PRIVACY AND E-HEALTH INNOVATION. By: Sharona Hoffman



Similar documents
HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA and Mental Health Privacy:

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security Rule Compliance

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

Introduction to HIPAA Privacy

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

Data Breach, Electronic Health Records and Healthcare Reform

Huseman Health Law Group 3733 University Blvd. West, Suite 305-A Jacksonville, Florida Telephone (904) Facsimile (904)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

My Docs Online HIPAA Compliance

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

Overview of the HIPAA Security Rule

The Basics of HIPAA Privacy and Security and HITECH

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

HIPAA Security Alert

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

The HIPAA Audit Program

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Security Compliance, Vendor Questions, a Word on Encryption

District of Columbia Health Information Exchange Policy and Procedure Manual

Implementing Privacy and Security Standards In Electronic Health Information Exchange

BUSINESS ASSOCIATE AGREEMENT

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

When HHS Calls, Will Your Plan Be HIPAA Compliant?

Getting Hip to the HIPAA and HITECH Act Compliance

Joseph Suchocki HIPAA Compliance 2015

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Patient Privacy and Security. Presented by, Jeffery Daigrepont

New HIPAA regulations require action. Are you in compliance?

HIPAA Compliance Guide

Why Lawyers? Why Now?

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

2016 OCR AUDIT E-BOOK

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

Strategies for Electronic Exchange of Substance Abuse Treatment Records

HIPAA PRIVACY AND SECURITY AWARENESS

Bridging the HIPAA/HITECH Compliance Gap

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

SECURITY RISK ASSESSMENT SUMMARY

HIPAA and HITECH Compliance for Cloud Applications

Easing the Burden of Healthcare Compliance

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July Tex Med. 2012;108(7):33-37.

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

White Paper #6. Privacy and Security

Healthcare Compliance Solutions

HIPAA Compliance Annual Mandatory Education

HIPAA PRIVACY OVERVIEW

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Strategies for Electronic Exchange of Mental Health Records

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

Health Information Privacy Refresher Training. March 2013

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

HIPAA Security COMPLIANCE Checklist For Employers

Security Is Everyone s Concern:

This questionnaire is designed for the consumer to test their knowledge of electronic health records.

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Meaningful Use and Security Risk Analysis

A Technical Template for HIPAA Security Compliance

The Practical Guide to HIPAA Privacy and Security Compliance

M E M O R A N D U M. Definitions

AUDITING TECHNIQUES TO ASSESS FRAUD RISKS IN ELECTRONIC HEALTH RECORDS

Implications of HIPAA Requirements on Healthcare Payment Processing

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information

ADVANCE DIRECTIVE VOLUME 18 FALL 2008 PAGES The Benefits and Limitations of Electronic Medical Files. Robert Ybarra *

ARKANSAS OFFICE OF HEALTH INFORMATION TECHNOLOGY (OHIT) PRIVACY POLICIES

HIPAA Compliance Issues and Mobile App Design

Joe Dylewski President, ATMP Solutions

Compliance Challenges. Ali Pabrai, MSEE, CISSP (ISSMP, ISSAP) Member, FBI InfraGard. Increased Audits & On-site Investigations

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

HIPAA 101. March 18, 2015 Webinar

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA Compliance and the Protection of Patient Health Information

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Developing HIPAA Security Compliance. Trish Lugtu CPHIMS, CHP, CHSS Health IT Consultant

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

Healthcare Compliance Solutions

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

REFERENCE 5. White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry

Transcription:

