1 / 29

Privacy, Confidentiality, and Security in Healthcare

Learn the differences between privacy, confidentiality, and security in healthcare, and discover methods to protect patient information using information technology. Understand the implications of HIPAA Privacy and Security rules and the need to balance a patient's right to privacy with the need to share and exchange information.

coombs
Download Presentation

Privacy, Confidentiality, and Security in Healthcare

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Culture of Health Care Privacy, Confidentiality, and Security Lecture a This material (Comp 2 Unit 9) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015. This material was updated in 2016 by Bellevue College under Award Number 90WT0002. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.

  2. Privacy, Confidentiality, and SecurityLearning Objectives • Define and discern the differences between privacy, confidentiality, and security (Lecture a). • Discuss methods for using information technology to protect privacy and confidentiality (Lecture b). • Describe and apply privacy, confidentiality, and security under the tenets of HIPAA Privacy and Security rules (Lectures c and d). • Discuss the intersection of a patient’s right to privacy with the need to share and exchange patient information (Lecture d).

  3. Privacy, Confidentiality, and Security • Definitions • Concerns • Privacy • Security • Tools for protecting health information • HIPAA • Privacy Rule • Security Rule • Enhancements in HITECH • Implications

  4. Definitions • Privacy • The right to be left alone • The right to keep personal information secret • The right to control personal information • Confidentiality • Sharing or disseminating data only to those with a “need to know” • Security • Mechanisms to assure the safety of data and systems in which the data reside

  5. Definitions Continued • Individually identifiable health information (IIHI): Any data that can be correlated with an individual • Also called protected health information, or PHI • Consent (in context of privacy): Written or verbal permission to allow use of your IIHI

  6. Concerns about Privacy • Personal privacy vs. common good • Continued disclosures • Concerns of public • De-identified data

  7. Personal Privacy vs. the Common Good • Concerns expressed in ACLU video Scary Pizza • A spectrum of views: • One end holds that while personal privacy is important, there are some instances when the common good of society outweighs it, such as in biosurveillance (Gostin & Hodge, 2002; Hodge, Gostin, & Jacobson, 1999) • The other end holds that personal privacy trumps all other concerns (Privacy Rights Clearinghouse, 2009; see also video by Deborah Peel, Designing Technology to Restore Privacy, http://www.patientprivacyrights.org) • More “balanced” views? (California Health Care Foundation, 2008; Detmer, 2010; American College of Physicians, 2011) • Where do your views fit?

  8. Patient Information Disclosures • Health care cybersecurity attacks over the past five years have increased 125% as the industry has become an easy target; personal health information is 50 times more valuable than financial information on the black market (Kutscher, 2016) • Portland, Oregon, thieves broke into a car with back-up disks and tapes containing records of 365,000 patients (Rojas-Burke, 2006) • Several episodes from Virginia, including a laptop with data of more than 1 million veterans, recovered without apparent access (Lee & Goldfarb, 2006) • Hack of Indianapolis-based payer Anthem’s IT systems exposed personal data of approximately 80 million customers (Perma, 2015) • Improper disclosure of research participants’ PHI results in $3.9 million HIPAA settlement (U.S. Dept. of Health and Human Services [HHS], 2016b) • Hospital pays hackers $17,000 to unlock EHRs frozen in “ransomware” attack (Conn, 2016)

  9. Patient Information Disclosures Continued • Privacy Rights Clearinghouse provides searchable Chronology of Data Breaches—not limited to medical • http://www.privacyrights.org/data-breach • HHS (2016a) must post list of breaches of unsecured PHI affecting 500 or more individuals (“wall of shame”) • https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf • 2015 top 10 data breaches accounted for just over 111 million records; the top six breaches affected at least 1 million individuals

