
Privacy/Security of Healthcare Information



  1. Privacy/Security of Healthcare Information
     A Comprehensive Legislative Analysis
     Daniel Ruskin, Fall 2018 // CSE-5810, daniel.ruskin@uconn.edu

  2. Motivation
     • Americans are not confident in healthcare data security
       • 70% of individuals concerned about privacy/security of medical records (ONC, 2015)
     • Lack of confidence stems from a real problem
       • 26,000 privacy/security breaches uncovered by HHS in last 15 years (HHS, 2018)
       • Many medical providers, insurance companies, employers, etc. do not have effective security programs

  3. Motivation
     • Privacy/security breaches have always been a problem in healthcare
     • Recently aggravated by rise of Electronic Healthcare Records (EHR)
       • EHR has a higher threat surface than paper records
     • Takeaway: healthcare privacy/security is more important than ever today. So how do we prevent breaches?

  4. Laws/Regulations
     • A number of laws and regulations have attempted to address privacy/security breaches
     • General approach: regulate use and disclosure of healthcare information
       • Use: How can I use healthcare information to run my business?
       • Disclosure: Who can I disclose healthcare information to?
     • Difference between law vs. regulation
       • Regulations implement laws

  5. Laws/Regulations
     • We will cover four major laws/regulations
       • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
       • Genetic Information Nondiscrimination Act of 2008 (GINA)
       • 42 C.F.R. Part 2
       • Federal Policy for the Protection of Human Subjects (the Common Rule)

  6. HIPAA: Motivation
     • Before HIPAA, healthcare billing plagued by inefficiencies
       • Paper billing
       • “Local code” system (Hartley & Jones, 2014)
     • Industry/government established Workgroup for Electronic Data Interchange (WEDI) in 1991
       • Task: investigate universal, standardized electronic billing system

  7. HIPAA: Motivation
     • WEDI reports published in 1992, 1993
     • Provided comprehensive plan to implement electronic billing, including:
       • Implementation guides
       • Network architectures
     • WEDI’s report was primarily technical, but also included legislative recommendations
       • Ex: how to incentivize use of new system; how to protect data privacy/security
     • Foundation of HIPAA

  8. HIPAA: General Context
     • HIPAA passed 1996 in response to WEDI report
     • HIPAA authorized the creation of 5 regulations by HHS
       • Privacy Rule
       • Security Rule
       • Breach Notification Rule
       • (and others)

  9. HIPAA: General Context
     • HIPAA regulates the use, disclosure, and security of Protected Health Information (PHI)
       • PHI = most individually identifiable healthcare information
     • HIPAA applies to Covered Entities
       • Healthcare Providers, Healthcare Plans, Healthcare Clearinghouses
     • HIPAA applies to Business Associates
       • Anyone who handles PHI on behalf of a Covered Entity

  10. HIPAA: Privacy Rule
     • Outlines exactly how PHI can be used and how PHI can be disclosed
       • “When must PHI be used or disclosed?” (mandated uses/disclosures)
       • “When can PHI be used or disclosed?” (allowed uses/disclosures)
       • “When can PHI not be used or disclosed?” (prohibited uses/disclosures)

  11. HIPAA: Privacy Rule
     • Mandated Uses and Disclosures
       • Disclosures to HHS for violation investigations (45 C.F.R. § 164.502)
       • Disclosures to patients upon request (45 C.F.R. § 164.524)

  12. HIPAA: Privacy Rule
     • Allowed Uses and Disclosures
       • 1: Uses and disclosures allowed per explicit patient consent (45 C.F.R. § 164.508)
       • 2: Uses and disclosures for Treatment, Payment, and Healthcare Operations (45 C.F.R. § 164.502)
       • 3: Uses and disclosures of an incidental nature (45 C.F.R. § 164.502)
       • 4: Uses and disclosures to family, friends, disaster relief agencies (45 C.F.R. § 164.510)
       • 5: Uses and disclosures that serve the public interest (45 C.F.R. § 164.502)
       • 6: Uses and disclosures allowed per Business Associate contract (45 C.F.R. § 164.502)

  13. HIPAA: Privacy Rule
     • Prohibited Uses and Disclosures
       • Any use/disclosure that is not statutorily required or permitted (45 C.F.R. § 164.530)
       • Certain other specific edge cases, i.e. any use/disclosure for health insurance underwriting (i.e. determining premiums) (45 C.F.R. § 164.502)

  14. HIPAA: Security Rule
     • Outlines security measures/standards to protect PHI
       • Goal: prevent uses/disclosures not authorized under Privacy Rule
     • Provides administrative, physical, and technical standards
     • Addressable Standards vs. Required Standards
       • Flexibility of implementation

  15. HIPAA: Security Rule
     • Full analysis of standards beyond scope of this presentation
     • Examples
       • Administrative: CEs/BAs must generate and review PHI audit/access logs (45 C.F.R. § 164.308)
       • Physical: CEs/BAs must wipe hard drives before disposal/reuse (45 C.F.R. § 164.310)
       • Technical: CEs/BAs must have disaster/emergency recovery plan (45 C.F.R. § 164.312)

  16. HIPAA: Breach Notification Rule
     • Breach Notification Rule dictates how to handle unauthorized uses/disclosures
       • In other words, what happens when the Privacy Rule is violated
     • Goal: prevent breaches from being “swept under the rug”

  17. HIPAA: Breach Notification Rule
     • After an unauthorized use/disclosure, CEs/BAs must make several notifications (45 C.F.R. § 164.402)
       • Individuals whose PHI was disclosed
       • HHS
       • The news media (if breach affects more than 500 people)
     • Exceptions
       • Breach that is unlikely to compromise PHI (i.e. encrypted PHI) (45 C.F.R. § 164.402)
       • Innocuous breaches involving only honest employees (45 C.F.R. § 164.402)

  18. HIPAA: Analysis
     • HIPAA and related legislation brought about rise of EHR
       • Over $30 billion in incentive programs made it lucrative for CEs/BAs to adopt EHR
       • Ex: $2m+ for each hospital that satisfies “meaningful use” requirements for EHR
       • Ex: Penalties for hospitals that do not adopt EHR, such as reduced Medicare payments
     • HIPAA and related legislation brought about the safe rise of EHR
       • Prevented breaches before they could occur
       • But also represents substantial compliance burden

  19. HIPAA: Analysis
     • HIPAA brought about substantial protections for patients
       • Right of Access rule
       • PHI cannot be used for discriminatory purposes (i.e. underwriting)
       • Established process for research disclosures

  20. HIPAA: Analysis
     • Is HIPAA good or bad for CEs/BAs? Depends on who you ask.
       • Compliance burden has negative financial impact (Khansa et al., 2012)
       • Reduced data breaches have positive financial impact (Gatzlaff & McCullough, 2010)
       • Maybe we should focus more on non-financial impacts, i.e. EHR and HIPAA compliance is an investment (Hartley & Jones, 2003)
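Slide 15 lists "generate and review PHI audit/access logs" as an administrative safeguard but does not show what a review looks like in practice. The following is an added example, not code from the presentation or from HHS: a small log-review routine run over constructed sample access-log lines. The log format (timestamp, user, role, patient record id, action), the `CARE_TEAM` assignment table, the working-hours window and the bulk-export threshold are all assumptions chosen for the illustration; the Security Rule itself does not prescribe any of them.

```python
"""Added example (not from the original presentation): a minimal PHI
access-log review illustrating the HIPAA Security Rule audit-control
expectation that Covered Entities / Business Associates generate and
review access logs.  Log format, field names, care-team table and the
three review rules are assumptions for the illustration."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: timestamp, user, role, patient record id, action
SAMPLE_LOG = """\
2018-10-01T09:12:04 dr_alvarez physician P1001 VIEW
2018-10-01T09:15:30 nurse_kim nurse P1001 VIEW
2018-10-01T23:41:12 billing_ray billing P2042 VIEW
2018-10-02T02:10:55 dr_alvarez physician P3000 VIEW
2018-10-02T10:00:01 admin_lee admin P1001 EXPORT
2018-10-02T10:00:02 admin_lee admin P1002 EXPORT
2018-10-02T10:00:03 admin_lee admin P1003 EXPORT
2018-10-02T10:00:04 admin_lee admin P1004 EXPORT
2018-10-02T10:00:05 admin_lee admin P1005 EXPORT
2018-10-02T10:00:06 admin_lee admin P1006 EXPORT
"""

# Assumed treatment relationships: which clinical staff are assigned to which patient
CARE_TEAM = {
    "P1001": {"dr_alvarez", "nurse_kim"},
    "P2042": {"dr_alvarez"},
}

CLINICAL_ROLES = ("physician", "nurse")
WORK_HOURS = range(7, 19)  # assumed 07:00 to 19:00 local time


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse the whitespace-separated sample format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def review(events, bulk_threshold=5):
    """Return a list of (rule, user, detail) findings for a reviewer to triage.

    Rules (all assumed for the illustration):
      no_treatment_relationship: clinical user viewing a patient not on their care team
      after_hours:               any access outside WORK_HOURS
      bulk_export:               a single user exporting >= bulk_threshold records
    """
    findings = []
    exports_by_user = {}
    for e in events:
        if e.role in CLINICAL_ROLES and e.user not in CARE_TEAM.get(e.patient, set()):
            findings.append(("no_treatment_relationship", e.user, e.patient))
        if e.ts.hour not in WORK_HOURS:
            findings.append(("after_hours", e.user, e.ts.isoformat()))
        if e.action == "EXPORT":
            exports_by_user[e.user] = exports_by_user.get(e.user, 0) + 1
    for user, count in exports_by_user.items():
        if count >= bulk_threshold:
            findings.append(("bulk_export", user, str(count)))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:28} {user:12} {detail}")
```

The point of the example is the review step, not the rules themselves: generating logs satisfies only half of the safeguard, and a periodic pass like `review()` is what turns the log into something a privacy officer can act on. In a real deployment the care-team table would come from the scheduling or EHR system rather than a literal dictionary, and each finding would be routed to a reviewer rather than printed.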

  21. GINA: Motivation
     • By 1990s, research community realized importance of genetic testing
       • Ex: personalized medicine
     • Many researchers wanted to conduct studies, but patients were hesitant to participate
       • Fear: “If a study reveals that I have an unlucky gene, will I lose my job or health insurance?”
     • Senate Committee on Health, Education, Labor, and Pensions investigated
       • 63% of individuals would not take genetic test if employer, health insurer could view (S. Rep. No. 110-48, 2007)

  22. GINA: Description
     • Genetic Information Nondiscrimination Act (GINA) passed in 2008
     • Goal: address public fears of genetic discrimination
       • Increase participation in important genetics research
     • Applies to health insurance companies and employers
       • GINA Entities

  23. GINA: Description
     • Prohibits GINA Entities from knowingly obtaining genetic information
       • Genetic tests of a patient
       • Genetic tests of a patient’s family
       • Disease history of family
       • (42 U.S.C. § 2000ff)

  24. GINA: Description
     • Prohibits GINA Entities from discriminating based on genetic information
       • Ex: employers cannot deny someone a job
       • Ex: health insurance companies cannot raise premiums
       • (42 U.S.C. § 2000ff)

  25. GINA: Analysis
     • GINA unique in that it prevented discrimination before it occurred
       • Addressed fears of discrimination vs. discrimination itself
       • “Most anti-discrimination legislation addresses patterns of past discrimination. GINA, however, is meant to prevent genetic discrimination from occurring in the future, since there is only limited evidence that it is currently a problem” (Feldman, 2012)
       • Ex: ADA
     • Addressed public fears at the time
     • Drastically limits health insurance underwriting

  26. GINA: Analysis
     • Some have raised concerns about effectiveness of GINA
       • Ex: GINA does not cover an individual’s manifest disease (Green et al., 2015)
       • Ex: GINA only applies to health insurance companies (not life, LTC) (Green et al., 2015)

  27. GINA: Analysis
     • Is GINA duplicative of ACA, ADA?
       • ACA also prevents health insurance companies from using genetic information
       • ADA also prevents (most) employer discrimination based on genetic information
     • Regardless, anti-discrimination is a legislative/regulatory priority
       • ACA, ADA, GINA, etc.

  28. 42 C.F.R. Part 2: Motivation
     • Drug abuse crisis is a hot-button issue, and has been for many years
       • In 1969, 48% of Americans thought that “drug use was a serious problem in their community” (Robison, 2002)
     • Many solutions have been proposed/implemented
       • Free treatment programs
       • Harm reduction programs (i.e. free needles)
       • Aggressive and/or reduced law enforcement
     • Best long-term solution: effective treatment

  29. 42 C.F.R. Part 2: Motivation
     • Problem: substance abusers are often hesitant to seek out treatment
       • Afraid that treatment information will be provided to law enforcement
     • Congress passed 42 C.F.R. Part 2 in 1974 to address this fear
       • Goal: guarantee that substance abusers will not be punished for treatment

  30. 42 C.F.R. Part 2: Description
     • Restricts use and disclosure of substance abuse treatment information (SATI)
       • Analogous to HIPAA Privacy Rule
     • SATI generally cannot be released without written consent of patient
     • SATI can never be provided to law enforcement (LE)
       • Even if LE obtains SATI, generally cannot use for criminal proceedings (42 U.S.C. § 290dd–2)

  31. 42 C.F.R. Part 2: Description
     • Also specifies a number of security measures for SATI (42 C.F.R. § 2.16)
       • Analogous to HIPAA Security Rule
       • Ex: paper records must be stored in locked room
       • Ex: electronic records must be wiped from hard drives before reuse

  32. 42 C.F.R. Part 2: Description
     • Part 2 applies only to specific covered entities (like HIPAA)
       • Federally funded treatment orgs (Part 2 Programs)
       • Contractors of Part 2 Programs
       • Researchers who receive information from Part 2 Programs
       • Etc.

  33. 42 C.F.R. Part 2: Analysis
     • Practical effect is similar to HIPAA, but substantially more strict
       • Written patient consent required for almost all disclosures, even TPO disclosures
     • Poses substantial compliance burden
       • “Compliance with federal confidentiality regulations prohibiting unauthorized release of information on treatment for alcohol and drug use disorders [Part 2] effectively requires a separate record for alcohol and drug treatment and may inhibit coordination and integration of care” (McCarty et al., 2017, emphasis mine)

  34. 42 C.F.R. Part 2: Analysis
     “The 42 CFR part 2 regulations are awful. We need practice standards that allow us to share patient information without violations of HIPAA and 42 CFR. Community health workers meet frequently to discuss patients with providers. I can’t be in the room because I am sure there are violations.”
     (Quote from executive director of Part 2 Program; McCarty et al., 2017)

  35. 42 C.F.R. Part 2: Analysis
     • Overdose Prevention and Patient Safety Act aims to address complaints
       • Currently pending in Congress
       • Supported by American Hospital Association (improve coordination of care)
       • Opposed by some addiction advocacy organizations (neuter Part 2 protections)

  36. Common Rule: Motivation
     • History is marked with disturbing ethical breaches in research
       • Ex: Nazi “research” studies (15,754 victims) (Weindling, 2016)
       • Ex: “The Tuskegee Study of Untreated Syphilis in the Negro Male” (399 victims) (Breault, 2006)
     • Until 1962, no laws in America to regulate research ethics
       • 1962 marked first research ethics regulation, regulated FDA-funded research (Breault, 2006)
       • 1962-1974 marked a number of similar agency-siloed regulations

  37. Common Rule: Motivation
     • Agency-specific regulations were inconsistent, difficult to comply with
       • Ethics rules changed based on funding sources
       • Ex: FDA-funded studies regulated differently than NIH-funded studies
     • Congress passed National Research Act in 1974 to begin a solution
       • Created the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research
       • Goal of this group: develop unified research ethics regulation
       • Famous Belmont Report published in 1978

  38. Common Rule: Description
     • Federal Policy for the Protection of Human Subjects passed in 1991
       • Implemented recommendations in Belmont Report
       • Also called the Common Rule
     • Common Rule outlines extensive research ethics rules
       • Specifies data privacy/security requirements, but vague

  39. Common Rule: Description
     • Common Rule requires:
       • “there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data [in research studies]” (45 C.F.R. § 46.111)
     • What is “adequate”?
       • HHS directed to issue guidance, but they have not yet done so
       • Left up to Institutional Review Boards (group responsible for approving studies)

  40. Common Rule: Analysis
     • Researchers now must take data privacy/security into account
       • But exact requirements are vague, left up to individual IRBs
     • Common Rule only applies to federally-funded research studies
       • Research funded entirely by private sector is not covered
       • Partially resolved via Federalwide Assurances (FWAs), but still a serious loophole (Breault, 2006)

  41. Common Rule: Analysis
     • Common Rule does not intersect well with HIPAA
       • Ex: HIPAA allows for pre-IRB-review study recruitment, Common Rule does not
       • Ex: Common Rule only covers living individuals; HIPAA covers decedents as well
     • Inconsistencies make compliance difficult

  42. Common Rule: Analysis
     “[At] best, the current language and interpretations of the Common Rule and Privacy Rule are confusing and the source of much misunderstanding. At worst, in several key places the rules diverge to create gaps in basic privacy protections or burden researchers in ways that are not justified by a commensurate increase in privacy protection” (Rothstein, 2005)

  43. Overall Analysis: Regulatory Flaws
     • Healthcare legislation is fairly comprehensive, but there are flaws
       • Ex: HIPAA compliance is costly
       • Ex: GINA does not apply to life, LTC insurance
       • Ex: Part 2 does not have TPO exception
       • Ex: Common Rule does not apply to most non-federally-funded research

  44. Overall Analysis: Regulatory Flaws
     • Thought Experiment: Are there any healthcare institutions that:
       • Are not HIPAA Covered Entities or Business Associates,
       • Are not GINA Entities,
       • Are not Part 2 Programs, and
       • Are not researchers covered under the Common Rule?
     • Yes: non-traditional medical providers

  45. Overall Analysis: Non-Traditional Medical Providers
     “There are numerous daily sources of medical and health data outside of HIPAA protection. These include credit card payments for physician visit co-pays, purchase of over the counter (OTC) medications, home testing products, tobacco products, health foods, items related to disabilities, and visits to alternative practitioners. People also volunteer medical information online by searching for disease information, discussing their medical experiences in emails, blogs, chat groups, or social media sites including those dedicated to specific illnesses, or by calls to toll-free numbers” (Glenn & Monteith, 2014)

  46. Overall Analysis: Non-Traditional Medical Providers
     • Particularly impactful example: Home Genetic Testing (i.e. 23andMe)
       • Over 1 in 25 American adults have requested a home genetic test (Regalado, 2018)
     • But laws have not yet caught up.
       • HIPAA, GINA, Part 2, Common Rule do not apply to home genetic testing
       • FTC can regulate, but to a very limited extent: must demonstrate “unfair” practices

  47. Overall Analysis: Non-Traditional Medical Providers
     “Customers are wrong to think their information is safely locked away. It's not; it's getting sold far and wide. … Genetic testing has tremendous benefits. We are provided a closer look at our own biology. Medical researchers develop a deeper understanding of the origins of disease and can create powerful new treatments. But today, far too many donors are operating under a false sense of security, handling profoundly intimate data without appropriate protections” (Pitts, 2017)

  48. Summary
     • We analyzed the four major healthcare laws/regulations in detail
       • HIPAA
       • GINA
       • Part 2
       • Common Rule
     • These regulations are fairly comprehensive, but have flaws and coverage gaps
       • Must be corrected over time by Congress (laws) and federal agencies (regulations)

  49. References (1/2)
     S. Rep. No. 110-48 (2007).
     29 U.S.C. § 18-1191b.
     42 C.F.R. §§ I-2.1-2.67.
     42 U.S.C. §§ 21F-2000ff-2000ff-11.
     42 U.S.C. § 6A-290dd–2.
     45 C.F.R. §§ A-160.101-160.552.
     45 C.F.R. §§ A-164.102-164.534.
     45 C.F.R. §§ A-46.101-46.505.
     American Hospital Association. (2018, June 20). HR 6082 Letter To House [Letter to United States House of Representatives]. Washington, DC.
     Breault, J. L. (2006). Protecting Human Research Subjects: The Past Defines the Future. The Ochsner Journal.
     Centers for Disease Control and Prevention. (n.d.). Tuskegee Study - Timeline - CDC - NCHHSTP. Retrieved October 19, 2018, from https://www.cdc.gov/tuskegee/timeline.htm
     Centers for Medicare and Medicaid Services. (2014, July 02). Administrative Simplification Compliance Act Self Assessment. Retrieved from https://www.cms.gov/Medicare/Billing/ElectronicBillingEDITrans/ASCASelfAssessment.html
     United States. (1974). Comprehensive alcohol abuse and alcoholism prevention, treatment, and rehabilitation act of 1970, as amended, including changes made by Public Law 93-282, May 14, 1974: Prepared for the Subcommittee on Alcoholism and Narcotics of the Committee on Labor and Public Welfare, United States Senate. Washington: U.S. Govt. Print. Off.
     Department of Health and Human Services, et al. (2017). Federal Policy for the Protection of Human Subjects (12th ed., Vol. 82, Rules and Regulations) (United States). Washington, D.C.: U.S. Govt. Print. Off.
     Faces & Voices of Recovery. (2017, August 18). Statement Opposing the Overdose Prevention and Patient Safety Act (HR 3545). Retrieved October 19, 2018, from https://facesandvoicesofrecovery.org/get-involved/action-alerts.html/title/statement-opposing-the-overdose-prevention-and-patient-safety-act-hr-3545-
     Feldman, E. A. (2012). The Genetic Information Nondiscrimination Act (GINA): Public Policy and Medical Practice in the Age of Personalized Medicine. Journal of General Internal Medicine, 27(6), 743-746. doi:10.1007/s11606-012-1988-6
     Galea, S., & Tracy, M. (2007). Participation Rates in Epidemiologic Studies. Annals of Epidemiology, 17(9), 643-653. doi:10.1016/j.annepidem.2007.03.013
     Gallup, Inc. (n.d.). Confidence in Institutions. Retrieved October 19, 2018, from https://news.gallup.com/poll/1597/confidence-institutions.aspx
     Gatzlaff, K. M., & McCullough, K. A. (2010). The Effect of Data Breaches on Shareholder Wealth. Risk Management and Insurance Review, 13(1), 61-83. doi:10.1111/j.1540-6296.2010.01178.x
     Glenn, T., & Monteith, S. (2014). Privacy in the Digital World: Medical and Health Data Outside of HIPAA Protections. Current Psychiatry Reports, 16(11). doi:10.1007/s11920-014-0494-4
     Green, R. C., Lautenbach, D., & McGuire, A. L. (2015). GINA, Genetic Discrimination, and Genomic Medicine. The New England Journal of Medicine.
     Hartley, C., & Jones, E. (2003). HIPAA Plain and Simple: A Compliance Guide for Healthcare Professionals (1st ed.). Chicago: American Medical Association.
     Hartley, C., & Jones, E. (2011). HIPAA plain & simple: A health care professionals guide to achieve HIPAA and HITECH compliance. Chicago: American Medical Association.
     Hartley, C., & Jones, E. (2014). HIPAA plain and simple: After the final rule. Chicago: AMA, American Medical Association.
     Hazel, J., & Slobogin, C. (2018). Who Knows What, and When?: A Survey of the Privacy Policies Proffered by U.S. Direct-to-Consumer Genetic Testing Companies. Cornell Journal of Law and Public Policy.
     Jha, A. K. (2010). Meaningful Use of Electronic Health Records, The Road Ahead. The Journal of the American Medical Association.

  50. References (2/2)
     Khansa, L., Cook, D. F., James, T., & Bruyaka, O. (2012). Impact of HIPAA provisions on the stock market value of healthcare institutions, and information security and other information technology firms. Computers & Security, 31(6), 750-770. doi:10.1016/j.cose.2012.06.007
     Lazer, D., Kennedy, R., King, G., & Vespignani, A. (2014). The Parable of Google Flu: Traps in Big Data Analysis. Science, 343(6176), 1203-1205. doi:10.1126/science.1248506
     McCarty, D., Rieckmann, T., Baker, R. L., & McConnell, K. J. (2017). The Perceived Impact of 42 CFR Part 2 on Coordination and Integration of Care: A Qualitative Analysis. Psychiatric Services, 68(3), 245-249. doi:10.1176/appi.ps.201600138
     Overdose Prevention and Patient Safety Act, H.R. 6082, 115th Cong. (2018).
     Patel, V., Hughes, P., Savage, L., & Barker, W. (n.d.). Individuals’ Perceptions of the Privacy and Security of Medical Records (Vol. 27, ONC Data Brief) (United States of America, The Office of the National Coordinator for Health Information Technology).
     Pitts, P. (2017, February 15). The Privacy Delusions Of Genetic Testing. Forbes.
     Polito, C. C., Cribbs, S. K., Martin, G. S., O’Keeffe, T., Herr, D., Rice, T. W., & Sevransky, J. E. (2014). Navigating the Institutional Review Board Approval Process in a Multicenter Observational Critical Care Study. Critical Care Medicine, 42(5), 1105-1109. doi:10.1097/ccm.0000000000000133
     Regalado, A. (2018, February 12). 2017 was the year consumer DNA testing blew up. MIT Technology Review.
     Robison, J. (2002, July 02). Decades of Drug Use: Data From the '60s and '70s. Retrieved from https://news.gallup.com/poll/6331/decades-drug-use-data-from-60s-70s.aspx
     Rothstein, M. A. (2005). Research Privacy Under HIPAA and the Common Rule. The Journal of Law, Medicine & Ethics.
     Sarata, A. K., DeBergh, J. V., & Staman, J. (2011). The Genetic Information Nondiscrimination Act of 2008 and the Patient Protection and Affordable Care Act of 2010: Overview and Legal Analysis of Potential Interactions (Rep.).
     Surescripts Homepage. (n.d.). Retrieved from https://surescripts.com/
     The Office of the National Coordinator for Health Information Technology. (2018, September 05). Health IT Quick Stats. Retrieved October 19, 2018, from https://dashboard.healthit.gov/quickstats/quickstats.php
     The Office of the National Coordinator for Health Information Technology. (2015, June 01). ONC Data Brief No. 27. Retrieved October 19, 2018, from https://www.healthit.gov/sites/default/files/briefs/oncdatabrief27june2015privacyandsecurity.pdf
     U.S. Department of Health and Human Services. (2015, November 06). Methods for De-identification of PHI. Retrieved October 19, 2018, from https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
     U.S. Department of Health and Human Services. (2018, July 31). Numbers at a Glance. Retrieved October 19, 2018, from https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/numbers-glance/index.html
     U.S. Department of Health and Human Services. (2018, June 13). Research. Retrieved from https://www.hhs.gov/hipaa/for-professionals/special-topics/research/index.html
     University of California, Irvine. (n.d.). Data Security. Retrieved from https://www.research.uci.edu/compliance/human-research-protections/researchers/data-security.html
     University of Pittsburgh. (n.d.). Electronic Data Security. Retrieved from https://www.irb.pitt.edu/electronic-data-security
     Weindling, P., Villiez, A. V., Loewenau, A., & Farron, N. (2016). The victims of unethical human experiments and coerced research under National Socialism. Endeavour, 40(1), 1-6. doi:10.1016/j.endeavour.2015.10.005
