Christy Navarro, M.S., CIPP/US
Using a case study example:
• Understand key privacy and data security components to be integrated into any health information exchange initiatives
• Learn important privacy and security
Framework can be expanded for other uses of data such as:
• comparative effectiveness research (CER)
• additional data elements
• payment purposes and healthcare operations
• de-identified data sets or limited data sets
• Sharing across state lines
• legal obligations for the Health Information Exchange
• security risk assessments
• determine requirements for patient consent and
authorizations
• identify key triggers for new requirements for the HIE or
participants
• policy structure
• governance
• contractual templates
Fair Information Practices Principles
Federal Law (HIPAA)
Institutional Policies
State Law
• Individual Access
• Correction
• Openness and Transparency
• Individual Choice
• Collection, Use, Disclosure Limitation
• Integrity
• Accountability
• Safeguards
Privacy Rule
Security Rule
Enforcement
Security
• Firewall Defense
• Data Loss Prevention (DLP)
• Security Information Event Management
Shared by Both
• Accuracy/Integrity
• Access Availability
• Accountability
Privacy
• Broader
• Notice/Consent
• Openness
• Relevance
• Content Limits
The Privacy Engineer’s Manifesto pg. 48
Participant Policies
Preemption
• Most Access to Patient
• Most Protection to the Data
Understanding Breach Notification Responsibilities
• Business Associate (the HIE)
Structured Breast Cancer Data in HIE environment
• Breast cancer common female Cancers in California
• 26,300 California women are diagnosed each year
• identified as a high impact condition for California Health eQuality (CHeQ)
• Proof of concept to exchange Cancer Continuity of Care Document (CaCCD)
Patients and providers support health IT initiatives but both are concerned about privacy and security of medical information (Markle, 2011)
Two-thirds of consumers believe that privacy concerns should not stop forward movement of health IT initiatives (Markle, 2011).
Average cost of Data Breach 2 million over a two year period*
72% of respondents say they are only somewhat confident or not confident in the security and privacy of patient data shared on HIEs.*
* 2014 Ponemon Report on Patient Privacy & Data Security
• Project INSPIRE Goal: “To improve the acquisition and exchange of patient data in high impact conditions in order to support care coordination practice improvement and longitudinal disease registries”
• INSPIRE will be demonstrated with breast cancer as the first “high impact condition”
INSPIRE – INteroperability to Support Practice Improvement,
• Assist Institute for Population Health Improvement by developing a privacy and security road map for CHeQ’s Project INSPIRE
• Identify applicable laws and requirements associated with privacy and security
• Make recommendations on best practice and policy framework to meet the requirements of law
• Address fair information practice principles
• Apply practical approach that is scalable and can be used again
• legal obligations for the HIE and known participants
• requirements for patient consent and authorizations
• identify key triggers for new requirements for the HIE or participants
• policy structure, governance and contractual templates
• modeled after a privacy and security framework for a multistate comparative effectiveness research
The Office of National Coordinator for Health Information Technology’s Nationwide Privacy and Security Framework for Electronic Exchange of Information
Based on Fair Information Practice Principles (FIPPs)
• allows future Use Cases as the HIE grows and expands its capabilities and offerings
• recognizes work already done in the area of privacy and data security for California HIE
• Model Agreements for the HIE to initiate participation
• Policy framework
• Privacy Matrix
• Security Matrix
Privacy Matrix - ONC’s Nationwide Privacy and Security Framework for HIE
• Individual Access
• Correction
• Openness and Transparency
• Individual Choice
• Collection, Use, Disclosure Limitation
• Integrity
• Accountability (Security Matrix)
• Safeguards (Security Matrix)
ONC Nationwide Privacy and Security Framework for Electronic Exchange of IIHI (ONC, 2008)
California Privacy and Security Guidelines/California Law and Federal Law
1. Individual Access: Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a reliable form and format
Individual Access: CalPSAB Principles provide individuals have the right to:
• Ascertain the person responsible for IIHI for an entity, obtain confirmation of whether the entity has specific IIHI relating to the individual and obtain its location.
• Receive their IIHI in a reasonable time and manner, at a reasonable charge, and in a format that is generally accessible*.
• Challenge the accuracy of their IIHI and, if successful, to have the IIHI corrected, completed, or amended.
• Control access, use, or disclosure of their IIHI unless otherwise specified by law or regulations.
