“emerging privacy and security issues for healthcare”

“Emerging Privacy and Security Issues for Healthcare”. Professor Peter P. Swire, The Ohio State University, Center for American Progress. Sentrigo Webinar, July 16, 2008.

Upload: dominy

Post on 07-Jan-2016


DESCRIPTION

“Emerging Privacy and Security Issues for Healthcare”. Professor Peter P. Swire The Ohio State University Center for American Progress Sentrigo Webinar July 16, 2008. Overview. My background Enforcement for medical privacy & security Trends after 2008 - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: “Emerging Privacy and Security Issues for Healthcare”

“Emerging Privacy and Security Issues for Healthcare”

Professor Peter P. Swire

The Ohio State University

Center for American Progress

Sentrigo Webinar

July 16, 2008

Page 2: “Emerging Privacy and Security Issues for Healthcare”

Overview

My background

Enforcement for medical privacy & security

Trends after 2008

The increased importance of data breach legislation

Celebrity records & protecting against insiders

EHRs, PHRs, and distributed computing for health care

Theme – growing importance of audit & control

Page 3: “Emerging Privacy and Security Issues for Healthcare”

I. My Background

Currently: Professor of Law, Ohio State University; Senior Fellow, Center for American Progress

I live in the DC area

“Privacy Year in Review” distributed to all members of International Association of Privacy Professionals

“Information Privacy” – official book for Certified Information Privacy Professional

www.peterswire.net

Page 4: “Emerging Privacy and Security Issues for Healthcare”

Chief Counselor for Privacy

Office of Management & Budget, 1999 to early 2001

White House coordinator for 1999 proposed & 2000 final HIPAA medical privacy rule

Fall, 1999 – proposed rule

53,000 public comments

December, 2000 – final rule

2002 – revised final rule

2003 – compliance went into effect

Page 5: “Emerging Privacy and Security Issues for Healthcare”

Chief Counselor for Privacy

Many other privacy topics (can be raised in question period, if there is interest)

GLB financial privacy law & rule

Chair, White House Working Group on how to update wiretap & surveillance laws

U.S. government’s own compliance with privacy laws

Encryption policy

Computer security & privacy (FIDNet)

Page 6: “Emerging Privacy and Security Issues for Healthcare”

Health Care since 2001

Advisory board for Sentrigo, health care & database protection

HIPAA implementation, with Morrison & Foerster, LLP

Markle Connecting for Health advisor

Frequent speaker & author on computer security & medical privacy

Page 7: “Emerging Privacy and Security Issues for Healthcare”

I. Enforcement

A slow start to HIPAA privacy and security enforcement

Explicit HHS announcement in first year that the goal was “corrective action” rather than punishment

“One free violation” – HHS regulation says no civil monetary penalties for first violation

Criminal statute narrowly interpreted – only the institution & not the individual

Page 8: “Emerging Privacy and Security Issues for Healthcare”

Shift in Enforcement?

Stronger enforcement statements from HHS – “you’ve had time to comply”

Stricter corrective action – 18% of complaints result now in changes in policies and procedures

Criminal enforcement – new interpretation says employees can be prosecuted

State suits that treat HIPAA as minimum standard of care

Page 9: “Emerging Privacy and Security Issues for Healthcare”

The Numbers on Enforcement

36,000 complaints since 2003

844 complaints in May, 2008

9,548 complaints led to investigation

6,392 of those led to corrective action

435 cases referred to Dept. of Justice for criminal investigation

General trend – enforcers expect more than they used to

Page 10: “Emerging Privacy and Security Issues for Healthcare”

Most Common Investigations

Impermissible uses and disclosures of protected health information (PHI);

Lack of safeguards of PHI;

Lack of patient access to their PHI;

Uses or disclosures of more than the Minimum Necessary PHI; and

Lack of or invalid authorizations for uses and disclosures of protected health information.

Page 11: “Emerging Privacy and Security Issues for Healthcare”

Poll: Has an institution you have worked with had privacy or security complaints to HHS under HIPAA?

1. Yes, 2 or more

2. Yes, 1 that I know of

3. None

4. Don’t know

Page 12: “Emerging Privacy and Security Issues for Healthcare”

What Could Change in 2009?

Because of press & Hill concern about lack of enforcement, some possibilities:

Civil monetary penalties more quickly

More criminal enforcement

Greater staff/budget for enforcement

Increased audits, as CMS has begun under the HIPAA security rule (hired PWC)

Page 13: “Emerging Privacy and Security Issues for Healthcare”

II. State Data Breach Laws

California data breach law in 2003

Focus was on identity theft, such as loss of Social Security number or bank account number

Medical breaches usually not covered, except for loss of SSNs

Notice to individuals whose data was compromised

Page 14: “Emerging Privacy and Security Issues for Healthcare”

Data Breach Laws Spread

Today, over 40 states have data breach laws

Push for federal law, but stalled

ChoicePoint, Veterans’ Administration, and other large breaches listed at www.privacyrights.org

Over 233 million notices sent 2005-2008

Page 15: “Emerging Privacy and Security Issues for Healthcare”

Medical Data Breach

New “trigger” for data breach notification

California strikes again, effective Jan. 2008

Notification required if unauthorized access to unencrypted medical histories, information on mental or physical conditions, and medical treatments and diagnoses

Also for health insurance information

Page 16: “Emerging Privacy and Security Issues for Healthcare”

What Does That Mean to You?

Minnesota & Rhode Island now have medical records trigger

Trend quite possibly will continue

A survey in 2006 by Phoenix Health Systems showed that 39 percent of health care providers and 33 percent of insurers reported security incidents in the previous six months

Many health care organizations could face costly breach & notice requirements

Page 17: “Emerging Privacy and Security Issues for Healthcare”

III. A Special Form of Breach

UCLA fires workers for snooping in Spears files

‘It’s very disappointing,’ says hospital’s human resources director

L.A. Times, March 16, 2008

Page 18: “Emerging Privacy and Security Issues for Healthcare”

Farrah Fawcett

UCLA staffer passed Farrah Fawcett’s medical records to National Enquirer

April 2, 2008

Page 19: “Emerging Privacy and Security Issues for Healthcare”

Meanwhile, in New Jersey …

“Turns out a lot more people than George Clooney and his girlfriend were hurt by the Hollywood hunk's motorcycle accident last month.”

N.Y. Daily News, Oct. 10, 2007

Page 20: “Emerging Privacy and Security Issues for Healthcare”

The Clooney Files

“As many as 40 doctors and other employees at the Palisades Medical Center in North Bergen, N.J., got suspensions for allegedly leaking confidential medical information about the couple”

Page 21: “Emerging Privacy and Security Issues for Healthcare”

Worse Than Just Losing Your Job

Lawanda Jackson indicted for criminal HIPAA violations, for allegedly receiving $4600 from the National Enquirer for 33 disclosures in 2006-07; checks were written to her husband

Page 22: “Emerging Privacy and Security Issues for Healthcare”

Poll: Has an institution you have worked with had disclosures of records about a well-known individual?

1. Yes, 2 or more

2. Yes, 1 that I know of

3. Don’t know

4. None (and I’m glad we don’t treat movie stars)

Page 23: “Emerging Privacy and Security Issues for Healthcare”

IV. Importance of Audit/Control

Let’s examine topics thus far:

HIPAA enforcement climbing, perhaps rapidly

Medical data breach laws emerging

Celebrity records creating a big stir

Common theme: The importance of having better control over your organization’s medical records database

Page 24: “Emerging Privacy and Security Issues for Healthcare”

Insider Abuse

Computer security experts generally say that a large majority of incidents come from insiders, not outside hackers

The challenge: how to detect, deter, and punish unauthorized insider access to records

The central importance of audit and controls over access/egress for databases

Page 25: “Emerging Privacy and Security Issues for Healthcare”

Advantages of Database Control

For celebrity records, send the clear message that violations will become known and traceable to the individual

For data breaches

Ensure good practices to reduce likelihood of breaches

Pinpoint the extent of breach, so notices go to the 100 affected persons, and not the 1,000 or 10,000 who might otherwise have to receive notice
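The two slides above (insider abuse, and the advantages of database control) describe what an access audit trail buys a records custodian without showing what the analysis looks like. The following is an added example written for this transcript; it is not code from Professor Swire's talk, from Sentrigo, or from any product. The audit-record format, the care-team table, the user names and the patient IDs are all constructed for illustration. It shows the two checks the slides call for: flagging a staff member's read of a record for a patient with whom they have no treatment or billing relationship (the snooping pattern behind the celebrity cases), and, for a compromised account, listing exactly which patients' records it touched so that breach notices go to those persons rather than to everyone in the database.

```python
"""
Added example (not from the slides): audit-log analysis for a medical records
database. Every log line, user, patient ID and care-team assignment below is
constructed sample data; the tab-separated format is an assumption made here.

Check 1: unauthorized insider access, i.e. a read of a record by a user who is
         not on that patient's care team.
Check 2: breach scoping, i.e. the exact set of patients whose records one
         compromised account read or exported, so notice goes to them and
         not to the 1,000 or 10,000 others in the database.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed audit records: timestamp, user, action, patient_id, flag.
# Records of well-known patients carry the "vip" flag.
SAMPLE_AUDIT_LOG = """\
2008-07-01T08:02:11\tnurse_a\tREAD\tP1001\t-
2008-07-01T08:05:40\tnurse_a\tREAD\tP1002\t-
2008-07-01T09:15:03\tclerk_b\tREAD\tP7777\tvip
2008-07-01T09:15:59\tclerk_b\tEXPORT\tP7777\tvip
2008-07-01T10:20:21\tdr_c\tREAD\tP7777\tvip
2008-07-01T11:01:00\tclerk_b\tREAD\tP1003\t-
2008-07-01T11:02:30\tclerk_b\tREAD\tP1003\t-
"""

# Constructed care-team table: which staff have a treatment or billing
# relationship with which patients. In practice this comes from the
# admission and scheduling systems, not from a literal.
CARE_TEAM = {
    "nurse_a": {"P1001", "P1002"},
    "dr_c": {"P7777"},
    "clerk_b": {"P1003"},
}


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    action: str
    patient_id: str
    vip: bool


def parse_audit_log(text: str) -> list:
    """Parse the tab-separated format defined above, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, pid, flag = line.split("\t")
        events.append(AuditEvent(ts, user, action, pid, flag == "vip"))
    return events


def find_unauthorized_access(events, care_team):
    """Events where the user has no relationship with the patient whose
    record was touched. VIP records are where the celebrity cases arise,
    but the rule is applied to every record equally."""
    return [e for e in events
            if e.patient_id not in care_team.get(e.user, set())]


def scope_breach(events, compromised_user):
    """Sorted list of patients whose records the compromised account read
    or exported: the population that needs breach notice."""
    return sorted({e.patient_id for e in events
                   if e.user == compromised_user
                   and e.action in ("READ", "EXPORT")})


def unauthorized_by_user(events, care_team):
    """Group unauthorized events by user, so each finding is traceable to
    an individual rather than to 'the database'."""
    by_user = defaultdict(list)
    for e in find_unauthorized_access(events, care_team):
        by_user[e.user].append((e.ts, e.action, e.patient_id, e.vip))
    return dict(by_user)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for user, hits in unauthorized_by_user(evs, CARE_TEAM).items():
        print(f"{user}: {len(hits)} unauthorized access(es)")
        for ts, action, pid, vip in hits:
            print(f"  {ts} {action} {pid}{' [VIP]' if vip else ''}")
    # Breach scoping for one account, as if clerk_b's credentials were misused:
    print("notify patients:", scope_breach(evs, "clerk_b"))
```

On the sample data, nurse_a and dr_c only touch records of patients they are assigned to, while clerk_b reads and exports the VIP record P7777 without any relationship, which is the finding an investigator would pursue. The breach-scoping function answers the narrower question the slide raises: if clerk_b's account is the one compromised, the notice population is P1003 and P7777, not the whole database. Both checks depend entirely on the audit trail being complete and on the care-team table being authoritative; neither can be reconstructed after the fact if logging was not in place.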

Page 26: “Emerging Privacy and Security Issues for Healthcare”

V. EHRs & the Future

Focus thus far has been on the single institution

Electronic health records & the shift to RHIOs (regional health information organizations)

With information sharing comes information risk

How assure control over data you are responsible for?

Existing audit/control systems will not be adequate for the multi-institution near future

Page 27: “Emerging Privacy and Security Issues for Healthcare”

Electronic Health Records

Markle Connecting for Health

www.markle.org

“Common Framework for Initiating Private and Secure Health Information Sharing”

Toolkit for implementing effective privacy and security in information sharing

Audit/database control an essential element

Page 28: “Emerging Privacy and Security Issues for Healthcare”

The Near Future of EHRs

Both political parties are stressing electronic health records

“Paper kills”

No one wants to be on the side of paper in a future that requires electronic records

How well does your organization control

Its own records (core database)

How records are shared with multiple other organizations?

Page 29: “Emerging Privacy and Security Issues for Healthcare”

Conclusion

HIPAA enforcement

Medical data breaches

Celebrity records & publicity about your organization

EHRs and the information-sharing future

For these reasons, audit & control must be a much more prominent feature of medical records management

Page 30: “Emerging Privacy and Security Issues for Healthcare”

Contact Information

Professor Peter Swire

www.peterswire.net

www.americanprogress.org

Moritzlaw.osu.edu