HIPAA Summit West II Preconference III: Basic Training for Healthcare Privacy & Security Officers


HIPAA Summit West II

  • PRECONFERENCE III: Basic Training for Healthcare Privacy & Security Officers

Today’s Agenda

  • I. Introduction: Headlines, Paradox & Challenge

  • II. The Regulatory Landscape

  • III. Healthcare Privacy and Security

  • IV. Healthcare Privacy Beyond HIPAA

  • V. The Role of the Privacy Officer

  • VI. The Role of the Security Officer

  • VII. Privacy Trends and Technology

  • VIII. Lessons from Other Industries

  • IX. Round Table Discussion

I. Introduction

  • Privacy/Security Landscape

    • Shaped by laws and lawsuits, regulations, consumer concerns, changes in technology, and above all, human nature
    • Cannot be reduced to a short list of audit and compliance items
  • Privacy Paradox

    • Desire to be treated and respected as a person
    • Reluctance to reveal personal information
  • Security Challenge

    • To protect information while sharing it.

You Don’t Need Headlines Like These

  • Security breach: Hacker gets medical records

    • A computer break-in at the University of Washington puts the spotlight on the privacy of medical records -- January 29, 2001
  • Eli Lilly Settles FTC Security Breach Charges

    • Federal Trade Commission has settled its case with Eli Lilly & Co, the drug giant that inadvertently disclosed the personal information of 669 Prozac users to the public -- January 18, 2002
  • Medical Records Security Breach

    • A disturbing security breach at St. Joseph's Mercy Hospital in Pontiac, Michigan, left some confidential patient records accessible to the public because the system did not require users to input a password or any other security roadblock -- September 23, 1999

Hard to Claim You Weren’t Aware of This...

Stand By Your Privacy Officer?

  • Legendary country singer Tammy Wynette was admitted to Pittsburgh University Medical Center under an assumed name (1996)

  • Her medical records were sold to a newspaper [allegedly]

  • Wynette sued for privacy invasion and the paper settled

  • What did it cost in terms of reputation, jobs, legal fees, etc?

All of These Could Have Been Prevented

  • Database created by the state of Maryland in 1993 to keep the medical records of all its residents for cost containment purposes was used by state employees to sell confidential information on Medicaid recipients to health maintenance organizations (HMOs), and was accessed by a banker who employed the information to call in the loans of customers who he discovered had cancer.

  • A medical student in Colorado sold the medical records of patients to malpractice lawyers (1997)

  • A convicted child rapist working at a hospital in Newton, Massachusetts, used a former employee's computer password to access nearly 1,000 patient files to make obscene phone calls to young girls (1995)

And All Are Actionable

  • The 13-year-old daughter of a Jacksonville, Florida, hospital clerk allegedly used a computer at the hospital to print out a list of patients and telephone numbers. She then called several patients and told them that they were infected with HIV. In one case, she also told a female patient that she had had a positive pregnancy test; that patient attempted suicide.

  • A study in five Pittsburgh hospitals found that doctors routinely discuss confidential patient information in elevators, even when other people are present (1995).

  • In the not too distant future, incidents like these will be punishable offences under HIPAA,

    • But they are also actionable right now
    • And at no time are they acceptable

What Would The Reaction Be Today?

  • 1996: Florida state health department worker used a list of 4,000 HIV positive people to screen dates. List was forwarded to two newspapers (note: this was not a junior clerk but a veteran HRS employee with three master's degrees)

  • “Chicago hospital will pay fines of $161,000 resulting from claims of unauthorized duplication of software. The hospital apparently did not have an effective information security program for the protection of proprietary software.” 1997

  • Physicians at Harvard Community Health Plan routinely put psychiatric notes into computerized medical records, which were accessible to many of the HMO's employees. 1995

Security Challenge and Privacy Paradox

  • Security Challenge: Organizations must respect and protect privacy wishes of individuals, but security is accustomed to serving the organization, protecting its secrets

  • E.g. when we studied security risks for a large health care company in 1996, security was 100% organizationally focused, protecting money and assets

  • But a personal privacy breach can cost far more than any other form of security breach

  • Privacy Paradox: People want personal attention but are reluctant to share personal data

The Privacy Paradox

  • In many situations, people want a personalized experience

  • But they are reluctant to divulge personal information

  • In healthcare, professionals need very accurate and very personal information, in order to provide care

  • But they may not get it, for a variety of reasons

  • Throughout society, any gathering of data today is likely to cause privacy concerns to surface

  • A result of adopting information technology faster than we can think about the implications.