PRIVACY AND E-HEALTH INNOVATION By: Sharona Hoffman INTRODUCTION The practice of medicine in the United States is undergoing a transformation. Traditional paper medical files are being replaced by electronic health record (EHR) systems. The federal government has allocated 27 billion dollars over ten years to assist health care providers with the purchase and adoption of health information technology. 1 The computerization of medical information has raised significant concerns about privacy. Electronic records may be vulnerable to inappropriate disclosure through hacking, stolen laptops, employee mistakes, or intentional malice. 2 This short thought piece analyzes the privacy concerns that are particular to health information and the mechanisms by which the government and industry have addressed them. It argues that a focus on privacy is essential to our successful transition to digitized medicine because without it, patients may resent and distrust EHRs. In addition, appropriate technological responses to privacy concerns can, as a side effect, enhance the overall safety and quality of EHR systems. At the same time, however, I caution against radical approaches to privacy protection that might prevent clinicians, researchers, and patients from enjoying the full benefits of health information technology. THE NEED FOR EHR PRIVACY PROTECTION Privacy safeguards are vital in the medical arena because individuals health records contain personal and sensitive information that might be of interest to a large number of parties. 3 Employers wish to hire healthy workers who will not have productivity and absenteeism problems or submit costly medical claims for reimbursement. Various types of insurers (e.g. life, disability, long-term care) want to find clients who are low-risk and whose premium payments will exceed claims. Lenders are interested in borrowers who can work and earn sufficiently to pay off their loans. Advertisers and marketers hope to influence doctors prescribing decisions and patients medical purchasing choices. Political operators may hope to use health information to disqualify or embarrass candidates, and blackmailers or other criminals may seek financial Professor of Law and Bioethics, Co Director of Law Medicine Center, Case Western Reserve University School of Law; B.A., Wellesley College; J.D., Harvard Law School; LL.M. in Health Law, University of Houston. 1 David Blumenthal & Marilyn Tavenner, The Meaningful Use Regulation for Electronic Health Records, 363 N. ENGL. J. MED. 501, 501 (2010). 2 See Robert Pear, tighter Medical Privacy Rules Sought, N.Y. TIMES, August 22, 2010 (discussing a number of recent privacy breaches). 3 See Sharona Hoffman & Andy Podgurski, In Sickness, Health, and Cyberspace: Protecting the Security of Electronic Private Health Information, 48 B.C. L. REV. 331, 334 35 (2007). 1

gain through its possession and use. These few examples illustrate the potential value of personal health data to parties outside the clinician-patient relationship. 4 THE INTERDEPENDENCE OF PRIVACY SAFEGUARDS AND INNOVATION Without comprehensive security safeguards to protect patient privacy, the transition to EHR systems may well fail. Patients must believe that use of health information technology is in their best interest and buy into the mammoth effort to transform the practice of medicine through digitization. Any well-publicized privacy leaks could erode patient trust in computerized systems and create political backlash against them, especially if the breaches cause discernable harm, such as embarrassment, loss of employment opportunities, or damage to reputation. Fear of such consequences may cause individuals to forego needed medical care or not to be fully candid with clinicians who treat them. 5 Patients who worry that their psychiatric records, HIV status, sexual histories, or other sensitive information will fall into the hands of third parties may refuse to disclose important medical facts to their health care providers or avoid seeking routine, preventive and non-emergency medical care. Fortifying EHR system security and workplace procedures for privacy purposes can also improve the quality of health care in many other ways. For example, authentication and authorization standards, password management, and workforce clearance procedures for those handling EHRs can ensure that unauthorized personnel do not access records and inadvertently or intentionally corrupt medical data. Automatic logoff after a specified period of inactivity can prevent clinicians from erroneously entering information into a record that was left open by another user. In addition, protection against malicious software such as viruses and worms can prevent system failures and downtime. THE GOVERNMENT S RESPONSE THE HIPAA SECURITY RULE Regulatory Requirements The U.S. Department of Health and Human Services (HHS) has not ignored the privacy risks associated with EHR systems. In 2005 it enacted the HIPAA Security Rule, 6 which was later amended by the Health Information Technology for Economic and Clinical Health Act of 2009. 7 The Rule supplemented the previously enacted HIPAA Privacy Rule, which governs the 4 Id. 5 LYNNE SAM BISHOP ET AL., CAL. HEALTHCARE FOUND., NATIONAL CONSUMER HEALTH PRIVACY SURVEY 2005: EXECUTIVE SUMMARY 3 4 (2005) (finding that 67% of respondents were concerned about the confidentiality of their medical records and 13% had taken various steps to protect their own privacy (e.g. avoiding medical tests, paying out of pocket, or asking doctors to distort diagnoses)). 6 45 C.F.R. 164.302 318 (2010). 7 Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111 5 (Feb. 17, 2009). 2

