Home Health Care Technologies, Issues, and Policies

Privacy and Security

J. Michael Fitzmaurice, Ph.D.
IEEE-USA Medical Technology Policy Committee & Agency for Healthcare Policy and Research
Department of Health and Human Services

November 9, 2000

Fitzmaurice--2

Agency for Healthcare Quality and Research (AHRQ)

1) Support improvements in health outcomes

2) Strengthen quality measurement and improvement

3) Identify strategies to:
- Improve access
- Foster appropriate use
- Reduce unnecessary expenditures

Fitzmaurice--3

National Privacy Laws

EU Privacy Directive

Canada

Other countries

US
– No national law protecting the privacy of personal health information!
– 34/50 states have privacy laws—diverse
– State of Maine: No flowers; no friends; no priests, ministers

Fitzmaurice--4

Agenda

Personal Health Information

HIPAA: Privacy and Security

Implications for Telehealth

Fitzmaurice--5

Personal Information (PI)

How is PI used today?

What do people think of the privacy of their PI?

What are they willing to trade in exchange for giving up some PI?

Fitzmaurice--6

Who has and uses your PI?

Credit card companies
Grocery stores
Catalogue companies
Banks
Insurers
Hospitals
HMOs

Fitzmaurice--7

What do consumers want?

Consumers like personalized marketing (IBM study--6 of 10 do)

But, they want
– Prior notification
– Chance to opt out

May even pay $50 for 5 pseudonyms (Freedom by Zero Knowledge) to avoid recognition or recontact

Fitzmaurice--8

No national consensus exists

So a piecemeal approach is adopted

Fitzmaurice--9

HIPAA

Health Insurance Portability and Accountability Act of 1996--Administrative Simplification
– Transactions & Codes
– Identifiers
– Privacy (Confidentiality)
– Security

NCVHS report on PMRI
– The case for clinical health data standards

Fitzmaurice--10

Who’s Covered? Covered Entities

Health care providers
All health plans
All health care clearinghouses

Authority is not comprehensive
– Regs do not apply to employers, life insurers, researchers, and others.

Fitzmaurice--11

PRIVACY

Fitzmaurice--12

What’s Covered

Only Protected Health Info is Covered

Not Covered
– Information maintained solely non-electronically (e.g., on paper)
– Information generated by entities not covered (e.g., employers or schools)

Fitzmaurice--13

General Rule

Must have individual authorization to use or disclose PHI

Except as explicitly permitted by the regulation, including:
– Treatment, Payment and Operations
– National priorities (about 13)

With specified restrictions by type of activity

Fitzmaurice--14

National Priorities

Covered entities may disclose protected health information without individual authorization only for:
– Oversight
– Required by law
– Public health
– Emergencies
– Research
– Law enforcement
– Judicial and administrative proceedings
– Others

Fitzmaurice--15

Individual Rights

Right to written notice of information practices from health plans and providers

Right to inspect and copy their protected health information

Right to request amendment or correction

Right to an accounting of disclosures for purposes other than treatment, payment, or health care operations

Fitzmaurice--17

Minimum Necessary Rule

CE must restrict information to minimum amount necessary to accomplish the purpose.

De-identify the data--eliminate 19 variables/or use statistical expertise--to escape HIPAA coverage

Fitzmaurice--18

Treatment, Payment, and Operations

Individuals may ask for restrictions on use and disclosure for these purposes.

Providers do not have to agree.

Fitzmaurice--19

Disclosure Requirements

NO disclosure is required by this rule, except:
– disclosure to the subject individual, and
– certain disclosures for the purposes of enforcement.

Uses and disclosures permitted by this rule are only permitted, not required.

Includes no authority to refuse a disclosure mandated by other law.

Information remains protected for two years after death.

Fitzmaurice--20

Business Associate Approach

Receives PHI to perform a function of the covered entity

Covered entity is responsible for actions of Business Associate per required contract

Fitzmaurice--21

SECURITY

Fitzmaurice--22

What’s Covered by Security?

Only Electronic Data Systems are Covered
– Systems used to maintain or transmit health information [electronically]

Not Covered by NPRM
– Systems used to maintain or transmit health information non-electronically (e.g., on paper)

Fitzmaurice--23

Security Requirements

Covered Entities shall maintain reasonable and appropriate administrative, technical, and physical safeguards --
– to ensure integrity and confidentiality
– to protect against reasonably anticipated threats or hazards to security or integrity, and against unauthorized uses or disclosures
– to ensure compliance by officers and employees

Fitzmaurice--24

Key Security Philosophy

Identify & assess risks/threats to:
– Availability
– Integrity
– Confidentiality

Take steps to reduce risk

Fitzmaurice--25

Security Standards

Data Confidentiality, Integrity, and Availability
– Administrative Policies and Procedures
  Certification, contingency planning, security management process, training, assigned responsibility ...
– Physical Plant Safeguards
  Media controls, physical access controls, workstation security and use guidelines ...
– Technical Security Services
  Encryption, authentication, audit controls ...

Fitzmaurice--26

Security Standards (2)

Data Transmitted Over a Communications Network
– Technical Security Mechanisms
  Integrity controls, event alarms, encryption ...

Electronic Signature Requirements--later
– Authentication, non-alterability, binding …
– Message Integrity, Non Repudiation, User Authentication
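The electronic signature properties listed on this slide (message integrity, non-alterability, binding of the signature to a user, non-repudiation and user authentication) can be shown concretely. The Go program below is an added example; it is not part of the original slide deck and not code from AHRQ, HHS or IEEE-USA. It uses Ed25519 signatures from the Go standard library and assumes a simple registry (the `trusted` map) that binds each user name to one public key, standing in for whatever enrolment process an organization would actually run. The user names and the home-visit note are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds one user's Ed25519 key pair. The private key stays with the
// user; the public key is what a verifier binds to that user's identity.
type Signer struct {
	User string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair for a named user. How the public key
// gets bound to the user (registration, enrolment) is outside this example.
func NewSigner(user string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{User: user, pub: pub, priv: priv}, nil
}

// SignedRecord is a message together with its signature, the claimed signer
// and the public key the signer says should verify it.
type SignedRecord struct {
	User      string
	Message   []byte
	Signature []byte
	PublicKey ed25519.PublicKey
}

// Sign signs the message with the user's private key.
func (s *Signer) Sign(msg []byte) SignedRecord {
	return SignedRecord{
		User:      s.User,
		Message:   msg,
		Signature: ed25519.Sign(s.priv, msg),
		PublicKey: s.pub,
	}
}

// Verify checks the record against a registry of trusted public keys.
// Integrity / non-alterability: any change to Message invalidates Signature.
// Binding / user authentication: the key in the record must be the one
// registered for the claimed user, so a valid signature under someone else's
// key is rejected even if the User field is forged.
// Non-repudiation: only the holder of the registered private key could have
// produced a signature that verifies under that public key.
func Verify(rec SignedRecord, trusted map[string]ed25519.PublicKey) bool {
	registered, ok := trusted[rec.User]
	if !ok || !registered.Equal(rec.PublicKey) {
		return false
	}
	return ed25519.Verify(registered, rec.Message, rec.Signature)
}

// Demo exercises three cases and reports whether each behaved as required:
// an untouched record verifies, an altered record is rejected, and a record
// signed by a different user but labelled with the first user's name is rejected.
func Demo() (validOK, alteredRejected, forgedRejected bool, err error) {
	nurse, err := NewSigner("home-care-nurse")
	if err != nil {
		return
	}
	other, err := NewSigner("billing-contractor")
	if err != nil {
		return
	}
	// Constructed registry and sample visit note (not real data).
	trusted := map[string]ed25519.PublicKey{nurse.User: nurse.pub, other.User: other.pub}
	note := []byte("2000-11-09 home visit: BP 128/82, medications reviewed")

	rec := nurse.Sign(note)
	validOK = Verify(rec, trusted)

	altered := rec // struct copy; Message is replaced, not modified in place
	altered.Message = []byte("2000-11-09 home visit: BP 128/82, medications changed")
	alteredRejected = !Verify(altered, trusted)

	forged := other.Sign(note)
	forged.User = nurse.User // claims to be the nurse but carries the contractor's key
	forgedRejected = !Verify(forged, trusted)
	return
}

func main() {
	v, a, f, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v\naltered rejected: %v\nforged signer rejected: %v\n", v, a, f)
}
```

The registry lookup is what turns a bare signature check into user authentication: without it, a verifier would accept any record whose embedded public key matches its signature, which proves only that someone signed it, not that the named user did.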

Fitzmaurice--27

Penalties

Security
– $100 for each violation
– Maximum of $25,000 for each standard violated

Privacy
– For wrongful disclosure, malicious intent, commercial gain
– Fines: up to $250,000
– Jail: Up to 10 years in prison

Fitzmaurice--28

Implications for Telehealth

Transmission and storage of PHI
– Security--integrity, risk protected
– Accessible for patient care

Patient access to PHI from the provider
– Video tapes, images, notes, medical record

Business associates
– Chain of trust agreements
– Bound to HIPAA by your contract with them

Hold harmless clause

Fitzmaurice--29

Implications

Sensitive areas
– Mental health consultations--protected
– Heart
– Cancer
– STDs

State laws
– Maine--kept flowers and friends away

Fitzmaurice--30

Implications

Security costs
– Risk assessment
– Education and training
– Extend to business associates and their employees

Fitzmaurice--31

Implications

HIPAA may lead to additional confidentiality and security for PHI collected away from the provider’s office or institution
– Costs
– Benefits

Patients’ confidence will increase
– Their information will be more secure

Fitzmaurice--32

It’s the right thing to do:

Promotes efficiency
Safeguards confidentiality
Promotes uniformity
Gives individuals
– Information
– Choices
– Protection

Fitzmaurice--33

HIPAA Security and Privacy

It is the price of a ticket into the 21st century benefits of information technology for health
