understanding between some healthcare partners.
13
Data protection interests are appearing in federal privacy and security legislation

Key Privacy Legislation Proposed*
- Leahy-Specter Personal Data Privacy and Security Act of 2007 – S 495.IS
- Data Accountability and Trust Act – HR 958.IH
- Cyber Security Enhancement and Consumer Data Protection Act of 2007 – HR 836.IH
- Notification of Risk to Personal Data Act of 2007 – S 239.IS
- VIP Act – HR 1307.IH (applies to victims of the 2006 VA breach only)
- Prevention of Fraudulent Access to Phone Records – HR 936.IH

Data Protection Issues
- Close watch on government “databanks”
- Review underway of present laws
  – DHS, Data Privacy and Integrity Advisory Committee
  – NIST, Information Security Privacy Advisory Board
- Recent security breaches
  – Increased sense of urgency
  – Covered personal information
  – Credit file freeze rules
  – Social security numbers usage
- Trigger notification
  – Acquisition or access?
  – “Reasonable” or significant risk of identity theft?
  – Actual harm?
  – When to notify regulators?
  – When to notify individuals at risk?
- Spyware inhibiting routine business process

*As of June 2007
14
The Case for Privacy and Security Leaders as Partners in Patient-Centered Care
15
The movement from paper to electronic healthcare data is changing the landscape
- Governance issues are paramount in ensuring patient-centered privacy and security is implemented
- Roles and responsibilities and lines of authority must be clearly defined
- Policy requirements overlap privacy and security areas requiring collaboration
- Training messages can be consolidated to address both privacy and security concerns
16
The shifting threat requires privacy and security leaders to act together to prevent potential intrusions
*Source: Electronic Privacy Information Center, http://www.epic.org
17
Privacy and security leaders can partner to implement controls to protect against probable causes
Source: The Business Impact of Data Breach survey by Ponemon Institute, May 2007
18
Proactive measures must be taken to protect healthcare information from most frequent failures
Source: The Business Impact of Data Breach survey by Ponemon Institute, May 2007
19
Privacy and security professionals can combine skills and resources to address threats to healthcare data
- Most serious threat to an organization is sometimes overlooked – that is, the formal and informal organizational boundaries erected between privacy and security
- Privacy and security must work hand in hand for true compliance in healthcare settings
  – Is it reflected in policies?
  – In organizational structure?
  – In roles and responsibilities?
  – In lines of authority?
- We must strive to build partnerships and a shared vision between the privacy and security leaders – focus on protecting patient data
20
What we have learned – there are risks that must be managed
21
Thank You
- 2007 Consumer Survey on Data Security by Ponemon Institute - http://www.vontu.com/consumersurvey/
- Centers for Medicare and Medicaid Services (CMS) - http://www.cms.hhs.gov/HIPAAGenInfo/
- HHS Health IT Efforts - http://www.hhs.gov/healthit/
- HHS Office for Civil Rights (OCR) - http://www.hhs.gov/ocr/hipaa/
- TMA Privacy Office - www.tricare.osd.mil/tmaprivacy/HIPAA.cfm
- TMA Privacy Office Contact - privacymail@tma.osd.mil
- The Business Impact of Data Breach survey by Ponemon Institute - http://www.scottandscottllp.com/resources/data_breach.pdf