disclosure of medical information stored in either paper or electronic form and details the rights patients have with respect to their medical records. 8 The Security Rule applies to most health care providers, health plans, and health care clearinghouses and their business associates. 9 It does not, however, apply to any other entities, no matter how much private health information they might possess. The Rule delineates the administrative, physical, and technical safeguards that these covered entities must employ to secure electronic health information. In order to understand the types of technological and organizational interventions that can protect confidentiality, it is useful to detail some of the regulatory requirements. The administrative safeguard standards focus on security management processes, workforce security, information access management, security awareness and training, security incident procedures, and contingency plans. Implementation specifications mandate risk assessment, the establishment of a sanctions policy for non-compliant employees, workforce clearance procedures, log-in monitoring, password management, and many other measures. 10 The physical safeguards section emphasizes facility access controls, workstation use, workstation security, and device and media controls. For example, covered entities are required to develop plans and procedures related to facility security, access control and validation, and data backup and storage. 11 The technical safeguards include the establishment of procedures to control access to electronic health information (EHI), to audit activity in information systems that process EHI, to protect EHI from improper modification or elimination, and to obtain authentication from those seeking access to EHI. Appropriate methods to achieve some of these goals are encryption and decryption. 12 The Shortcomings of the HIPAA Security Rule Despite its significant achievements, the HIPAA Security Rule suffers from several gaps, which I have discussed at length in prior work. 13 A very brief summary of my critique is provided below. First, the HIPAA Security Rule does not reach all parties that might pose privacy threats for patients. Employers, marketers, life insurers, and others who have health information are not bound by the Rule s mandates and thus are not legally required to implement security precautions. Employers, for example often collect significant medical information from workers 8 45 C.F.R. 164.534 (2010). 9 45 C.F.R. 160.102 160.103 (2010); 45 Fed. Reg. 40912 (2010). 10 45 C.F.R. 164.308 (2010). 11 45 C.F.R. 164.310 (2010). 12 45 C.F.R. 164.312 (2010). 13 See Hoffman & Podgurski, supra note 3 at 359 84. 3

through pre-employment physicals or periodic exams and storing such data electronically without appropriate security safeguards would create a risk of privacy breaches. 14 Equally troubling is the fact that the HIPAA Privacy Rule applies to the same narrow category of covered entities as the Security Rule, and thus non-covered entities are free of the regulations restrictions on the disclosure of personally identifiable health information. 15 Second, the HIPAA Security Rule does not provide aggrieved individuals with a private cause of action. 16 Its efficacy is dependent upon HHS having sufficient enforcement resources, and therefore, it may lack the deterrence power that the prospect of private litigation would bestow. In addition, patients whose confidential information is inappropriately disclosed or leaked cannot receive compensation no matter what harm they suffered. Finally, the Security Rule s standards and implementation specifications lack sufficient guidance. Covered entities without sophisticated information technology departments are unlikely to find that the Rule provides adequate instructions concerning compliance with the various requirements. 17 Nevertheless, by enacting the HIPAA Security Rule, the federal government recognized that without robust privacy protections, there can be no shift to e-health in the U.S. Despite its limitations, the Rule is a laudable and important step in providing patients with comprehensive privacy protection. A WORD OF CAUTION ABOUT OVERLY ZEALOUS APPROACHES TO PRIVACY The importance of privacy and security for electronic health information is irrefutable. Nevertheless, some advocates wish to carry the commitment to privacy too far. Some have suggested the implementation of privacy practices that are extreme and inadvisable. These proposals include allowing patients to opt-out of having an EHR, to place portions of their EHRs (e.g. mental health treatment) in secure envelopes that can be accessed only with the individuals specific permission, to control what information is disclosed to which providers, or to access and edit their records as they see fit. 18 Such practices, however, could compromise patient care. One of the significant advantages of interoperable EHR systems is that patient records can be obtained by authorized personnel even if they are stored by other health care facilities or networks. Thus, if a patient is brought unconscious to the emergency room, doctors can review 14 Sharona Hoffman, Employing E Health: The Impact of Electronic Health Records on the Workplace, 19 KANSAS J. L. & PUBLIC POL Y 409, 409 10, 418 20, & 430 (2010). 15 45 C.F.R. 160.103 (2010). 16 See 45 C.F.R. 160.300.552 (2010). 17 See Hoffman & Podgurski, supra note 3 at 350 54. 18 Nicolas P. Terry & Leslie P. Francis, Ensuring the Privacy and Confidentiality of Electronic Health Records, 2007 U. ILL. L. REV. 681, 725 30 (2007). 4

