health care: privacy in a digital age
DESCRIPTION
Health Care: Privacy in a Digital Age. Concordia School of Management October 18, 2001 Chris Apgar, Data Security & HIPAA Compliance Officer Providence Health Plans. Presentation Overview. Electronic Records & You Risks & Valid Concerns Legal Protections - PowerPoint PPT PresentationTRANSCRIPT
1
Health Care: Privacy in a Digital Age
Concordia School of Management
October 18, 2001
Chris Apgar, Data Security & HIPAA Compliance Officer
Providence Health Plans
October 18, 2001 Presenter - Chris Apgar 2
Presentation Overview
• Electronic Records & You• Risks & Valid Concerns• Legal Protections• Providence Health Plan - Case Study• Tips for Protecting Privacy• Resources• Q&A
October 18, 2001 Presenter - Chris Apgar 3
Electronic Records & You• Health care information users
– Providers (I.e., doctors, chiropractors, EAP, etc.)
– Health insurance companies
– Government & government contractors
– Third parties (I.e., billing services, medical management, etc.)
• How much control do you really have?• Marketing, research and other “hidden” uses
October 18, 2001 Presenter - Chris Apgar 4
Electronic Records & You• Moving information around
– FTP (file transfer protocol)
– Other forms of magnetic media
– US Postal Service and other carriers
– Secure web sites & other forms of secure messaging
• Storage and internal organization information transfer
October 18, 2001 Presenter - Chris Apgar 5
Risks & Valid Concerns• Unprotected Internet• Web browsing & cookies -
tracking your travel• Authentication or who
can look at my record• Networks, firewalls and the lack thereof• Inappropriate information use for marketing
and other sales activities• Government, courts and data sharing
October 18, 2001 Presenter - Chris Apgar 6
Risks & Valid Concerns• Hackers and other illegal activity• Internal mischief or the disgruntled employee• Carelessness or “my record on the counter”• Lack of physical security (“it’s
not locked up”)• Lack of defined policies,
confidentiality practices, etc.
October 18, 2001 Presenter - Chris Apgar 7
Legal Protections• Oregon statute & rule• Health Information Portability &
Accountability Act of 1996 (HIPAA)• Gram-Leach-Bliley Act• Children’s On-line Privacy
Protection Rule• Other federal statute & rule• Litigation
October 18, 2001 Presenter - Chris Apgar 8
Legal Protections: HIPAA Example
Privacy• Release of information
– Consent form for treatment billing & healthcare operations
– Only providers required to obtain consent
– Consent revocation & what it means
– Authorization for all other activities (I.e., some research activities, release to attorney, etc.)
October 18, 2001 Presenter - Chris Apgar 9
Legal Protections: HIPAA Example
Privacy• Vendor & “business associate agreements”
– Business associates definition (versus “covered entities” governed by HIPAA)
– Business associate in practice covered by HIPAA Administrative Simplification privacy requirements
– Required to assess compliance requirements and document
– Statutory & rule limitations
October 18, 2001 Presenter - Chris Apgar 10
Legal Protections: HIPAA ExamplePrivacy
• Access tracking & “need to know”– Does not apply to treatment, billing &
healthcare operations– Yours for the asking
• “Minimum necessary” standard– Applies to internal & external data access– Access defined by role or permissions to use data– Appropriate access controls & documentation required
October 18, 2001 Presenter - Chris Apgar 11
Legal Protections: HIPAA Example
Privacy• Member/patient record access & amendment
– Who “owns” your medical records?
– Business associates do not “own” records
– Covered entities required to act on requests to amend records but not required to make amendments
• Forms of data or media covered (electronic, paper, etc.)
October 18, 2001 Presenter - Chris Apgar 12
Legal Protections: HIPAA Example
Risk Assessment Policy & procedure
development Training & awareness Contingency Plan Information access
control (“need to know”) Audit & certification Documentation
Record access (release management & file access)
Personnel security & authentication
Chain of Trust/Business Associate Agreement
Security & privacy management Security incident response Physical security
Data Security
October 18, 2001 Presenter - Chris Apgar 13
• Security & privacy officers appointed• Data security & privacy standards developed &
implemented • Staff training & policies developed
& communicated• Use of firewalls and other tools
to protect information
Providence Health Plan - Case Study
October 18, 2001 Presenter - Chris Apgar 14
• On-going network & other access point monitoring
• Enforcement of secure transfer of information to authorized staff and external partners
• All accessing confidential information legally bound to enforce privacy & security
• Internal & external audit of policies, training plan & processes
Providence Health Plan - Case Study
October 18, 2001 Presenter - Chris Apgar 15
• Collaboration with Providence Health System
• On-going work with external partners (providers, plans, government, etc.)
• Participation in local and national security/ privacy forums
• Privacy & confidentiality - Providence strategic objective
Providence Health Plan - Case Study
October 18, 2001 Presenter - Chris Apgar 16
• Talk to your provider and insurance carrier - what is their privacy policy, how do they protect your confidential health information, etc.)
• Check out web sites (I.e., security,privacy policies, etc.)
• Cookies and what to do with them
Tips for Protecting Privacy
October 18, 2001 Presenter - Chris Apgar 17
• Avoid sharing health information over unsecured web sites
• Report on-line privacy violations as appropriate
• Avoid unsecured e-mail (even with your provider)
• Periodically request copies of your health record from provider and insurance carrier
Tips for Protecting Privacy
October 18, 2001 Presenter - Chris Apgar 18
• Carefully read consent & authorization forms (I.e., information release, purpose of confidential data use, etc.)
• Question if in doubt and avoid signing when transmission of your health information not clearly defined
• Know your rights and exercise them
Tips for Protecting Privacy
October 18, 2001 Presenter - Chris Apgar 19
Resources
• Federal Trade Commission: http://www.ftc.gov
• HIPAA Web Site: http://aspe.hhs.gov/admnsimp
• National Institute of Health (regulatory information): http://list.nih.gov
• “Defend Your Medical Data” (ACLU): http://www.aclu.org/action/medregs/readstories.html
October 18, 2001 Presenter - Chris Apgar 20
Resources
• Health Privacy Project: http://www.healthprivacy.org
• Department of Health & Human Services Office of Civil Rights: http://www.os.dhhs.gov/ocr/hipaa
• American Medical Association “Domain of Privacy”: http://www.ama-assn.org/ama/pub/category/3653.html
October 18, 2001 Presenter - Chris Apgar 21
Resources
• American Psychology Association on Privacy: http://helping.apa.org/dotcomsense
• Providence (see privacy statement): http://www.providence.org
• Google (search engine; advanced search on “privacy health): http://www.google.com
October 18, 2001 Presenter - Chris Apgar 22
Question & Answer
Chris Apgar, Data Security & HIPAA Compliance Officer
Providence Health Plan3601 SW Murray Blvd., Suite 10
Beaverton, OR 97005(503) 574-7927 (voice)
(503) 574-8655 (fax)[email protected]