TRANSCRIPT
HIPAA
John DesMarteau, MD FACA
CEO eHealthConnector, Inc.
PRIVACY AND SECURITY: One Clinician’s Perspective
National Health Care Compliance Conference, February 6, 2002
2
HIPAA Requirements
Covered entities are required to have:
1. Privacy Officer and appropriate policies and procedures
2. Security Officer and appropriate policies and procedures
3
HIPAA Requirements
Covered entities are:
PROVIDERS
Health Plans
Health Care Clearinghouses
4
Privacy and Security:
A Matter of…
People
Systems
Technology
Regulations
Evolution
5
Privacy and Security:
It may be as simple as…
Paper consents/authorizations
Obtained at the point of care
Stored in the paper chart
Physical flag on chart indicating:
Viable current consents
Revoked consents
List of authorizations
List of required disclosures
6
Privacy and Security:
And…
Secured by… locking the office files and the office securely
Or…
7
Privacy and Security:
As complex as…
Consents/authorizations - enterprise wide
Obtained:
At the point of care
Mass mailings (paper)
E-Forms
Entered/stored in electronic databases
Flag when accessing membership (patient) system and/or electronic medical record:
Viable current consent
Revoked consent
Authorizations and their status
Disclosure Tracking System
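Added example (not part of the slides): the consent/authorization store, the "flag when the record is opened" and the disclosure tracking described on slides 5 and 7, written out as working Python. Patient identifiers, recipients and dates are constructed, and the rule that treatment/payment/operations (TPO) disclosures rest on the general consent while anything else needs a current, unrevoked authorization is this example's simplification of the Privacy Rule, not text from the deck.

```python
"""Added example: electronic consent/authorization store with chart flags and a
disclosure tracking log. All names and dates are constructed; the TPO-vs-
authorization rule is a simplification adopted for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Purposes that rest on the patient's general consent (assumption of this
# example); anything else needs a specific authorization.
TPO_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class Authorization:
    recipient: str            # who may receive PHI, e.g. an insurer or researcher
    purpose: str
    expires: date
    revoked_on: Optional[date] = None

    def status(self, today: date) -> str:
        if self.revoked_on is not None and self.revoked_on <= today:
            return "revoked"
        if self.expires < today:
            return "expired"
        return "current"


@dataclass
class Disclosure:
    on: date
    recipient: str
    purpose: str
    basis: str                # "consent", "authorization" or "required-by-law"


@dataclass
class PatientRecord:
    patient_id: str
    consent_signed_on: Optional[date] = None      # general consent for TPO
    consent_revoked_on: Optional[date] = None
    authorizations: list = field(default_factory=list)
    disclosures: list = field(default_factory=list)   # the disclosure tracking log

    def consent_status(self, today: date) -> str:
        if self.consent_revoked_on is not None and self.consent_revoked_on <= today:
            return "revoked"
        return "current" if self.consent_signed_on is not None else "none"

    def chart_flags(self, today: date) -> list:
        """Electronic equivalent of the flag on the paper chart: shown on open."""
        flags = [f"consent: {self.consent_status(today)}"]
        flags += [f"authorization for {a.recipient} ({a.purpose}): {a.status(today)}"
                  for a in self.authorizations]
        return flags

    def disclose(self, today: date, recipient: str, purpose: str,
                 required_by_law: bool = False) -> Disclosure:
        """Find the basis for a disclosure and log it; raise if there is none."""
        if required_by_law:
            basis = "required-by-law"
        elif purpose in TPO_PURPOSES:
            if self.consent_status(today) != "current":
                raise PermissionError(f"{purpose}: no current consent on file")
            basis = "consent"
        else:
            live = [a for a in self.authorizations
                    if a.recipient == recipient and a.purpose == purpose
                    and a.status(today) == "current"]
            if not live:
                raise PermissionError(f"{purpose} to {recipient}: no current authorization")
            basis = "authorization"
        entry = Disclosure(today, recipient, purpose, basis)
        self.disclosures.append(entry)
        return entry


def run_sample():
    """Constructed scenario: one patient, one live and one revoked authorization."""
    today = date(2002, 2, 6)
    rec = PatientRecord("P1001", consent_signed_on=date(2001, 11, 2))
    rec.authorizations.append(Authorization("Acme Life Insurance", "underwriting",
                                            expires=date(2002, 12, 31)))
    rec.authorizations.append(Authorization("Former Employer", "employment",
                                            expires=date(2002, 12, 31),
                                            revoked_on=date(2002, 1, 15)))
    rec.disclose(today, "Dr. Smith (referral)", "treatment")
    rec.disclose(today, "Acme Life Insurance", "underwriting")
    rec.disclose(today, "State Health Dept", "disease reporting", required_by_law=True)
    refused = []
    try:                       # revoked authorization: must be refused, not logged
        rec.disclose(today, "Former Employer", "employment")
    except PermissionError as exc:
        refused.append(str(exc))
    return rec.chart_flags(today), [d.basis for d in rec.disclosures], refused


if __name__ == "__main__":
    flags, bases, refused = run_sample()
    print("\n".join(flags))
    print(bases, refused)
```

Opening the record calls chart_flags(); every release of PHI goes through disclose(), which refuses when no basis exists and otherwise appends to the tracking log. Keeping the refusal out of the log and the successful disclosure in it is what makes the log usable as an accounting of disclosures.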
8
Privacy and Security:
And…
[Network diagram; labels as they appear: Payroll & Personnel files, Administrator Correspondence, Claims Database, Internet, Physicians, Confidential Patient Information Database, Web Server, Mail Server, Business Associates, Medical Research Database, Admission Data, Critical System Passwords, Clinical Trial Data, Remote Clinic, Physicians, Pediatric Nurse, Network IDS, Firewall, DMZ, Router, Switch, Switch, Host Based IDS, VPN]
9
Privacy and Security: Information Assurance Cycle
[Cycle diagram: ASSESS, PROTECT, DETECT, RESPOND]
10
Privacy and Security
Physician Internet Use
Still a reluctance to use the Internet
Physician-Patient E-Mail communication: only 23% using in a survey of 1,200 physicians¹
¹Fulcrum Analytics Oct/Nov 2001
[Bar chart: Using vs. Not Using]
11
Privacy and Security
Physician Internet Use
Current Use
Many using for personal e-mail
Clinical Uses:
Visiting Pharmaceutical Web Sites
Recommending Info Web Sites to Patients
Source: Fulcrum Analytics Oct/Nov 2001
[Bar chart: Visit Pharma Web Sites; Recommend Web Sites]
12
Privacy and Security
Physician Internet Use
Future Use
Likely to increase, based on insurance reimbursement and…
Reallocation of staff
Time saving
See more patients
Cut expenses
Source: Fulcrum Analytics Oct/Nov 2001
[Bar chart: Reallocate Staff; Save Time; See More Patients; Cut Expenses]
13
Privacy and Security
Physician Internet Use
The Wild Card - The PDA
Use likely to increase
High speed mobile communication device: telephony, Internet
30% already using
84% maintain personal schedules
67% manage professional schedules
57% accessing drug databases
50% hope to be able to view lab results someday
Source: Fulcrum Analytics Oct/Nov 2001
14
Privacy and Security
Physician Internet Use
The End Result:
Physicians will ultimately migrate from paper to digital.
Privacy and security implementations, and their maintenance, will migrate from the simple to the more complex for most clinicians.
15
Privacy and Security: The Clock is Ticking
[Timeline 12/99, 12/00, 12/01, 12/02, 12/03 with three tracks: TRANSACTION, PRIVACY, SECURITY?]
Privacy Audit
Incident Response & Detection
Network Assessment
Security Policy
Information Criticality Matrix
PHI Policy
Server Hardening
Update Assessment
Authorizations
Encryption
Compliance Documentation
Awareness Training
16
Privacy: For almost 5000 years
“My left foot is numb and I have this incredible thirst. I’ve been kind of depressed lately.”
The patient tells another person:
• no documentation
• no privacy
Nevertheless…
17
Privacy: Fears
Steven—you are to begin therapy, as your blood test indicates 25% risk of teenage depression based on your genetic profile.
Father just got a telemarketing call from a home blood sugar monitoring service. But I don’t think he ever followed up on that office visit to the doctor!
18
Privacy: Over The Top
And now, Mr. Jones’ scores from our health insurance judges.
19
Privacy: Over The Top (continued)
“Hi, I have an appointment with Dr. Smith tomorrow.”
“Mr. Dawson, are you one of Dr. Smith’s office staff? What is your mother’s maiden name and who won the world series in 1934?
OK, please login to my personal medical records website, where I can grant you access to view my records before my visit. The web address is: www.myhealthypersonalonlinemedicalrecordnetcomwebdoctorehealthicareupracticenetorgcommd.biz/whatever.shtml”
20
Privacy: Two Important Tenets:
1. Managing Health Information effectively is more critical than restricting access.
2. The patient-provider relationship is still at the heart of managing integrity of the data.
21
Privacy: Managing Health Information - 1
1. Determining the integrity and source of the information
2. Understanding its completeness
3. Knowing its relevance to the patient and/or circumstance
4. Defining its time sensitivity (is it fixed, as in height, or dynamic, as in weight?)
22
Privacy: Managing Health Information - 2
1. Does every provider manage his or her “own” information on a patient?
2. How do “prior” providers manage their “own” for subsequent providers?
3. Who has to know if the meaning of the data or the data itself changes downstream?
4. What is the role of the patient in the process?
23
Privacy: Flux: Effects of Bio-surveillance
Protected Health Information definitions will change—the identifiable source of data (i.e., the patient) will become more critical to disseminate for surveillance.
Definitions of usage of information will change.
Broad spectrum of possibilities for bio-exposure. Avoiding “risk” to the individual will rapidly migrate to avoiding “risk” to other individuals or groups.
Dynamic state of regulation may change depending on circumstances.
Recent regulations on wiretapping and monitoring—are there definitions around what parameters would reverse these?
24
Privacy: Elements of Privacy Management - 1
Admission
Authentication
Access controls
Administration
Accountability
Audits (before, not after)
Apprehension
For example…
25
Privacy: Elements of Privacy Management - 2
Audits
Someone has to write the rules¹
Someone has to run the audits²
Someone has to be accountable
¹The rules have to be meaningful
²The audits have to be meaningful
Electronic examples…
26
Privacy: Elements of Privacy Management - 2
The system must have sophisticated logic to determine who can access what, or there must be the ability to select certain items of special concern.
And someone accountable for group behavior can monitor the accesses of individuals, if they know what these individuals SHOULD be allowed to access.
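Added example (not the speaker's code): the two requirements from slides 25 and 26 in working Python. A rule table decides who may read which part of a chart, items of special concern need an explicit grant rather than being implied by role, and an audit pass re-evaluates a constructed access log against the same rules, flagging every recorded access they would not allow and tallying the flags per user for whoever is accountable for the group. Users, roles, item categories and log lines are all constructed.

```python
"""Added example: access rules for chart items plus an audit that replays an
access log against them. Roles, users, patients and the log format are
constructed for illustration."""
from dataclasses import dataclass, field
from collections import Counter

# The rules, written once by whoever owns them (constructed for this example).
# Rule 1: what each role may read, by chart item category.
ROLE_CAN_READ = {
    "physician": {"demographics", "labs", "medications", "progress_notes"},
    "nurse": {"demographics", "labs", "medications"},
    "billing": {"demographics", "claims"},
}
# Rule 2: items of special concern are never implied by role; each needs an
# explicit (user, patient, item) grant.
SPECIAL_ITEMS = {"psychiatric_notes", "hiv_results"}
# Rule 3: clinical roles must be on the patient's care team; billing need not be.
NEEDS_CARE_RELATIONSHIP = {"physician", "nurse"}


@dataclass
class Policy:
    roles: dict                                   # user -> role
    care_team: dict                               # patient -> set of users
    special_grants: set = field(default_factory=set)   # (user, patient, item)

    def allowed(self, user: str, patient: str, item: str) -> bool:
        """Should this user be able to read this item of this patient's chart?"""
        role = self.roles.get(user)
        if role is None:                          # unknown account: deny
            return False
        if item in SPECIAL_ITEMS:                 # only an explicit grant opens these
            return (user, patient, item) in self.special_grants
        if item not in ROLE_CAN_READ[role]:
            return False
        if role in NEEDS_CARE_RELATIONSHIP and user not in self.care_team.get(patient, set()):
            return False
        return True


def parse_log_line(line: str):
    """Constructed log format: '<timestamp> user=<id> patient=<id> item=<category>'."""
    timestamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return timestamp, fields["user"], fields["patient"], fields["item"]


def audit(policy: Policy, log_lines):
    """Re-evaluate every recorded access against the rules. Returns the accesses
    the rules would not have allowed and a per-user tally for the person
    accountable for the group."""
    violations = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        timestamp, user, patient, item = parse_log_line(line)
        if not policy.allowed(user, patient, item):
            violations.append((timestamp, user, patient, item))
    return violations, Counter(user for _, user, _, _ in violations)


# Constructed sample: three staff, two patients, one special-item grant.
POLICY = Policy(
    roles={"jsmith": "physician", "rlee": "nurse", "tbrown": "billing"},
    care_team={"P1001": {"jsmith", "rlee"}, "P1002": {"jsmith"}},
    special_grants={("jsmith", "P1001", "psychiatric_notes")},
)
SAMPLE_LOG = """
2002-02-06T09:14 user=jsmith patient=P1001 item=labs
2002-02-06T09:15 user=jsmith patient=P1001 item=psychiatric_notes
2002-02-06T09:20 user=rlee patient=P1002 item=medications
2002-02-06T09:22 user=rlee patient=P1001 item=psychiatric_notes
2002-02-06T10:01 user=tbrown patient=P1002 item=claims
2002-02-06T10:03 user=tbrown patient=P1002 item=labs
2002-02-06T10:05 user=unknown patient=P1001 item=demographics
"""


def run_sample():
    return audit(POLICY, SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    violations, by_user = run_sample()
    for v in violations:
        print("FLAG", *v)
    print(dict(by_user))
```

The same allowed() function serves both halves of the slide: the application calls it at access time, and the audit calls it again over the log. That is what makes the audit meaningful in the sense of slide 25: the rules are written down once, and the reviewer compares what happened against what SHOULD have been allowed rather than eyeballing raw access counts.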
27
Privacy: QI Via Privacy Management
Tools that facilitate privacy management can also help in the management of data and its integrity, thus improving quality of care through better communication.
28
Privacy: Privacy Officer Needed
• Necessary for the practice to be HIPAA compliant
• Necessary as a good business practice
Making certain that the practice remains HIPAA compliant:
Gathering consents
Proper disclosures
Proper security
Interface with patients
• Can be the “office manager”
• HIPAA publications abound (print and Internet)
• Expert help abounds
29
Security: Sizing a Security Program
Proposed Security Standard
Four Categories:
Administrative Procedures
Physical Safeguards
Technical Security Services
Technical Security Mechanisms
Future placeholder for Electronic Signature
30
Security: Sizing a Security Program
Final Security Standard
Each covered entity is responsible for:
Securing patient records containing individually identifiable health information (PHI) so that they are not readily available to those who do not need them
Establishing appropriate safeguards to ensure privacy
31
Security: The Top Reason to Defer Security
“Compliance is in the eye of the beholder”
“The HIPAA Security Standard is not finalized!”
32
Security: How Is Information Threatened?
Integrity, Confidentiality, Availability (Donn Parker, SRI)
Information is a Health Industry Asset
Information can be critical and/or sensitive
Loss of Confidentiality, Integrity, or Availability can have financial implications
Loss of Integrity or Availability can cost a life!
33
Security: Threats
What is a threat?
Possibility, or likelihood, of an attack against your organization
Potential for damage to your organization
Accidental vs. intentional threats
Threat forms: Human Errors, Malicious Acts, System Failures, Natural Disasters
34
Security: Vulnerabilities: some examples
[Table: Item | Paper | Digital]
Lack of policies and procedures
Incorrect policy implementation
No intrusion detection
Software bugs/design flaws
No firewall or poor implementation
No virus protection or poor implementation
35
Security: Information Security Hierarchy
Administrative
Policy and Procedure
Personnel Security
Technical
Network Connectivity
Viruses
Authentication
Audit
Backup and Recovery
Encryption
Physical Security
Best Practices Approach
Step 1: Information Security Policy and Standards
Step 2: Information Security Architecture and Processes
Step 3: Information Security Awareness and Training
Step 4: Information Security Technologies and Products
Step 5: Auditing, Monitoring and Investigating
Step 6: Validation
Source: Gartner Research
36
Privacy & Security: Recommended Response…NOW!
Gap Assessment
Establish Roadmap
Implement appropriate administrative measures:
Information Classification
Policies
Awareness Training
Undertake appropriate technical remediation:
Configurations
Physical security
“Little pieces at a time”
[Cycle diagram: ASSESS, PROTECT, DETECT, RESPOND]
37
Privacy and Security: Change is inevitable:
1. Technology is advancing.
2. People are critical to the process of ensuring privacy, regardless of technology.
3. Keeping up with the pace of development of new uses for information will tax security experts.
4. HIPAA is a “work-in-progress” and your voice is important.
38
Privacy and Security: HIPAA Compliance
It’s not
39
HIPAA
Thanks for attending!
PRIVACY AND SECURITY: One Clinician’s Perspective
National Health Care Compliance Conference, February 6, 2002
John DesMarteau, MD FACA, CEO
eHealthConnector, Inc.
4651 Massachusetts Ave NW
Washington, DC 20016
301-523-7571 (Cell/Pager)