Healthcare Data Privacy & Security Real World Enforcement and Why Confusion Reigns Supreme Dec. 10, 2007 Dennis Melamed Editor/Publisher Health Information.
Healthcare Data Privacy & Security: Real World Enforcement and Why Confusion Reigns Supreme. Dec. 10, 2007
Dennis Melamed
Editor/Publisher
Health Information Privacy/Security Alert
dmelamed@melamedia.com
www.melamedia.com
Dec. 10, 2007 Melamedia, LLC © 2007 2
Why Has It Been So Difficult?
The Privacy Rule Governs the Most Common
Conversation We Have as Human Beings
Aunt Bee's busybody best friend, Clara Edwards
Key Moments in the History of HIPAA Privacy Rule
August 1996. HIPAA Becomes The Law…
August 1999. Congress Fails to Enact Legislation. Newt Gingrich Allows Bill Clinton To Write the Privacy Rule
Abortion, State’s Rights, Minor’s Right to Privacy (Meaning Abortion) Stall Senate Action. House Never Really Got Off the Dime
Everyone Now Convinced That There Is No Medical Privacy Protection
The Long & Winded Road
Key Moments in the History of HIPAA Privacy Rule
Nov. 3, 1999. HHS Issues 600-page Proposal Generating Thousands of Comments. Comment Period Extended Another 45 Days.
Dec. 28, 2000. HHS Issues 500,000 Words In Rule and Accompanying Explanations.
March 27, 2002. HHS Issues 7,000-word modification requiring 93,000 words of explanation
Aug. 14, 2002. Second Final Rule Issued. CMS Punts on Claims Attachment Standard
The Long & Winded Road, Part 2
100s of Kinks In The Winded Road
A Lot of People Believed Congress in the 1990s When It Said There Was Uneven Or No Medical Privacy Protection
The States Go On A Rampage: NAIC and State Legislatures
HIPAA
Gramm-Leach-Bliley
Indiana Jones & The Lost Laws
Now That We’ve Straightened That Out, Let’s Preempt State Law
IOM Report on Medical Errors Prompts New Federal Effort To Create Electronic Health Records
HIPAA Doesn’t Count
CMS Continues to Punt on Claims Attachment Standard
Let’s Play “Pretend HIPAA…”
Efforts to Create EHRs, EMRs (or whatever you want to call them) Gather Steam
Oops. State Laws Pose Obstacles on Privacy and Security
Let’s Create A New Record Called a Personal Health Record
The Berlin Wall Came Down, But We’re Still Manning The Silos
EHR/EMR Proponents Continue to Ignore HIPAA
CMS Continues to Punt on Claims Attachment Standard
CMS Comes Out in July With New Policy To Pay For Some Clinical Trial Services for Medicare Beneficiaries.
To Recuperate
Congress Fails To Act on HIPAA
States Act on Medical Privacy
Feds Move on Electronic Records
Personal Health Records Appear
The Future Looks Now More Mysterious and Unknowable. But We Know It Won’t Be Orderly And We Know We Will Continue To Muddle Through
Trends in Medical Privacy Enforcement
OCR
CMS
FTC
State Courts
Federal Courts
OCR Enforcement Trends
Complaints from April 14, 2003 through 10/31/07
Total Complaints: 31,194
Complaints Investigated: 7,882
Investigations Resulting In Changed Behavior: 5,299
Investigations In Which There Was No Violation: 2,583
Most Common Privacy Complaints
Issues Most Commonly Investigated:
Impermissible Uses And Disclosures Of Protected Health Data
Lack Of Safeguards Of Protected Health Information
Lack Of Patient Access To Their Protected Health Information
Uses Or Disclosures Of More Than The Minimum Necessary Protected Health Information
Lack Of Or Invalid Authorizations For Uses And Disclosures Of Protected Health Information
Most Common Covered Entities Required To Take Corrective Action:
Private Practices
General Hospitals
Outpatient Facilities
Health Plans (Group Health Plans And Health Insurance Issuers)
Pharmacies
What Happens To OCR Complaints? Or My Son Is on The 7-Year Plan at College
No Civil Penalties
More Than 415 Criminal Referrals To Department Of Justice
More Than 216 Referrals To CMS
CMS Enforcement Trends (We could use a few consultants)
Questions Over Technical Expertise
Questions Over Any Capability Given OESS Budget
Most Common Security Complaints And Outcomes
Information Access Management
Security Awareness And Training
Access Controls
No Civil Penalties
No Data on Referrals
CMS Hires PWC
FTC: We Don’t Do HIPAA, But…
FCRA
Consumer Protection
State Courts: Where the Action Is
State Courts Rarely Invoke HIPAA. They Have Their Own Laws… Remember? They Even Have Constitutions.
When Courts Do Invoke HIPAA, The Issue Typically Revolves Around Technical Legal Issues that Invoke Latin Words like ex parte
Judges Actually Insist on Relevancy
Federal Courts Not Very Active
No Way for Patients to Sue Under HIPAA
Gyrations Needed to Invoke HIPAA Even on Employees of Covered Entities
One Caution on Definition of Individual
A Word on De-Identification
HIPAA Was One Of The First Attempts To Make A Person Functionally Invisible – At Least On Paper… Or In A Computer Database
HHS should issue guidance on the specific threshold of statistical de-identification that ensures information is rendered not individually identifiable.
HHS should define allowable uses of HIPAA de-identified data, and provide guidance to covered entities regarding what uses of HIPAA de-identified data are not permitted without authorization by the individual so that covered entities may be guided in development of their business associate contracts.
NCVHS Draft Recommendations 10/21/07
The Forecast
Partly Cloudy Followed by More Clouds Coming In from the South, North, East and West
Temperatures Rising