CalPSAB Privacy and Security Guidelines Sec. 2.4: ACCESS TO INFORMATION BY THE INDIVIDUAL AND OTHERS
[Note that this principle applies only to designated record sets; an individual’s right of access would depend on whether it was part of a designated record set.] An individual or his/her personal representative has the right to access his/her designated record set that is in the custody or under the control of the entity. An entity shall establish a process to receive all requests for access to individual health information.
References: CMIA CA Civil Code Section 56.07; Health and Safety Code Section 123110 a-c. 45 CFR § 164.524 (a) – (e) Access to PHI.
*45 CFR § 164.524 (c)(2)(ii) – if maintained electronically and the individual requests electronic access the CE must provide the PHI in the electronic format requested by the patient.
• Security Requirements – Administrative Controls
• Security Requirements – Business Continuity & Contingency Planning
• Security Requirements – Facility and Equipment Controls
• Security Requirements – Data Protection and User Access Controls
• Security Advisory Board Guideline
• Guideline vs. HIPAA Significant Differences
• HIPAA Referenced Citations
Security Guidelines/HIPAA Security Rule Crosswalk
126072 Security Requirements – Administrative Controls
Security Guideline Policy: 5.1 Information Security (Organization & Responsibility) - An entity shall identify the entity’s primary security official who is responsible for implementation and compliance to these guidelines. Such official shall be identified in such a way that anyone who might have a security issue or concern may contact that person. [45 C.F.R § 164.308 (a)(2)]
Guidelines vs. HIPAA Significant Differences: This guideline clarifies the HIPAA standard by making the designation of the primary security official more transparent to individuals who may have a security issue.
Referenced Citations: Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. [45 C.F.R § 164.308 (a)(2)]
HIE’s Policy Requirements by Use Case
• Introduction and Overview
• Systems and Services
• Participants
• Authorized Users
• Security of Patient Data
• Privacy of Patient Data
• Exchange of Patient Data
• Technology
• HIO Operations
• Fees
• Insurance
To be used in conjunction with the Model Modular Participation Agreement. Citations refer back to MMPA section that should align with these policies and procedures.
• Agreements
• Authentication of Users
• Patient Consent
• Specialized Types of Information
• Auditing and Monitoring
• Policy Development
• Privacy & Security Officer Collaboration
• CaCCD Requirements (accepting all segments)
• Use what is publicly available
• Take a Use Case Approach
• Consider patient trust & fair information practice principles
• Privacy and data security integrated into governance structure
• Budget for ongoing privacy and security resources
• Transparency and patient focused communications about privacy and security
• Security Risk Assessments & Privacy Impact Assessments (upfront and when changes occur)
• Maturity models for technical, legal and ethical controls (day-to-day business)
• Using Innovative Approaches to Detect Unauthorized Access
Statistical machine learning to detect suspicious activity real time
Accountable Care like “flags” for behavior
• Cultivating trust among providers and patients is an ongoing effort
• Consent supports Transparency
• Paper Forms to Participate in HIE?
Is it meaningful? Is it efficient? Integrity issues
Patient separately consents for EVERY provider to participate.
• Benefits include convenience, more informed and engaged patients, improved comprehension
• Strategic advantage for HIOs/HIEs to offer consent management as part of services.
• Make this patient centric and meaningful
• HIV, mental health, substance abuse often have special
protections in law
• Patients ages 12-17 are not allowed to have access to the
patient portal
• Consequence is exclusion of the data or patient type from
HIE conversation because of lack of controls designed into the technology
• Office of the National Coordinator for Health Information Technology, Governance Framework for Trusted Electronic Health Information Exchange (May 3, 2013), www.healthit.gov
• Model Modular Participation Agreement found on California Office of Health Information Integrity website
• The Markle Common Framework for Private and Secure Information Exchange
• Information Privacy in the Evolving Healthcare Environment, Koontz, HIMSS – purchase required.
• 2014 Ponemon Report on Patient Privacy & Data Security – registration is required.
• The Privacy Engineer’s Manifesto, Dennedy, Fox and Finneran – purchase required.
Christy Navarro, CIPP/US, M.S.
2424 Fair Oaks Blvd. #195 Sacramento, CA 95825 Cell: 916.541.7404 Office: 916.388.2678
Website: navarroprivacy.com