Post on 07-Jan-2016
“Emerging Privacy and Security Issues for Healthcare”
Professor Peter P. Swire
The Ohio State University
Center for American Progress
Sentrigo Webinar
July 16, 2008
Overview
• My background
• Enforcement for medical privacy & security
• Trends after 2008
• The increased importance of data breach legislation
• Celebrity records & protecting against insiders
• EHRs, PHRs, and distributed computing for health care
• Theme – growing importance of audit & control
I. My Background
Currently:
• Professor of Law, Ohio State University
• Senior Fellow, Center for American Progress
• I live in the DC area
• “Privacy Year in Review” distributed to all members of International Association of Privacy Professionals
• “Information Privacy” – official book for Certified Information Privacy Professional
• www.peterswire.net
Chief Counselor for Privacy
• Office of Management & Budget, 1999 to early 2001
• White House coordinator for 1999 proposed & 2000 final HIPAA medical privacy rule
• Fall, 1999 – proposed rule
• 53,000 public comments
• December, 2000 – final rule
• 2002 – revised final rule
• 2003 – compliance went into effect
Chief Counselor for Privacy
• Many other privacy topics (can be raised in question period, if there is interest)
• GLB financial privacy law & rule
• Chair, White House Working Group on how to update wiretap & surveillance laws
• U.S. government’s own compliance with privacy laws
• Encryption policy
• Computer security & privacy (FIDNet)
Health Care since 2001
• Advisory board for Sentrigo, health care & database protection
• HIPAA implementation, with Morrison & Foerster, LLP
• Markle Connecting for Health advisor
• Frequent speaker & author on computer security & medical privacy
I. Enforcement
A slow start to HIPAA privacy and security enforcement
• Explicit HHS announcement in first year that the goal was “corrective action” rather than punishment
• “One free violation” – HHS regulation says no civil monetary penalties for first violation
• Criminal statute narrowly interpreted – only the institution & not the individual
Shift in Enforcement?
• Stronger enforcement statements from HHS – “you’ve had time to comply”
• Stricter corrective action – 18% of complaints now result in changes in policies and procedures
• Criminal enforcement – new interpretation says employees can be prosecuted
• State suits that treat HIPAA as minimum standard of care
The Numbers on Enforcement
• 36,000 complaints since 2003
• 844 complaints in May, 2008
• 9,548 complaints led to investigation
• 6,392 of those led to corrective action
• 435 cases referred to Dept. of Justice for criminal investigation
• General trend – enforcers expect more than they used to
Most Common Investigations
• Impermissible uses and disclosures of protected health information (PHI);
• Lack of safeguards of PHI;
• Lack of patient access to their PHI;
• Uses or disclosures of more than the Minimum Necessary PHI; and
• Lack of or invalid authorizations for uses and disclosures of protected health information.
Poll: Has an institution you have worked with had privacy or security complaints to HHS under HIPAA?
1. Yes, 2 or more
2. Yes, 1 that I know of
3. None
4. Don’t know
What Could Change in 2009?
Because of press & Hill concern about lack of enforcement, some possibilities:
• Civil monetary penalties more quickly
• More criminal enforcement
• Greater staff/budget for enforcement
• Increased audits, as CMS has begun under the HIPAA security rule (hired PWC)
II. State Data Breach Laws
• California data breach law in 2003
• Focus was on identity theft, such as loss of Social Security number or bank account number
• Medical breaches usually not covered, except for loss of SSNs
• Notice to individuals whose data was compromised
Data Breach Laws Spread
• Today, over 40 states have data breach laws
• Push for federal law, but stalled
• ChoicePoint, Veterans’ Administration, and other large breaches listed at www.privacyrights.org
• Over 233 million notices sent 2005-2008
Medical Data Breach
• New “trigger” for data breach notification
• California strikes again, effective Jan. 2008
• Notification required if unauthorized access to unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses
• Also for health insurance information
What Does That Mean to You?
• Minnesota & Rhode Island now have medical records trigger
• Trend quite possibly will continue
• A survey in 2006 by Phoenix Health Systems showed that 39 percent of health care providers and 33 percent of insurers reported security incidents in the previous six months
• Many health care organizations could face costly breach & notice requirements
III. A Special Form of Breach
UCLA fires workers for snooping in Spears files
‘It’s very disappointing,’ says hospital’s human resources director
L.A. Times, March 16, 2008
Farrah Fawcett
UCLA staffer passed Farrah Fawcett’s medical records to National Enquirer
April 2, 2008
Meanwhile, in New Jersey …
“Turns out a lot more people than George Clooney and his girlfriend were hurt by the Hollywood hunk's motorcycle accident last month.”
N.Y. Daily News, Oct. 10, 2007
The Clooney Files
“As many as 40 doctors and other employees at the Palisades Medical Center in North Bergen, N.J., got suspensions for allegedly leaking confidential medical information about the couple”
Worse Than Just Losing Your Job
Lawanda Jackson indicted for criminal HIPAA violations, for allegedly receiving $4600 from the National Enquirer for 33 disclosures in 2006-07; checks were written to her husband
Poll: Has an institution you have worked with had disclosures of records about a well-known individual?
1. Yes, 2 or more
2. Yes, 1 that I know of
3. Don’t know
4. None (and I’m glad we don’t treat movie stars)
IV. Importance of Audit/Control
Let’s examine topics thus far:
• HIPAA enforcement climbing, perhaps rapidly
• Medical data breach laws emerging
• Celebrity records creating a big stir
Common theme: the importance of having better control over your organization’s medical records database
Insider Abuse
• Computer security experts generally say that a large majority of incidents come from insiders, not outside hackers
• The challenge: how to detect, deter, and punish unauthorized insider access to records
• The central importance of audit and controls over access/egress for databases
Advantages of Database Control
• For celebrity records, send the clear message that violations will become known and traceable to the individual
• For data breaches:
• Ensure good practices to reduce likelihood of breaches
• Pinpoint the extent of breach, so notices go to the 100 affected persons, and not the 1,000 or 10,000 who might otherwise have to receive notice
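The two uses of database audit logs described in the Insider Abuse and Advantages of Database Control slides (tracing a snooping access to the individual, and pinpointing which patients a breach actually touched) can be shown concretely. The Python below is an added example, not code from the slides or from Sentrigo; it assumes a constructed audit-log format of one line per record access (timestamp, user, role, patient, action separated by "|"), a constructed care-team table of documented treatment relationships, and a constructed list of flagged patient records. All sample data is invented for illustration.

```python
"""Audit-log triage for a medical records database (added example).

Assumed, constructed log format: one access per line,
    timestamp|user_id|user_role|patient_id|action
"""
from datetime import datetime

# Constructed sample audit log for a hypothetical hospital database.
SAMPLE_LOG = """\
2008-03-10T08:02:11|u1001|physician|P-5521|read
2008-03-10T08:05:43|u1001|physician|P-7780|read
2008-03-10T09:14:02|u2044|billing|P-5521|read
2008-03-10T09:15:30|u2044|billing|P-9003|export
2008-03-10T09:16:01|u2044|billing|P-9004|export
2008-03-10T10:30:00|u3090|admin|P-5521|read
2008-03-10T11:00:00|u3090|admin|P-5521|read
2008-03-11T02:13:55|u2044|billing|P-9005|export
"""

# Constructed: documented care relationships, user -> patients they may access.
CARE_TEAM = {
    "u1001": {"P-5521", "P-7780"},
    "u2044": {"P-9003", "P-9004", "P-9005"},
}

# Constructed: records flagged for heightened monitoring (e.g. a well-known patient).
FLAGGED_PATIENTS = {"P-5521"}


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, role, patient, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def find_snooping(events, care_team, flagged):
    """Accesses to flagged records by users with no documented care relationship.

    Each hit names the user, so the violation is traceable to the individual.
    """
    hits = []
    for e in events:
        allowed = care_team.get(e["user"], set())
        if e["patient"] in flagged and e["patient"] not in allowed:
            hits.append((e["user"], e["patient"], e["ts"].isoformat()))
    return hits


def find_off_hours_exports(events, start_hour=7, end_hour=19):
    """Bulk-egress signal: 'export' actions outside the assumed working hours."""
    return [(e["user"], e["patient"], e["ts"].isoformat())
            for e in events
            if e["action"] == "export"
            and not (start_hour <= e["ts"].hour < end_hour)]


def scope_breach(events, user, start_iso, end_iso):
    """Distinct patients touched by `user` in [start, end]: the people owed notice.

    Without per-access audit records the only safe answer is 'every patient'.
    """
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return sorted({e["patient"] for e in events
                   if e["user"] == user and start <= e["ts"] <= end})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("snooping on flagged records:", find_snooping(evs, CARE_TEAM, FLAGGED_PATIENTS))
    print("off-hours exports:", find_off_hours_exports(evs))
    print("patients owed notice if u2044 was compromised on 2008-03-10:",
          scope_breach(evs, "u2044", "2008-03-10T00:00:00", "2008-03-10T23:59:59"))
```

Run as a script it flags the billing and admin users who opened the flagged record without a care relationship, the 02:13 export as an off-hours egress, and narrows a compromised-account breach on 10 March to three patients instead of the whole database. The care-team table is the piece most real deployments lack; without it, "who was allowed to look" cannot be answered and every access to a flagged record has to be reviewed by hand.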
V. EHRs & the Future
• Focus thus far has been on the single institution
• Electronic health records & the shift to RHIOs (regional health information organizations)
• With information sharing comes information risk
• How to assure control over data you are responsible for?
• Existing audit/control systems will not be adequate for the multi-institution near future
Electronic Health Records
• Markle Connecting for Health, www.markle.org
• “Common Framework for Initiating Private and Secure Health Information Sharing”
• Toolkit for implementing effective privacy and security in information sharing
• Audit/database control an essential element
The Near Future of EHRs
• Both political parties are stressing electronic health records
• “Paper kills”
• No one wants to be on the side of paper in a future that requires electronic records
• How well does your organization control:
• Its own records (core database)?
• How records are shared with multiple other organizations?
Conclusion
• HIPAA enforcement
• Medical data breaches
• Celebrity records & publicity about your organization
• EHRs and the information-sharing future
• For these reasons, audit & control must be a much more prominent feature of medical records management
Contact Information
Professor Peter Swire
www.peterswire.net
www.americanprogress.org
Moritzlaw.osu.edu