Presentation is loading. Please wait.

Presentation is loading. Please wait.

Healthcare Privacy and Security After September 11 The HIPAA Colloquium At Harvard University August 20, 2002 Presented by: Lauren Steinfeld Privacy Consultant,

Published byByron Cobb Modified over 8 years ago

Similar presentations

Presentation on theme: "Healthcare Privacy and Security After September 11 The HIPAA Colloquium At Harvard University August 20, 2002 Presented by: Lauren Steinfeld Privacy Consultant,"— Presentation transcript:

1 Healthcare Privacy and Security After September 11 The HIPAA Colloquium At Harvard University August 20, 2002 Presented by: Lauren Steinfeld Privacy Consultant, Morrison & Foerster Chief Privacy Officer, University of Pennsylvania

2 Overview ŸRelationship between security and privacy ŸThe Healthcare Example §HIPAA in a world of changed priorities §Post 9/11 politics ŸThe USA Patriot Act Example ŸThe Homeland Security Example ŸObservations – Privacy and Security Today §More emphasis on security §Implications for privacy? ŸConcluding Thoughts

3 I. Relationship between Privacy and Security ŸPrivacy – providing individuals some level of info and control re: uses and disclosures of PII ŸSecurity – prevention of unauthorized access, use, and disclosure of PII ŸPrivacy vs. Security §Perspective of more information gathering and sharing ŸPrivacy and Security §Perspective of good security leading to good privacy and vice versa

4 II.A. The Healthcare Example – HIPAA in a World of New Priorities ŸRule issued before Sept. 11. How well does it work today? ŸConsider biological warfare – e.g. anthrax ŸConsider need to report suspicious, I.e, terrorist, activities

5 Public Health ŸSec. 512(b) fairly broad ŸPHI can be disclosed to a public health authority “authorized by law to collect or receive such information” ŸPermitted purposes include reporting disease, injury, vital events, and conduct of public health surveillance, investigations & interventions ŸDisclosure also permitted, if authorized by law, to a person exposed to or at risk for a disease

6 Public Health -- Conclusions ŸThe rule permits what needs to be disclosed, if it is “authorized by law” -- check that ŸProper data handling needed by public health agencies: §Privacy -- good practices for patient data §Security -- make sure network is protected and data cannot be tampered with

7 Reporting Suspicious Activity ŸWhat if a suspected terrorist is in the hospital? Can you report that? ŸExample: patient exposed to anthrax, and you suspect person involved in making or distributing spores

8 When Can You Report? ŸNational security exception ŸAvert serious threats to health or public safety ŸLaw enforcement rules generally

9 National Security Exception ŸSection 512(k)(2) ŸMay disclose PHI “to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities” ŸThose activities as defined in law -- what you expect as “intelligence”

10 Averting Serious Threats ŸSection 512(j) permits voluntary disclosure by a covered entity ŸGeneral emergency circumstances: §“Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public”; and §“Is to a person or persons reasonably able to prevent or lessen the threat” ŸConfessions to violent crimes §Can’t disclose where confession is made as part of therapy for propensity to commit violent conduct

11 Averting Serious Threats ŸConclusion: the rule allows disclosure to avert serious threats, including by terrorists

12 General Law Enforcement ŸSec. 512(f) generally requires “in response to law enforcement official’s request” ŸCovered entity can’t volunteer the information, except where required by a reporting law or requested by law enforcement

13 General Law Enforcement ŸCourt order, grand jury subpoena, administrative subpoena for full file ŸTo locate or identify a suspect, fugitive, material witness, or missing person: §Name, SSN, limited other information

14 Summary on Reporting Suspicious Activity ŸFor anthrax suspect: §Likely national security §May have evidence, in good faith, of imminent threat §Can respond to law enforcement requests more broadly ŸThe rule holds up better than you might have expected to this new challenge ŸBut, still limits on your disclosure to the police

15 II.B. Healthcare Politics After 9/11 ŸBush Administration preserved rules ŸRelated electronic data exchange rules were extended; privacy specifically not extended ŸMarch NPRM §Nothing changed in response to new anti- terrorism priorities §Modest changes to address paperwork burden resulted in significant front page criticism (largely unjustified)