  10. Breaches Adversely Impact Organizations • Costs (Ponemon Institute, 2015) • Estimated cost to the industry: $6 billion • Average cost per breach: $2.1 million • Significant part of cost: “lost business” • Criminal attacks up 125% in healthcare organizations—now number 1 cause of breaches • Attack sources (HIMSS, 2015) • Foreign sources, hacktivist, nation-state actor, malicious insider, hacker, social engineering, online scam artist • Security budgets (HIMSS, 2015) • Health care providers average > than 6% of the IT budget for security • Federal government spends 16% of its IT budget on security, while financial and banking institutions spend 12% to 15% • Information security is a business priority

  11. Challenges from Proliferation of Technologies and Applications • Increased technology use by all care providers • Health information exchange and data sharing activities across multiple networks • Cloud computing and third-party outsourcing • Increased use by patients, families, and consumers of their devices (tablets, smartphones, etc.) • New models of care require more care providers to access data across the patient care continuum • Clinicians using their own devices • Personal laptops, tablet devices, smartphones, and so on • Connected medical devices and implantable devices

  12. Some Technologies Can Worsen the Problem • USB (“thumb”) drives run programs when plugged into USB port; can be modified to extract data from computer (Wright & Sittig, 2007a, 2007b) • Personal health records, other systems, may lack encryption and be easily compromised • 10% of hard drives sold by a second-hand retailer in Canada had remnants of personal health information (El Emam, Neri, & Jonker, 2007) • Peer-to-peer (P2P) file sharing—0.5% of all U.S. IP addresses have PHI (El Emam et al., 2010) • Digital photocopiers store all copies made (Keteyian, 2010); scanners may also store copies Restrict physical access where possible, always encrypt!

  13. Health Care Organizations Are Not Well Prepared for Security • Security budgets are not keeping pace with complex IT environments and the growing risk of attacks (HIMSS, 2015) • Growing sophistication of attacks and number of threats make it hard to keep up • There is a need for innovative, advanced security tools and in-depth approaches to address threats and vulnerabilities (HIMSS, 2015) • There is not enough highly skilled, security expertise (Ponemon Institute, 2015) • Paper security breaches remain an issue (Ponemon Institute, 2015) • Data leakage is a primary threat • Identity and access management is a top priority • Chief information security officers (CISO) are not in all organizations

  14. What Is the Role of Government? • The American Recovery and Reinvestment Act of 2009 (ARRA) provided creation of the HIT Policy Committee and an HIT Standards Committee under the auspices of the Federal Advisory Committee Act (FACA). Groups under these two committees include • Privacy and Security Workgroup: Focus on policy issues and opportunities to ensure electronic data captured and exchanged is protected and shared consistent with consumer needs and expectations • API Task Force: Identifies privacy and security concerns that are barriers to widespread adoption of open APIs in health care • ONC’s Federal Advisory Committee Process: https://www.healthit.gov/facas/sites/faca/files/develop-recommendations-SOP.pdf • 2015 Precision Medicine Initiative: ONC was funded $5 million to support development of interoperability standards and requirements addressing privacy and enabling secure data exchange

  15. What Is the Role of Government? Continued • Most federal agencies actively involved with privacy and security • Including the Office of the Inspector General (OIG), the Office of Civil Rights (OCR), Federal Trade Commission (FTC), Food and Drug Administration (FDA), Federal Communications Commission (FCC), Department of Health and Human Services (HHS), and Department of Justice (DOJ) • The eHealth Exchange, previously the Nationwide Health Information Network, is a “network of exchange partners who securely share clinical information over the Internet across the US, using a standardized approach” • Data Use and Reciprocal Support Agreement (DURSA) ensures secure data exchange—all eHealth Exchange participants required to follow • States are involved in privacy and security policymaking and in creation of new laws

  16. What Do Other Governments Do? • 2012 European Commission Directive • Proposed comprehensive reform on data protection rules in the European Union • February, 2016: Finalized the reform of the EU data protection rules • EU–US Umbrella Agreement ensuring data protection for data transfers across the Atlantic (European Commission, 2016)

