Health Care: Privacy in a Digital Age - PowerPoint PPT Presentation

Title: No Slide Title Author: aranosid Last modified by: Information Services Created Date: 9/3/1999 9:07:58 PM Document presentation format: On-screen Show – PowerPoint PPT presentation

1
Health Care: Privacy in a Digital Age
  • Concordia School of Management
  • October 18, 2001
  • Chris Apgar, Data Security & HIPAA Compliance
    Officer
  • Providence Health Plans

2
Presentation Overview
  • Electronic Records & You
  • Risks & Valid Concerns
  • Legal Protections
  • Providence Health Plan - Case Study
  • Tips for Protecting Privacy
  • Resources
  • Q&A

3
Electronic Records & You
  • Health care information users
  • Providers (i.e., doctors, chiropractors, EAP,
    etc.)
  • Health insurance companies
  • Government & government contractors
  • Third parties (i.e., billing services, medical
    management, etc.)
  • How much control do you really have?
  • Marketing, research and other hidden uses

4
Electronic Records & You
  • Moving information around
  • E-mail
  • FTP (file transfer protocol)
  • Other forms of magnetic media
  • US Postal Service and other carriers
  • Secure web sites & other forms of secure
    messaging
  • Storage and internal organization information
    transfer

5
Risks & Valid Concerns
  • Unprotected Internet
  • Web browsing cookies - tracking your travel
  • Authentication or who can look at my record
  • Networks, firewalls and the lack thereof
  • Inappropriate information use for marketing and
    other sales activities
  • Government, courts and data sharing

6
Risks & Valid Concerns
  • Hackers and other illegal activity
  • Internal mischief or the disgruntled employee
  • Carelessness or my record on the counter
  • Lack of physical security (it's not locked up)
  • Lack of defined policies, confidentiality
    practices, etc.

7
Legal Protections
  • Oregon statute & rule
  • Health Information Portability & Accountability
    Act of 1996 (HIPAA)
  • Gramm-Leach-Bliley Act
  • Children's On-line Privacy Protection Rule
  • Other federal statute & rule
  • Litigation

8
Legal Protections: HIPAA Example
  • Privacy
  • Release of information
  • Consent form for treatment, billing & healthcare
    operations
  • Only providers required to obtain consent
  • Consent revocation & what it means
  • Authorization for all other activities (i.e.,
    some research activities, release to attorney,
    etc.)

9
Legal Protections: HIPAA Example
  • Privacy
  • Vendor & business associate agreements
  • Business associates definition (versus covered
    entities governed by HIPAA)
  • Business associate in practice covered by HIPAA
    Administrative Simplification privacy
    requirements
  • Required to assess compliance requirements and
    document
  • Statutory & rule limitations

10
Legal Protections: HIPAA Example
  • Privacy
  • Access tracking & need to know
  • Does not apply to treatment, billing &
    healthcare operations
  • Yours for the asking
  • Minimum necessary standard
  • Applies to internal & external data access
  • Access defined by role or permissions to use data
  • Appropriate access controls & documentation
    required

11
Legal Protections: HIPAA Example
  • Privacy
  • Member/patient record access & amendment
  • Who owns your medical records?
  • Business associates do not own records
  • Covered entities required to act on requests to
    amend records but not required to make amendments
  • Forms of data or media covered (electronic,
    paper, etc.)

12
Legal Protections: HIPAA Example
Data Security
  • Risk Assessment
  • Policy & procedure development
  • Training & awareness
  • Contingency Plan
  • Information access control (need to know)
  • Audit & certification
  • Documentation
  • Record access (release management & file access)
  • Personnel security & authentication
  • Chain of Trust/Business Associate Agreement
  • Security & privacy management
  • Security incident response
  • Physical security

13
Providence Health Plan - Case Study
  • Security & privacy officers appointed
  • Data security & privacy standards developed &
    implemented
  • Staff training & policies developed &
    communicated
  • Use of firewalls and other tools to protect
    information

14
Providence Health Plan - Case Study
  • On-going network & other access point monitoring
  • Enforcement of secure transfer of information to
    authorized staff and external partners
  • All accessing confidential information legally
    bound to enforce privacy & security
  • Internal & external audit of policies, training
    plan & processes

15
Providence Health Plan - Case Study
  • Collaboration with Providence Health System
  • On-going work with external partners (providers,
    plans, government, etc.)
  • Participation in local and national security/
    privacy forums
  • Privacy & confidentiality - Providence strategic
    objective

16
Tips for Protecting Privacy
  • Talk to your provider and insurance carrier
    (what is their privacy policy, how do they protect
    your confidential health information, etc.)
  • Check out web sites (i.e., security, privacy
    policies, etc.)
  • Cookies and what to do with them

17
Tips for Protecting Privacy
  • Avoid sharing health information over unsecured
    web sites
  • Report on-line privacy violations as appropriate
  • Avoid unsecured e-mail (even with your provider)
  • Periodically request copies of your health record
    from provider and insurance carrier

18
Tips for Protecting Privacy
  • Carefully read consent & authorization forms
    (i.e., information release, purpose of
    confidential data use, etc.)
  • Question if in doubt and avoid signing when
    transmission of your health information is not
    clearly defined
  • Know your rights and exercise them

19
Resources
  • Federal Trade Commission http://www.ftc.gov
  • HIPAA Web Site http://aspe.hhs.gov/admnsimp
  • National Institute of Health (regulatory
    information) http://list.nih.gov
  • Defend Your Medical Data (ACLU)
    http://www.aclu.org/action/medregs/readstories.html

20
Resources
  • Health Privacy Project http://www.healthprivacy.org
  • Department of Health & Human Services Office of
    Civil Rights http://www.os.dhhs.gov/ocr/hipaa
  • American Medical Association Domain of Privacy
    http://www.ama-assn.org/ama/pub/category/3653.html

21
Resources
  • American Psychology Association on Privacy
    http://helping.apa.org/dotcomsense
  • Providence (see privacy statement)
    http://www.providence.org
  • Google (search engine advanced search on
    privacy & health) http://www.google.com

22
Question & Answer
Chris Apgar, Data Security & HIPAA Compliance Officer
Providence Health Plan
3601 SW Murray Blvd., Suite 10
Beaverton, OR 97005
(503) 574-7927 (voice)
(503) 574-8655 (fax)
apgarc_at_providence.org