eHealth Privacy and Security: Plain Talk in Complex Times. By: Ira J. Rothman, MBA, CPHIMS, CIPP, Senior Vice President – Privacy Official. September 23, 2011

Ira Rothman - eHealth Privacy and Security


DESCRIPTION

"eHealth Privacy and Security" was presented at the Center for Health Literacy Conference 2011: Plain Talk in Complex Times by Ira J. Rothman, MBA, CPHIMS, CIPP, Senior Vice President and Privacy Official, MAXIMUS. Description: This session will provide an overview of the principal eHealth privacy and security issues. Understand the basic privacy and security issues that impact Protected Health Information (PHI) and what you can do to protect yourself and your patients or clients.


Page 1: Ira Rothman - eHealth Privacy and Security

eHealth Privacy and Security

Plain Talk in Complex Times

By: Ira J. Rothman, MBA, CPHIMS, CIPP, Senior Vice President – Privacy Official

September 23, 2011

Page 2: Ira Rothman - eHealth Privacy and Security

Agenda

• eHealth Privacy in the News
• eHealth Privacy Concerns
• HIPAA – the Legal Basis for eHealth Privacy
• eHealth Security Concerns
• Privacy Actions You Should Take
• Security Actions You Should Take
• Questions

Sept 23, 2011 2

Page 3: Ira Rothman - eHealth Privacy and Security

eHealth Privacy in the News

• Privacy issues getting major attention from Congress and the media
– New York Times front page, Friday, Sept 9, 2011
• Medical Data of Thousands Posted Online
– Billing Vendor Handled Leaked Records
– “Everyone with an electronic medical record is at risk, and that means everyone.”


Page 4: Ira Rothman - eHealth Privacy and Security

eHealth Privacy in the News

• HHS recently sent a breach report to Congress
– The Department of Health and Human Services (HHS) reported to Congress that 5.4 million individuals were affected by breaches of protected health information (PHI) in 2010
– 207 breaches involved over 500 individuals per breach
  • 5.4 million individuals notified
– 25,000 breaches involved fewer than 500 individuals per breach
  • 50,000 individuals notified
– Five general causes of large breaches in the report
  • Theft
  • Loss of electronic media or paper records containing PHI
  • Unauthorized access to, use, or disclosure of PHI
  • Human error
  • Improper disposal
– The majority of small breaches involved misdirected communications and affected just one individual each on average.


Page 5: Ira Rothman - eHealth Privacy and Security

eHealth Privacy Concerns

• What is privacy?
– The right to keep something confidential until the owner chooses to reveal it.
– E.g., sending an envelope with the contents not revealed. The information inside remains private until the addressee opens the envelope.
• What is Protected Health Information (PHI)?
– Who defines it?
– Who can look at it?
• Common concerns
– Medical staff and others looking at PHI they have no need or right to review
– Employers and others (e.g., government, police) reviewing PHI to make decisions
– Outsiders gaining access to private emails


Page 6: Ira Rothman - eHealth Privacy and Security

HIPAA – the Legal Basis for eHealth Privacy

• HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
• HIPAA sets federal requirements for handling Protected Health Information (PHI). It gives individuals privacy rights and imposes requirements on health-related companies, including providers, insurers, and government agencies, on how to handle PHI.
• The HIPAA rules were modified by the American Recovery and Reinvestment Act (ARRA), effective February 18, 2009.
– Includes the Health Information Technology for Economic and Clinical Health (HITECH) Act
– Extends privacy and security coverage to business associates
– Establishes breach notification requirements
– Maximum penalty amount of $1.5 million


Page 7: Ira Rothman - eHealth Privacy and Security

The HIPAA Privacy Rule and PHI

• The HIPAA Privacy Rule states that health care organizations must protect the privacy of individuals' medical records and other personal health information. Individuals' data must be protected from intentional or unintentional use or disclosure, except for legitimate medical or business reasons.
• Protected Health Information (PHI) is information that can be used to identify an individual or that relates to that individual's:
– Past, present or future physical or mental condition
– Health care provided to that individual
– Payment for health care
• PHI includes all individually identifiable health information. This includes:
– Name, address, phone numbers, date of birth
– Social Security Number
– Payment for health care
– Insurance coverage or enrollment/disenrollment
– Medical, dental, or prescription drug records
– Health plan beneficiary number
– Participation status in a government program
– Hospital admittance and discharge dates


Page 8: Ira Rothman - eHealth Privacy and Security

State Privacy and Security Regulations

• 45 states have laws governing privacy and security
– Most deal with electronic transmission of data on the internet or breaches of personal information
– Personal information can include name, social security number, credit card number, birth date and other identifying information
– Penalties often include civil fines


Page 9: Ira Rothman - eHealth Privacy and Security

eHealth Security Concerns

• What is security?
– Security is the degree of protection against danger, damage and loss.
– E.g., sending an envelope with the contents protected from prying eyes. Security is the ability to keep the envelope from being opened or looked into until it arrives at the addressee and they decide to open it.
• What are common eHealth security concerns?
– Personal information, including health and financial information, being available on the internet for anyone to see
  • Employers, contractors, vendors or others with personal information databases may inadvertently expose the data to search engines, e.g., Google, violating privacy.
  • Information sent over the internet may be intercepted.
– Hard drives or other portable storage devices containing PHI being lost or stolen. Someone can then sell this information or use it for identity theft.
– PHI in electronic records being looked at by people who have no need or right to look at it


Page 10: Ira Rothman - eHealth Privacy and Security

Privacy Actions You Should Take

• Create strong privacy and security policies and procedures
– Enforce policies with sanctions
  • Required by HIPAA
  • Have a sanctions policy defining penalties for serious violations, e.g., removing PHI from the facility against policy, unauthorized access.
– Define who can look at PHI
  • Only those with a need to know
– Define security policies and procedures to support the privacy policy
  • Control and log access
  • Privacy and security need to work together
• Educate staff concerning privacy and security
– HIPAA requires training appropriate to employee job responsibilities
– Deliver an annual refresher
– Value staff who recognize privacy risks and correct or report them


Page 11: Ira Rothman - eHealth Privacy and Security

Privacy Actions You Should Take

• Make sure subcontractors are following HIPAA privacy regulations
– Many subcontractors (also called business associates) that handle PHI may not have adequate privacy and security policies and procedures in place
– A legal agreement (business associate agreement) defining their responsibilities is required by HIPAA
– Conduct audits to verify compliance
– A frequent cause of breaches is subcontractors' lack of attention to privacy and security
• Don’t forget to shred paper
– A cross-cut shredder is best for shredding documents containing PHI
• Perform a risk assessment
– Survey the environment with an open mind to identify risks
– Develop and implement a strategy to mitigate risks


Page 12: Ira Rothman - eHealth Privacy and Security

Security Actions You Should Take

• Focus on reducing corporate and personal risks
• Use strong passwords
– 8 characters consisting of upper and lower case letters, numbers and special characters.
– Don’t use easily guessed words
• Put a password on your smartphone or tablet
– Have the device lock automatically after a short idle period, e.g., 10 minutes
• Don’t use wifi in a public place to access a website containing personal information
– Be particularly wary of web sites that don’t use https as part of the web address
– Wifi can be intercepted
• Don’t use email, text messages or Twitter to send personal information
– For email, use encryption if it is available.
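The password rule on this slide (8 characters, upper and lower case, numbers, special characters, no easily guessed words) as a checker, added here as an illustration and not code from the presentation; the word list and the symbol-substitution map are constructed for the example.

```python
import string

# Constructed sample of "easily guessed" words for illustration; a deployment
# would use a much larger dictionary and breached-password list.
EASILY_GUESSED = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}

# Common symbol-for-letter substitutions, undone before the word check so that
# "P@ssw0rd!" is still recognised as the word "password" (constructed map).
_LEET = str.maketrans("@$0134!", "asoieai")


def password_problems(candidate: str) -> list:
    """Return every way `candidate` fails the slide's rule: 8 characters with
    upper- and lower-case letters, numbers and special characters, and no
    easily guessed word embedded in it. An empty list means it passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    # Lower-case and undo substitutions, then look for guessable words inside.
    normalised = candidate.lower().translate(_LEET)
    for word in sorted(EASILY_GUESSED):
        if word in normalised:
            problems.append(f"contains easily guessed word '{word}'")
    return problems


def is_strong(candidate: str) -> bool:
    """True when the candidate meets every part of the policy."""
    return not password_problems(candidate)


if __name__ == "__main__":
    for sample in ("P@ssw0rd!", "short1", "Tr4vel-Mug#77"):
        print(sample, "->", password_problems(sample) or "OK")
```

Note that "P@ssw0rd!" satisfies all four character-class rules and still fails, which is why the slide's second point (no easily guessed words) matters as much as the first.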


Page 13: Ira Rothman - eHealth Privacy and Security

Security Actions You Should Take

• Don’t post personal information on web sites that may be subject to breach, e.g., Facebook.
– Privacy policies change frequently with no notice
– Private information may be made public
• Use antivirus software
– Detects and removes malicious software
– Keep up to date with subscriptions
– Can detect and protect against new threats
• Use encryption
– Makes data unreadable to unauthorized viewers.
– Encrypt data on hard drives and other removable memory, e.g., USB sticks.
– Commercial software is available to encrypt entire hard drives.
– Make sure it meets the FIPS 140-2 standard (i.e., the federal standard for cryptographic modules, published by NIST)
– A common cause of data breach is lack of appropriate encryption.


Page 14: Ira Rothman - eHealth Privacy and Security

Security Actions You Should Take

• Educate staff and family
– Malware, or malicious software, includes
  • Trojans
  • Viruses
  • Hoaxes
  • Phishing
  • Worms
  • Hackers
– Don’t open unsolicited attachments.
  • Malware may be hidden in the attachment
– Users should lock their screens when not at their desk.
  • Set a screen saver password
– Don’t click on popup ads while surfing the web.
  • Another opportunity for malware to be installed.
– Report strange activity to network administration.
  • Could reflect malware installed on the computer


Page 15: Ira Rothman - eHealth Privacy and Security

Questions?

• Contact information

Ira J. Rothman

Senior Vice President – Privacy Official

MAXIMUS, Inc.

Email: [email protected]

Phone: 916-673-4152
