![Page 1: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/1.jpg)
Healthcare Privacy and Security Healthcare Privacy and Security After September 11After September 11
The HIPAA Colloquium
At Harvard University
August 20, 2002
Presented by:
Lauren Steinfeld
Privacy Consultant, Morrison & Foerster
Chief Privacy Officer, University of Pennsylvania
![Page 2: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/2.jpg)
OverviewOverview
Relationship between security and privacy The Healthcare Example
HIPAA in a world of changed priorities Post 9/11 politics
The USA Patriot Act Example The Homeland Security Example Observations – Privacy and Security Today
More emphasis on security Implications for privacy?
Concluding Thoughts
![Page 3: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/3.jpg)
I. Relationship between Privacy and I. Relationship between Privacy and SecuritySecurity
Privacy – providing individuals some level of info and control re: uses and disclosures of PII
Security – prevention of unauthorized access, use, and disclosure of PII
Privacy vs. Security Perspective of more information gathering and
sharing Privacy and Security
Perspective of good security leading to good privacy and vice versa
![Page 4: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/4.jpg)
II.A. The Healthcare Example – II.A. The Healthcare Example – HIPAA in a World of New PrioritiesHIPAA in a World of New Priorities
Rule issued before Sept. 11. How well does it work today?
Consider biological warfare – e.g. anthrax Consider need to report suspicious, I.e,
terrorist, activities
![Page 5: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/5.jpg)
Public Health Public Health
Sec. 512(b) fairly broad PHI can be disclosed to a public health
authority “authorized by law to collect or receive such information”
Permitted purposes include reporting disease, injury, vital events, and conduct of public health surveillance, investigations & interventions
Disclosure also permitted, if authorized by law, to a person exposed to or at risk for a disease
![Page 6: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/6.jpg)
Public Health -- ConclusionsPublic Health -- Conclusions
The rule permits what needs to be disclosed, if it is “authorized by law” -- check that
Proper data handling needed by public health agencies: Privacy -- good practices for patient data Security -- make sure network is protected
and data cannot be tampered with
![Page 7: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/7.jpg)
Reporting Suspicious ActivityReporting Suspicious Activity
What if a suspected terrorist is in the hospital? Can you report that?
Example: patient exposed to anthrax, and you suspect person involved in making or distributing spores
![Page 8: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/8.jpg)
When Can You Report?When Can You Report?
National security exception Avert serious threats to health or public
safety Law enforcement rules generally
![Page 9: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/9.jpg)
National Security ExceptionNational Security Exception
Section 512(k)(2) May disclose PHI “to authorized federal
officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities”
Those activities as defined in law -- what you expect as “intelligence”
![Page 10: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/10.jpg)
Averting Serious ThreatsAverting Serious Threats
Section 512(j) permits voluntary disclosure by a covered entity
General emergency circumstances: “Is necessary to prevent or lessen a serious
and imminent threat to the health or safety of a person or the public”; and
“Is to a person or persons reasonably able to prevent or lessen the threat”
Confessions to violent crimes Can’t disclose where confession is made as
part of therapy for propensity to commit violent conduct
![Page 11: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/11.jpg)
Averting Serious ThreatsAverting Serious Threats
Conclusion: the rule allows disclosure to avert serious threats, including by terrorists
![Page 12: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/12.jpg)
General Law EnforcementGeneral Law Enforcement
Sec. 512(f) generally requires “in response to law enforcement official’s request”
Covered entity can’t volunteer the information, except where required by a reporting law or requested by law enforcement
![Page 13: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/13.jpg)
General Law EnforcementGeneral Law Enforcement
Court order, grand jury subpoena, administrative subpoena for full file
To locate or identify a suspect, fugitive, material witness, or missing person: Name, SSN, limited other information
![Page 14: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/14.jpg)
Summary on Reporting Suspicious Summary on Reporting Suspicious Activity Activity
For anthrax suspect: Likely national security May have evidence, in good faith, of imminent
threat Can respond to law enforcement requests
more broadly The rule holds up better than you might have
expected to this new challenge But, still limits on your disclosure to the police
![Page 15: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/15.jpg)
II.B. Healthcare Politics After 9/11II.B. Healthcare Politics After 9/11
Bush Administration preserved rules Related electronic data exchange rules
were extended; privacy specifically not extended
March NPRM Nothing changed in response to new anti-
terrorism priorities Modest changes to address paperwork
burden resulted in significant front page criticism (largely unjustified)
![Page 16: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/16.jpg)
III. USA PATRIOT ActIII. USA PATRIOT Act
Response to recognized need to update law enforcement authorities in light of Internet and other electronic communications
Compare: Policy review prior to 9/11 Law passage after 9/11
![Page 17: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/17.jpg)
Policy Review Prior to 9/11Policy Review Prior to 9/11
2000 proposal had number of new law enforcement authorities, but also privacy safeguards E-mail interceptions protected as phone
interceptions Trap & trace orders – judicial review instead
of prosecutor certification Bipartisan approval in House Judiciary,
though made more privacy protective
![Page 18: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/18.jpg)
Law Passage After 9/11Law Passage After 9/11
USA PATRIOT Act Proposed one week after 9/11 Passed 10/25 Little opportunity for public debate
Much broader range of law enforcement authorities without any privacy protections (except sunset on some provisions)
![Page 19: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/19.jpg)
IV. Homeland Security IV. Homeland Security
Hearings held to look at privacy implications
Results – House-passed bill includes: Privacy Officer Privacy Impact Assessments No National ID No “TIPS” Program
![Page 20: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/20.jpg)
V. Security and Privacy TodayV. Security and Privacy Today
Focus on more information sharing for security reasons
Also recognition of privacy and security working together towards national security goals Protection against unauthorized access, use
and disclosure Audit trails Tiered access – Need-to-know analysis
Example: ID theft
![Page 21: Healthcare Privacy and Security After September 11](https://reader036.vdocuments.net/reader036/viewer/2022081603/56813cea550346895da694d0/html5/thumbnails/21.jpg)
Concluding ThoughtsConcluding Thoughts
Security upgrades provide opportunities for building greater privacy protection in
Recognize the compatible applications of privacy and security Privacy as a source of good security -- BNA
Special Report (07/02) Where security and privacy seem at
cross-purposes, one need not “win” over the other Perform thoughtful analysis regarding
accomplishing both objectives