  17. Related Issues for Medical Privacy • Who “owns” medical information? • Complex; varies from state to state (http://www.healthinfolaw.org/comparative-analysis/who-owns-medical-records-50-state-comparison) • May have economic value, which should be shared back to patient (Hall & Shulman, 2009; Rodwin, 2009) • “Compelled” disclosures (Rothstein & Talbott, 2006) • We are often compelled to disclose information for nonclinical care reasons • Ultimate “personal identifier” may be individual’s genome (McGuire & Gibbs, 2006) • Even “de-identified” data may compromise privacy (Malin & Sweeney, 2005) • Genome of family members can identify siblings (Cassa et al., 2008) • Data from genome-wide association studies can reveal individual-level information (Lumley & Rice, 2010)

  18. Health Information Rights • Declaration of Health Data Rights • Right to our own health data • Right to know the source of each health data element • Right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be made available in that form • Right to share our health data with others as we see fit • Read: https://sites.tufts.edu/prep/2009/07/07/declaration-of-health-data-rights • AHIMA Health Information Bill of Rights (2009) • http://bok.ahima.org/PdfView?oid=107674 • Slightly more detailed but with similar provisions • HIPAA Privacy Rule Provisions (2016) • www.healthit.gov/patients-families/your-health-information-rights

  19. Is “De-identified” Data More Secure? Not Necessarily • 87% of US population uniquely identified by five-digit ZIP code, gender, and date of birth (Sweeney, 2002) • Sweeney identified William Weld, governor of Massachusetts, in health insurance database for state employees by purchasing voter registration for Cambridge, Massachusetts, for $20 and linking ZIP code, gender, and date of birth to “de-identified” medical database (Sweeney, 1997) • Genomic data can aid re-identification in clinical research studies (Malin & Sweeney, 2005; Lumley & Rice, 2010) • Social security numbers can be predicted from public data (Acquisti & Gross, 2009)

  20. How Governor Weld Was Identified 9.1 Figure: The overlapping data enabled identification of the Governor. (Adapted from Sweeney, 1997).

  21. Privacy, Confidentiality, and SecuritySummary – Lecture a • Privacy is the right to keep information to ourselves, whereas confidentiality is the right to keep information about ourselves from being disclosed to others • For many reasons, breaches and disclosures of patient information are increasing • “De-identified” information is not necessarily more secure

  22. Privacy, Confidentiality, and SecurityReferences – Lecture a References Acluvideos. (2009) Scary Pizza [Video file] Retrieved from https://youtu.be/33CIVjvYyEk Acquisti, A., & Gross, R. (2009). Predicting Social Security numbers from public data. Proceedings of the National Academy of Sciences, 106, 10975–10980. AHIMA. (n.d.). AHIMA consumer health information bill of rights. Retrieved from http://bok.ahima.org/PdfView?oid=107674 American College of Physicians. (2011). Health information technology & privacy: Position paper. Retrieved from http://www.acponline.org/advocacy/where_we_stand/policy/hit_privacy.pdf California Health Care Foundation (CHCF). (2005). National consumer health privacy survey 2005. Oakland: CHCF. Retrieved from http://www.chcf.org/topics/view.cfm?itemID=115694 Cassa, C., Schmidt, B., Kohane, I., & Mandl, K. (2008). My sister's keeper?: Genomic research and the identifiability of siblings. BMC Medical Genomics, 1(1), 32. Retrieved from http://www.biomedcentral.com/1755-8794/1/32 Cohn, S. (2006). Privacy and confidentiality in the nationwide health information network. Washington, DC: National Committee for Vital and Health Statistics. Retrieved from http://www.ncvhs.hhs.gov/recommendations-reports-presentations/june-22-2006-letter-to-the-secretary-recommendations-regarding-privacy-and-confidentiality-in-the-nationwide-health-information-network/ Cohn, S. (2008). Individual control of sensitive health information accessible via the Nationwide Health Information Network for purposes of treatment. Retrieved from http://www.ncvhs.hhs.gov/wp-content/uploads/2014/05/080220lt.pdf

