Christy Navarro, M.S., CIPP/US. Using a case study example:

Transcription

1 Christy Navarro, M.S., CIPP/US Using a case study example: Understand key privacy and data security components to be integrated into any health information exchange initiatives Learn important privacy and security exposure points 2

2 Framework can be expanded for other uses of data such as: comparative effectiveness research (CER) additional data elements payment purposes and healthcare operations de-identified data sets or limited data sets Sharing across state lines 3 legal obligations for the Health Information Exchange security risk assessments determine requirements for patient consent and authorizations identify key triggers for new requirements for the HIE or participants policy structure governance contractual templates 4

3 5 Institutional Policies Federal Law (HIPAA) State Law Fair Information Practices Principles 6

4 Individual Access Correction Openness and Transparency Individual Choice Collection, Use, Disclosure Limitation Integrity Accountability Safeguards 7 Privacy Rule Security Rule Enforcement 8

5 Security Firewall Defense Data Loss Prevention (DLP) Security Information Event Management Privacy Broader Notice/Consent Openness Relevance Content Limits Shared by Both Accuracy/Integrity Access Availability Accountability The Privacy Engineer s Manifesto pg Participant Policies Preemption Most Access to Patient Most Protection to the Data Understanding Breach Notification Responsibilities Business Associate (the HIE) Participants (Providers) 10

6 11 Structured Breast Cancer Data in HIE environment Breast cancer common female Cancers in California 26,300 California women are diagnosed each year identified as a high impact condition for California Health equality (CHeQ) Proof of concept to exchange Cancer Continuity of Care Document (CaCCD) 12

7 Patients and providers support health IT initiatives but both are concerned about privacy and security of medical information (Markel, 2011) Two-thirds of consumers believe that privacy concerns should not stop forward movement of health IT initiatives (Markel, 2011). Average cost of Data Breach 2 million over a two year period* 72% of respondents say they are only somewhat confident or not confident in the security and privacy of patient data shared on HIE s.* * 2014 Ponemon Report on Patient Privacy & Data Security 13 project INSPIRE Goal To improve the acquisition and exchange of patient data in high impact conditions in order to support care coordination practice improvement and longitudinal disease registries INPSIRE will be demonstrated with breast cancer as the first high impact condition INSPIRE INteroperability to Support Practice Improvement, Disease REgistries, and Care Coordination 14

8 Assist Institute for Population Health Improvement by developing a privacy and security road map for CheQ s Project INSPIRE Identify applicable laws and requirements associated with privacy and security Make recommendations on best practice and policy framework to meet the requirements of law Address fair information practice principles Apply practical approach that is scalable and can be used again 15 legal obligations for the HIE and known participants requirements for patient consent and authorizations identify key triggers for new requirements for the HIE or participants policy structure, governance and contractual templates 16

9 modeled after a privacy and security framework for a multistate comparative effectiveness research The Office of National Coordinator for Health Information Technology s Nationwide Privacy and Security Framework for Electronic Exchange of Information Base on Fair Information Practice Principles (FIPP s) allows future Use Cases as the HIE grows and expands its capabilities and offerings recognizes work already done in the area of privacy and data security for California HIE 17 18

10 Model Agreements for the HIE to initiate participation Policy framework Privacy Matrix Security Matrix 19 Privacy Matrix - ONC s Nationwide Privacy and Security Framework for HIE Individual Access Correction Openness and Transparency Individual Choice Collection, Use, Disclosure Limitation Integrity Accountability (Security Matrix) Safeguards (Security Matrix) 20

