Presentation is loading. Please wait.

Presentation is loading. Please wait.

Davis Wright Tremaine LLP Healthcare Privacy and Security Issues in HIT, EHR and RHIO Initiatives Fifteenth National HIPAA Summit Summit Day II - December.

Published byAubrey Stanley Bruce Modified over 9 years ago

Similar presentations

Presentation on theme: "Davis Wright Tremaine LLP Healthcare Privacy and Security Issues in HIT, EHR and RHIO Initiatives Fifteenth National HIPAA Summit Summit Day II - December."— Presentation transcript:

1 Davis Wright Tremaine LLP Healthcare Privacy and Security Issues in HIT, EHR and RHIO Initiatives Fifteenth National HIPAA Summit Summit Day II - December 13 – 2:30 p.m. Gerry Hinkley gerryhinkley@dwt.com Fifteenth National HIPAA Summit Summit Day II - December 13 – 2:30 p.m. Gerry Hinkley gerryhinkley@dwt.com

2 Davis Wright Tremaine LLP Overview What’s driving public opinion? Surveys and reports Privacy principles Legal baselines HIPAA State laws On the horizon HIE policies and procedures RHIO participation agreement Implications for networks of networks What’s driving public opinion? Surveys and reports Privacy principles Legal baselines HIPAA State laws On the horizon HIE policies and procedures RHIO participation agreement Implications for networks of networks

3 Davis Wright Tremaine LLP What’s driving public opinion? May 2006: VA Disability ratings stolen along with names and Social Security numbers June 2006: CMS reports health information of 17,000 Americans whose insurance plans are provided by Humana, Inc. was at risk because of unsecured computer data September 2006: New York City's public hospital system suspends 39 employees without pay for peeking at the private medical records of 7 year old Nixzmary Brown September 2006: Medical identities of 42 Virginia Mason Clinic patients stolen and used by two employees since May 2005 May 2006: VA Disability ratings stolen along with names and Social Security numbers June 2006: CMS reports health information of 17,000 Americans whose insurance plans are provided by Humana, Inc. was at risk because of unsecured computer data September 2006: New York City's public hospital system suspends 39 employees without pay for peeking at the private medical records of 7 year old Nixzmary Brown September 2006: Medical identities of 42 Virginia Mason Clinic patients stolen and used by two employees since May 2005

4 Davis Wright Tremaine LLP What’s driving public opinion? November 2006: Richard Yaw Adjei of Bear, Delaware pleaded guilty in federal court on November 16 to aggravated identity theft and three counts of fraud for his part in a widespread criminal scheme that used information from a hospital billing service to steal the identities of more than 400 people November 2006: The personal health information of more than 200 people was discovered by TV investigators in unlocked garbage dumpsters outside Houston area Walgreens, CVS and other pharmacies March 2007: The California state Department of Health Services inadvertently revealed the names and addresses of up to 53 people living with enrolled in an AIDS drug assistance program to other enrollees by putting benefit notification letters in the wrong envelopes November 2006: Richard Yaw Adjei of Bear, Delaware pleaded guilty in federal court on November 16 to aggravated identity theft and three counts of fraud for his part in a widespread criminal scheme that used information from a hospital billing service to steal the identities of more than 400 people November 2006: The personal health information of more than 200 people was discovered by TV investigators in unlocked garbage dumpsters outside Houston area Walgreens, CVS and other pharmacies March 2007: The California state Department of Health Services inadvertently revealed the names and addresses of up to 53 people living with enrolled in an AIDS drug assistance program to other enrollees by putting benefit notification letters in the wrong envelopes

5 Davis Wright Tremaine LLP Surveys and reports September 2005: CHCF survey shows 52% of respondents concerned that employers may use health information to limit job opportunities; 61% concerned about privacy of their health information; one in four consumers is aware of recent privacy breaches September 2006: GAO survey finds almost half of all responding Medicare Advantage contractors admitted to recent breaches of privacy of health records November 2006: Medicare Advantage providers “mostly compliant” with HIPAA decreases from 91% in 2005 to 85% in 2006 April 2007: Mathematica survey finds nearly all low income racial and ethnic minority groups mistrust the security of electronic health records systems, driving them out of the system September 2005: CHCF survey shows 52% of respondents concerned that employers may use health information to limit job opportunities; 61% concerned about privacy of their health information; one in four consumers is aware of recent privacy breaches September 2006: GAO survey finds almost half of all responding Medicare Advantage contractors admitted to recent breaches of privacy of health records November 2006: Medicare Advantage providers “mostly compliant” with HIPAA decreases from 91% in 2005 to 85% in 2006 April 2007: Mathematica survey finds nearly all low income racial and ethnic minority groups mistrust the security of electronic health records systems, driving them out of the system