  23. Privacy, Confidentiality, and SecurityReferences – Lecture a Continued Conn, J. (2016, February 17). Hospital pays hackers $17,000 to unlock EHRs frozen in “ransomware” attack. Modern Healthcare. Retrieved from http://www.modernhealthcare.com/article/20160217/ NEWS/160219920 Detmer, D. (2010). Activating a full architectural model: Improving health through robust population health records. Journal of the American Medical Informatics Association, 17, 367–369. El Emam, K., Neri, E., & Jonker, E. (2007). An evaluation of personal health information remnants in second-hand personal computer disk drives. Journal of Medical Internet Research, 9(3), e24. El Emam, K., Neri, E., Jonker, E., Sokolova, M., Peyton, L., Neisa, A., & Scassa, T. (2010). The inadvertent disclosure of personal health information through peer-to-peer file sharing programs. Journal of the American Medical Informatics Association, 17, 148–158. European Commission. (2016, February 29). European Commission unveils EU-U.S. privacy shield. Retrieved from http://ec.europa.eu/justice/newsroom/data-protection/news/160229_en.htm European Commission. (2016, March 23). Protection of personal data. Retrieved from http://ec.europa.eu/justice/data-protection/index_en.htm Gostin, L., & Hodge, J. (2002). Personal privacy and common goods: a framework for balancing under the national health information privacy rule. Minnesota Law Review, 86, 1439–1479. Retrieved from http://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?article=1086&context=facpub Hall, M., & Schulman, K. (2009). Ownership of medical information. JAMA, 301, 1282–1284. Retrieved from http://jamanetwork.com/journals/jama/article-abstract/183601

  24. Privacy, Confidentiality, and SecurityReferences – Lecture a Continued 2 HealthIT.gov. (2013). Federal-state healthcare coordination: Health information security and privacy collaboration (HISPC). Retrieved from https://www.healthit.gov/policy-researchers-implementers/health-information-security-privacy-collaboration-hispc HealthIT.gov. (2016). Your health information rights. Retrieved from https://www.healthit.gov/patients-families/your-health-information-rights HIMSS (Healthcare Information and Management Systems Society). (2015). 2015 HIMSS security survey. Retrieved from http://www.himss.org/2015-cybersecurity-survey (full report limited to members only; executive summary available free to download). Hodge, J., Gostin, L., & Jacobson, P. (1999). Legal issues concerning electronic health information: Privacy, quality, and liability. JAMA, 282, 1466–1471. Keteyian, A. (2010, April 15). Digital photocopiers loaded with secrets. CBS News. Retrieved from http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml Kutscher, B. (2016, March 3). Healthcare underspends on cybersecurity as attacks accelerate. Modern Healthcare. Retrieved from http://www.modernhealthcare.com/article/20160303/NEWS/ 160309922/healthcare-underspends-on-cybersecurity-as-attacks-accelerate Lee, C., & Goldfarb, Z. (2006, June 30). Stolen VA laptop and hard drive recovered. Washington Post, p. A01. Retrieved from http://www.washingtonpost.com/wp-dyn/content/article/2006/06/29/ AR2006062900352.html Lumley, T., & Rice, K. (2010). Potential for revealing individual-level information in genome-wide association studies. JAMA, 303, 859–860.

  25. Privacy, Confidentiality, and SecurityReferences – Lecture a Continued 3 Malin, B., & Sweeney, L. (2005). How (not) to protect genomic data privacy in a distributed network: Using trail re-identification to evaluate and design anonymity protection systems. Journal of Biomedical Informatics, 37, 179–192. McGuire, A., & Gibbs, R. (2006). No longer de-identified. Science, 312, 370–371. Milken Institute School of Public Health. (2012). Who owns medical records: 50 state comparison. Retrieved from http://www.healthinfolaw.org/comparative-analysis/who-owns-medical-records-50-state-comparison Munro, D. (2015, Dec. 31). Data breaches in healthcare totaled over 112 million records in 2015. Forbes, Pharma & Healthcare. Retrieved from http://www.forbes.com/sites/danmunro/2015/ 12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#356bb7337fd5 Orcutt, M. (2015, Dec. 23) 2015 could be the year of the hospital hack. MIT Technology Review. Retrieved from https://www.technologyreview.com/s/533631/2015-could-be-the-year-of-the-hospital-hack Patient Privacy Rights Foundation. (n.d.). Patient privacy rights. Retrieved from https://patientprivacyrights.org Perma, Gabriel. (2015, Feb. 5). Anthem hit by large data breach. Healthcare Informatics. Retrieved from http://www.healthcare-informatics.com/news-item/anthem-hit-large-data-brach Ponemon Institute. (2015). Fifth annual benchmark study on privacy and security of healthcare data. Retrieved from https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data