16 III. USA PATRIOT Act ŸResponse to recognized need to update law enforcement authorities in light of Internet and other electronic communications ŸCompare: §Policy review prior to 9/11 §Law passage after 9/11

17 Policy Review Prior to 9/11 Ÿ2000 proposal had number of new law enforcement authorities, but also privacy safeguards §E-mail interceptions protected as phone interceptions §Trap & trace orders – judicial review instead of prosecutor certification ŸBipartisan approval in House Judiciary, though made more privacy protective

18 Law Passage After 9/11 ŸUSA PATRIOT Act §Proposed one week after 9/11 §Passed 10/25 §Little opportunity for public debate ŸMuch broader range of law enforcement authorities without any privacy protections (except sunset on some provisions)

19 IV. Homeland Security ŸHearings held to look at privacy implications ŸResults – House-passed bill includes: §Privacy Officer §Privacy Impact Assessments §No National ID §No “TIPS” Program

20 V. Security and Privacy Today ŸFocus on more information sharing for security reasons ŸAlso recognition of privacy and security working together towards national security goals §Protection against unauthorized access, use and disclosure §Audit trails §Tiered access – Need-to-know analysis ŸExample: ID theft

21 Concluding Thoughts ŸSecurity upgrades provide opportunities for building greater privacy protection in ŸRecognize the compatible applications of privacy and security §Privacy as a source of good security -- BNA Special Report (07/02) ŸWhere security and privacy seem at cross-purposes, one need not “win” over the other §Perform thoughtful analysis regarding accomplishing both objectives

Download ppt "Healthcare Privacy and Security After September 11 The HIPAA Colloquium At Harvard University August 20, 2002 Presented by: Lauren Steinfeld Privacy Consultant,"

Similar presentations

Security and Privacy After September 11 Professor Peter P. Swire Ohio State Law School Consultant, Morrison & Foerster Privacy & Data Security Summit.

"Security and Privacy After September 11 Professor Peter P. Swire Ohio State Law School Consultant, Morrison & Foerster Privacy & Data Security Summit.
Electronic Surveillance, Security, and Privacy Professor Peter P. Swire Ohio State University InSITes -- Carnegie Mellon February 7, 2002.

Electronic Surveillance, Security, and Privacy Professor Peter P. Swire Ohio State University InSITes -- Carnegie Mellon February 7, 2002.
Key New Surveillance Provisions Professor Peter P. Swire Ohio State University Privacy 2001 Conference October 4, 2001.

Key New Surveillance Provisions Professor Peter P. Swire Ohio State University Privacy 2001 Conference October 4, 2001.
Security and Privacy After September 11: The Healthcare Example Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP April.

"Security and Privacy After September 11: The Healthcare Example Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP April.
HIPAA and the War on Terrorism Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP HIPAA Summit West June 7, 2003.

HIPAA and the War on Terrorism Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP HIPAA Summit West June 7, 2003.
Security and Privacy After September 11: Implications for Healthcare Professor Peter P. Swire George Washington Law School Consultant, Morrison & Foerster.

"Security and Privacy After September 11: Implications for Healthcare" Professor Peter P. Swire George Washington Law School Consultant, Morrison & Foerster.
Mental Health Issues & Information Sharing Professor Peter P. Swire The Ohio State University NAAG Task Force on School Safety July 5, 2007.

Mental Health Issues & Information Sharing Professor Peter P. Swire The Ohio State University NAAG Task Force on School Safety July 5, 2007.
Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC 29406 843-576-1426 Health Insurance Portability.

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.
Responding to Subpoenas and Law Enforcement Demands for PHI: An Overview Janet A. Newberg Chair, Health Law Section Felhaber Larson Fenlon & Vogt, P.A.

Responding to Subpoenas and Law Enforcement Demands for PHI: An Overview Janet A. Newberg Chair, Health Law Section Felhaber Larson Fenlon & Vogt, P.A.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA and Public Health 2007 Epi Rapid Response Team Conference.
Anne Arundel County Fire Department

Anne Arundel County Fire Department
Confidentiality and HIPAA

Confidentiality and HIPAA
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/2009 0.

1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/
TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.

TM The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice Centers for Disease Control and Prevention Beverly A.
 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”

 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

Similar presentations

Ads by Google