  • Which means society as a whole still has a lot more questions than answers – which adds to the challenge

Some Consequences of Privacy Paradox

  • People buy less online, people lie more

  • People urge politicians to do something

  • 67% of consumers had not made two or more purchases in the past six months primarily due to privacy reasons. (IDC)

  • 67% of users admit providing false information (Forrester)

  • This is a problem for companies AND consumers

  • And healthcare is no exception

Example: Healthcare

  • One in five American adults believe that a health care provider, insurance plan, government agency, or employer has improperly disclosed personal medical information. Half of these people say it resulted in personal embarrassment or harm.

    • Health Privacy Project 1999, California HealthCare Foundation, national poll, January 1999

The Fear is Real, With Adverse Effects

  • In a recent survey of Fortune 500 companies, only 38% responded that they do not use or disclose employee health information for employment decisions.

  • (Report prepared for Rep. Henry A. Waxman by Minority Staff Special Investigations Division Committee on Government Reform, U.S. House of Representatives April 6, 2000)

Privacy-protective Behaviors & Effect

  • Behaviors

    • Asking a doctor not to write down certain health information or to record a less serious or embarrassing condition
    • Giving inaccurate or incomplete information
    • Paying out-of-pocket
    • Doctor-hopping
    • Avoiding care altogether
  • Effects

    • Patient risks undetected and untreated conditions;
    • Doctor’s ability to diagnose and treat patients is jeopardized without access to complete and accurate information; and
    • Future treatment may be compromised if the doctor misrepresents patient information so as to encourage disclosure.

So What is Personal Information?

  • According to the Federal Trade Commission (FTC), any of the following:

    • Full name
    • Physical address
    • E-mail address
    • Social Security Number
    • Telephone number
    • A screen name revealing an e-mail address
    • A persistent identifier, such as a number held in a cookie, which is combined with personal information
    • Any information tied to personal information -- age, gender, hobbies, preferences, etc.

Personally Identifiable Information

  • Information that relates to an individual who can be identified, directly or indirectly, from the data, particularly by reference to an identification number or aspects of his or her physical, mental, economic, cultural, or social identity.

Privacy Concerns Are Far-Reaching

  • Out of a list of eight policy issues, 56% of adults responded that they are “very concerned” about a loss of personal privacy.

  • The category came in second out of the eight, beating out such topics as healthcare, crime and taxes.

    • Harris Poll, October 2000
  • Healthcare impacts are not confined to care; many areas of medical research are also negatively impacted

Privacy Should Be A Concern

  • FTC Report to Congress – May 2000

    • Virtually every commercial Web site collects personal information
    • Only 20% implement all four fair information practice principles
      • Notice, Choice, Access and Security
  • October 2001 – FTC “Pro-Privacy Agenda”

  • December 2001 – FTC “assumes” web privacy policies apply across the enterprise

Recap on Why Privacy Is Important Today

  • The issue of privacy could be a decisive factor in the success of the “New Economy”

    • Consumers getting vocal and press coverage spreading (KGAB)
    • U.S. Congress and 50 statehouses are responding with a patchwork of privacy, anti-spam and cybercrime bills
  • Organizations of all kinds are struggling with issues

    • Unable to comply or track the evolving multitude of laws, regulations and best practices
  • People of all kinds are struggling with issues

    • One reason this is so hard? We don’t know what to think (for an example, check out today’s privacy scenarios, CO-DMV)
  • Consumer trust and confidence with respect to privacy are essential for the adoption and use of interactive technologies, which fuel many areas of the economy, from pharmacies to disease management

Not Just Our Opinion

  • To survive mounting consumer anxiety and the growing labyrinth of US and foreign regulation, firms need to institutionalize their commitment to protecting and managing their customers’ privacy by taking a comprehensive, whole-view approach to privacy.

  • Anyone today who thinks the privacy issue has peaked is greatly mistaken. As with environmentalism [in the 60s] we are in the early stages of a sweeping change in attitudes that will fuel years of political battles and put once-routine business practices under the microscope.