  26. Privacy, Confidentiality, and SecurityReferences – Lecture a Continued 4 Pritts, J., & Connor, K. (2007). The implementation of e-consent mechanisms in three countries: Canada, England, and the Netherlands. Washington, DC: Substance Abuse and Mental Health Services Administration. Retrieved from http://ihcrp.georgetown.edu/pdfs/prittse-consent.pdf Privacy Rights Clearinghouse. (2005). Chronology of data breaches. Retrieved from http://www.privacyrights.org/data-breach Privacy Rights Clearinghouse. (2014). Fact sheet 8c: The HIPAA privacy rule: Patients’ rights. Retrieved from https://www.privacyrights.org/content/hipaa-privacy-rule-patients-rights Rodwin, M. (2009). The case for public ownership of patient data. JAMA, 302, 86–88. Rojas-Burke, J. (2006). Providence critics push for safer records. The Oregonian. Rothstein, M., & Talbott, M. (2006). Compelled disclosure of health information: Protecting against the greatest potential threat to privacy. JAMA, 295, 2882–2885. Sequoia Project. (2016). Data use and reciprocal support agreement (DURSA). Retrieved from http://sequoiaproject.org/ehealth-exchange/onboarding/dursa Sweeney, L. (1997). Guaranteeing anonymity when sharing medical data: The Datafly System. Proceedings of the 1997 AMIA Annual Fall Symposium, Nashville, TN, 51–55. Sweeney, L. (2002). k-Anonymity: A model for protecting privacy. International Journal on Uncertainty, Fuzziness, and Knowledge-based Systems, 10(5), 557–570. TEDx Talks (2104). Designing technology to restore privacy: Deborah C. Peel, MD at TEDxTraverseCity [Video File] Retrieved from https://www.youtube.com/watch?v=f1JPjLCxPFQ

  27. Privacy, Confidentiality, and SecurityReferences – Lecture a Continued 5 Tufts University School of Medicine. (2009). Declaration of health data rights. Retrieved from https://sites.tufts.edu/prep/2009/07/07/declaration-of-health-data-rights U.S. Department of Health and Human Services (HHS). (2016a). Breaches affecting 500 or more individuals. Retrieved from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf U.S. Department of Health and Human Services (HHS). (2016b). Improper disclosure of research participants’ protected health information results in $3.9 million HIPAA settlement. Retrieved from http://www.hhs.gov/about/news/2016/03/17/improper-disclosure-research-participants-protected-health-information-results-in-hipaa-settlement.html# White House Office of the Press Secretary. (2015) Fact sheet: President Obama’s precision medicine initiative. Retrieved from https://www.whitehouse.gov/the-press-office/2015/01/30/fact-sheet-president-obama-s-precision-medicine-initiative Wright, A., & Sittig, D. (2007a). Encryption characteristics of two USB-based personal health record devices. Journal of the American Medical Informatics Association, 14, 397-399. Wright, A., & Sittig, D. (2007b). Security threat posed by USB-based personal health records. Annals of Internal Medicine, 146, 314–315. Tables, Charts, Figures 9.1 Figure 1 Adapted from Sweeney, L. (1997). Guaranteeing anonymity when sharing medical data, the Datafly System. Proceedings of the 1997 AMIA Annual Fall Symposium, Nashville, TN, 51–55.

  28. The Culture of Health CarePrivacy, Confidentiality, and SecurityLecture a This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015. This material was updated in 2016 by Bellevue College under Award Number 90WT0002.

More Related