6 Davis Wright Tremaine LLP Privacy Principles (Thanks to Connecting for Health) Openness and Transparency There should be a general policy of openness about developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, the purpose of its use, who can access and use it, and where it resides Purpose Specification and Minimization The purposes for which personal data are collected should be specified at the time of collection, and the subsequent use should be limited to those purposes or others that are specified on each occasion of change of purpose Collection Limitation Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means and, where possible, with the knowledge or consent of the data subject Openness and Transparency There should be a general policy of openness about developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, the purpose of its use, who can access and use it, and where it resides Purpose Specification and Minimization The purposes for which personal data are collected should be specified at the time of collection, and the subsequent use should be limited to those purposes or others that are specified on each occasion of change of purpose Collection Limitation Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means and, where possible, with the knowledge or consent of the data subject

7 Davis Wright Tremaine LLP Privacy Principles (Thanks to Connecting for Health) Use Limitation Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified Individual Participation and Control Individuals should control access to their personal information: Individuals should be able to obtain from each entity that controls personal health data information about whether or not the entity has data relating to them Individuals should have the right to: Have personal data relating to them communicated within a reasonable time (at an affordable charge, if any), and in a form that is readily understandable; Be given reasons if a request (as described above) is denied, and to be able to challenge such denial; and Challenge data relating to them and have it rectified, completed, or amended Use Limitation Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified Individual Participation and Control Individuals should control access to their personal information: Individuals should be able to obtain from each entity that controls personal health data information about whether or not the entity has data relating to them Individuals should have the right to: Have personal data relating to them communicated within a reasonable time (at an affordable charge, if any), and in a form that is readily understandable; Be given reasons if a request (as described above) is denied, and to be able to challenge such denial; and Challenge data relating to them and have it rectified, completed, or amended

8 Davis Wright Tremaine LLP Privacy Principles (Thanks to Connecting for Health) Data Integrity and Quality All personal data collected should be relevant to the purposes for which they are used and should be accurate, complete, and current Security Safeguards and Controls Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure Accountability and Oversight Entities in control of personal health data must be held accountable for implementing these information practices Remedies Legal and financial remedies must exist to address any security breaches or privacy violations Data Integrity and Quality All personal data collected should be relevant to the purposes for which they are used and should be accurate, complete, and current Security Safeguards and Controls Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure Accountability and Oversight Entities in control of personal health data must be held accountable for implementing these information practices Remedies Legal and financial remedies must exist to address any security breaches or privacy violations

9 Davis Wright Tremaine LLP Legal Baseline: HIPAA It’s not about privacy, it’s about disclosure Patient consent not required for payment, treatment, health operations Notice of Privacy Practices The kitchen sink of policies Like drinking from a fire hose It’s not about privacy, it’s about disclosure Patient consent not required for payment, treatment, health operations Notice of Privacy Practices The kitchen sink of policies Like drinking from a fire hose

10 Davis Wright Tremaine LLP Legal Baseline: State laws RTI project discloses a crazy-quilt of state laws Sensitive information HIV/AIDS Mental health Substance abuse Genetic testing All health information (NY) “my own private HIPAA” RTI project discloses a crazy-quilt of state laws Sensitive information HIV/AIDS Mental health Substance abuse Genetic testing All health information (NY) “my own private HIPAA”

11 Davis Wright Tremaine LLP On the Horizon: Wired for Health Care Quality Act Operator of health information data base is a HIPAA “covered entity” Health plans, clearinghouses and providers who transmit data must notify patients of breaches Operator of health information data base is a HIPAA “covered entity” Health plans, clearinghouses and providers who transmit data must notify patients of breaches

12 Davis Wright Tremaine LLP On the Horizon: Kennedy- Leahy – "the new HIPAA" Patient’s right to Privacy of health information “Opt out” Inspect records Modify information Nondisclosure if private pay Possessors of information must implement Safeguards Risk management and control Accounting for disclosures Opt-out procedure Limited uses Labeling as “PHI” Patient’s right to Privacy of health information “Opt out” Inspect records Modify information Nondisclosure if private pay Possessors of information must implement Safeguards Risk management and control Accounting for disclosures Opt-out procedure Limited uses Labeling as “PHI”

13 Davis Wright Tremaine LLP On the Horizon: Kennedy- Leahy – "the new HIPAA" (2) Notice of privacy practices Prior to obtaining or disclosing PHI for treatment or payment or any other purpose must obtain signed authorization from patient Disclosure to next of kin, directories Overseas outsourcing scrutinized Notice of loss or corruption of data to patient Notice of breach to owner or licensee Office of Health Information Privacy Notice of privacy practices Prior to obtaining or disclosing PHI for treatment or payment or any other purpose must obtain signed authorization from patient Disclosure to next of kin, directories Overseas outsourcing scrutinized Notice of loss or corruption of data to patient Notice of breach to owner or licensee Office of Health Information Privacy