her medical history, drug and allergy lists, and other vital information. Similarly, doctors treating patients who are forgetful or confused about their medical details would not need to rely on the patients unreliable accounts. If patients are empowered to opt out of EHR use or to disallow treating physicians access to their records, they may lose much of the benefit of computerization. Many clinicians would continue to care for patients in ignorance of essential facts that could make the difference between appropriate and inappropriate treatment decisions. For example, it might seem at first blush that most physicians would not need access to a patient s psychiatric records. However, a psychiatric diagnosis may help other specialists better understand the patient s symptoms, and the patient s complete drug list, including psychiatric drugs, is vital for purposes of safely prescribing additional medications. 19 Another benefit of EHRs is that they can enable the creation of general research databases containing millions of deidentified patient records. Such databases could enable researchers to conduct comprehensive observational studies based on the actual clinical experience of patients with diverse demographics and to fill many medical knowledge gaps. Some experts worry, however, that deidentification is insufficient to protect patient privacy and would prefer that informed consent be obtained each time data will be used or that data subjects be allowed to opt out of each individual research project before it is commenced. 20 It is important that deidentification be thorough and responsible 21 and that patients have the opportunity to consent to the initial inclusion of their records in research databases. However, making database administration and research excessively burdensome because of over-zealous privacy and consent requirements would be ill-advised. 22 Investigators who must identify and re-contact millions of patients to ask if they wish to have their anonymized records included in each particular study may find the task impossibly time-consuming or costly and abandon important research initiatives. Furthermore, if, out of an abundance of caution, patients are repeatedly contacted and warned about the risks of inclusion in a research database and consequently opt out in large numbers, research data could become fragmented, making it difficult for investigators to draw general inferences. To illustrate, if individuals who have a particular ancestry, who suffer from a certain disease, or who share certain lifestyle habits opt out disproportionately, research data may become skewed and unreliable. CONCLUSION 19 It should be noted that psychotherapy notes are not generally disclosable without patient consent. 45 C.F.R. 164.508 (2010). 20 Mark A. Rothstein, Is Deidentification Sufficient to Protect Health Privacy in Research? 10 AM. J. BIOETHICS 3 11 (2010). 21 See 45 C.F.R. 164.514(b)(2)(i) (2010) for deidentification guidance provided by the HIPAA Privacy Rule. 22 See Sharona Hoffman, Electronic Health Records and Research: Privacy vs. Scientific Priorities, 10 AM. J. BIOETHICS 19 (2010). 5

Careful attention to privacy and security safeguards is vital to the success of EHR system adoption. Such safeguards will reassure patients that computerization will not compromise confidentiality and allow physicians to earn patient trust and cooperation, which will facilitate health information technology implementation. Security precautions may also yield other benefits by improving the overall quality of EHR products and reducing clinician error rates. So long as radical privacy measures are not espoused, privacy protection is in the best interest of all who have a stake in the successful implementation of health information technology: industry, the government, medical professionals, and patients. 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information