1 / 15

"Security and Privacy After September 11: The Healthcare Example”

"Security and Privacy After September 11: The Healthcare Example”. Professor Peter P. Swire Ohio State University Minnesota Law Review Symposium February 9, 2002. Overview. After September 11: Public health Can you report a terrorist/patient? USA-Patriot Act & health care (in paper)

carrington
Download Presentation

"Security and Privacy After September 11: The Healthcare Example”

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. "Security and Privacy After September 11:The Healthcare Example” Professor Peter P. Swire Ohio State University Minnesota Law Review Symposium February 9, 2002

  2. Overview • After September 11: • Public health • Can you report a terrorist/patient? • USA-Patriot Act & health care (in paper) • Security and Privacy after September 11 • More emphasis on security • What implication for privacy?

  3. Background • Unusual double major: • White House coordinator for HIPAA medical privacy rule, 1999-2000 • Chair, White House task force on how to update wiretap and surveillance laws for the Internet age

  4. I. Public Health & September 11 • Sec. 512(b) quite broad • PHI can be disclosed to a public health authority “authorized by law to collect or receive such information” • Permitted purposes include public health surveillance, investigations & interventions

  5. Public health (cont.) • Disclosure also permitted, if authorized by law, to a person exposed to or at risk for a disease • Uses permitted by a covered entity that is a public health authority whenever it is permitted to disclose that PHI

  6. Public Health -- Implications • The rule permits what needs to be disclosed, if it is “authorized by law” -- check that • Proper data handling needed by public health agencies: • Privacy -- good practices for patient data • Security -- make sure network is protected and data cannot be tampered with

  7. Reporting Suspicious Activity • Rule issued before Sept. 11. How well does it work today? • What if a suspected terrorist is in the hospital? Can you report that? • Example: patient exposed to anthrax, and you suspect person involved in making or distributing spores

  8. National Security Exception • Section 512(k)(2) • May disclose PHI “to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities”

  9. Averting Serious Threats • Section 512(j) permits voluntary disclosure by a covered entity • Notably, applies where “necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public”

  10. General Law Enforcement • Sec. 512(f) generally requires “in response to law enforcement official’s request” • Court order, grand jury subpoena, administrative subpoena for full file • To locate or identify a suspect, fugitive, material witness, or missing person: • Name, SSN, limited other information

  11. Summary on law enforcement • For anthrax suspect: • Likely national security • May have evidence, in good faith, of imminent threat • Can respond to law enforcement requests more broadly • The rule holds up better than you might have expected to this new challenge • But, still significant privacy protections on disclosure to the police

  12. II. Security & Privacy After 9/11 • Less tolerance for hackers and other unauthorized use • Cyber-security and the need to protect critical infrastructures such as payments system, electricity grid, & telephone system • Greater tolerance for surveillance, which many people believe is justified by greater risks

  13. Security vs. Privacy • Security sometimes means greater surveillance, information gathering, & information sharing • USA Patriot increases surveillance powers • Greater industry willingness to share data with government

  14. Security and Privacy • Good data handling practices become more important -- good security protects information against unauthorized use • Audit trails, accounting become more obviously desirable -- helps fight sloppy privacy practices

  15. Concluding Thoughts • HIPAA stands up well to the changed circumstances after September 11 • Reinforces the decision to insist that privacy, security, and IT upgrades occur together • But, will need to insist on good new safeguards in public health system and elsewhere

More Related