Privacy - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Privacy & Security at Kaiser Permanente
Real Life Experiences with Data Theft
March 30, 2007
Roger A. Skinner, MHSA, CHC
Kaiser Permanente Northern California Privacy and Security Compliance Officer
2
What is Kaiser Permanente?
  • Kaiser Permanente is a large nation-wide
    organization.
  • 8 regions in 9 states and Washington DC
  • 8.5 million health plan members
  • 37 medical centers and 431 medical office
    buildings
  • 150,000 employees and 12,900 physicians
  • Each region has a health plan and medical group
  • Four regions also have a hospital organization

4
Breach Management Process
Initiation of the Formalized Breach Management Process
  • January 2005: a phone call reported that Kaiser
    Permanente Protected Health Information (PHI) was
    available on the internet
  • Discovery of the incident was reported to a
    regulatory agency
  • The resulting lessons learned and the processes
    created have been actively applied on a
    going-forward basis
  • This led to the formation of the breach management
    process within Kaiser Permanente

5
Breach Management Process
Policy Creation & Adoption
  • Experiences within Kaiser Permanente coupled with
    leadership vision
  • Breach management processes and practices that
    evolved over time were formalized into a
    program-wide policy
  • Notification of privacy incidents to the
    member/patient is the right thing to do
  • Meets the requirements of state law

6
Breach Management Process
Assessment of Data Breaches
  • Factors gathered in the assessment process:
    • Circumstances of the disclosure itself (who,
      what, when, where, why)
    • Number of members/patients whose PHI was involved
    • Listing of the data points exposed for each member
    • Assessment of the impact or potential impact on
      members/patients
    • Other attributes unique to the situation itself

7
Breach Management Process
Notification Audiences
  • Member/Patient
    • Typically a blend of telephone calls and letters
  • Purchaser Groups
    • Contractual obligations to notify purchasers
    • Notification for relationship purposes
  • Regulatory Agencies
    • Federal - Centers for Medicare & Medicaid Services
    • State - Department of Health Services
    • State - Department of Managed Health Care

8
Breach Management Process
Corrective Action Plans
  • For each incident, corrective action plans are
    created
  • Plans are created to address the incident-specific
    issues as well as the root cause
  • Ongoing monitoring of the corrective action plan
    is conducted until all action items are fully
    accomplished
  • Documentation is required to substantiate the
    completion of each item

9
Breach Management Process
Long Term Implications
  • Reputation risks with members/patients,
    purchasers, regulators
  • Adjustments to organizational strategy
  • Increased scrutiny
  • Direct and indirect financial costs

10
Breach Management Process
Case Studies - PHI on the Internet
  • Allegation that PHI was available on the internet
  • Discovery of the incident was reported to a
    regulatory agency
  • Blended notification approach of telephone calls
    and letters
  • Regulatory investigation resulted in a financial
    penalty from the state regulator
  • Negative media
    • Television news story
    • Newspaper
    • Magazine
    • On-line news coverage

11
Breach Management Process
Case Studies - Laptop Theft
  • Laptop containing PHI in a database stolen from a
    medical center
  • Blended notification approach of telephone calls
    and letters
  • Negative media
    • Television news story

12
Breach Management Process
Case Studies - Laptop Theft
  • Laptop stolen that contained elements of PHI
    within two files stored on the hard drive
  • Letters sent to impacted members/patients
  • Inbound telephone calls from affected members to
    answer their questions
  • Negative media
    • Local newspapers
    • Two stories in television news media
    • Trade publications

13
Breach Management Process
Case Studies - Public Presentations
  • Various presentations over time have included
    screenshots of various data systems
  • Some screenshots have included what would appear
    to be live patient data
  • In reality, the data was fictitious
  • New guidance has been communicated to add
    disclaimer language, so that it is clear that
    the data is not live patient data

14
Breach Management Process
Case Studies - Other
  • Additional examples
  • Questions & answers

15
Questions or follow-up?
Roger A. Skinner, MHSA, CHC
roger.skinner_at_kp.org
(510) 625-2413