Information Security and Privacy: HIPAA's Potential Impact
Gordon J. Apple, Attorney at Law, Law Office of Gordon J. Apple, St. Paul, MN
Lee Olson, Information Security Officer, Mayo Foundation, Rochester, MN

Program Objectives
Overview of data security/privacy issues
Review of HIPAA security standards
Review of HIPAA privacy standards
Facing HIPAA challenges

Existing Data Protection Requirements
State law
Federal law
JCAHO
Conditions of Participation
Professional codes

New HIPAA Requirements
Standards for electronic transactions and code sets
National standard health care provider identifier
National standard employer identifier
Security and electronic signature standards

New HIPAA Requirements (cont'd)
Standards for privacy of individually identifiable health information
National standard for health claims attachment
National standard identifiers for health plans

I. Overview of Data Security and Privacy Issues

Privacy
"The right to privacy is an integral part of our humanity; one has a public persona, exposed and active, and a private persona, guarded and preserved. The heart of our liberty is choosing which parts of our lives shall become public and which parts we shall hold close."
Minnesota Supreme Court, 582 N.W.2d 231 (1998)

The Power of Anecdotes

Data Mining
Develop clinical pathways to improve patient care
Develop drug formularies
Develop marketing opportunities?

CVS Case
Pharmacy records
Alleged misuse
PR firestorm
Class action litigation

"It is only slightly facetious to say that digital information lasts forever - or five years, whichever comes first."
Jeff Rothenberg, Scientific American, Jan. 1995

Geek Speak
Firewall
Hacker
Bandwidth
Router
Port Probes
TTP

Geek Speak II
CA
PKI
PKE
LAN
ISP

Wetware

II. General Review of HIPAA Security Standards

Security
"The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within."
Three aspects to consider:
– confidentiality
– integrity
– availability
Applies to any health plan, provider or clearinghouse that electronically maintains or transmits any individually identifiable health information, internally or externally

Security is risk management

Risk Management Process
Quantify assets, risks and threats
– a mix of the objective and the subjective
– need not be complicated
Who will collect and analyze the data?
– Information Security Officer's role
– Stewards' and Administrators' roles

Pitfalls to Avoid
Overanalyzing the requirements and process
– Leads to corporate constipation
– Academics need to put on their operational hats
Garbage in, garbage out
– Must understand the goal and process
– Effective communication and buy-in essential
Don't sweat the details... for now
– Use a top-down approach, not Band-Aids

Develop Implementation Plan
Strategy must address both administrative and technical levels
– coordinate with e-commerce
– awareness and education
– initiate process changes
– modify systems and applications
– replace systems and applications
Final rule may necessitate minor course changes

Sources
Minnesota Health Data Institute
http://zen.mhdi.org/
North Carolina Healthcare Information and Communication Alliance
http://www.nchica.org/
Massachusetts Health Data Consortium
http://www.mahealthdata.org
Workgroup for Electronic Data Interchange
http://www.wedi.org
HIPAAlert news briefs published by Phoenix Health Systems, Inc.
http://hipaalert.com

III. General Review of HIPAA Privacy Standards

Covered Entities
Health plans
Health care providers who transmit PHI in electronic form in connection with standard transactions
Health care clearinghouses
Short list indirectly expanded through business partner requirements

HIPAA Data
Health information
Individually identifiable health information
Protected health information (PHI)

Protected Health Information
Individually identifiable health information that is or has been electronically transmitted or electronically maintained by a covered entity, and includes such information in any other form (e.g., a printout of electronic data)
45 CFR 164.504

Uses and Disclosures of Protected Health Information
To carry out treatment, payment or health care operations
With patient consent
No consent, but for public health, health oversight, judicial/administrative proceedings, coroners/MEs, law enforcement, ...
45 CFR 164.510

Uses and Disclosures Requiring Patient Consent
Requests by patient
Requests by CEs re: marketing, fundraising, employers for employment determinations, non-health related divisions of the CE, ...
45 CFR 164.508

Fair Information Practices
Series of individual rights
General rule on disclosure
– "Minimum necessary"

Minimum Necessary
To meet the purpose of the use or disclosure
To limit access only to those people who need access to the information to accomplish the use or disclosure

Notice of Information Practices
An individual has a right to adequate notice of the policies and procedures of a covered entity that is a health plan or a health care provider with respect to protected health information
45 CFR 164.512

Access of Individuals to Protected Health Information
Right of access includes access to PHI held by:
– Health plan
– Health care provider
– Business partner, if records are not a duplicate
Access as long as records are maintained
45 CFR 164.514

Accounting for Disclosures of Protected Health Information
Right to full accounting of disclosures from CEs, except for treatment, payment and health care operations and for certain disclosures to health oversight or law enforcement agencies
Right of accounting also applies to business partners
45 CFR 164.515

Right to Request Amendment or Correction
Requests will have to be either accepted or rejected within 60 days
Rejections will require an explanation in plain language
Patients can still file a statement of disagreement, for the record