    • Forrester Report, February 2001

II. The Regulatory Landscape

  • There are healthcare specific laws, such as HIPAA and the Common Rule

  • But these exist in the context of a wider framework of regulation

  • Including

    • State Laws (these are many and varied)
    • Foreign Laws
  • Many are based on core tenets of Fair Information Practices (FTC)

    • General & Industry Specific
    • Privacy of Children (COPPA)
    • Privacy of Financial Information (Gramm-Leach-Bliley)
    • Privacy of Medical Information (HIPAA)

Framework of Laws

  • Tenets of Fair Information Practices, 1973 Health, Education and Welfare report to Congress:

    • Notice: Disclosure of information practices
    • Choice: Opt-in or Opt-out of information practices
    • Access: Reasonable access to profile information
    • Security: Reasonable security for data collected
    • Enforcement/Redress: Must be a way to enforce these and respond to complaints

Over 30 Federal Laws Affect Privacy

  • 1. Administrative Procedure Act. (5 U.S.C. §§ 551, 554-558)

  • 2. Cable Communications Policy Act (47 U.S.C. § 551)

  • 3. Census Confidentiality Statute (13 U.S.C. § 9)

  • 4. Children’s Online Privacy Protection Act of 1998 (15 U.S.C. §§ 6501 et seq., 16 C.F.R. § 312)

  • 5. Communications Assistance for Law Enforcement (47 U.S.C. § 1001)

  • 6. Computer Security Act (40 U.S.C. § 1441)

  • 7. Criminal Justice Information Systems (42 U.S.C. § 3789g)

  • 8. Customer Proprietary Network Information (47 U.S.C. § 222)

  • 9. Driver’s Privacy Protection Act (18 U.S.C. § 2721)

  • 10. Drug and Alcoholism Abuse Confidentiality Statutes (21 U.S.C. § 1175; 42 U.S.C. § 290dd-3)

  • 11. Electronic Communications Privacy Act (18 U.S.C. § 2701, et seq.)

  • 12. Electronic Funds Transfer Act (15 U.S.C. § 1693, 1693m)

  • 13. Employee Polygraph Protection Act (29 U.S.C. § 2001, et seq.)

  • 14. Employee Retirement Income Security Act (29 U.S.C. § 1025)

  • 15. Equal Credit Opportunity Act (15 U.S.C. § 1691, et. seq.)

  • 16. Equal Employment Opportunity Act (42 U.S.C. § 2000e, et seq.)

  • 17. Fair Credit Billing Act (15 U.S.C. § 1666)

  • 18. Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.)

  • 19. Fair Debt Collection Practices Act (15 U.S.C. § 1692 et seq.)

  • 20. Fair Housing Statute (42 U.S.C. §§ 3604, 3605)

  • 21. Family Educational Rights and Privacy Act (20 U.S.C. § 1232g)

  • 22. Freedom of Information Act (5 U.S.C. § 552) (FOIA)

  • 23. Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801 et seq)

  • 24. Health Insurance Portability and Accountability Act (Pub. Law No. 104-191 §§262,264: 45 C.F.R. §§ 160-164)

  • 25. Health Research Data Statute (42 U.S.C. § 242m)

  • 26. Mail Privacy Statute (39 U.S.C. § 3623)

  • 27. Paperwork Reduction Act of 1980 (44 U.S.C. § 3501, et seq.)

  • 28. Privacy Act (5 U.S.C. § 552a)

  • 29. Privacy Protection Act (42 U.S.C. § 2000aa)

  • 30. Right to Financial Privacy Act (12 U.S.C. § 3401, et seq.)

  • 31. Tax Reform Act (26 U.S.C. §§ 6103, 6108, 7609)

  • 32. Telephone Consumer Protection Act (47 U.S.C. § 227)

  • 33. Video Privacy Protection Act (18 U.S.C. § 2710)

  • 34. Wiretap Statutes (18 U.S.C. § 2510, et seq.; 47 U.S.C. § 605)


  • Title V - Privacy Act, Pub. L. 106-102 includes two subtitles:

    • Subtitle A - Disclosure of Nonpublic Personal Information; and
    • Subtitle B - Fraudulent Access to Financial Information.