14 Davis Wright Tremaine LLP On the Horizon: Kennedy- Leahy – "the new HIPAA" (3) Criminal penalties for violations Civil sanctions for violations Private right of action Enforcement by states attorneys general Whistleblower protections No pre-emption of state laws that provide greater protections, relate to police powers HIPAA regulations to be amended to conform Criminal penalties for violations Civil sanctions for violations Private right of action Enforcement by states attorneys general Whistleblower protections No pre-emption of state laws that provide greater protections, relate to police powers HIPAA regulations to be amended to conform

15 Davis Wright Tremaine LLP On the Horizon: Independent Health Record Trust Act of 2007 IHRT: certified by FTC; standards set by FTC with input from NCVHS “Privacy”: as to PHI = control over acquisition, uses, and disclosures Affirmative consent Data entry: EHR users, participants; limitations on “sensitive information” Data access: participant specifies what is accessible; exception – law enforcement Violations: fines, imprisonment IHRT: certified by FTC; standards set by FTC with input from NCVHS “Privacy”: as to PHI = control over acquisition, uses, and disclosures Affirmative consent Data entry: EHR users, participants; limitations on “sensitive information” Data access: participant specifies what is accessible; exception – law enforcement Violations: fines, imprisonment

16 Davis Wright Tremaine LLP HIE policies and procedures: So what’s a RHIO to do? Structure emphasizing cooperation among participants RHIO in supervisory and disciplinary role Broadly representative RHIO governing body RHIO Policies promote efficient and consistent operation promote trust among participants, trust by patients/consumers and the community Contracts among participants are the glue Flexible arrangements permitting change as circumstances change, laws change and electronic HIE matures Structure emphasizing cooperation among participants RHIO in supervisory and disciplinary role Broadly representative RHIO governing body RHIO Policies promote efficient and consistent operation promote trust among participants, trust by patients/consumers and the community Contracts among participants are the glue Flexible arrangements permitting change as circumstances change, laws change and electronic HIE matures

17 Davis Wright Tremaine LLP RHIO Participation Agreement: It’s all about the contract Inputs Legal requirements RHIO policies Privacy-related subjects Patient Consent Permitted Uses of Data Prohibited Uses of Data Authorized Users Measures to Assure Privacy and Security of Data Breaches of Privacy and Security Inputs Legal requirements RHIO policies Privacy-related subjects Patient Consent Permitted Uses of Data Prohibited Uses of Data Authorized Users Measures to Assure Privacy and Security of Data Breaches of Privacy and Security

18 Davis Wright Tremaine LLP Implications for networks of networks Back to the Common Framework Patient consent commonality – a new semantic away from “opt in/opt out” Address the adequacy of technology State-level leadership A national dialogue toward federal leadership and direction In the meantime Don’t erect barriers to growth and connectivity Get on with it Back to the Common Framework Patient consent commonality – a new semantic away from “opt in/opt out” Address the adequacy of technology State-level leadership A national dialogue toward federal leadership and direction In the meantime Don’t erect barriers to growth and connectivity Get on with it

19 Davis Wright Tremaine LLP This is a publication of the Health Information Technology Group of Davis Wright Tremaine LLP with a purpose to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations. Copyright 2007, Davis Wright Tremaine LLP (reprints with attribution permitted) This is a publication of the Health Information Technology Group of Davis Wright Tremaine LLP with a purpose to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations. Copyright 2007, Davis Wright Tremaine LLP (reprints with attribution permitted)

Download ppt "Davis Wright Tremaine LLP Healthcare Privacy and Security Issues in HIT, EHR and RHIO Initiatives Fifteenth National HIPAA Summit Summit Day II - December."

Similar presentations

Davis Wright Tremaine LLP HIT Legal Issues: HIPAA Implications to a Regional Health Information Organization Becky Williams, R.N., J.D. Partner, Co-Chair,

Davis Wright Tremaine LLP HIT Legal Issues: HIPAA Implications to a Regional Health Information Organization Becky Williams, R.N., J.D. Partner, Co-Chair,
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.

HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.

CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.
Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21,

Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21,
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
Health Insurance Portability and Accountability Act (HIPAA) Presented by: APS Healthcare Southwestern PA Health Care Quality Unit (HCQU) December 2010.

Health Insurance Portability and Accountability Act (HIPAA) Presented by: APS Healthcare Southwestern PA Health Care Quality Unit (HCQU) December 2010.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA THE PRIVACY RULE Reviewed December 2012 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
March 19, 2009 Changes to HIPAA Privacy and Security Requirements Joel T. Kopperud Scott A. Sinder Rhonda M. Bolton.

March 19, 2009 Changes to HIPAA Privacy and Security Requirements Joel T. Kopperud Scott A. Sinder Rhonda M. Bolton.

Similar presentations

Ads by Google