11 ONC Nationwide Privacy California Privacy and Security Guidelines/California Law and Federal Law and Security Framework for Electronic Exchange of IIHI (ONC, 2008) 1. Individual Access Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a reliable form and format Individual Access CalPSAB Principles provide individuals have the right to: Ascertain the person responsible for IIHI for an entity, obtain confirmation of whether the entity has specific IIHI relating to the individual and obtain its location. Receive their IIHI in a reasonable time and manner, at a reasonable charge, and in a format that is generally accessible*. Challenge the accuracy of their IIHI and, if successful, to have the IIHI corrected, completed, or amended. Control access, use, or disclosure of their IIHI unless otherwise specified by law or regulations. CalPSAB Privacy and Security Guidelines Sec. 2.4: ACCESS TO INFORMATION BY THE INDIVIDUAL AND OTHERS [Note that this principle applies only to designated record sets; an individual s right of access would depend on whether it was part of a designated record set.] An individual or his/her personal representative has the right to access his/her designated record set that is in the custody or under the control of the entity. An entity shall establish a process to receive all requests for access to individual health information. References: CMIA CA Civil Code Section 56.07; Health and Safety Code Section a- c.45 CFR (a) (e) Access to PHI. *45 CFR (c)(2)(ii) if maintained electronically and the individual requests electronic access the CE must provide the PHI in the electronic format requested by the patient. 21 Security Requirements Administrative Controls Security Requirements Business Continuity & Contingency Planning Security Requirements Facility and Equipment Controls Security Requirements Data Protection and User Access Controls 22

12 Security Advisory Board Guideline Guideline vs. HIPAA Significant Differences HIPAA Referenced Citations Security Guidelines/HIPAA Security Rule Crosswalk Guidelines vs. HIPAA Significant Referenced Citations Security Guideline Policy Differences Security Requirements Administrative Controls 5.1 Information Security (Organization & Responsibility) - An entity shall identify the entity s primary security official who is responsible for implementation and compliance to these guidelines. Such official shall be identified in such a way that anyone who might have a security issue or concern may contact that person. [45 C.F.R (a)(2)] This guideline clarifies the HIPAA standard by making the designation of the primary security official more transparent to individuals who may have a security issue. Standard: Assigned security responsibility Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. [45 C.F.R (a)(2)] 23 HIE s Policy Requirements by Use Case Introduction and Overview Systems and Services Participants Authorized Users Security of Patient Data Privacy of Patient Data Exchange of Patient Data Technology HIO Operations Fees Insurance To be used in conjunction with the Model Modular Participation Agreement. Citations refer back to MMPA section that should align with these policies and procedures. 24

13 Agreements Authentication of Users Patient Consent Specialized Types of Information Auditing and Monitoring Policy Development Privacy & Security Officer Collaboration CaCCD Requirements (accepting all segments) 25 Use what is publically available Take a Use Case Approach Consider patient trust & fair information practice principles Privacy and data security integrated into governance structure Budget for ongoing privacy and security resources Transparency and patient focused communications about privacy and security Security Risk Assessments & Privacy Impact Assessments (upfront and when changes occur) 26

14 27 Maturity models for technical, legal and ethical controls (day-to-day business) Using Innovative Approaches to Detect Unauthorized Access Statistical machine learning to detect suspicious activity real time Accountable Care like flags for behavior Cultivating trust among providers and patients is and ongoing effort 28

15 Consent supports Transparency Paper Forms to Participate in HIE? Is it meaningful? Is it efficient? Integrity issues Patient separately consents for EVERY provider to participate. Benefits include convenience, more informed and engaged patients, improved comprehension Strategic advantage for HIO s/hie s to offer consent management as part of services. Make this patient centric and meaningful 29 HIV, mental health, substance abuse often have special protections in law Patients ages are not allowed to have access to the patient portal Consequence is exclusion of the data or patient type from HIE conversation because of lack of controls designed into the technology More work to do. 30

16 Office of the National Coordinator for Health Information Technology, Governance Framework for Trusted Electronic Health Information Exchange (May 3, 2013), Model Modular Participation Agreement found on California Office of Health Information Integrity website The Markle Common Framework for Private and Secure Information Exchange Information Privacy in the Evolving Healthcare Environment Koontz HIMSS purchase required 2014 Ponemon Report on Patient Privacy & Data Security Registration is required. The Privacy Engineer s Manifesto Dennedy, Fox and Finneran purchase required. 31 Christy Navarro, CIPP/US, M.S Fair Oaks Blvd. #195 Sacramento, CA Cell: Office: cnavarro@navarroprivacy.com Website: navarroprivacy.com 32

17 33